Nearlly done, final check on github

Author: DAILLY

1-CreateKey.md

@@ -3,12 +3,80 @@
 This certificate will be used by the .NET Driver and JDBC Driver using different Key Store.
 
 Points of the script:
-- FriendlyName is mandatory for the JavaKeyStore
+- FriendlyName is mandatory for the JavaKeyStore provider.
 - Exportable is mandatory: you must distribute this certificate to all clients requiring access to encrypted columns.
 - Set the password for your exported certificate.
 
+## Certificate compatibility issue
+
+<table>
+    <tbody>
+    <tr>
+        <td>
+        <img src="assets\warning.png" alt="warning" width="200"/>
+        </td>
+        <td>
+        This setup used Windows Server 2016 to generate the certificate.
+        Nevertheless it seems there is an issue in Java to read the certificate generated by this operating system version (at least in the PKCS#12 format (.pfx file).
+        I used the Oracle JDK 1.8.0_181 and the JDBC driver was unable to read properly the certificate in the JavaKeyStore. This is documented in following bug reports :
+        <ul>
+        <li><a href="https://bugs.java.com/view_bug.do?bug_id=JDK-8202299">https://bugs.java.com/view_bug.do?bug_id=JDK-8202299</a></li>
+        <li><a href="https://bugs.openjdk.java.net/browse/JDK-8202299">https://bugs.openjdk.java.net/browse/JDK-8202299</a></li>
+        </ul>
+        These bugs are resolved in the JDK 11 which is not yet publicly available (early access build <a href="http://jdk.java.net/11/">JDK 11</a>. So until general availability you should generate the certificate with:
+        <ul>
+        <li>A Windows Server 2012 R2 : nevertheless the New-SelfSignedCertificate cmdlet doesn't present all options (especially the -FriendlyName) so it is not suitable.</li>
+        <li>A real PKI infrastructure (Windows Server 2012 R2 or below), to create a certificate request with appropriate settings (especially the FriendlyName).</li>
+        <li>KeyTool.exe available in the Java JDK. This is finally this option that worked for both the .NET Driver and the JDBC Driver.</li>
+        </td>
+    </tr>
+    </tbody>
+</table>
+
+
+## KeyTool
+
+Using keytool.exe (included with JDK) to generate the certificate :
+
+```cmd
+c:\Program Files\Java\jdk1.8.0_181\bin>keytool -genkeypair -keyalg RSA -alias CLINIC_CMK_GENERIC -keystore C:\Temp\CLINIC_CMK_GENERIC.pfx -storepass P@ssw0rd -validity 7200 -keysize 4096 -storetype pkcs12 -keypass P@ssw0rd
+```
+
+Output with answers to generate the certificate subject :
+```txt
+What is your first and last name?
+  [Unknown]:  CLINIC_CMK_GENERIC
+What is the name of your organizational unit?
+  [Unknown]:  CLINIC
+What is the name of your organization?
+  [Unknown]:  CLINIC
+What is the name of your City or Locality?
+  [Unknown]:  BOSTON
+What is the name of your State or Province?
+  [Unknown]:  IL
+What is the two-letter country code for this unit?
+  [Unknown]:  US
+Is CN=CLINIC_CMK_GENERIC, OU=CLINIC, O=CLINIC, L=BOSTON, ST=IL, C=US correct?
+  [no]:  yes
+```
+
+Import the certificate in the Windows Certificate store for both the .NET Client and Security administrator system. Provide the certificate to the JDBC client as file. Do not provide the certificate to DBA administrator.
+All this roles are described in details on [next steps](2.CreateGenericCMK-CEK.md) :
+
+```PowerShell
+$pwd = ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force
+Import-PfxCertificate -FilePath C:\Temp\CLINIC_CMK_GENERIC.pfx -Exportable -CertStoreLocation Cert:\CurrentUser\My -Password $pwd
+```
+
+
+## PowerShell
+
+With the issue described above, Java clients using a certificate generated with a Windows Server 2016 operating system will not be able to decrypt properly encrypted columns. So this script is just for information purpose until JDK 11 availability.
+
+Windows Server 2006 Certificate generation :
 ```PowerShell
 # Create a new self signed certificate
+# FriendlyName is for the JavaKeyStore
 $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
             -KeyAlgorithm RSA  `
             -KeyDescription 'SQL Server Always Encrypted CLINIC CMK' `
@@ -28,5 +96,4 @@ $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
 #export the certificate in a file
 $pwd = ConvertTo-SecureString  "P@ssw0rd" -AsPlainText -Force
 Export-PfxCertificate -Cert Cert:\CurrentUser\my\$($cert.Thumbprint) -FilePath "C:\Temp\CLINIC_CMK_GENERIC.pfx" -Password $pwd
-
 ```

2.CreateGenericCMK-CEK.md

@@ -2,7 +2,17 @@
 
 This scenario use the Key provising with role separation provided by [Microsoft](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/configure-always-encrypted-keys-using-powershell?view=sql-server-2017#KeyProvisionWithRoles).
 
-### <span id="setup">Setup environment for Generic Provider usage</span>
+There is 2 distinguished roles :
+- The security administrator, which has access to the certificate.
+- The database (DBA) administrator, which has no access to the certificate.
+
+While this scenario use a complete role separation, for the sake of simplicity everything was performed on the same computer. I just removed the certificate from the Windows Certificate store for the DBA administrator steps.
+
+So I only setup environment once for both.
+
+## <span id="setup">Setup environment for Generic Provider usage</span>
+
+This step must de done only once per computer. This download the PowerShell SqlServer module and overwrite the Microsoft dll with the [patched one](bin\SQLServerAlwaysEncrypted.dll) (making a backup of the originating dll).
 
 ```PowerShell
 #####################################################
@@ -75,24 +85,32 @@ $customprovider = New-Object -TypeName SqlServerAlwaysEncrypted.SqlColumnEncrypt
 #the ProviderName property is a static property ... Microsoft implemented all providers with a static property. So I kept this implementation.
 Write-Host $customprovider.MasterKeyPath
 Write-Host $([SqlServerAlwaysEncrypted.SqlColumnEncryptionGenericProvider]::ProviderName)
+```
 
+Register the generic provider. Be careful with the order of the commands.
+Once the SqlServer PowerShell module is imported, not all assemblies are loaded until you use one cmdlet of the module. At this step, no cmdlet from the SqlServer is used yet. The first command "fake" a call to any SqlServer cmdlet to load all the assemblies used by the module. This initialize the internal dictionnay of custom providers.
 
+```PowerShell
 <#internally Always Encrypted Microsoft cmdlets do not load directly the [Microsoft.SqlServer.Management.AlwaysEncrypted.Management] assembly.
 Call chain:
   - [Microsoft.SqlServer.Management.AlwaysEncrypted.Types]::CustomProviders 
   - [Microsoft.SqlServer.Management.AlwaysEncrypted.Management]::CustomProviders
   - [System.Data.SqlClient.SqlConnection]::RegisterColumnEncryptionKeyStoreProviders()
-All cmdlets related to CMK/CEK follow this call chain.
-All cmdlets related to columns encryption use directly the [System.Data.SqlClient] assembly.
+All cmdlets related to CMK / CEK use this call chain and use the [Microsoft.SqlServer.Management.AlwaysEncrypted.Management]::CustomProviders dictionnary.
+All cmdlets related to columns encryption use directly the [System.Data.SqlClient] assembly and its internal dictionnary of custom providers.
 #>
 [Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager]::CustomProviders
 
-#Register our custom provider in the correct Always Encrypted dictionnary.
 #confirm only one custom provider is registered currently (Azure_Key_Vault)
+#PROVIDED CMDLET in the SQLServerAlwaysEncrypted.dll
 Get-SqlColumnEncryptionCustomProvider
+
+#Register the generic provider in all custom providers stores (dictionnary)
+#PROVIDED CMDLET in the SQLServerAlwaysEncrypted.dll
 Register-SqlColumnEncryptionCustomProvider -Provider $customprovider -ProviderName $([SqlServerAlwaysEncrypted.SqlColumnEncryptionGenericProvider]::ProviderName)
 
-#check our custom provider is registered in the different assemblies:
+#PROVIDED CMDLET in the SQLServerAlwaysEncrypted.dll
+#check our custom provider is registered in the different assemblies
 #[Microsoft.SqlServer.Management.AlwaysEncrypted.Management]
 Get-SqlColumnEncryptionCustomProvider
 
@@ -119,8 +137,12 @@ Key             Value
 AZURE_KEY_VAULT Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider
 GENERIC         SQLServerAlwaysEncrypted.SqlColumnEncryptionGenericProvider 
 ```
+<br />
+<br />
 
-### CMK Key Exchange
+## CMK Key Exchange
+
+This step is done by the security administrator.
 
 ```PowerShell
 # Create a SqlColumnMasterKeySettings object (the CMK metadata) with information about the generic provider. KeyPath must not be empty. Here i use "NONE", but this may be the certificate thumbprint or whatever you want. This is not important because the generic provider is already configured with the real keypath to the wrapped provider.
@@ -158,6 +180,9 @@ The DBA administrator has no access to the certificate. The DBA administrator mu
 
 
 ```PowerShell
+#Import the module
+Import-Module "SqlServer"
+
 # Obtain the location of the column master key and the encrypted value of the column encryption key from your Security Administrator, via a CSV file on a share drive.
 $keyDataFile = "C:\Temp\ExchangeWithDBAdmin.txt"
 $keyData = Import-Csv $keyDataFile
@@ -258,3 +283,9 @@ Set-SqlColumnEncryption -ColumnEncryptionSettings $ces -LogFileDirectory $logdir
 9/10/2018 4:13:28 PM		INFO		MainThread		Finalizing data migration.
 9/10/2018 4:13:29 PM		INFO		MainThread		Deploying the specified encryption settings completed in 0d:0h:1m:12s.
 ```
+
+
+## Clients
+Now you can use the client sample to access the database and decrypt values :
+- [.NET Client](3-.NETClient.md)
+- [JDBC Client](4-JDBCClient.md)

3-.NET Client.md

@@ -0,0 +1,83 @@
+# .NET Client SQL Query
+
+The code below represent a SQL query. This is coded in PowerShell but this exactly the same in C#.
+- Import the [Generic provider](bin/SQLServerAlwaysEncrypted.dll)
+- Create a connectionString (configure with your own settings)
+- Create the wrapped provider (MSSQL_CERTIFICATE_STORE)
+- Create the generic provider (GENERIC) with the wrapped provider, providing the right path to the certificate for the wrapped provider.
+- Create a SQL command with parameters
+- Execute Query
+- Check the request is successfull and data unencrypted
+
+
+```PowerShell
+#import the extended Always Encrypted types (the Generic provider)
+Add-type -Path '.\bin\SqlServerAlwaysEncrypted.dll'
+
+#Configure your connection settings
+$constr = New-Object -TypeName System.Data.SqlClient.SqlConnectionStringBuilder
+$constr.Item("Data Source") = "192.168.2.19"
+$constr.Item("Initial Catalog") = "CLINIC"
+$constr.Item("Authentication") = [System.Data.Sqlclient.SqlAuthenticationMethod]::ActiveDirectoryIntegrated
+
+#ensure to setup the Column Encryption Setting
+$constr.Item("Column Encryption Setting") = [System.Data.SqlClient.SqlConnectionColumnEncryptionSetting]::Enabled
+$constr.Item("TrustServerCertificate") = $true
+
+#access to your certificate from the Windows Certificate Store (take care if there are many to select the right one, here we get only the fisrt)
+$cert = Get-childitem -Path (Cert:\CurrentUser\My)[0]
+
+#create the wrapped Windows Certificate Store provider
+$sqlstoreprovider = new-object -TypeName System.Data.SqlClient.SqlColumnEncryptionCertificateStoreProvider
+
+#Create the generic provider, providing the inner provider and the right path for this inner provider
+$genericProvider = New-Object -TypeName SqlServerAlwaysEncrypted.SqlColumnEncryptionGenericProvider($sqlstoreprovider, "CurrentUser/My/$($cert.Thumbprint)")
+
+#create a dictionnary, fill this dictionnary with the generic provider and register this provider.
+$customproviders = New-Object -TypeName 'System.Collections.Generic.Dictionary[String,System.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider]'
+$customproviders.Add([SqlServerAlwaysEncrypted.SqlColumnEncryptionGenericProvider]::ProviderName, $genericProvider)
+[System.Data.SqlClient.SqlConnection]::RegisterColumnEncryptionKeyStoreProviders($customproviders)
+
+#create the connection and connect
+$connection = New-Object System.Data.SqlClient.SqlConnection($constr.ConnectionString);
+            
+try
+{
+    $connection.Open();
+} catch {
+    Write-Host "Error connecting"
+}
+
+#create the command with parameter @SSN
+$command = New-Object -TypeName System.Data.SqlClient.SqlCommand
+$command.CommandText = "SELECT [SSN], [FirstName], [LastName], [BirthDate] FROM [dbo].[Patients] WHERE SSN=@SSN";
+$command.Connection = $connection
+
+$paramSSN = $command.CreateParameter();
+$paramSSN.ParameterName = "@SSN";
+$paramSSN.DbType = [System.Data.DbType]::AnsiStringFixedLength;
+$paramSSN.Direction = [System.Data.ParameterDirection]::Input;
+
+#provide clear-text value to search in the database. it's the driver responsability to encrypt the value
+$paramSSN.Value = "795-73-9838";
+$paramSSN.Size = 11;
+$command.Parameters.Add($paramSSN);
+
+#execute the query
+$reader = $command.ExecuteReader()
+
+ if ($reader.HasRows) {
+
+     while ($reader.Read())
+     {
+        #print result, ensure one entry is returned and the data is in clear-text
+        [String]::Format("{0}, {1}, {2}, {3}", $reader[0], $reader[1], $reader[2], ([DateTime]$reader[3]).ToShortDateString());
+     }
+ }
+```
+
+
+Sample Output :
+```
+795-73-9838, Catherine, Abel, 9/10/1996
+```

3-.NETClient.md

@@ -0,0 +1,39 @@
+# JDBC Client. SQL Query
+
+The [Java/SQLServerAlwaysEncrypted](JAVA/SQLServerAlwaysEncrypted) project contains both :
+- the Generic Provider (wrapping the JAVA_KEY_STORE provider).
+- a sample to query the database.
+
+The details of the sample are : 
+- get a connectionString (from arguments)
+- Create the wrapped provider (JAVA_KEY_STORE) with right settings.
+- Create the generic provider (GENERIC) with the wrapped provider, providing the right path for the wrapped provider.
+- Create a SQL command with parameters
+- Execute Query
+- Check the request is successfull and data unencrypted
+
+
+The JAVA_KEY_STORE needs 2 parameters in its constructor (static String in code) :
+- KeyStorePath : the path to the certificate on the file system (.pfx file)
+- KeyStorePassword : the password to open the key store (see [Create Key](1-CreateKey.md))
+
+The CMK does not provide any valid value for the key path. The JAVA_KEY_STORE require this path being the FriendlyName property of the certificate.
+
+Create an instance of the GENERIC_KEY_STORE, providing both the wrapped JAVA_KEY_STORE instance and the friendlyname of the certificate as path ("clinic_cmk_generic" in the [sample](1-CreateKey.md)).
+
+To keep authentication simple with this sample, I created a new account (admin P@ssw0rd) in SSMS.
+
+Provide the connectionstring as arguments (if you use the sample database CLINIC) :
+- exemple in Eclipse Debug Configuration :
+
+![Eclipse Debug arguments](assets/jdbc_eclipse_debug_connectionstring.png)
+
+Else you can inspire from source code to create you own SQL query. The source code is really easy. Everything is detailed enough.
+
+Sample Output :
+```
+Connecting to SQL Server ... Done.
+Executing SQL Query ...
+SSN: 795-73-9838, FirstName: Catherine, LastName:Abel, Date of Birth: 1996-09-10
+Done.
+```

4-JDBC Client.md

@@ -1,4 +1,5 @@
-# PS Module unable to retrieve a registered custom provider
+# SqlServer PowerShell Module unable to find a registered custom provider
+
 
 ## Microsoft Code
 Initial code from the Microsoft.SqlServer.Management.AlwaysEncrypted.Management.dll: 
@@ -32,11 +33,13 @@ public static class AlwaysEncryptedManagement {
 
 The main issue in this code is the default statement. Only an error is returned whenever you attempt to access a custom provider. Normally the code should behave as in the "AZURE_KEY_VAULT" statement.
 
-With the original code, it is impossible to achieve Always Encrypted configuration with PowerShell and a custom/generic provider. It may be possible with a full C# or Java, but all the documentation use PowerShell.
+With the original code, it is impossible to achieve Always Encrypted configuration with PowerShell and a custom/generic provider. It may probably be possible with a full C# or Java, but all the documentation used PowerShell.
+
+In an effort to use PowerShell for this scenario, a solution was necessary.
 
 ## Patched DLL
 
-The [provided patched DLL](bin/Microsoft.SqlServer.Management.AlwaysEncrypted.Management.dll) replace the Microsoft original code with the following simple code. I was not really able to properly insert IL to replace only the default statement from the original code. But it doesn't have any importance, being able to retrieve a custom/generic provider is sufficient.
+The [provided patched DLL](bin/Microsoft.SqlServer.Management.AlwaysEncrypted.Management.dll) replace the Microsoft original code with the following simple code. I was not really able to properly insert IL code to replace only the default statement from the original code. But it doesn't have any importance, being able to retrieve a custom/generic provider is sufficient.
 
 I used ILSpy + Reflexil to achieve this.
 

4-JDBCClient.md

@@ -2,7 +2,7 @@
 
 ## Information about the issue
 
-One of the issue encountered during development of this generic provider was the moment where you want to encrypt columns. The cmdlet used to encrypt the columns does use the [System.Data.SqlClient.SqlConnection] object to get access to registered custom providers.
+One of the issue encountered during development of this generic provider was the moment where you want to encrypt columns. The cmdlet used to encrypt the columns use the [System.Data.SqlClient.SqlConnection] object to get access to registered custom providers.
 
 By following the <a href="#callstack">callstack</a> from the load of the PowerShell module, it is clear that both the PowerShell module and the code from [System.Data.SqlClient] present some issues:
 - The SqlServer PowerShell module loads the "AZURE_KEY_VAULT" as a custom provider and by doing so prevent any other registration of a custom provider.