
[Release/6.1] Fix fetching signature verification result from cache #4356

Merged
cheenamalhotra merged 2 commits into release/6.1 from dev/cheena/cmk-6.1-fix
Jun 16, 2026
@cheenamalhotra

Member

Ports #4339 to release/6.1

Copilot AI review requested due to automatic review settings June 11, 2026 06:47
@cheenamalhotra cheenamalhotra requested a review from a team as a code owner June 11, 2026 06:47
@github-project-automation github-project-automation Bot moved this to To triage in SqlClient Board Jun 11, 2026
@cheenamalhotra cheenamalhotra added this to the 6.1.6 milestone Jun 11, 2026
@cheenamalhotra cheenamalhotra moved this from To triage to In review in SqlClient Board Jun 11, 2026

Copilot AI left a comment

Contributor

Pull request overview

Ports #4339 to release/6.1 to fix a security-sensitive bug where CMK signature verification cache lookups could incorrectly treat a cached false (verification failure) as a cache hit/success.

Changes:

  • Introduces a tri-state SignatureVerificationResult to distinguish cache miss vs cached false.
  • Updates SqlSecurityUtility.VerifyColumnMasterKeySignature to re-verify only on cache miss and to honor cached failures.
  • Adds SignatureVerificationCacheTests to cover cached success, cached failure (regression), and cache miss behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/Microsoft.Data.SqlClient/tests/UnitTests/Microsoft/Data/SqlClient/SignatureVerificationCacheTests.cs | Adds regression/unit coverage for cache hit/miss and cached-false scenarios. |
| src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlSecurityUtility.cs | Switches CMK signature verification flow to use the tri-state cache API correctly. |
| src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SignatureVerificationCache.cs | Implements tri-state cache result and refactors cache get/add + trimming logic. |
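
The cache-miss versus cached-failure distinction described in the review overview above, as an added C# illustration that is not code from this pull request or from Microsoft.Data.SqlClient. All type and method names, the string cache key and the stand-in verifier are hypothetical, and the flawed caller shows only one way such a conflation can arise, since the page does not show the original code.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical tri-state result: a bool alone cannot separate "no entry" from "entry is false".
enum CacheResult { Miss, CachedFailure, CachedSuccess }

static class SignatureCacheDemo
{
    // Hypothetical cache keyed by key path only; the value is the stored verification outcome.
    static readonly Dictionary<string, bool> Cache = new Dictionary<string, bool>();

    // Stand-in for the real signature check (assumption): the constructed "tampered" path fails.
    static bool VerifyWithKeyStore(string keyPath) => !keyPath.Contains("tampered");

    // Flawed caller: any cache hit is read as "already verified", so a stored false becomes success.
    static bool VerifyFlawed(string keyPath)
    {
        if (Cache.TryGetValue(keyPath, out _)) return true;
        bool ok = VerifyWithKeyStore(keyPath);
        Cache[keyPath] = ok;
        return ok;
    }

    // Tri-state lookup: the stored value decides between CachedSuccess and CachedFailure.
    static CacheResult Lookup(string keyPath) =>
        Cache.TryGetValue(keyPath, out bool ok)
            ? (ok ? CacheResult.CachedSuccess : CacheResult.CachedFailure)
            : CacheResult.Miss;

    // Corrected caller: re-verify only on a miss and honor a cached failure.
    static bool VerifyFixed(string keyPath)
    {
        switch (Lookup(keyPath))
        {
            case CacheResult.CachedSuccess: return true;
            case CacheResult.CachedFailure: return false;
            default:
                bool ok = VerifyWithKeyStore(keyPath);
                Cache[keyPath] = ok;
                return ok;
        }
    }

    static void Main()
    {
        const string path = "constructed/tampered-cmk"; // constructed sample input
        Console.WriteLine($"flawed: first={VerifyFlawed(path)} second={VerifyFlawed(path)}");
        Cache.Clear();
        Console.WriteLine($"fixed:  first={VerifyFixed(path)} second={VerifyFixed(path)}");
    }
}
```

The second call in each pair is the regression case: it runs against a cache that already holds a failed verification for the same key.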

@cheenamalhotra cheenamalhotra enabled auto-merge (squash) June 15, 2026 16:52
@cheenamalhotra cheenamalhotra disabled auto-merge June 16, 2026 16:15
@cheenamalhotra cheenamalhotra merged commit b448b72 into release/6.1 Jun 16, 2026
274 of 276 checks passed
@github-project-automation github-project-automation Bot moved this from In review to Done in SqlClient Board Jun 16, 2026
@cheenamalhotra cheenamalhotra deleted the dev/cheena/cmk-6.1-fix branch June 16, 2026 16:16