dotnet · edwardneal · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
@@ -1,8 +1,9 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
 using System;
+using System.Buffers.Binary;
 using System.Collections.Generic;
 using System.Diagnostics;
 using Microsoft.Data.SqlClient.Server;
@@ -20,7 +21,7 @@ internal class SqlEncryptionKeyInfo
         internal int databaseId;
         internal int cekId;
         internal int cekVersion;
-        internal byte[] cekMdVersion;
+        internal ulong cekMdVersion;
         internal string keyPath;
         internal string keyStoreName;
         internal string algorithmName;
@@ -63,7 +64,7 @@ internal class SqlTceCipherInfoEntry
         /// <summary>
         /// Cek MD Version
         /// </summary>
-        private byte[] _cekMdVersion;
+        private ulong _cekMdVersion;
 
         /// <summary>
         /// Return the ordinal.
@@ -112,7 +113,7 @@ internal int CekVersion
         /// <summary>
         /// Return the CEK MD Version.
         /// </summary>
-        internal byte[] CekMdVersion
+        internal ulong CekMdVersion
         {
             get
             {
@@ -142,7 +143,7 @@ internal List<SqlEncryptionKeyInfo> ColumnEncryptionKeyValues
         /// <param name="keyPath"></param>
         /// <param name="keyStoreName"></param>
         /// <param name="algorithmName"></param>
-        internal void Add(byte[] encryptedKey, int databaseId, int cekId, int cekVersion, byte[] cekMdVersion, string keyPath, string keyStoreName, string algorithmName)
+        internal void Add(byte[] encryptedKey, int databaseId, int cekId, int cekVersion, ulong cekMdVersion, string keyPath, string keyStoreName, string algorithmName)
         {
 
             Debug.Assert(_columnEncryptionKeyValues != null, "_columnEncryptionKeyValues should already be initialized.");
@@ -172,7 +173,6 @@ internal void Add(byte[] encryptedKey, int databaseId, int cekId, int cekVersion
                 Debug.Assert(_databaseId == databaseId);
                 Debug.Assert(_cekId == cekId);
                 Debug.Assert(_cekVersion == cekVersion);
-                Debug.Assert(_cekMdVersion != null && cekMdVersion != null && _cekMdVersion.Length == _cekMdVersion.Length);
             }
         }
 
@@ -186,7 +186,7 @@ internal SqlTceCipherInfoEntry(int ordinal = 0)
             _databaseId = 0;
             _cekId = 0;
             _cekVersion = 0;
-            _cekMdVersion = null;
+            _cekMdVersion = 0;
             _columnEncryptionKeyValues = new List<SqlEncryptionKeyInfo>();
         }
     }
@@ -550,7 +550,7 @@ private byte[] SerializeToWriteFormat()
             totalLength += sizeof(int);
 
             // Metadata version of the encryption key.
-            totalLength += _cipherMetadata.EncryptionKeyInfo.cekMdVersion.Length;
+            totalLength += sizeof(ulong);
 
             // Normalization Rule Version.
             totalLength += sizeof(byte);
@@ -576,8 +576,8 @@ private byte[] SerializeToWriteFormat()
             SerializeIntIntoBuffer(_cipherMetadata.EncryptionKeyInfo.cekVersion, serializedWireFormat, ref consumedBytes);
 
             // 6 - Write the metadata version of the encryption key.
-            Buffer.BlockCopy(_cipherMetadata.EncryptionKeyInfo.cekMdVersion, 0, serializedWireFormat, consumedBytes, _cipherMetadata.EncryptionKeyInfo.cekMdVersion.Length);
-            consumedBytes += _cipherMetadata.EncryptionKeyInfo.cekMdVersion.Length;
+            BinaryPrimitives.WriteUInt64LittleEndian(serializedWireFormat.AsSpan(consumedBytes), _cipherMetadata.EncryptionKeyInfo.cekMdVersion);
+            consumedBytes += sizeof(ulong);
 
             // 7 - Write Normalization Rule Version.
             serializedWireFormat[consumedBytes++] = _cipherMetadata.NormalizationRuleVersion;

@@ -1,8 +1,9 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
 using System;
+using System.Buffers.Binary;
 
 namespace Microsoft.Data.SqlClient
 {
@@ -16,10 +17,9 @@ internal class ColumnEncryptionKeyInfo
         internal readonly byte[] DecryptedKeyBytes;
         internal readonly byte[] KeyIdBytes;
         internal readonly byte[] DatabaseIdBytes;
-        internal readonly byte[] KeyMetadataVersionBytes;
+        internal readonly ulong KeyMetadataVersion;
 
         private static readonly string _decryptedKeyName = "DecryptedKey";
-        private static readonly string _keyMetadataVersionName = "KeyMetadataVersion";
         private static readonly string _className = "ColumnEncryptionKeyInfo";
         private static readonly string _bytePackageName = "BytePackage";
         private static readonly string _serializeToBufferMethodName = "SerializeToBuffer";
@@ -32,7 +32,7 @@ internal class ColumnEncryptionKeyInfo
         /// <param name="databaseId">database id for this column encryption key</param>
         /// <param name="keyMetadataVersion">key metadata version for this column encryption key</param>
         /// <param name="keyid">key id for this column encryption key</param>
-        internal ColumnEncryptionKeyInfo(byte[] decryptedKey, int databaseId, byte[] keyMetadataVersion, int keyid)
+        internal ColumnEncryptionKeyInfo(byte[] decryptedKey, int databaseId, ulong keyMetadataVersion, int keyid)
         {
 
             if (decryptedKey == null)
@@ -43,19 +43,11 @@ internal ColumnEncryptionKeyInfo(byte[] decryptedKey, int databaseId, byte[] key
             {
                 throw SQL.EmptyArgumentInConstructorInternal(_decryptedKeyName, _className);
             }
-            if (keyMetadataVersion == null)
-            {
-                throw SQL.NullArgumentInConstructorInternal(_keyMetadataVersionName, _className);
-            }
-            if (0 == keyMetadataVersion.Length)
-            {
-                throw SQL.EmptyArgumentInConstructorInternal(_keyMetadataVersionName, _className);
-            }
 
             KeyId = keyid;
             DatabaseId = databaseId;
             DecryptedKeyBytes = decryptedKey;
-            KeyMetadataVersionBytes = keyMetadataVersion;
+            KeyMetadataVersion = keyMetadataVersion;
 
             //Covert keyId to Bytes
             ushort keyIdUShort;
@@ -96,7 +88,8 @@ internal int GetLengthForSerialization()
             lengthForSerialization += DecryptedKeyBytes.Length;
             lengthForSerialization += KeyIdBytes.Length;
             lengthForSerialization += DatabaseIdBytes.Length;
-            lengthForSerialization += KeyMetadataVersionBytes.Length;
+            // KeyMetadataVersion is of type ulong which is 8 bytes
+            lengthForSerialization += sizeof(ulong);
             return lengthForSerialization;
         }
 
@@ -131,8 +124,8 @@ internal int SerializeToBuffer(byte[] bytePackage, int startOffset)
 
             Buffer.BlockCopy(DatabaseIdBytes, 0, bytePackage, startOffset, DatabaseIdBytes.Length);
             startOffset += DatabaseIdBytes.Length;
-            Buffer.BlockCopy(KeyMetadataVersionBytes, 0, bytePackage, startOffset, KeyMetadataVersionBytes.Length);
-            startOffset += KeyMetadataVersionBytes.Length;
+            BinaryPrimitives.WriteUInt64LittleEndian(bytePackage.AsSpan(startOffset), KeyMetadataVersion);
+            startOffset += sizeof(ulong);
             Buffer.BlockCopy(KeyIdBytes, 0, bytePackage, startOffset, KeyIdBytes.Length);
             startOffset += KeyIdBytes.Length;
             Buffer.BlockCopy(DecryptedKeyBytes, 0, bytePackage, startOffset, DecryptedKeyBytes.Length);

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information.
 
 using System;
+using System.Buffers.Binary;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
@@ -1016,7 +1017,7 @@ private bool ReadDescribeEncryptionParameterResultsKeys(
                     databaseId: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.DbId),
                     cekId: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.KeyId),
                     cekVersion: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.KeyVersion),
-                    cekMdVersion: keyMdVersion,
+                    cekMdVersion: BinaryPrimitives.ReadUInt64LittleEndian(keyMdVersion),
                     keyPath: keyPath,
                     keyStoreName: providerName,
                     algorithmName: ds.GetString((int)DescribeParameterEncryptionResultSet1.KeyEncryptionAlgorithm));

@@ -5367,6 +5367,10 @@ internal TdsOperationStatus TryProcessAltMetaData(int cColumns, TdsParserStateOb
         /// <summary>
         /// <para> Parses the TDS message to read single CIPHER_INFO entry.</para>
         /// </summary>
+        /// <remarks>
+        /// The CIPHER_INFO structure is represented as an EK_INFO structure in the TDS protocol.
+        /// </remarks>
+        /// <seealso href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/b0f2c914-c5ee-4714-802a-f118edf1b33d"/>.
         internal TdsOperationStatus TryReadCipherInfoEntry(TdsParserStateObject stateObj, out SqlTceCipherInfoEntry entry)
         {
             byte cekValueCount = 0;
@@ -5397,8 +5401,7 @@ internal TdsOperationStatus TryReadCipherInfoEntry(TdsParserStateObject stateObj
             }
 
             // Read the key MD Version
-            byte[] keyMDVersion = new byte[8];
-            result = stateObj.TryReadByteArray(keyMDVersion, 8);
+            result = stateObj.TryReadInt64(out long keyMDVersion);
             if (result != TdsOperationStatus.Done)
             {
                 return result;
@@ -5493,7 +5496,7 @@ internal TdsOperationStatus TryReadCipherInfoEntry(TdsParserStateObject stateObj
                     databaseId: dbId,
                     cekId: keyId,
                     cekVersion: keyVersion,
-                    cekMdVersion: keyMDVersion,
+                    cekMdVersion: unchecked((ulong)keyMDVersion),
                     keyPath: keyPath,
                     keyStoreName: keyStoreName,
                     algorithmName: algorithmName);
@@ -5508,9 +5511,8 @@ internal TdsOperationStatus TryReadCipherInfoEntry(TdsParserStateObject stateObj
         internal TdsOperationStatus TryProcessCipherInfoTable(TdsParserStateObject stateObj, out SqlTceCipherInfoTable cipherTable)
         {
             // Read count
-            short tableSize = 0;
             cipherTable = null;
-            TdsOperationStatus result = stateObj.TryReadInt16(out tableSize);
+            TdsOperationStatus result = stateObj.TryReadUInt16(out ushort tableSize);
             if (result != TdsOperationStatus.Done)
             {
                 return result;
@@ -11525,8 +11527,7 @@ internal void WriteEncryptionEntries(ref SqlTceCipherInfoTable cekTable, TdsPars
                 WriteInt(cekTable[i].CekVersion, stateObj);
 
                 // Write 8 bytes of key MD Version
-                Debug.Assert(8 == cekTable[i].CekMdVersion.Length);
-                stateObj.WriteByteArray(cekTable[i].CekMdVersion, 8, 0);
+                WriteUnsignedLong(cekTable[i].CekMdVersion, stateObj);
 
                 // We don't really need to send the keys
                 stateObj.WriteByte(0x00);