Contributor

Copilot AI commented Jan 8, 2026

Adds the -J flag to specify a server certificate file (PEM, DER, or CER) for certificate pinning when using strict encryption mode. The certificate is matched exactly against the server's TLS certificate, bypassing standard validation (expiry, hostname, trust chain).

Changes

  • SQLCmdArguments & ConnectSettings: Added ServerCertificate string field to store certificate path
  • Flag registration: Added -J/--server-certificate flag with help text
  • Connection string: Pass certificate path via msdsn.Certificate parameter to go-mssqldb driver
  • Validation: Enforce -J requires strict encryption (-N s or -N strict)
  • Tests: Coverage for valid combinations and invalid usage with non-strict modes

Usage

# Valid: certificate pinning with strict encryption
sqlcmd -S myserver -N s -J /path/to/server.pem

# Invalid: certificate requires strict mode
sqlcmd -S myserver -J /path/to/server.pem
# Error: The -J parameter can only be used with strict encryption mode (-N s or -N strict).

The implementation follows the existing pattern for connection flags like -F (HostNameInCertificate).

Original prompt

This section details the original issue you should resolve

<issue_title>Implement -J flag to allow a specific server certificate be used to encrypt the connection</issue_title>
<issue_description>-J takes a server certificate. This option can be used with the strict encryption mode (-Ys). This option specifies the path to a certificate file to match against the server's connection encryption certificate. The match is done instead of standard certificate validation (expiry, host name, trust chain, etc.) The accepted certificate formats are PEM, DER, and CER. If specified, the server's certificate is checked by seeing if the server certificate provided is an exact match.</issue_description>

Comments on the Issue (you are @copilot in this section)
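
The exact-match check described in this pull request, sketched with Go's standard library as an added example (not code from sqlcmd or go-mssqldb). The names pinnedDER, verifyPin and selfSigned are hypothetical, and the certificate is constructed in-process.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pinnedDER reads a PEM or DER/CER file body and returns the certificate's DER bytes.
func pinnedDER(file []byte) ([]byte, error) {
	if block, _ := pem.Decode(file); block != nil {
		file = block.Bytes
	}
	cert, err := x509.ParseCertificate(file) // must be exactly one X.509 certificate
	if err != nil {
		return nil, err
	}
	return cert.Raw, nil
}

// verifyPin fits tls.Config.VerifyPeerCertificate; with InsecureSkipVerify set it is the only check.
func verifyPin(pin []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 || !bytes.Equal(rawCerts[0], pin) {
			return fmt.Errorf("server certificate does not match the pinned certificate")
		}
		return nil
	}
}

// selfSigned builds a constructed, self-signed, long-expired certificate as DER and PEM.
func selfSigned(cn string) (der, pemFile []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Unix(0, 0), NotAfter: time.Unix(1, 0)}
	der, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	der, pemFile := selfSigned("sql.example.test")
	pin, err := pinnedDER(pemFile)
	fmt.Println(err, verifyPin(pin)([][]byte{der}, nil)) // both nil: expired cert still matches
}
```

Because the byte comparison replaces the expiry, hostname and chain checks, the pinned file has to be replaced whenever the server certificate is rotated.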



Copilot AI and others added 2 commits January 8, 2026 22:22
Co-authored-by: shueybubbles <2224906+shueybubbles@users.noreply.github.com>
Co-authored-by: shueybubbles <2224906+shueybubbles@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement -J flag to specify server certificate for encryption Implement -J flag for server certificate pinning with strict encryption Jan 8, 2026
Copilot AI requested a review from shueybubbles January 8, 2026 22:30
David Shiflet (from Dev Box) added 2 commits January 14, 2026 09:28

Copilot AI left a comment


Pull request overview

This PR implements the -J flag to enable server certificate pinning for encrypted SQL Server connections. The feature allows users to specify a path to a certificate file (PEM, DER, or CER format) that will be matched exactly against the server's TLS certificate, bypassing standard certificate validation.

Changes:

  • Added ServerCertificate field to SQLCmdArguments and ConnectSettings structs
  • Registered -J/--server-certificate flag with validation requiring encryption to be enabled
  • Updated go-mssqldb dependency from v1.9.2 to v1.9.6 to support the certificate pinning feature
  • Added comprehensive test coverage for valid and invalid flag combinations

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| cmd/sqlcmd/sqlcmd.go | Added ServerCertificate field, validation logic, flag registration, and helper function to check encryption modes |
| cmd/sqlcmd/sqlcmd_test.go | Added test cases for valid -J flag usage with different encryption modes and invalid combinations |
| pkg/sqlcmd/connect.go | Added ServerCertificate field to ConnectSettings and passed it to connection string via msdsn.ServerCertificate |
| go.mod | Updated go-mssqldb dependency from v1.9.2 to v1.9.6 |
| go.sum | Updated checksums for go-mssqldb v1.9.6 and added shopspring/decimal v1.4.0 (transitive dependency) |
| .gitignore | Added patterns to ignore certificate files and build artifacts |

Comments suppressed due to low confidence (1)

cmd/sqlcmd/sqlcmd_test.go:1

  • The test case on line 123-125 doesn't verify the EncryptConnection value. The validation function should check both fields are set correctly, similar to line 120-122. Add && args.EncryptConnection == "true" to the return statement.
// Copyright (c) Microsoft Corporation.


case a.UseAad && len(a.AuthenticationMethod) > 0:
err = mutuallyExclusiveError("-G", "--authentication-method")
case len(a.HostNameInCertificate) > 0 && len(a.ServerCertificate) > 0:
err = mutuallyExclusiveError("-F", "-J")
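Review bot: the new error on the last line names the conflicting options as "-F" and "-J", while the condition above it tests a.HostNameInCertificate, and the sqlcmd -? output quoted later in this thread lists -F as --format. Confirm which short flag is actually bound to HostNameInCertificate and pass that, or the long option names, to mutuallyExclusiveError so the message points users at the option they really set. The test coverage listed in the PR summary mentions only strict versus non-strict modes, so a case that sets both host-name-in-certificate and -J would be worth adding alongside this branch.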

@dlevy-msft-sql dlevy-msft-sql Jan 16, 2026


Is -F here still Format? #Resolved

Collaborator


hostnameincertificate


When I look at sqlcmd -? it has

-F,--format
   Specifies the formatting for results

@shueybubbles shueybubbles marked this pull request as ready for review January 16, 2026 21:23
Development

Successfully merging this pull request may close these issues.

Implement -J flag to allow a specific server certificate be used to encrypt the connection

3 participants