Sample code for 30+ languages & platforms
SQL Server

Verify HMAC XML Digital Signature

See more XML Digital Signatures Examples

Demonstrates how to validate an XML digital signature signed with an HMAC key.

Chilkat SQL Server Downloads

SQL Server
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    -- This example requires the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.

    -- The XML containing the Signature to be verified contains the following:

    -- <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    -- <collection Id="root">
    -- 	<album>
    -- 		<title>Questions, unanswered</title>
    -- 		<artist>Steve and the flubberblubs</artist>
    -- 		<year>1989</year>
    -- 		<t:tracks xmlns:t="http://test.xades4j/tracks">
    -- 			<t:song length="4:05" tracknumber="1">
    -- 				<t:title>What do you know?</t:title>
    -- 				<t:artist>Steve and the flubberblubs</t:artist>
    -- 				<t:lastplayed>2006-10-17-08:31</t:lastplayed>
    -- 			</t:song>
    -- 			<t:song length="3:45" tracknumber="2">
    -- 				<t:title>Who do you know?</t:title>
    -- 				<t:artist>Steve and the flubberblubs</t:artist>
    -- 				<t:lastplayed>2006-10-17-08:35</t:lastplayed>
    -- 			</t:song>
    -- 			<t:song length="5:14" tracknumber="3">
    -- 				<t:title>When do you know?</t:title>
    -- 				<t:artist>Steve and the flubberblubs</t:artist>
    -- 				<t:lastplayed>2006-10-17-08:39</t:lastplayed>
    -- 			</t:song>
    -- 			<t:song length="4:19" tracknumber="4">
    -- 				<t:title>Do you know?</t:title>
    -- 				<t:artist>Steve and the flubberblubs</t:artist>
    -- 				<t:lastplayed>2006-10-17-08:44</t:lastplayed>
    -- 			</t:song>
    -- 		</t:tracks>
    -- 	</album>
    -- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/><ds:Reference URI="#root"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>rD/g8soqKz8EiPUBhEWfcQacS0ta4ULHX3dKMEH6ZoQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>R8dXP95VRYJBfL6d0Peogybdk27+R+JIfX8jnVu0NOI=</ds:SignatureValue></ds:Signature></collection>

    -- The above XML is available at https://www.chilkatsoft.com/exampleData/hmacSigned.xml
    -- First fetch the XML..

    DECLARE @url nvarchar(4000)
    SELECT @url = 'https://www.chilkatsoft.com/exampleData/hmacSigned.xml'
    DECLARE @http int
    EXEC @hr = sp_OACreate 'Chilkat.Http', @http OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    DECLARE @sbXml int
    EXEC @hr = sp_OACreate 'Chilkat.StringBuilder', @sbXml OUT

    EXEC sp_OAMethod @http, 'QuickGetSb', @success OUT, @url, @sbXml
    IF @success <> 1
      BEGIN
        EXEC sp_OAGetProperty @http, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @http
        EXEC @hr = sp_OADestroy @sbXml
        RETURN
      END

    DECLARE @verifier int
    EXEC @hr = sp_OACreate 'Chilkat.XmlDSig', @verifier OUT

    -- Load the XML containing the signature to be verified.
    EXEC sp_OAMethod @verifier, 'LoadSignatureSb', @success OUT, @sbXml
    IF @success <> 1
      BEGIN
        EXEC sp_OAGetProperty @verifier, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @http
        EXEC @hr = sp_OADestroy @sbXml
        EXEC @hr = sp_OADestroy @verifier
        RETURN
      END

    -- Provide the HMAC key
    -- The HMAC key for this signature is the us-ascii bytes of the string "secret",
    -- It can be set in any of the following ways (and also more ways not shown here..)
    EXEC sp_OAMethod @verifier, 'SetHmacKey', @success OUT, 'secret', 'ascii'
    -- or
    EXEC sp_OAMethod @verifier, 'SetHmacKey', @success OUT, 'c2VjcmV0', 'base64'
    -- or
    EXEC sp_OAMethod @verifier, 'SetHmacKey', @success OUT, '736563726574', 'hex'

    -- Verify the signature
    DECLARE @bVerified int
    EXEC sp_OAMethod @verifier, 'VerifySignature', @bVerified OUT, 1

    PRINT 'Signature verified = ' + @bVerified

    EXEC @hr = sp_OADestroy @http
    EXEC @hr = sp_OADestroy @sbXml
    EXEC @hr = sp_OADestroy @verifier


END
GO