|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(SQL Server) Rewrite PFX using AES256-SHA256Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256. Note: This example requires Chilkat v9.5.0.83 or greater.
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls. -- CREATE PROCEDURE ChilkatSample AS BEGIN DECLARE @hr int -- Important: Do not use nvarchar(max). See the warning about using nvarchar(max). DECLARE @sTmp0 nvarchar(4000) -- This example requires Chilkat v9.5.0.83 or greater. DECLARE @pfx int -- Use "Chilkat_9_5_0.Pfx" for versions of Chilkat < 10.0.0 EXEC @hr = sp_OACreate 'Chilkat.Pfx', @pfx OUT IF @hr <> 0 BEGIN PRINT 'Failed to create ActiveX component' RETURN END -- Let's load a .pfx and examine the encryption algorithms used to protect the private key: DECLARE @success int EXEC sp_OAMethod @pfx, 'LoadPfxFile', @success OUT, 'qa_data/pfx/test_secret.pfx', 'secret' IF @success = 0 BEGIN EXEC sp_OAGetProperty @pfx, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @pfx RETURN END -- Examine the algorithms: -- "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"? EXEC sp_OAGetProperty @pfx, 'AlgorithmId', @sTmp0 OUT PRINT 'Algorithm: ' + @sTmp0 -- If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2. -- (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.) EXEC sp_OAGetProperty @pfx, 'Pbes2CryptAlg', @sTmp0 OUT PRINT 'Pbes2CryptAlg: ' + @sTmp0 EXEC sp_OAGetProperty @pfx, 'Pbes2HmacAlg', @sTmp0 OUT PRINT 'Pbes2HmacAlg: ' + @sTmp0 -- Our output so far: -- Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC -- Pbes2CryptAlg: aes256-cbc -- Pbes2HmacAlg: hmacWithSha256 -- This tells us that the PFX we loaded was protected using triple-DES with SHA1. -- (Most existing .pfx/.p12 files use 3DES w/ SHA1.) -- The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2". We can ignore those values. -- Examine the LastJsonData for the call to LoadPfxFile. This gives us information about what is contained in the PFX, including extended attributes. DECLARE @json int EXEC sp_OAMethod @pfx, 'LastJsonData', @json OUT EXEC sp_OASetProperty @json, 'EmitCompact', 0 EXEC sp_OAMethod @json, 'Emit', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @json -- Here's a sample LastJsonData: -- Use this online tool to generate parsing code from sample JSON: -- Generate Parsing Code from JSON -- { -- "authenticatedSafe": { -- "contentInfo": [ -- { -- "type": "Data", -- "safeBag": [ -- { -- "type": "pkcs8ShroudedKeyBag", -- "attrs": { -- "localKeyId": "16444216", -- "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}", -- "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0" -- } -- } -- ] -- }, -- { -- "type": "EncryptedData", -- "safeBag": [ -- { -- "type": "certBag", -- "attrs": { -- "localKeyId": "16444216" -- }, -- "subject": "....", -- "serialNumber": "9999999999999999999999999999" -- }, -- { -- "type": "certBag", -- "attrs": { -- "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=", -- "friendlyName": "XYZ", -- "enhKeyUsage": [ -- { -- "oid": "1.3.6.1.5.5.7.3.2", -- "usage": "clientAuth" -- }, -- { -- "oid": "1.3.6.1.5.5.7.3.4", -- "usage": "emailProtection" -- }, -- { -- "oid": "1.3.6.1.5.5.7.3.3", -- "usage": "codeSigning" -- }, -- { -- "oid": "1.3.6.1.5.5.7.3.8", -- "usage": "timeStamping" -- }, -- { -- "oid": "1.3.6.1.4.1.311.10.3.4", -- "usage": "encryptedFileSystem" -- }, -- { -- "oid": "1.3.6.1.5.5.8.2.2", -- "usage": "iKEIntermediate" -- }, -- -- { -- "oid": "1.3.6.1.5.5.7.3.6", -- "usage": "ipsecTunnel" -- }, -- { -- "oid": "1.3.6.1.5.5.7.3.7", -- "usage": "ipsecUser" -- }, -- { -- "oid": "1.3.6.1.5.5.7.3.5", -- "usage": "ipsecEndSystem" -- } -- ] -- }, -- "subject": "...", -- "serialNumber": "8888888888888888888888888888" -- }, -- { -- "type": "certBag", -- "subject": "...", -- "serialNumber": "777777777777777777777777777" -- } -- ] -- } -- ] -- } -- } -- ------------------------------------------------------------------------------------------ -- OK... now let's change the AlgorithmId to "pbes2" EXEC sp_OASetProperty @pfx, 'AlgorithmId', 'pbes2' -- We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256". -- Let's set them anyway just for the example... EXEC sp_OASetProperty @pfx, 'Pbes2CryptAlg', 'aes256-cbc' EXEC sp_OASetProperty @pfx, 'Pbes2HmacAlg', 'hmacWithSha256' -- Rewrite the PFX using pbes2/aes256 + sha256 EXEC sp_OAMethod @pfx, 'ToFile', @success OUT, 'secret', 'qa_output/test_secret_aes256.pfx' IF @success = 0 BEGIN EXEC sp_OAGetProperty @pfx, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @pfx RETURN END PRINT 'Success.' EXEC @hr = sp_OADestroy @pfx END GO |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.