Sample code for 30+ languages & platforms
SQL Server

Rewrite PFX using AES256-SHA256

See more PFX/P12 Examples

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Chilkat SQL Server Downloads

SQL Server
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    DECLARE @pfx int
    EXEC @hr = sp_OACreate 'Chilkat.Pfx', @pfx OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- Let's load a .pfx and examine the encryption algorithms used to protect the private key:
    EXEC sp_OAMethod @pfx, 'LoadPfxFile', @success OUT, 'qa_data/pfx/test_secret.pfx', 'secret'
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @pfx, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pfx
        RETURN
      END

    -- Examine the algorithms:

    -- "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?

    EXEC sp_OAGetProperty @pfx, 'AlgorithmId', @sTmp0 OUT
    PRINT 'Algorithm: ' + @sTmp0

    -- If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
    -- (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)

    EXEC sp_OAGetProperty @pfx, 'Pbes2CryptAlg', @sTmp0 OUT
    PRINT 'Pbes2CryptAlg: ' + @sTmp0

    EXEC sp_OAGetProperty @pfx, 'Pbes2HmacAlg', @sTmp0 OUT
    PRINT 'Pbes2HmacAlg: ' + @sTmp0

    -- Our output so far:

    -- Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
    -- Pbes2CryptAlg: aes256-cbc
    -- Pbes2HmacAlg: hmacWithSha256

    -- This tells us that the PFX we loaded was protected using triple-DES with SHA1.
    -- (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
    -- The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

    -- Examine the last JSON data collected in the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
    DECLARE @json int
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @json OUT

    EXEC sp_OAMethod @pfx, 'GetLastJsonData', NULL, @json

    EXEC sp_OASetProperty @json, 'EmitCompact', 0
    EXEC sp_OAMethod @json, 'Emit', @sTmp0 OUT
    PRINT @sTmp0

    -- Sample output

    -- Use this online tool to generate parsing code from sample JSON: 
    -- Generate Parsing Code from JSON

    -- {
    --   "authenticatedSafe": {
    --     "contentInfo": [
    --       {
    --         "type": "Data",
    --         "safeBag": [
    --           {
    --             "type": "pkcs8ShroudedKeyBag",
    --             "attrs": {
    --               "localKeyId": "16444216",
    --               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
    --               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
    --             }
    --           }
    --         ]
    --       },
    --       {
    --         "type": "EncryptedData",
    --         "safeBag": [
    --           {
    --             "type": "certBag",
    --             "attrs": {
    --               "localKeyId": "16444216"
    --             },
    --             "subject": "....",
    --             "serialNumber": "9999999999999999999999999999"
    --           },
    --           {
    --             "type": "certBag",
    --             "attrs": {
    --               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
    --               "friendlyName": "XYZ",
    --               "enhKeyUsage": [
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.2",
    --                   "usage": "clientAuth"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.4",
    --                   "usage": "emailProtection"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.3",
    --                   "usage": "codeSigning"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.8",
    --                   "usage": "timeStamping"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.4.1.311.10.3.4",
    --                   "usage": "encryptedFileSystem"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.8.2.2",
    --                   "usage": "iKEIntermediate"
    --                 },
    -- 
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.6",
    --                   "usage": "ipsecTunnel"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.7",
    --                   "usage": "ipsecUser"
    --                 },
    --                 {
    --                   "oid": "1.3.6.1.5.5.7.3.5",
    --                   "usage": "ipsecEndSystem"
    --                 }
    --               ]
    --             },
    --             "subject": "...",
    --             "serialNumber": "8888888888888888888888888888"
    --           },
    --           {
    --             "type": "certBag",
    --             "subject": "...",
    --             "serialNumber": "777777777777777777777777777"
    --           }
    --         ]
    --       }
    --     ]
    --   }
    -- }

    -- ------------------------------------------------------------------------------------------
    -- OK... now let's change the AlgorithmId to "pbes2" 

    EXEC sp_OASetProperty @pfx, 'AlgorithmId', 'pbes2'

    -- We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
    -- Let's set them anyway just for the example...
    EXEC sp_OASetProperty @pfx, 'Pbes2CryptAlg', 'aes256-cbc'
    EXEC sp_OASetProperty @pfx, 'Pbes2HmacAlg', 'hmacWithSha256'

    -- Rewrite the PFX using pbes2/aes256 + sha256
    EXEC sp_OAMethod @pfx, 'ToFile', @success OUT, 'secret', 'qa_output/test_secret_aes256.pfx'
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @pfx, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pfx
        EXEC @hr = sp_OADestroy @json
        RETURN
      END


    PRINT 'Success.'

    EXEC @hr = sp_OADestroy @pfx
    EXEC @hr = sp_OADestroy @json


END
GO