SQL Server
SQL Server
PKCS11 Generate Secret Key (such as AES)
See more PKCS11 Examples
Generates a symmetric secret key such as AES on the HSM.Note: This example requires Chilkat v9.5.0.96 or later.
Chilkat SQL Server Downloads
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
DECLARE @hr int
-- Important: Do not use nvarchar(max). See the warning about using nvarchar(max).
DECLARE @sTmp0 nvarchar(4000)
DECLARE @success int
SELECT @success = 0
-- This example requires the Chilkat API to have been previously unlocked.
-- See Global Unlock Sample for sample code.
-- Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.
DECLARE @pkcs11 int
EXEC @hr = sp_OACreate 'Chilkat.Pkcs11', @pkcs11 OUT
IF @hr <> 0
BEGIN
PRINT 'Failed to create ActiveX component'
RETURN
END
-- Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
-- (The format of the path will change with the operating system. Obviously, "C:/" is not used on non-Windows systems.
EXEC sp_OASetProperty @pkcs11, 'SharedLibPath', 'C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll'
-- Establish a logged-on session.
DECLARE @pin nvarchar(4000)
SELECT @pin = '0000'
DECLARE @userType int
SELECT @userType = 1
EXEC sp_OAMethod @pkcs11, 'QuickSession', @success OUT, @userType, @pin
IF @success = 0
BEGIN
EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
EXEC @hr = sp_OADestroy @pkcs11
RETURN
END
-- Let's generate a 256-bit AES key on the token, which will exist for the duration of this session.
-- Symmetric keys, such as AES keys, are typically created (or imported) and used during a single session.
-- Other possible values for keyType are "AES XTS", "Blowfish", "Twofish", "ChaCha20", and others.
-- In virtually all cases, you'll want to create an AES key.
DECLARE @keyType nvarchar(4000)
SELECT @keyType = 'AES'
-- Specify attributes and abilities (how this key can be used) by providing a JSON template.
DECLARE @json int
EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @json OUT
-- The key can be extracted or wrapped.
EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'extractable', 1
-- Allow the key to be used for encryption, decryption, wrapping other keys, and unwrapping other keys.
EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'encrypt', 1
EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'decrypt', 1
EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'wrap', 1
EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'unwrap', 1
-- Indicate a 256-bit AES key is to be generated by setting the value_len attribute equal to the key size in bytes.
-- (32 bytes * 8 bits/byte = 256 bits)
EXEC sp_OAMethod @json, 'UpdateInt', @success OUT, 'value_len', 32
DECLARE @keyHandle int
EXEC sp_OAMethod @pkcs11, 'GenSecretKey', @keyHandle OUT, @keyType, @json
IF @keyHandle = 0
BEGIN
EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
PRINT 'Failed to generate an AES key.'
END
ELSE
BEGIN
PRINT 'key handle = ' + @keyHandle
PRINT 'Success.'
END
EXEC sp_OAMethod @pkcs11, 'Logout', @success OUT
EXEC sp_OAMethod @pkcs11, 'CloseSession', @success OUT
EXEC @hr = sp_OADestroy @pkcs11
EXEC @hr = sp_OADestroy @json
END
GO