Sample code for 30+ languages & platforms
SQL Server

PKCS11 Generate Secret Key (such as AES)

See more PKCS11 Examples

Generates a symmetric secret key such as AES on the HSM.

Note: This example requires Chilkat v9.5.0.96 or later.

Chilkat SQL Server Downloads

SQL Server
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    -- This example requires the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.

    -- Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

    DECLARE @pkcs11 int
    EXEC @hr = sp_OACreate 'Chilkat.Pkcs11', @pkcs11 OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
    -- (The format of the path will change with the operating system.  Obviously, "C:/" is not used on non-Windows systems.
    EXEC sp_OASetProperty @pkcs11, 'SharedLibPath', 'C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll'

    -- Establish a logged-on session.
    DECLARE @pin nvarchar(4000)
    SELECT @pin = '0000'
    DECLARE @userType int
    SELECT @userType = 1
    EXEC sp_OAMethod @pkcs11, 'QuickSession', @success OUT, @userType, @pin
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pkcs11
        RETURN
      END

    -- Let's generate a 256-bit AES key on the token, which will exist for the duration of this session.
    -- Symmetric keys, such as AES keys, are typically created (or imported) and used during a single session.

    -- Other possible values for keyType are "AES XTS", "Blowfish", "Twofish", "ChaCha20", and others. 
    -- In virtually all cases, you'll want to create an AES key.
    DECLARE @keyType nvarchar(4000)
    SELECT @keyType = 'AES'

    -- Specify attributes and abilities (how this key can be used) by providing a JSON template.
    DECLARE @json int
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @json OUT

    -- The key can be extracted or wrapped.
    EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'extractable', 1

    -- Allow the key to be used for encryption, decryption, wrapping other keys, and unwrapping other keys.
    EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'encrypt', 1
    EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'decrypt', 1
    EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'wrap', 1
    EXEC sp_OAMethod @json, 'UpdateBool', @success OUT, 'unwrap', 1

    -- Indicate a 256-bit AES key is to be generated by setting the value_len attribute equal to the key size in bytes.
    -- (32 bytes * 8 bits/byte = 256 bits)
    EXEC sp_OAMethod @json, 'UpdateInt', @success OUT, 'value_len', 32

    DECLARE @keyHandle int
    EXEC sp_OAMethod @pkcs11, 'GenSecretKey', @keyHandle OUT, @keyType, @json
    IF @keyHandle = 0
      BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0

        PRINT 'Failed to generate an AES key.'
      END
    ELSE
      BEGIN

        PRINT 'key handle = ' + @keyHandle

        PRINT 'Success.'
      END

    EXEC sp_OAMethod @pkcs11, 'Logout', @success OUT
    EXEC sp_OAMethod @pkcs11, 'CloseSession', @success OUT

    EXEC @hr = sp_OADestroy @pkcs11
    EXEC @hr = sp_OADestroy @json


END
GO