SQL Server
SQL Server
PKCS11 Import an Existing AES Key onto the HSM
See more PKCS11 Examples
Demonstrates how to import an existing AES symmetric encrytion key onto the smartcard/token. The imported AES key is a session object, and only exists for the duration of the PKCS11 session. (AES keys are typically used for wrapping/unwrapping RSA and EC keys.)Note: This example requires Chilkat v9.5.0.96 or later.
Chilkat SQL Server Downloads
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
DECLARE @hr int
-- Important: Do not use nvarchar(max). See the warning about using nvarchar(max).
DECLARE @sTmp0 nvarchar(4000)
DECLARE @success int
SELECT @success = 0
-- This example requires the Chilkat API to have been previously unlocked.
-- See Global Unlock Sample for sample code.
-- Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.
DECLARE @pkcs11 int
EXEC @hr = sp_OACreate 'Chilkat.Pkcs11', @pkcs11 OUT
IF @hr <> 0
BEGIN
PRINT 'Failed to create ActiveX component'
RETURN
END
-- Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
-- (The format of the path will change with the operating system. Obviously, "C:/" is not used on non-Windows systems.
EXEC sp_OASetProperty @pkcs11, 'SharedLibPath', 'C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll'
-- Establish a logged-on session.
DECLARE @pin nvarchar(4000)
SELECT @pin = '0000'
DECLARE @userType int
SELECT @userType = 1
EXEC sp_OAMethod @pkcs11, 'QuickSession', @success OUT, @userType, @pin
IF @success = 0
BEGIN
EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
EXEC @hr = sp_OADestroy @pkcs11
RETURN
END
-- Generate a 256-bit AES key.
-- (32 bytes is 256 bits)
-- Append 32 bytes of random data in the base64 encoding.
DECLARE @sbAesKey int
EXEC @hr = sp_OACreate 'Chilkat.StringBuilder', @sbAesKey OUT
EXEC sp_OAMethod @sbAesKey, 'AppendRandom', @success OUT, 32, 'base64'
DECLARE @attrs int
EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @attrs OUT
-- Specify the type of object, and the type of key.
EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'class', 'CKO_SECRET_KEY'
EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'key_type', 'CKK_AES'
-- Add an optional label if desired.
EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'label', 'My AES wrapping/unwrapping key'
-- Allow the key to be use for wrapping and unwrapping operations.
EXEC sp_OAMethod @attrs, 'UpdateBool', @success OUT, 'wrap', 1
EXEC sp_OAMethod @attrs, 'UpdateBool', @success OUT, 'unwrap', 1
-- Provide the AES key material.
EXEC sp_OAMethod @sbAesKey, 'GetAsString', @sTmp0 OUT
EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'value', @sTmp0
-- Create the object (i.e. create the AES key with the given key material.)
-- Returns the PKCS11 object handle of the created AES session key.
DECLARE @objHandle int
EXEC sp_OAMethod @pkcs11, 'CreatePkcs11Object', @objHandle OUT, @attrs
IF @objHandle = 0
BEGIN
EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
PRINT @sTmp0
PRINT 'Failed.'
END
ELSE
BEGIN
PRINT 'PKCS11 object handle = ' + @objHandle
PRINT 'Successfully created a 256-bit AES session key.'
END
-- Typically, you would do other things in the PKCS11 session that use the handle of AES key we just created.
-- ...
-- ...
EXEC sp_OAMethod @pkcs11, 'Logout', @success OUT
EXEC sp_OAMethod @pkcs11, 'CloseSession', @success OUT
EXEC @hr = sp_OADestroy @pkcs11
EXEC @hr = sp_OADestroy @sbAesKey
EXEC @hr = sp_OADestroy @attrs
END
GO