Sample code for 30+ languages & platforms
SQL Server

PKCS11 Import an Existing AES Key onto the HSM

See more PKCS11 Examples

Demonstrates how to import an existing AES symmetric encrytion key onto the smartcard/token. The imported AES key is a session object, and only exists for the duration of the PKCS11 session. (AES keys are typically used for wrapping/unwrapping RSA and EC keys.)

Note: This example requires Chilkat v9.5.0.96 or later.

Chilkat SQL Server Downloads

SQL Server
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    -- This example requires the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.

    -- Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

    DECLARE @pkcs11 int
    EXEC @hr = sp_OACreate 'Chilkat.Pkcs11', @pkcs11 OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
    -- (The format of the path will change with the operating system.  Obviously, "C:/" is not used on non-Windows systems.
    EXEC sp_OASetProperty @pkcs11, 'SharedLibPath', 'C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll'

    -- Establish a logged-on session.
    DECLARE @pin nvarchar(4000)
    SELECT @pin = '0000'
    DECLARE @userType int
    SELECT @userType = 1
    EXEC sp_OAMethod @pkcs11, 'QuickSession', @success OUT, @userType, @pin
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pkcs11
        RETURN
      END

    -- Generate a 256-bit AES key.
    -- (32 bytes is 256 bits)
    -- Append 32 bytes of random data in the base64 encoding.
    DECLARE @sbAesKey int
    EXEC @hr = sp_OACreate 'Chilkat.StringBuilder', @sbAesKey OUT

    EXEC sp_OAMethod @sbAesKey, 'AppendRandom', @success OUT, 32, 'base64'

    DECLARE @attrs int
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @attrs OUT

    -- Specify the type of object, and the type of key.
    EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'class', 'CKO_SECRET_KEY'
    EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'key_type', 'CKK_AES'
    -- Add an optional label if desired.
    EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'label', 'My AES wrapping/unwrapping key'
    -- Allow the key to be use for wrapping and unwrapping operations.
    EXEC sp_OAMethod @attrs, 'UpdateBool', @success OUT, 'wrap', 1
    EXEC sp_OAMethod @attrs, 'UpdateBool', @success OUT, 'unwrap', 1

    -- Provide the AES key material.
    EXEC sp_OAMethod @sbAesKey, 'GetAsString', @sTmp0 OUT
    EXEC sp_OAMethod @attrs, 'UpdateString', @success OUT, 'value', @sTmp0

    -- Create the object (i.e. create the AES key with the given key material.)
    -- Returns the PKCS11 object handle of the created AES session key.
    DECLARE @objHandle int
    EXEC sp_OAMethod @pkcs11, 'CreatePkcs11Object', @objHandle OUT, @attrs
    IF @objHandle = 0
      BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0

        PRINT 'Failed.'
      END
    ELSE
      BEGIN

        PRINT 'PKCS11 object handle = ' + @objHandle

        PRINT 'Successfully created a 256-bit AES session key.'
      END

    -- Typically, you would do other things in the PKCS11 session that use the handle of AES key we just created.
    -- ...
    -- ...

    EXEC sp_OAMethod @pkcs11, 'Logout', @success OUT
    EXEC sp_OAMethod @pkcs11, 'CloseSession', @success OUT

    EXEC @hr = sp_OADestroy @pkcs11
    EXEC @hr = sp_OADestroy @sbAesKey
    EXEC @hr = sp_OADestroy @attrs


END
GO