
PKCS11 Import a Private Key onto the HSM


Demonstrates how to import an existing RSA private key onto the smartcard/token. The imported key is a token object, meaning it stays on the HSM and exists beyond the end of the PKCS11 session.


-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
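CREATE PROCEDURE ChilkatSample
AS
BEGIN
    -- Imports the private key contained in a .pfx/.p12 file onto a PKCS#11 token (HSM)
    -- through the Chilkat COM objects.  The key is created as a token object, so it
    -- persists on the device after the session ends.
    -- Side effects: creates a key object on the token; prints progress and any
    -- LastErrorText to the SQL Server message stream.  Returns no result set.
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    -- This example requires the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.

    -- Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

    DECLARE @pkcs11 int
    EXEC @hr = sp_OACreate 'Chilkat.Pkcs11', @pkcs11 OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- Use the PKCS11 driver (.dll, .so, .dylib) for your particular HSM.
    -- (The format of the path will change with the operating system.  Obviously, "C:/" is not used on non-Windows systems.)
    EXEC sp_OASetProperty @pkcs11, 'SharedLibPath', 'C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll'

    -- Establish a logged-on session.
    -- The PIN is hard-coded only for the sample.  A procedure's text is readable through
    -- sys.sql_modules by anyone holding VIEW DEFINITION, so in a real deployment pass the PIN
    -- in as a procedure parameter or read it from a secret store rather than embedding it here.
    DECLARE @pin nvarchar(4000)
    SELECT @pin = '0000'
    -- User type 1 is the PKCS#11 CKU_USER login (a normal user, not the security officer).
    DECLARE @userType int
    SELECT @userType = 1
    EXEC sp_OAMethod @pkcs11, 'QuickSession', @success OUT, @userType, @pin
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pkcs11
        RETURN
    END

    -- Let's import a certificate's private key onto the HSM.
    -- First, we'll load the certificate from a .pfx (also known as .p12), which is a file format
    -- that also includes the certificate's private key.
    DECLARE @cert int
    EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
    -- Check every sp_OACreate: a 0 object handle would otherwise be passed to later calls.
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        EXEC @hr = sp_OADestroy @pkcs11
        RETURN
    END

    EXEC sp_OAMethod @cert, 'LoadPfxFile', @success OUT, 'qa_data/pfx/ehealth.fgov.be_testing.p12', 'p12_password'
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pkcs11
        EXEC @hr = sp_OADestroy @cert
        RETURN
    END

    -- Let's get the certificate's private key.
    DECLARE @privKey int
    EXEC @hr = sp_OACreate 'Chilkat.PrivateKey', @privKey OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        EXEC @hr = sp_OADestroy @pkcs11
        EXEC @hr = sp_OADestroy @cert
        RETURN
    END

    EXEC sp_OAMethod @cert, 'GetPrivateKey', @success OUT, @privKey
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @pkcs11
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @privKey
        RETURN
    END

    -- Build a PKCS11 template to provide additional information about the key to be imported.
    DECLARE @jsonTemplate int
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @jsonTemplate OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        EXEC @hr = sp_OADestroy @pkcs11
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @privKey
        RETURN
    END

    -- Indicate that the key is to be stored on the token.  It is NOT a session object.
    EXEC sp_OAMethod @jsonTemplate, 'UpdateBool', @success OUT, 'token', 1

    -- Indicate that the key can be used for signing.
    -- Only the usage the key actually needs should be enabled here; attributes such as
    -- "sign" are what the token enforces on later operations.
    EXEC sp_OAMethod @jsonTemplate, 'UpdateBool', @success OUT, 'sign', 1

    -- Provide an arbitrary ID and label (anything you want).
    -- The information in the ID and/or label provides one means for finding the key in future PKCS11 sessions.
    EXEC sp_OAMethod @jsonTemplate, 'UpdateString', @success OUT, 'id_hex', '010203040A0B0C0D0E0F'
    EXEC sp_OAMethod @jsonTemplate, 'UpdateString', @success OUT, 'label', 'ehealth private key'

    -- Import the key.  The private key handle is returned on success.  Otherwise 0 is returned.
    -- If our only task for now is to simply import the key, we can ignore the returned handle,
    -- other than to check for success/failure.  Otherwise, the handle can be used in other PKCS11 operations.
    -- This example just creates the key and does not use the returned handle.
    DECLARE @keyHandle int
    EXEC sp_OAMethod @pkcs11, 'ImportPrivateKey', @keyHandle OUT, @privKey, @jsonTemplate
    IF @keyHandle = 0
    BEGIN
        EXEC sp_OAGetProperty @pkcs11, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
    END
    ELSE
    BEGIN
        -- The int handle must be cast explicitly: 'string' + int makes T-SQL try to
        -- convert the string to int and raises a conversion error instead of printing.
        PRINT 'key handle = ' + CAST(@keyHandle AS nvarchar(20))

        PRINT 'Successfully imported a private key onto the HSM.'
    END

    -- Always log out and close the session, whether or not the import succeeded.
    EXEC sp_OAMethod @pkcs11, 'Logout', @success OUT
    EXEC sp_OAMethod @pkcs11, 'CloseSession', @success OUT

    EXEC @hr = sp_OADestroy @pkcs11
    EXEC @hr = sp_OADestroy @cert
    EXEC @hr = sp_OADestroy @privKey
    EXEC @hr = sp_OADestroy @jsonTemplate


END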
GO