(SQL Server) RSA Sign using a Private Key on a USB Token or Smartcard

See more Apple Keychain Examples

Create an RSA signature using a private key stored on a USB token or smartcard.

Note: On MacOS and iOS, this example requires Chilkat v10.1.2 or later when the Apple Keychain is used as the underlying means to do the signing.

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    DECLARE @iTmp0 int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    -- Assuming the smartcard/USB token is installed with the correct drivers from the manufacturer,
    -- this code can work on multiple platforms including Windows, MacOS, Linux, and iOS.

    -- Chilkat automatically detects and determines the way in which the HSM is used,
    -- which can be by PKCS11, Apple Keychain, Microsoft CNG / Crypto API, or ScMinidriver.

    DECLARE @cert int
    -- Use "Chilkat_9_5_0.Cert" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- Set the token/smartcard PIN prior to loading.
    EXEC sp_OASetProperty @cert, 'SmartCardPin', '123456'

    -- Specify the certificate by its common name.
    DECLARE @success int
    EXEC sp_OAMethod @cert, 'LoadFromSmartcard', @success OUT, 'cn=chilkat-rsa-2048'
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @cert
        RETURN
      END


    EXEC sp_OAGetProperty @cert, 'SubjectCN', @sTmp0 OUT
    PRINT 'Signing with cert: ' + @sTmp0

    -- Create data to be hashed and signed.
    DECLARE @bd int
    -- Use "Chilkat_9_5_0.BinData" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.BinData', @bd OUT

    DECLARE @i int

    SELECT @i = 0
    WHILE @i <= 100
      BEGIN
        EXEC sp_OAMethod @bd, 'AppendEncoded', @success OUT, '000102030405060708090A0B0C0D0E0F', 'hex'
        SELECT @i = @i + 1
      END

    DECLARE @rsa int
    -- Use "Chilkat_9_5_0.Rsa" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.Rsa', @rsa OUT

    -- Use the certificate's private key for signing.
    EXEC sp_OAMethod @rsa, 'SetX509Cert', @success OUT, @cert, 1
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @rsa, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @rsa
        RETURN
      END

    -- Sign the SHA-256 hash of the contents of bd.
    DECLARE @bdSig int
    -- Use "Chilkat_9_5_0.BinData" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.BinData', @bdSig OUT

    EXEC sp_OAMethod @rsa, 'SignBd', @success OUT, @bd, 'sha256', @bdSig
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @rsa, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @rsa
        EXEC @hr = sp_OADestroy @bdSig
        RETURN
      END

    -- The RSA signature is equal in length to the size of the RSA key.

    EXEC sp_OAGetProperty @bdSig, 'NumBytes', @iTmp0 OUT
    PRINT 'Output signature size in bits = ' + @iTmp0 * 8

    -- We can save the signature for later verification..
    EXEC sp_OAMethod @bdSig, 'WriteFile', @success OUT, 'rsaSignatures/test1.sig'

    -- See the example to verify the RSA signature:
    -- Verfies an RSA Signature

    EXEC @hr = sp_OADestroy @cert
    EXEC @hr = sp_OADestroy @bd
    EXEC @hr = sp_OADestroy @rsa
    EXEC @hr = sp_OADestroy @bdSig


END
GO