
Yubikey RSA Encrypt/Decrypt


Demonstrates how to do RSA decryption using a private key stored on a Yubikey (or other USB token or smartcard).

Note: RSA encryption uses the public key, which is freely exportable, so the encryption step does not need to occur on the token/smartcard.


SQL Server
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
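CREATE PROCEDURE ChilkatSample
AS
BEGIN
    -- Purpose: RSA-encrypt 32 bytes of sample data with the public key of a certificate
    -- held on a Yubikey (or other PKCS11 token/smartcard), then decrypt the result with
    -- the matching private key on the token. Both results are printed as hex.
    --
    -- Operational notes:
    --   * The sp_OA* procedures are only available when the 'Ole Automation Procedures'
    --     server option is enabled. They create COM objects on behalf of the SQL Server
    --     service, so enabling the option widens the server's attack surface; restrict
    --     who may execute this procedure.
    --   * The token presumably has to be reachable from the SQL Server host, not from
    --     the client workstation -- confirm for your deployment.
    DECLARE @hr int
    -- Important: Do not use nvarchar(max).  See the warning about using nvarchar(max).
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @success int
    SELECT @success = 0

    -- This example assumes you have a certificate with private key on the Yubikey token.
    -- When doing simple RSA encryption/decryption, we don't actually need the certificate,
    -- but we'll be using the private key associated with the certificate.
    --
    -- The sensitive/secret material that needs to be kept private is the private key.
    -- The certificate itself and the public key can be freely shared.

    -- We're going to encrypt and decrypt 32 bytes of data (two 16-byte hex chunks).
    DECLARE @bd int
    EXEC @hr = sp_OACreate 'Chilkat.BinData', @bd OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    -- @success is reset to 0 before each method call: if sp_OAMethod itself fails, the
    -- OUT variable is not assigned and a stale 1 would otherwise hide the failure.
    SELECT @success = 0
    EXEC sp_OAMethod @bd, 'AppendEncoded', @success OUT, '000102030405060708090A0B0C0D0E0F', 'hex'
    IF @success <> 0
      BEGIN
        SELECT @success = 0
        EXEC sp_OAMethod @bd, 'AppendEncoded', @success OUT, '000102030405060708090A0B0C0D0E0F', 'hex'
      END
    IF @success = 0
      BEGIN
        PRINT 'Failed to load the sample data'
        EXEC @hr = sp_OADestroy @bd
        RETURN
      END

    -- Let's get the desired cert.
    -- For this example, a self-signed certificate with a 2048-bit RSA key was generated in slot 9A.
    DECLARE @cert int
    EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        EXEC @hr = sp_OADestroy @bd
        RETURN
    END

    -- Force Chilkat to use PKCS11 over ScMinidriver (if on Windows) and Apple Keychain (if on MacOS)
    EXEC sp_OASetProperty @cert, 'UncommonOptions', 'NoScMinidriver,NoAppleKeychain'

    -- SECURITY: the PIN below is the sample's placeholder (it is also the YubiKey PIV
    -- factory-default PIN). Change the token's PIN before real use, and do not embed the
    -- real PIN in the procedure text: the definition is stored in the database catalog
    -- and is readable by anyone allowed to view it. Supply it from a protected source.
    EXEC sp_OASetProperty @cert, 'SmartCardPin', '123456'

    SELECT @success = 0
    EXEC sp_OAMethod @cert, 'LoadFromSmartcard', @success OUT, 'cn=chilkat_test_2048'
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @cert
        RETURN
      END

    -- Create the RSA object that performs both operations.
    DECLARE @rsa int
    EXEC @hr = sp_OACreate 'Chilkat.Rsa', @rsa OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @cert
        RETURN
    END

    -- Provide the RSA object with the certificate on the Yubikey.
    -- NOTE(review): the trailing 1 presumably asks for the certificate's private key to
    -- be used as well -- confirm against the Chilkat reference.
    SELECT @success = 0
    EXEC sp_OAMethod @rsa, 'SetX509Cert', @success OUT, @cert, 1
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @rsa, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @rsa
        RETURN
      END

    -- RSA encrypt using the public key (@usePrivateKey = 0); @bd is replaced in place.
    -- No padding option is set here, so the Rsa object's default padding scheme applies.
    -- For new designs OAEP is generally preferred over PKCS#1 v1.5 (Chilkat exposes an
    -- OaepPadding property); check that the token's PKCS11 module supports the choice.
    DECLARE @usePrivateKey int
    SELECT @usePrivateKey = 0
    SELECT @success = 0
    EXEC sp_OAMethod @rsa, 'EncryptBd', @success OUT, @bd, @usePrivateKey
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @rsa, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @rsa
        RETURN
      END


    PRINT 'RSA Encrypted Output in Hex:'
    EXEC sp_OAMethod @bd, 'GetEncoded', @sTmp0 OUT, 'hex'
    PRINT @sTmp0

    -- Now let's decrypt, using the private key on the Yubikey (@usePrivateKey = 1).
    SELECT @usePrivateKey = 1
    SELECT @success = 0
    EXEC sp_OAMethod @rsa, 'DecryptBd', @success OUT, @bd, @usePrivateKey
    IF @success = 0
      BEGIN
        EXEC sp_OAGetProperty @rsa, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        EXEC @hr = sp_OADestroy @bd
        EXEC @hr = sp_OADestroy @cert
        EXEC @hr = sp_OADestroy @rsa
        RETURN
      END


    -- Printing the plaintext is acceptable for this fixed sample value only; do not
    -- PRINT real decrypted data, since the output goes to the client and may be logged.
    PRINT 'RSA Decrypted Output in Hex:'
    EXEC sp_OAMethod @bd, 'GetEncoded', @sTmp0 OUT, 'hex'
    PRINT @sTmp0

    -- Release the COM objects.
    EXEC @hr = sp_OADestroy @bd
    EXEC @hr = sp_OADestroy @cert
    EXEC @hr = sp_OADestroy @rsa


END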
GO