(SQL Server) Create CAdES p7m using AWS KMS to Sign in the Cloud
Demonstrates how to create a CAdES p7m using AWS KMS. The signing of the hash happens in the cloud on AWS KMS; everything else involved in creating the CAdES signature happens locally within Chilkat.
Note: This example requires Chilkat v9.5.0.96 or greater.
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls.
--
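CREATE PROCEDURE ChilkatSample
AS
BEGIN
    -- Creates a CAdES-BES .p7m (attached signature) from a local input file.
    -- Chilkat builds the PKCS7/CAdES structure locally; only the RSA signing of
    -- the hash is delegated to AWS KMS, so the private key never leaves KMS and
    -- only the public certificate (.cer, no private key) is needed on this host.
    -- Requires Chilkat v9.5.0.96 or greater and the instance-wide
    -- 'Ole Automation Procedures' option (sp_OA* run in-process under the
    -- SQL Server service account, so grant EXECUTE on this procedure sparingly).
    -- This example assumes the Chilkat API to have been previously unlocked.
    -- See Global Unlock Sample for sample code.
    -- Prints 'Success.' or Chilkat's LastErrorText. Every COM object that was
    -- created is released at the Cleanup label on both the success and error paths.
    DECLARE @hr int
    DECLARE @success int
    -- Important: Do not use nvarchar(max). See the warning about using nvarchar(max).
    -- A LastErrorText longer than 4000 characters is truncated when printed.
    DECLARE @sTmp0 nvarchar(4000)

    -- COM handles start at 0 so Cleanup only destroys objects that were created.
    DECLARE @cert int = 0
    DECLARE @jsonAwsKms int = 0
    DECLARE @crypt int = 0
    DECLARE @signedAttrs int = 0

    -- You can sign any type of file..
    DECLARE @inputXmlPath nvarchar(4000)
    SELECT @inputXmlPath = 'qa_data/e-Invoice.xml'
    DECLARE @outputP7mPath nvarchar(4000)
    SELECT @outputP7mPath = 'qa_output/signed.p7m'

    -- Load the certificate used for signing. The certificate's private key is stored in AWS KMS.
    -- However, we still need the certificate locally (without private key).
    -- Use "Chilkat_9_5_0.Cert" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.Cert', @cert OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        GOTO Cleanup
    END

    EXEC sp_OAMethod @cert, 'LoadFromFile', @success OUT, 'qa_data/certs/myCert.cer'
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        GOTO Cleanup
    END

    -- To sign using AWS KMS, specify your AWS authentication credentials and the
    -- ID of the KMS private key (the key ID is shown in the AWS KMS console).
    -- ACCESS_KEY / SECRET_KEY are placeholders. Anything written here is readable
    -- by every principal with VIEW DEFINITION on the procedure and ends up in
    -- backups and source control, so prefer supplying the credentials at runtime
    -- and restrict the IAM principal to kms:Sign on this single key.
    -- Use "Chilkat_9_5_0.JsonObject" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @jsonAwsKms OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        GOTO Cleanup
    END
    -- Set the "service" equal to "aws_kms" to tell Chilkat to use AWS KMS for signing.
    EXEC sp_OAMethod @jsonAwsKms, 'UpdateString', @success OUT, 'service', 'aws_kms'
    EXEC sp_OAMethod @jsonAwsKms, 'UpdateString', @success OUT, 'access_key', 'ACCESS_KEY'
    EXEC sp_OAMethod @jsonAwsKms, 'UpdateString', @success OUT, 'secret_key', 'SECRET_KEY'
    -- Make sure to specify the correct region for your case.
    EXEC sp_OAMethod @jsonAwsKms, 'UpdateString', @success OUT, 'region', 'us-west-2'
    -- The key ID below is the sample's; replace it with your own key ID.
    EXEC sp_OAMethod @jsonAwsKms, 'UpdateString', @success OUT, 'key_id', '187012e8-008f-4fc7-b100-5efe6146dff2'

    -- SetCloudSigner reports success/failure like the other calls; do not
    -- continue to signing if the cloud signer could not be attached.
    EXEC sp_OAMethod @cert, 'SetCloudSigner', @success OUT, @jsonAwsKms
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        GOTO Cleanup
    END

    -- Use "Chilkat_9_5_0.Crypt2" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.Crypt2', @crypt OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        GOTO Cleanup
    END
    EXEC sp_OAMethod @crypt, 'SetSigningCert', @success OUT, @cert
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @crypt, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        GOTO Cleanup
    END

    -- The CadesEnabled property applies to all methods that create PKCS7 signatures.
    -- To create a CAdES-BES signature, set this property equal to true.
    EXEC sp_OASetProperty @crypt, 'CadesEnabled', 1
    EXEC sp_OASetProperty @crypt, 'HashAlgorithm', 'sha256'

    -- Signed attributes: contentType, signingTime and messageDigest are the usual
    -- CMS set; signingCertificateV2 binds the signer certificate into the signed
    -- data, which is what distinguishes CAdES-BES from a plain PKCS7 signature.
    -- Use "Chilkat_9_5_0.JsonObject" for versions of Chilkat < 10.0.0
    EXEC @hr = sp_OACreate 'Chilkat.JsonObject', @signedAttrs OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        GOTO Cleanup
    END
    EXEC sp_OAMethod @signedAttrs, 'UpdateInt', @success OUT, 'contentType', 1
    EXEC sp_OAMethod @signedAttrs, 'UpdateInt', @success OUT, 'signingTime', 1
    EXEC sp_OAMethod @signedAttrs, 'UpdateInt', @success OUT, 'messageDigest', 1
    EXEC sp_OAMethod @signedAttrs, 'UpdateInt', @success OUT, 'signingCertificateV2', 1
    EXEC sp_OAMethod @signedAttrs, 'Emit', @sTmp0 OUT
    EXEC sp_OASetProperty @crypt, 'SigningAttributes', @sTmp0

    -- Create the CAdES-BES attached signature, which contains the original data.
    -- Chilkat builds the .p7m locally but (internally) calls AWS KMS to perform
    -- the RSA signing of the hash remotely.
    EXEC sp_OAMethod @crypt, 'CreateP7M', @success OUT, @inputXmlPath, @outputP7mPath
    IF @success = 0
    BEGIN
        EXEC sp_OAGetProperty @crypt, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        GOTO Cleanup
    END
    PRINT 'Success.'

Cleanup:
    -- Release every COM object that was created (handles left at 0 were never created).
    IF @signedAttrs <> 0 EXEC @hr = sp_OADestroy @signedAttrs
    IF @crypt <> 0 EXEC @hr = sp_OADestroy @crypt
    IF @jsonAwsKms <> 0 EXEC @hr = sp_OADestroy @jsonAwsKms
    IF @cert <> 0 EXEC @hr = sp_OADestroy @cert
END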
GO