search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
documented fixes.
[gnutls.git] / doc / examples / ex-cert-select-pkcs11.c
blob0bd032bf423d7c74a38d1803ef99aba55a6b1bf5
1 /* This example code is placed in the public domain. */
2
3 #ifdef HAVE_CONFIG_H
4 #include <config.h>
5 #endif
6
7 #include <getpass.h>
8
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <arpa/inet.h>
15 #include <unistd.h>
16 #include <gnutls/gnutls.h>
17 #include <gnutls/x509.h>
18 #include <gnutls/pkcs11.h>
19 #include <sys/types.h>
20 #include <sys/stat.h>
21 #include <fcntl.h>
22
23 /* A TLS client that loads the certificate and key.
24 */
25
26 #define MAX_BUF 1024
27 #define MSG "GET / HTTP/1.0\r\n\r\n"
28 #define MIN(x,y) (((x)<(y))?(x):(y))
29
30 #define CAFILE "ca.pem"
31 #define KEY_URL "pkcs11:manufacturer=SomeManufacturer;object=Private%20Key" \
32 ";objecttype=private;id=db:5b:3e:b5:72:33"
33 #define CERT_URL "pkcs11:manufacturer=SomeManufacturer;object=Certificate;" \
34 "objecttype=cert;id=db:5b:3e:b5:72:33"
35
36 extern int tcp_connect (void);
37 extern void tcp_close (int sd);
38
39 static int cert_callback (gnutls_session_t session,
40 const gnutls_datum_t * req_ca_rdn, int nreqs,
41 const gnutls_pk_algorithm_t * sign_algos,
42 int sign_algos_length, gnutls_retr2_st * st);
43
44 gnutls_x509_crt_t crt;
45 gnutls_pkcs11_privkey_t key;
46
47 /* Load the certificate and the private key.
48 */
49 static void
50 load_keys (void)
51 {
52 int ret;
53
54 gnutls_x509_crt_init (&crt);
55
56 ret = gnutls_x509_crt_import_pkcs11_url (crt, CERT_URL, 0);
57
58 /* some tokens require login to read data */
59 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
60 ret = gnutls_x509_crt_import_pkcs11_url (crt, CERT_URL,
61 GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
62
63 if (ret < 0)
64 {
65 fprintf (stderr, "*** Error loading key file: %s\n",
66 gnutls_strerror (ret));
67 exit (1);
68 }
69
70 gnutls_pkcs11_privkey_init (&key);
71
72 ret = gnutls_pkcs11_privkey_import_url (key, KEY_URL, 0);
73 if (ret < 0)
74 {
75 fprintf (stderr, "*** Error loading key file: %s\n",
76 gnutls_strerror (ret));
77 exit (1);
78 }
79
80 }
81
82 static int
83 pin_callback (void *user, int attempt, const char *token_url,
84 const char *token_label, unsigned int flags, char *pin,
85 size_t pin_max)
86 {
87 const char *password;
88 int len;
89
90 printf ("PIN required for token '%s' with URL '%s'\n", token_label,
91 token_url);
92 if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
93 printf ("*** This is the final try before locking!\n");
94 if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
95 printf ("*** Only few tries left before locking!\n");
96
97 password = getpass ("Enter pin: ");
98 if (password == NULL || password[0] == 0)
99 {
100 fprintf (stderr, "No password given\n");
101 exit (1);
102 }
103
104 len = MIN (pin_max, strlen (password));
105 memcpy (pin, password, len);
106 pin[len] = 0;
107
108 return 0;
109 }
110
111 int
112 main (void)
113 {
114 int ret, sd, ii;
115 gnutls_session_t session;
116 gnutls_priority_t priorities_cache;
117 char buffer[MAX_BUF + 1];
118 gnutls_certificate_credentials_t xcred;
119 /* Allow connections to servers that have OpenPGP keys as well.
120 */
121
122 gnutls_global_init ();
123 /* PKCS11 private key operations might require PIN.
124 * Register a callback.
125 */
126 gnutls_pkcs11_set_pin_function (pin_callback, NULL);
127
128 load_keys ();
129
130 /* X509 stuff */
131 gnutls_certificate_allocate_credentials (&xcred);
132
133 /* priorities */
134 gnutls_priority_init (&priorities_cache, "NORMAL", NULL);
135
136
137 /* sets the trusted cas file
138 */
139 gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
140
141 gnutls_certificate_set_retrieve_function (xcred, cert_callback);
142
143 /* Initialize TLS session
144 */
145 gnutls_init (&session, GNUTLS_CLIENT);
146
147 /* Use default priorities */
148 gnutls_priority_set (session, priorities_cache);
149
150 /* put the x509 credentials to the current session
151 */
152 gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
153
154 /* connect to the peer
155 */
156 sd = tcp_connect ();
157
158 gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
159
160 /* Perform the TLS handshake
161 */
162 ret = gnutls_handshake (session);
163
164 if (ret < 0)
165 {
166 fprintf (stderr, "*** Handshake failed\n");
167 gnutls_perror (ret);
168 goto end;
169 }
170 else
171 {
172 printf ("- Handshake was completed\n");
173 }
174
175 gnutls_record_send (session, MSG, strlen (MSG));
176
177 ret = gnutls_record_recv (session, buffer, MAX_BUF);
178 if (ret == 0)
179 {
180 printf ("- Peer has closed the TLS connection\n");
181 goto end;
182 }
183 else if (ret < 0)
184 {
185 fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
186 goto end;
187 }
188
189 printf ("- Received %d bytes: ", ret);
190 for (ii = 0; ii < ret; ii++)
191 {
192 fputc (buffer[ii], stdout);
193 }
194 fputs ("\n", stdout);
195
196 gnutls_bye (session, GNUTLS_SHUT_RDWR);
197
198 end:
199
200 tcp_close (sd);
201
202 gnutls_deinit (session);
203
204 gnutls_certificate_free_credentials (xcred);
205 gnutls_priority_deinit (priorities_cache);
206
207 gnutls_global_deinit ();
208
209 return 0;
210 }
211
212
213
214 /* This callback should be associated with a session by calling
215 * gnutls_certificate_client_set_retrieve_function( session, cert_callback),
216 * before a handshake.
217 */
218
219 static int
220 cert_callback (gnutls_session_t session,
221 const gnutls_datum_t * req_ca_rdn, int nreqs,
222 const gnutls_pk_algorithm_t * sign_algos,
223 int sign_algos_length, gnutls_retr2_st * st)
224 {
225 char issuer_dn[256];
226 int i, ret;
227 size_t len;
228 gnutls_certificate_type_t type;
229
230 /* Print the server's trusted CAs
231 */
232 if (nreqs > 0)
233 printf ("- Server's trusted authorities:\n");
234 else
235 printf ("- Server did not send us any trusted authorities names.\n");
236
237 /* print the names (if any) */
238 for (i = 0; i < nreqs; i++)
239 {
240 len = sizeof (issuer_dn);
241 ret = gnutls_x509_rdn_get (&req_ca_rdn[i], issuer_dn, &len);
242 if (ret >= 0)
243 {
244 printf (" [%d]: ", i);
245 printf ("%s\n", issuer_dn);
246 }
247 }
248
249 /* Select a certificate and return it.
250 * The certificate must be of any of the "sign algorithms"
251 * supported by the server.
252 */
253
254 type = gnutls_certificate_type_get (session);
255 if (type == GNUTLS_CRT_X509)
256 {
257 /* check if the certificate we are sending is signed
258 * with an algorithm that the server accepts */
259 gnutls_sign_algorithm_t cert_algo, req_algo;
260 int i, match = 0;
261
262 ret = gnutls_x509_crt_get_signature_algorithm (crt);
263 if (ret < 0)
264 {
265 /* error reading signature algorithm
266 */
267 return -1;
268 }
269 cert_algo = ret;
270
271 i = 0;
272 do
273 {
274 ret = gnutls_sign_algorithm_get_requested (session, i, &req_algo);
275 if (ret >= 0 && cert_algo == req_algo)
276 {
277 match = 1;
278 break;
279 }
280
281 /* server has not requested anything specific */
282 if (i == 0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
283 {
284 match = 1;
285 break;
286 }
287 i++;
288 }
289 while (ret >= 0);
290
291 if (match == 0)
292 {
293 printf
294 ("- Could not find a suitable certificate to send to server\n");
295 return -1;
296 }
297
298 st->cert_type = type;
299 st->ncerts = 1;
300
301 st->cert.x509 = &crt;
302 st->key.pkcs11 = key;
303 st->key_type = GNUTLS_PRIVKEY_PKCS11;
304
305 st->deinit_all = 0;
306 }
307 else
308 {
309 return -1;
310 }
311
312 return 0;
313
314 }
Implementation of the SSL/TLS protocol