doc/examples/ex-cert-select-pkcs11.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <getpass.h>
   8
   9 #include <stdio.h>
  10 #include <stdlib.h>
  11 #include <string.h>
  12 #include <sys/types.h>
  13 #include <sys/socket.h>
  14 #include <arpa/inet.h>
  15 #include <unistd.h>
  16 #include <gnutls/gnutls.h>
  17 #include <gnutls/x509.h>
  18 #include <gnutls/pkcs11.h>
  19 #include <sys/types.h>
  20 #include <sys/stat.h>
  21 #include <fcntl.h>
  22
  23 /* A TLS client that loads the certificate and key.
  24  */
  25
  26 #define MAX_BUF 1024
  27 #define MSG "GET / HTTP/1.0\r\n\r\n"
  28 #define MIN(x,y) (((x)<(y))?(x):(y))
  29
  30 #define CAFILE "ca.pem"
  31
  32 /* The URLs of the objects can be obtained
  33  * using p11tool --list-all --login
  34  */
  35 #define KEY_URL "pkcs11:manufacturer=SomeManufacturer;object=Private%20Key" \
  36   ";objecttype=private;id=%db%5b%3e%b5%72%33"
  37 #define CERT_URL "pkcs11:manufacturer=SomeManufacturer;object=Certificate;" \
  38   "objecttype=cert;id=db%5b%3e%b5%72%33"
  39
  40 extern int tcp_connect (void);
  41 extern void tcp_close (int sd);
  42
  43 static int
  44 pin_callback (void *user, int attempt, const char *token_url,
  45               const char *token_label, unsigned int flags, char *pin,
  46               size_t pin_max)
  47 {
  48   const char *password;
  49   int len;
  50
  51   printf ("PIN required for token '%s' with URL '%s'\n", token_label,
  52           token_url);
  53   if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
  54     printf ("*** This is the final try before locking!\n");
  55   if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
  56     printf ("*** Only few tries left before locking!\n");
  57   if (flags & GNUTLS_PKCS11_PIN_WRONG)
  58     printf ("*** Wrong PIN\n");
  59
  60   password = getpass ("Enter pin: ");
  61   if (password == NULL || password[0] == 0)
  62     {
  63       fprintf (stderr, "No password given\n");
  64       exit (1);
  65     }
  66
  67   len = MIN (pin_max, strlen (password));
  68   memcpy (pin, password, len);
  69   pin[len] = 0;
  70
  71   return 0;
  72 }
  73
  74 int
  75 main (void)
  76 {
  77   int ret, sd, ii;
  78   gnutls_session_t session;
  79   gnutls_priority_t priorities_cache;
  80   char buffer[MAX_BUF + 1];
  81   gnutls_certificate_credentials_t xcred;
  82   /* Allow connections to servers that have OpenPGP keys as well.
  83    */
  84
  85   gnutls_global_init ();
  86   /* PKCS11 private key operations might require PIN.
  87    * Register a callback.
  88    */
  89   gnutls_pkcs11_set_pin_function (pin_callback, NULL);
  90
  91   /* X509 stuff */
  92   gnutls_certificate_allocate_credentials (&xcred);
  93
  94   /* priorities */
  95   gnutls_priority_init (&priorities_cache, "NORMAL", NULL);
  96
  97   /* sets the trusted cas file
  98    */
  99   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
 100
 101   gnutls_certificate_set_x509_key_file (xcred, CERT_URL, KEY_URL, GNUTLS_X509_FMT_DER);
 102
 103   /* Initialize TLS session
 104    */
 105   gnutls_init (&session, GNUTLS_CLIENT);
 106
 107   /* Use default priorities */
 108   gnutls_priority_set (session, priorities_cache);
 109
 110   /* put the x509 credentials to the current session
 111    */
 112   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
 113
 114   /* connect to the peer
 115    */
 116   sd = tcp_connect ();
 117
 118   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
 119
 120   /* Perform the TLS handshake
 121    */
 122   ret = gnutls_handshake (session);
 123
 124   if (ret < 0)
 125     {
 126       fprintf (stderr, "*** Handshake failed\n");
 127       gnutls_perror (ret);
 128       goto end;
 129     }
 130   else
 131     {
 132       printf ("- Handshake was completed\n");
 133     }
 134
 135   gnutls_record_send (session, MSG, strlen (MSG));
 136
 137   ret = gnutls_record_recv (session, buffer, MAX_BUF);
 138   if (ret == 0)
 139     {
 140       printf ("- Peer has closed the TLS connection\n");
 141       goto end;
 142     }
 143   else if (ret < 0)
 144     {
 145       fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
 146       goto end;
 147     }
 148
 149   printf ("- Received %d bytes: ", ret);
 150   for (ii = 0; ii < ret; ii++)
 151     {
 152       fputc (buffer[ii], stdout);
 153     }
 154   fputs ("\n", stdout);
 155
 156   gnutls_bye (session, GNUTLS_SHUT_RDWR);
 157
 158 end:
 159
 160   tcp_close (sd);
 161
 162   gnutls_deinit (session);
 163
 164   gnutls_certificate_free_credentials (xcred);
 165   gnutls_priority_deinit (priorities_cache);
 166
 167   gnutls_global_deinit ();
 168
 169   return 0;
 170 }