doc/examples/ex-client-x509.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <string.h>
  10 #include <gnutls/gnutls.h>
  11 #include <gnutls/x509.h>
  12 #include "examples.h"
  13
  14 /* A very basic TLS client, with X.509 authentication and server certificate
  15  * verification. Note that error checking for missing files etc. is missing
  16  * for simplicity.
  17  */
  18
  19 #define MAX_BUF 1024
  20 #define CAFILE "/etc/ssl/certs/ca-certificates.crt"
  21 #define MSG "GET / HTTP/1.0\r\n\r\n"
  22
  23 extern int tcp_connect (void);
  24 extern void tcp_close (int sd);
  25 static int _verify_certificate_callback (gnutls_session_t session);
  26
  27 int main (void)
  28 {
  29   int ret, sd, ii;
  30   gnutls_session_t session;
  31   char buffer[MAX_BUF + 1];
  32   const char *err;
  33   gnutls_certificate_credentials_t xcred;
  34
  35   gnutls_global_init ();
  36
  37   /* X509 stuff */
  38   gnutls_certificate_allocate_credentials (&xcred);
  39
  40   /* sets the trusted cas file
  41    */
  42   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
  43   gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
  44
  45   /* If client holds a certificate it can be set using the following:
  46    *
  47      gnutls_certificate_set_x509_key_file (xcred,
  48                                            "cert.pem", "key.pem",
  49                                            GNUTLS_X509_FMT_PEM);
  50    */
  51
  52   /* Initialize TLS session
  53    */
  54   gnutls_init (&session, GNUTLS_CLIENT);
  55
  56   gnutls_session_set_ptr (session, (void *) "my_host_name");
  57
  58   gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
  59                           strlen("my_host_name"));
  60
  61   /* Use default priorities */
  62   ret = gnutls_priority_set_direct (session, "NORMAL", &err);
  63   if (ret < 0)
  64     {
  65       if (ret == GNUTLS_E_INVALID_REQUEST)
  66         {
  67           fprintf (stderr, "Syntax error at: %s\n", err);
  68         }
  69       exit (1);
  70     }
  71
  72   /* put the x509 credentials to the current session
  73    */
  74   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
  75
  76   /* connect to the peer
  77    */
  78   sd = tcp_connect ();
  79
  80   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
  81   gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
  82
  83   /* Perform the TLS handshake
  84    */
  85   do
  86     {
  87       ret = gnutls_handshake (session);
  88     }
  89   while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
  90
  91   if (ret < 0)
  92     {
  93       fprintf (stderr, "*** Handshake failed\n");
  94       gnutls_perror (ret);
  95       goto end;
  96     }
  97   else
  98     {
  99       printf ("- Handshake was completed\n");
 100     }
 101
 102   gnutls_record_send (session, MSG, strlen (MSG));
 103
 104   ret = gnutls_record_recv (session, buffer, MAX_BUF);
 105   if (ret == 0)
 106     {
 107       printf ("- Peer has closed the TLS connection\n");
 108       goto end;
 109     }
 110   else if (ret < 0)
 111     {
 112       fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
 113       goto end;
 114     }
 115
 116   printf ("- Received %d bytes: ", ret);
 117   for (ii = 0; ii < ret; ii++)
 118     {
 119       fputc (buffer[ii], stdout);
 120     }
 121   fputs ("\n", stdout);
 122
 123   gnutls_bye (session, GNUTLS_SHUT_RDWR);
 124
 125 end:
 126
 127   tcp_close (sd);
 128
 129   gnutls_deinit (session);
 130
 131   gnutls_certificate_free_credentials (xcred);
 132
 133   gnutls_global_deinit ();
 134
 135   return 0;
 136 }
 137
 138 /* This function will verify the peer's certificate, and check
 139  * if the hostname matches, as well as the activation, expiration dates.
 140  */
 141 static int
 142 _verify_certificate_callback (gnutls_session_t session)
 143 {
 144   unsigned int status;
 145   int ret;
 146   const char *hostname;
 147
 148   /* read hostname */
 149   hostname = gnutls_session_get_ptr (session);
 150
 151   /* This verification function uses the trusted CAs in the credentials
 152    * structure. So you must have installed one or more CA certificates.
 153    */
 154   ret = gnutls_certificate_verify_peers3 (session, hostname, &status);
 155   if (ret < 0)
 156     {
 157       printf ("Error\n");
 158       return GNUTLS_E_CERTIFICATE_ERROR;
 159     }
 160
 161   if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 162     printf ("The certificate hasn't got a known issuer.\n");
 163
 164   if (status & GNUTLS_CERT_REVOKED)
 165     printf ("The certificate has been revoked.\n");
 166
 167   if (status & GNUTLS_CERT_EXPIRED)
 168     printf ("The certificate has expired\n");
 169
 170   if (status & GNUTLS_CERT_NOT_ACTIVATED)
 171     printf ("The certificate is not yet activated\n");
 172
 173   if (status & GNUTLS_CERT_INVALID)
 174     {
 175       printf ("The certificate is not trusted.\n");
 176       return GNUTLS_E_CERTIFICATE_ERROR;
 177     }
 178
 179   /* notify gnutls to continue handshake normally */
 180   return 0;
 181 }
 182