doc/examples/ex-cert-select.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <string.h>
  10 #include <sys/types.h>
  11 #include <sys/socket.h>
  12 #include <arpa/inet.h>
  13 #include <unistd.h>
  14 #include <gnutls/gnutls.h>
  15 #include <gnutls/x509.h>
  16 #include <gnutls/abstract.h>
  17 #include <sys/types.h>
  18 #include <sys/stat.h>
  19 #include <fcntl.h>
  20
  21 /* A TLS client that loads the certificate and key.
  22  */
  23
  24 #define MAX_BUF 1024
  25 #define MSG "GET / HTTP/1.0\r\n\r\n"
  26
  27 #define CERT_FILE "cert.pem"
  28 #define KEY_FILE "key.pem"
  29 #define CAFILE "/etc/ssl/certs/ca-certificates.crt"
  30
  31 extern int tcp_connect (void);
  32 extern void tcp_close (int sd);
  33
  34 static int
  35 cert_callback (gnutls_session_t session,
  36                const gnutls_datum_t * req_ca_rdn, int nreqs,
  37                const gnutls_pk_algorithm_t * sign_algos,
  38                int sign_algos_length, gnutls_pcert_st ** pcert,
  39                unsigned int *pcert_length, gnutls_privkey_t * pkey);
  40
  41 gnutls_pcert_st crt;
  42 gnutls_privkey_t key;
  43
  44 /* Helper functions to load a certificate and key
  45  * files into memory.
  46  */
  47 static gnutls_datum_t
  48 load_file (const char *file)
  49 {
  50   FILE *f;
  51   gnutls_datum_t loaded_file = { NULL, 0 };
  52   long filelen;
  53   void *ptr;
  54
  55   if (!(f = fopen (file, "r"))
  56       || fseek (f, 0, SEEK_END) != 0
  57       || (filelen = ftell (f)) < 0
  58       || fseek (f, 0, SEEK_SET) != 0
  59       || !(ptr = malloc ((size_t) filelen))
  60       || fread (ptr, 1, (size_t) filelen, f) < (size_t) filelen)
  61     {
  62       if (f)
  63         fclose (f);
  64       return loaded_file;
  65     }
  66
  67   loaded_file.data = ptr;
  68   loaded_file.size = (unsigned int) filelen;
  69   return loaded_file;
  70 }
  71
  72 static void
  73 unload_file (gnutls_datum_t data)
  74 {
  75   free (data.data);
  76 }
  77
  78 /* Load the certificate and the private key.
  79  */
  80 static void
  81 load_keys (void)
  82 {
  83   int ret;
  84   gnutls_datum_t data;
  85   gnutls_x509_privkey_t x509_key;
  86
  87   data = load_file (CERT_FILE);
  88   if (data.data == NULL)
  89     {
  90       fprintf (stderr, "*** Error loading certificate file.\n");
  91       exit (1);
  92     }
  93
  94   ret = gnutls_pcert_import_x509_raw (&crt, &data, GNUTLS_X509_FMT_PEM, 0);
  95   if (ret < 0)
  96     {
  97       fprintf (stderr, "*** Error loading certificate file: %s\n",
  98                gnutls_strerror (ret));
  99       exit (1);
 100     }
 101
 102   unload_file (data);
 103
 104   data = load_file (KEY_FILE);
 105   if (data.data == NULL)
 106     {
 107       fprintf (stderr, "*** Error loading key file.\n");
 108       exit (1);
 109     }
 110
 111   gnutls_x509_privkey_init (&x509_key);
 112
 113   ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM);
 114   if (ret < 0)
 115     {
 116       fprintf (stderr, "*** Error loading key file: %s\n",
 117                gnutls_strerror (ret));
 118       exit (1);
 119     }
 120
 121   gnutls_privkey_init (&key);
 122
 123   ret =
 124     gnutls_privkey_import_x509 (key, x509_key,
 125                                 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
 126   if (ret < 0)
 127     {
 128       fprintf (stderr, "*** Error importing key: %s\n",
 129                gnutls_strerror (ret));
 130       exit (1);
 131     }
 132
 133   unload_file (data);
 134 }
 135
 136 int
 137 main (void)
 138 {
 139   int ret, sd, ii;
 140   gnutls_session_t session;
 141   gnutls_priority_t priorities_cache;
 142   char buffer[MAX_BUF + 1];
 143   gnutls_certificate_credentials_t xcred;
 144   /* Allow connections to servers that have OpenPGP keys as well.
 145    */
 146
 147   gnutls_global_init ();
 148
 149   load_keys ();
 150
 151   /* X509 stuff */
 152   gnutls_certificate_allocate_credentials (&xcred);
 153
 154   /* priorities */
 155   gnutls_priority_init (&priorities_cache, "NORMAL", NULL);
 156
 157
 158   /* sets the trusted cas file
 159    */
 160   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
 161
 162   gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
 163
 164   /* Initialize TLS session
 165    */
 166   gnutls_init (&session, GNUTLS_CLIENT);
 167
 168   /* Use default priorities */
 169   gnutls_priority_set (session, priorities_cache);
 170
 171   /* put the x509 credentials to the current session
 172    */
 173   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
 174
 175   /* connect to the peer
 176    */
 177   sd = tcp_connect ();
 178
 179   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
 180
 181   /* Perform the TLS handshake
 182    */
 183   ret = gnutls_handshake (session);
 184
 185   if (ret < 0)
 186     {
 187       fprintf (stderr, "*** Handshake failed\n");
 188       gnutls_perror (ret);
 189       goto end;
 190     }
 191   else
 192     {
 193       printf ("- Handshake was completed\n");
 194     }
 195
 196   gnutls_record_send (session, MSG, strlen (MSG));
 197
 198   ret = gnutls_record_recv (session, buffer, MAX_BUF);
 199   if (ret == 0)
 200     {
 201       printf ("- Peer has closed the TLS connection\n");
 202       goto end;
 203     }
 204   else if (ret < 0)
 205     {
 206       fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
 207       goto end;
 208     }
 209
 210   printf ("- Received %d bytes: ", ret);
 211   for (ii = 0; ii < ret; ii++)
 212     {
 213       fputc (buffer[ii], stdout);
 214     }
 215   fputs ("\n", stdout);
 216
 217   gnutls_bye (session, GNUTLS_SHUT_RDWR);
 218
 219 end:
 220
 221   tcp_close (sd);
 222
 223   gnutls_deinit (session);
 224
 225   gnutls_certificate_free_credentials (xcred);
 226   gnutls_priority_deinit (priorities_cache);
 227
 228   gnutls_global_deinit ();
 229
 230   return 0;
 231 }
 232
 233
 234
 235 /* This callback should be associated with a session by calling
 236  * gnutls_certificate_client_set_retrieve_function( session, cert_callback),
 237  * before a handshake.
 238  */
 239
 240 static int
 241 cert_callback (gnutls_session_t session,
 242                const gnutls_datum_t * req_ca_rdn, int nreqs,
 243                const gnutls_pk_algorithm_t * sign_algos,
 244                int sign_algos_length, gnutls_pcert_st ** pcert,
 245                unsigned int *pcert_length, gnutls_privkey_t * pkey)
 246 {
 247   char issuer_dn[256];
 248   int i, ret;
 249   size_t len;
 250   gnutls_certificate_type_t type;
 251
 252   /* Print the server's trusted CAs
 253    */
 254   if (nreqs > 0)
 255     printf ("- Server's trusted authorities:\n");
 256   else
 257     printf ("- Server did not send us any trusted authorities names.\n");
 258
 259   /* print the names (if any) */
 260   for (i = 0; i < nreqs; i++)
 261     {
 262       len = sizeof (issuer_dn);
 263       ret = gnutls_x509_rdn_get (&req_ca_rdn[i], issuer_dn, &len);
 264       if (ret >= 0)
 265         {
 266           printf ("   [%d]: ", i);
 267           printf ("%s\n", issuer_dn);
 268         }
 269     }
 270
 271   /* Select a certificate and return it.
 272    * The certificate must be of any of the "sign algorithms"
 273    * supported by the server.
 274    */
 275   type = gnutls_certificate_type_get (session);
 276   if (type == GNUTLS_CRT_X509)
 277     {
 278       *pcert_length = 1;
 279       *pcert = &crt;
 280       *pkey = key;
 281     }
 282   else
 283     {
 284       return -1;
 285     }
 286
 287   return 0;
 288
 289 }