doc/examples/ex-cert-select-pkcs11.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <string.h>
  10 #include <sys/types.h>
  11 #include <sys/socket.h>
  12 #include <arpa/inet.h>
  13 #include <unistd.h>
  14 #include <gnutls/gnutls.h>
  15 #include <gnutls/x509.h>
  16 #include <gnutls/pkcs11.h>
  17 #include <sys/types.h>
  18 #include <sys/stat.h>
  19 #include <fcntl.h>
  20 #include <getpass.h> /* for getpass() */
  21
  22 /* A TLS client that loads the certificate and key.
  23  */
  24
  25 #define MAX_BUF 1024
  26 #define MSG "GET / HTTP/1.0\r\n\r\n"
  27 #define MIN(x,y) (((x)<(y))?(x):(y))
  28
  29 #define CAFILE "/etc/ssl/certs/ca-certificates.crt"
  30
  31 /* The URLs of the objects can be obtained
  32  * using p11tool --list-all --login
  33  */
  34 #define KEY_URL "pkcs11:manufacturer=SomeManufacturer;object=Private%20Key" \
  35   ";objecttype=private;id=%db%5b%3e%b5%72%33"
  36 #define CERT_URL "pkcs11:manufacturer=SomeManufacturer;object=Certificate;" \
  37   "objecttype=cert;id=db%5b%3e%b5%72%33"
  38
  39 extern int tcp_connect (void);
  40 extern void tcp_close (int sd);
  41
  42 static int
  43 pin_callback (void *user, int attempt, const char *token_url,
  44               const char *token_label, unsigned int flags, char *pin,
  45               size_t pin_max)
  46 {
  47   const char *password;
  48   int len;
  49
  50   printf ("PIN required for token '%s' with URL '%s'\n", token_label,
  51           token_url);
  52   if (flags & GNUTLS_PIN_FINAL_TRY)
  53     printf ("*** This is the final try before locking!\n");
  54   if (flags & GNUTLS_PIN_COUNT_LOW)
  55     printf ("*** Only few tries left before locking!\n");
  56   if (flags & GNUTLS_PIN_WRONG)
  57     printf ("*** Wrong PIN\n");
  58
  59   password = getpass ("Enter pin: ");
  60   if (password == NULL || password[0] == 0)
  61     {
  62       fprintf (stderr, "No password given\n");
  63       exit (1);
  64     }
  65
  66   len = MIN (pin_max, strlen (password));
  67   memcpy (pin, password, len);
  68   pin[len] = 0;
  69
  70   return 0;
  71 }
  72
  73 int
  74 main (void)
  75 {
  76   int ret, sd, ii;
  77   gnutls_session_t session;
  78   gnutls_priority_t priorities_cache;
  79   char buffer[MAX_BUF + 1];
  80   gnutls_certificate_credentials_t xcred;
  81   /* Allow connections to servers that have OpenPGP keys as well.
  82    */
  83
  84   gnutls_global_init ();
  85   /* PKCS11 private key operations might require PIN.
  86    * Register a callback.
  87    */
  88   gnutls_pkcs11_set_pin_function (pin_callback, NULL);
  89
  90   /* X509 stuff */
  91   gnutls_certificate_allocate_credentials (&xcred);
  92
  93   /* priorities */
  94   gnutls_priority_init (&priorities_cache, "NORMAL", NULL);
  95
  96   /* sets the trusted cas file
  97    */
  98   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
  99
 100   gnutls_certificate_set_x509_key_file (xcred, CERT_URL, KEY_URL, GNUTLS_X509_FMT_DER);
 101
 102   /* Initialize TLS session
 103    */
 104   gnutls_init (&session, GNUTLS_CLIENT);
 105
 106   /* Use default priorities */
 107   gnutls_priority_set (session, priorities_cache);
 108
 109   /* put the x509 credentials to the current session
 110    */
 111   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
 112
 113   /* connect to the peer
 114    */
 115   sd = tcp_connect ();
 116
 117   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
 118
 119   /* Perform the TLS handshake
 120    */
 121   ret = gnutls_handshake (session);
 122
 123   if (ret < 0)
 124     {
 125       fprintf (stderr, "*** Handshake failed\n");
 126       gnutls_perror (ret);
 127       goto end;
 128     }
 129   else
 130     {
 131       printf ("- Handshake was completed\n");
 132     }
 133
 134   gnutls_record_send (session, MSG, strlen (MSG));
 135
 136   ret = gnutls_record_recv (session, buffer, MAX_BUF);
 137   if (ret == 0)
 138     {
 139       printf ("- Peer has closed the TLS connection\n");
 140       goto end;
 141     }
 142   else if (ret < 0)
 143     {
 144       fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
 145       goto end;
 146     }
 147
 148   printf ("- Received %d bytes: ", ret);
 149   for (ii = 0; ii < ret; ii++)
 150     {
 151       fputc (buffer[ii], stdout);
 152     }
 153   fputs ("\n", stdout);
 154
 155   gnutls_bye (session, GNUTLS_SHUT_RDWR);
 156
 157 end:
 158
 159   tcp_close (sd);
 160
 161   gnutls_deinit (session);
 162
 163   gnutls_certificate_free_credentials (xcred);
 164   gnutls_priority_deinit (priorities_cache);
 165
 166   gnutls_global_deinit ();
 167
 168   return 0;
 169 }