Next: , Previous: , Up: Client examples   [Contents][Index]

7.1.3 Using a smart card with TLS

This example will demonstrate how to load keys and certificates from a smart-card or any other PKCS #11 token, and use it in a TLS connection. The difference between this and the Client example with X.509 certificate support is that the client keys are provided as PKCS #11 URIs instead of files.

/* This example code is placed in the public domain. */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/pkcs11.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <getpass.h> /* for getpass() */

/* A TLS client that loads the certificate and key.

#define CHECK(x) assert((x) >= 0)

#define MAX_BUF 1024
#define MSG "GET / HTTP/1.0\r\n\r\n"
#define MIN(x, y) (((x) < (y)) ? (x) : (y))

#define CAFILE "/etc/ssl/certs/ca-certificates.crt"

/* The URLs of the objects can be obtained
 * using p11tool --list-all --login
#define KEY_URL                                                     \
	"pkcs11:manufacturer=SomeManufacturer;object=Private%20Key" \
#define CERT_URL                                                   \
	"pkcs11:manufacturer=SomeManufacturer;object=Certificate;" \

extern int tcp_connect(void);
extern void tcp_close(int sd);

static int pin_callback(void *user, int attempt, const char *token_url,
			const char *token_label, unsigned int flags, char *pin,
			size_t pin_max)
	const char *password;
	int len;

	printf("PIN required for token '%s' with URL '%s'\n", token_label,
	if (flags & GNUTLS_PIN_FINAL_TRY)
		printf("*** This is the final try before locking!\n");
	if (flags & GNUTLS_PIN_COUNT_LOW)
		printf("*** Only few tries left before locking!\n");
	if (flags & GNUTLS_PIN_WRONG)
		printf("*** Wrong PIN\n");

	password = getpass("Enter pin: ");
	/* FIXME: ensure that we are in UTF-8 locale */
	if (password == NULL || password[0] == 0) {
		fprintf(stderr, "No password given\n");

	len = MIN(pin_max - 1, strlen(password));
	memcpy(pin, password, len);
	pin[len] = 0;

	return 0;

int main(void)
	int ret, sd, ii;
	gnutls_session_t session;
	char buffer[MAX_BUF + 1];
	gnutls_certificate_credentials_t xcred;
	/* Allow connections to servers that have OpenPGP keys as well.

	if (gnutls_check_version("3.1.4") == NULL) {
			"GnuTLS 3.1.4 or later is required for this example\n");

	/* for backwards compatibility with gnutls < 3.3.0 */

	/* The PKCS11 private key operations may require PIN.
	 * Register a callback. */
	gnutls_pkcs11_set_pin_function(pin_callback, NULL);

	/* X509 stuff */

	/* sets the trusted cas file
	CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE,

	CHECK(gnutls_certificate_set_x509_key_file(xcred, CERT_URL, KEY_URL,

	/* Note that there is no server certificate verification in this example

	/* Initialize TLS session
	CHECK(gnutls_init(&session, GNUTLS_CLIENT));

	/* Use default priorities */

	/* put the x509 credentials to the current session
	CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));

	/* connect to the peer
	sd = tcp_connect();

	gnutls_transport_set_int(session, sd);

	/* Perform the TLS handshake
	ret = gnutls_handshake(session);

	if (ret < 0) {
		fprintf(stderr, "*** Handshake failed\n");
		goto end;
	} else {
		char *desc;

		desc = gnutls_session_get_desc(session);
		printf("- Session info: %s\n", desc);

	CHECK(gnutls_record_send(session, MSG, strlen(MSG)));

	ret = gnutls_record_recv(session, buffer, MAX_BUF);
	if (ret == 0) {
		printf("- Peer has closed the TLS connection\n");
		goto end;
	} else if (ret < 0) {
		fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
		goto end;

	printf("- Received %d bytes: ", ret);
	for (ii = 0; ii < ret; ii++) {
		fputc(buffer[ii], stdout);
	fputs("\n", stdout);

	CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR));






	return 0;

Next: , Previous: , Up: Client examples   [Contents][Index]