PureBasic
HTTPS Client Certificate using Smartcard or Token
Explains how to use a client certificate for HTTP TLS mutual authentication where the certificate and private key exist on an HSM (Smartcard or USB Token).
IncludeFile "CkCert.pb"
IncludeFile "CkHttp.pb"
Procedure ChilkatExample()
success.i = 0
http.i = CkHttp::ckCreate()
If http.i = 0
Debug "Failed to create object."
ProcedureReturn
EndIf
; To do HTTPS mutual authentication where the certificate and private key are stored
; on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
; and then pass the certificate object to the Http object's SetSslClientCert method.
; Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
; The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
; Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
; .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
cert.i = CkCert::ckCreate()
If cert.i = 0
Debug "Failed to create object."
ProcedureReturn
EndIf
; The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
; an empty string argument. Chilkat will detect the HSM and will choose the most appropriate
; underlying means for accessing and loading the default certificate + key from the HSM.
; The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on what the HSM
; supports. For example:
; If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
CkCert::setCkSmartCardPin(cert, "12345678")
; To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
; When testing in this way, it's best to have only a single smartcard or token connected to the system.
success = CkCert::ckLoadFromSmartcard(cert,"")
If success = 0
Debug CkCert::ckLastErrorText(cert)
Debug "Certificate not loaded."
CkHttp::ckDispose(http)
CkCert::ckDispose(cert)
ProcedureReturn
EndIf
; If there are multiple certificates stored on the smartcard/token, then
; you can be more specific. See these examples:
; Load a Certificate from an HSM by Common Name
; Load a Certificate from an HSM by Serial Number
; It may be that you need to code at a lower level with a specific
; supported interface, such as PKCS11.
; See these examples:
; Use PKCS11 to Find a Specific Certificate
; Use PKCS11 to Find a Certificate with a Specified Key Usage
; Once you have the desired certificate, pass it to SetSslClientCert.
; Set the certificate to be used for mutual TLS authentication
; (i.e. sets the client-side certificate for two-way TLS authentication)
success = CkHttp::ckSetSslClientCert(http,cert)
If success <> 1
Debug CkHttp::ckLastErrorText(http)
CkHttp::ckDispose(http)
CkCert::ckDispose(cert)
ProcedureReturn
EndIf
; At this point, the HTTP object instance is set up with the client-side cert, and any SSL/TLS
; connection will automatically use it if the server demands a client-side cert.
CkHttp::ckDispose(http)
CkCert::ckDispose(cert)
ProcedureReturn
EndProcedure
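The sample above stops once the certificate is attached to the Http object. The following is an added example (not part of the Chilkat sample) that carries the same steps through to an actual HTTPS request, takes the PIN from an environment variable instead of hardcoding it, and checks that the loaded certificate really carries a usable private key before relying on it for mutual TLS. The method names not used on this page (ckHasPrivateKey, ckSubjectCN, ckValidToStr, ckQuickGetStr, ckLastMethodSuccess, ckLastStatus) are assumed to follow the Chilkat PureBasic wrapper's naming; MutualTlsGet and the SMARTCARD_PIN variable are this example's own.

```purebasic
IncludeFile "CkCert.pb"
IncludeFile "CkHttp.pb"

; Hypothetical helper: load the default cert from the connected smartcard/token,
; attach it as the TLS client cert and issue a GET. Returns 1 on success, 0 on failure.
Procedure.i MutualTlsGet(url.s)
  ; Read the PIN from the environment (assumed variable name) rather than from source code.
  pin.s = GetEnvironmentVariable("SMARTCARD_PIN")
  If pin = ""
    Debug "SMARTCARD_PIN is not set."
    ProcedureReturn 0
  EndIf

  cert.i = CkCert::ckCreate()
  http.i = CkHttp::ckCreate()
  If cert = 0 Or http = 0
    Debug "Failed to create object."
    ProcedureReturn 0
  EndIf

  result.i = 0
  CkCert::setCkSmartCardPin(cert, pin)
  If CkCert::ckLoadFromSmartcard(cert, "") = 0
    Debug CkCert::ckLastErrorText(cert)
  ; A cert whose private key is not accessible cannot complete the client side of the handshake,
  ; so fail here with a clear message instead of at connection time.
  ElseIf CkCert::ckHasPrivateKey(cert) = 0
    Debug "No usable private key for certificate: " + CkCert::ckSubjectCN(cert)
  ElseIf CkHttp::ckSetSslClientCert(http, cert) = 0
    Debug CkHttp::ckLastErrorText(http)
  Else
    Debug "Client cert: " + CkCert::ckSubjectCN(cert) + " (valid to " + CkCert::ckValidToStr(cert) + ")"
    ; The server that demands a client cert during the TLS handshake will now receive this one.
    body.s = CkHttp::ckQuickGetStr(http, url)
    result = CkHttp::ckLastMethodSuccess(http)
    If result = 0
      Debug CkHttp::ckLastErrorText(http)
    Else
      Debug "HTTP status " + Str(CkHttp::ckLastStatus(http)) + ", " + Str(Len(body)) + " chars received"
    EndIf
  EndIf

  CkHttp::ckDispose(http)
  CkCert::ckDispose(cert)
  ProcedureReturn result
EndProcedure

; Example call against a placeholder endpoint that requires a client certificate.
MutualTlsGet("https://mtls.example.com/api/whoami")
```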