Pascal (Lazarus/Delphi)
Pascal (Lazarus/Delphi)
HTTPS Mutual Authentication using Smartcard or Token
See more HTTP Examples
Explains how to do HTTP TLS mutual authentication using an HSM (Smartcard or USB Token).Chilkat Pascal (Lazarus/Delphi) Downloads
program ChilkatDemo;
// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.
{$IFDEF FPC}
{$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}
uses
{$IFDEF UNIX}
cthreads,
{$ENDIF}
SysUtils,
CkDllLoader,
Chilkat.Cert,
Chilkat.Http;
// ---------------------------------------------------------------------------
procedure RunDemo;
var
success: Boolean;
http: THttp;
cert: TCert;
begin
success := False;
http := THttp.Create;
// To do HTTPS mutual authentication where the certificate and private key are stored
// on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
// and then pass the certificate object to the Http object's SetSslClientCert method.
// Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
// The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
// Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
// .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
cert := TCert.Create;
// The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with
// an empty string argument. Chilkat will detect the HSM and will choose the most appropriate
// underlying means for accessing and loading the default certificate + key from the HSM.
// The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM what it
// supports.
// For example:
// If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
cert.SmartCardPin := '12345678';
// To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
// When testing in this way, it's best to have only a single smartcard or token connected to the system.
success := cert.LoadFromSmartcard('');
if (success = False) then
begin
WriteLn(cert.LastErrorText);
WriteLn('Certificate not loaded.');
Exit;
end;
// If there are multiple certificates stored on the smartcard/token, then
// you can be more specific. See these examples:
// Load a Certificate from an HSM by Common Name
// Load a Certificate from an HSM by Serial Number
// It may be that you need to code at a lower level with a specific
// supported interface, such as PKCS11.
// See these examples:
// Use PKCS11 to Find a Specific Certificate
// Use PKCS11 to Find a Certificate with a Specified Key Usage
// Once you have the desired certificate, pass it to SetSslClientCert.
// Set the certificate to be used for mutual TLS authentication
// (i.e. sets the client-side certificate for two-way TLS authentication)
success := http.SetSslClientCert(cert);
if (success <> True) then
begin
WriteLn(http.LastErrorText);
Exit;
end;
// At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
// connection will automatically use it if the server demands a client-side cert.
http.Free;
cert.Free;
end;
// ---------------------------------------------------------------------------
begin
try
RunDemo;
except
on E: Exception do
WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
end;
WriteLn;
{$IFDEF MSWINDOWS}
WriteLn('Press Enter to exit...');
ReadLn;
{$ENDIF}
end.