Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

HTTPS Mutual Authentication using Smartcard or Token

See more HTTP Examples

Explains how to do HTTP TLS mutual authentication using an HSM (Smartcard or USB Token).

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Cert,
  Chilkat.Http;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  http: THttp;
  cert: TCert;

begin
  success := False;

  http := THttp.Create;

  //  To do HTTPS mutual authentication where the certificate and private key are stored
  //  on a smartcard or token, first load the Chilkat certificate object from the smartcard/token,
  //  and then pass the certificate object to the Http object's SetSslClientCert method.

  //  Doing HTTP mutual authentication is the same regardless of the source of the cert + private key.
  //  The steps are to first load the certificate from the source, then pass the cert object to the HTTP object.
  //  Chilkat provides methods for loading the certificate from a variety of sources, such as smartcards, tokens,
  //  .pfx/.p12 files, Windows registry-based certificate stores, PEM files, or other file formats.
  cert := TCert.Create;

  //  The easiest way to load a certificate from an HSM is to call cert.LoadFromSmartcard with 
  //  an empty string argument.  Chilkat will detect the HSM and will choose the most appropriate
  //  underlying means for accessing and loading the default certificate + key from the HSM.
  //  The underlying means could be PKCS11, ScMinidriver, or MSCNG, depending on the HSM what it
  //  supports.

  //  For example:
  //  If you know the smart card PIN, it's good to set it prior to loading from the smartcard/USB token.
  cert.SmartCardPin := '12345678';

  //  To let Chilkat discover what smartcard or token is connected, pass an empty string to LoadFromSmartcard.
  //  When testing in this way, it's best to have only a single smartcard or token connected to the system.
  success := cert.LoadFromSmartcard('');
  if (success = False) then
    begin
      WriteLn(cert.LastErrorText);
      WriteLn('Certificate not loaded.');
      Exit;
    end;

  //  If there are multiple certificates stored on the smartcard/token, then 
  //  you can be more specific.  See these examples:

  //  Load a Certificate from an HSM by Common Name
  //  Load a Certificate from an HSM by Serial Number

  //  It may be that you need to code at a lower level with a specific
  //  supported interface, such as PKCS11.
  //  See these examples:

  //  Use PKCS11 to Find a Specific Certificate
  //  Use PKCS11 to Find a Certificate with a Specified Key Usage

  //  Once you have the desired certificate, pass it to SetSslClientCert.
  //  Set the certificate to be used for mutual TLS authentication
  //  (i.e. sets the client-side certificate for two-way TLS authentication)
  success := http.SetSslClientCert(cert);
  if (success <> True) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  //  At this point, the HTTP object instance is setup with the client-side cert, and any SSL/TLS
  //  connection will automatically use it if the server demands a client-side cert.


  http.Free;
  cert.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.