HTTPS认证四:使用开源libcurl进行SSL双向认证
程序员文章站
2022-03-08 14:25:40
...
官网:https://curl.haxx.se/libcurl/c/libcurl.html
libcurl参数说明:
CURLOPT_SSLCERTTYPE:证书的格式,支持PEM, DER格式
CURLOPT_SSLCERT:客户端证书的名字,加密传输下默认格式是P12,其它方式下是PEM,使用时候用./filename避免混淆,当使用client证书的时候,很大可能需要使用private key
CURLOPT_SSLKEY: 这个是privatekey的文件名,默认格式是PEM,可以通过 CURLOPT_SSLKEYTYPE修改
CURLOPT_KEYPASSWD: 使用private.key时候需要密码,载入证书不会用到密码,但是载入private.key时候需要
CURLOPT_CAINFO: 根证书,用来验证对端证书的有效性,一般时颁发机构(CA)颁发的
CURLOPT_SSL_VERIFYPEER: 决定是否验证对方证书的有效性,当进行TLS或者SSL连接时,服务器发送证书表明他的身份,CURL会验证证书是否真实(,这种信任基于数字签名链,植根于您提供的证书颁发机构(CA)证书1、准备文件
|
根证书 |
ca.crt |
cacrt.pem |
|
根证书签发的服务端证书 |
server.crt |
|
|
服务端私钥 |
server.key |
|
|
根证书签发的客户端证书 |
client.crt |
clientcrt.pem |
|
客户端私钥 |
client.key |
clientkey.pem |
cacrt.pem :为了验证服务器的证书,因为服务器证书时通过根证书签发的
clientcrt.pem, clientkey.pem :客户端证书,双向认证发给服务器进行认证
头文件记libcurl库文件(参考github libcurl开源)
2、simplc.c文件
#include <stdio.h>
#include "include/curl/curl.h"
int main(void)
{
CURL *curl;
CURLcode res;
FILE *headerfile;
const char *pPassphrase = NULL; //password for private key
static const char *pCertFile = "./clientcrt.pem"; //client certificate
static const char *pCACertFile = "cacrt.pem"; //CA root certificat
static const char *pHeaderFile = "dumpit";
const char *pKeyName;
const char *pKeyType;
const char *pEngine;
pKeyName = "clientkey.pem"; // private.key
pKeyType = "PEM";
pEngine = NULL;
headerfile = fopen(pHeaderFile, "wb");
curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();
if(curl) {
/* what call to write: */
curl_easy_setopt(curl, CURLOPT_URL, "HTTPS://192.168.31.14:8124");
curl_easy_setopt(curl, CURLOPT_HEADERDATA, headerfile);
do { /* dummy loop, just to break out from */
if(pEngine) {
/* use crypto engine */
if(curl_easy_setopt(curl, CURLOPT_SSLENGINE, pEngine) != CURLE_OK) {
/* load the crypto engine */
fprintf(stderr, "can't set crypto engine\n");
break;
}
if(curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L) != CURLE_OK) {
/* set the crypto engine as default */
/* only needed for the first time you load
* a engine in a curl object... */
fprintf(stderr, "can't set crypto engine as default\n");
break;
}
}
/* cert is stored PEM coded in file... */
/* since PEM is default, we needn't set it for PEM */
curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
/* set the cert for client authentication */
curl_easy_setopt(curl, CURLOPT_SSLCERT, pCertFile);
/* sorry, for engine we must set the passphrase
* (if the key has one...) */
if(pPassphrase)
curl_easy_setopt(curl, CURLOPT_KEYPASSWD, pPassphrase);
/* if we use a key stored in a crypto engine,
* we must set the key type to "ENG" */
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, pKeyType);
/* set the private key (file or ID in engine) */
curl_easy_setopt(curl, CURLOPT_SSLKEY, pKeyName);
/* set the file with the certs vaildating the server */
curl_easy_setopt(curl, CURLOPT_CAINFO, pCACertFile);
/* disconnect if we can't validate server's cert */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
/* Perform the request, res will get the return code */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
/* we are done... */
} while(0);
/* always cleanup */
curl_easy_cleanup(curl);
}
curl_global_cleanup();
return 0;
}
Makefile
TARGET = simplessl
#Which object files that the executable consists of
OBJS= simplessl.o
# What compiler to use
CC = gcc
# Compiler flags, -g for debug, -c to make an object file
CFLAGS = -c -g
# This should point to a directory that holds libcurl, if it isn't
# in the system's standard lib dir
# We also set a -L to include the directory where we have the openssl
# libraries
LDFLAGS = -L./lib/libs -L/usr/local/ssl/lib
# We need -lcurl for the curl stuff
# We need -lsocket and -lnsl when on Solaris
# We need -lssl and -lcrypto when using libcurl with SSL support
# We need -lpthread for the pthread example
LIBS = -lcurl #-lsocket -lnsl -lssl -lcrypto
# Link the target with all objects and libraries
$(TARGET) : $(OBJS)
$(CC) -o $(TARGET) $(OBJS) $(LDFLAGS) $(LIBS)
# Compile the source files into object files
simplessl.o : simplessl.c
$(CC) $(CFLAGS) $<
编译后执行可以看到结果:
请到我的下载资源中找源代码