HTTPS认证四：使用开源libcurl进行SSL双向认证

官网：https://curl.haxx.se/libcurl/c/libcurl.html

libcurl参数说明：

CURLOPT_SSLCERTTYPE：证书的格式，支持PEM, DER格式
CURLOPT_SSLCERT：客户端证书的名字，加密传输下默认格式是P12，其它方式下是PEM，使用时候用./filename避免混淆，当使用client证书的时候，很大可能需要使用private key
CURLOPT_SSLKEY: 这个是privatekey的文件名，默认格式是PEM，可以通过 CURLOPT_SSLKEYTYPE修改
CURLOPT_KEYPASSWD： 使用private.key时候需要密码，载入证书不会用到密码，但是载入private.key时候需要
CURLOPT_CAINFO： 根证书，用来验证对端证书的有效性，一般时颁发机构(CA)颁发的
CURLOPT_SSL_VERIFYPEER： 决定是否验证对方证书的有效性，当进行TLS或者SSL连接时，服务器发送证书表明他的身份，CURL会验证证书是否真实（，这种信任基于数字签名链，植根于您提供的证书颁发机构(CA)证书

1、准备文件

 

根证书	ca.crt	cacrt.pem
根证书签发的服务端证书	server.crt
服务端私钥	server.key
根证书签发的客户端证书	client.crt	clientcrt.pem
客户端私钥	client.key	clientkey.pem

 cacrt.pem ：为了验证服务器的证书，因为服务器证书时通过根证书签发的

 clientcrt.pem, clientkey.pem ：客户端证书，双向认证发给服务器进行认证

头文件记libcurl库文件（参考github libcurl开源）

2、simplc.c文件

#include <stdio.h>
#include "include/curl/curl.h"
int main(void)
{
  CURL *curl;
  CURLcode res;
  FILE *headerfile;
  const char *pPassphrase = NULL;    //password for private key

  static const char *pCertFile = "./clientcrt.pem"; //client certificate
  static const char *pCACertFile = "cacrt.pem"; //CA root certificat
  static const char *pHeaderFile = "dumpit";

  const char *pKeyName;
  const char *pKeyType;

  const char *pEngine;

  pKeyName  = "clientkey.pem";        // private.key
  pKeyType  = "PEM";
  pEngine   = NULL;

  headerfile = fopen(pHeaderFile, "wb");

  curl_global_init(CURL_GLOBAL_DEFAULT);

  curl = curl_easy_init();
   if(curl) {
    /* what call to write: */
    curl_easy_setopt(curl, CURLOPT_URL, "HTTPS://192.168.31.14:8124");
    curl_easy_setopt(curl, CURLOPT_HEADERDATA, headerfile);

    do { /* dummy loop, just to break out from */
      if(pEngine) {
        /* use crypto engine */
        if(curl_easy_setopt(curl, CURLOPT_SSLENGINE, pEngine) != CURLE_OK) {
          /* load the crypto engine */
          fprintf(stderr, "can't set crypto engine\n");
           break;
        }
        if(curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L) != CURLE_OK) {
          /* set the crypto engine as default */
          /* only needed for the first time you load
 *              a engine in a curl object... */
          fprintf(stderr, "can't set crypto engine as default\n");
          break;
        }
      }
      /* cert is stored PEM coded in file... */
      /* since PEM is default, we needn't set it for PEM */
      curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");

      /* set the cert for client authentication */
      curl_easy_setopt(curl, CURLOPT_SSLCERT, pCertFile);

      /* sorry, for engine we must set the passphrase
 *          (if the key has one...) */
      if(pPassphrase)
        curl_easy_setopt(curl, CURLOPT_KEYPASSWD, pPassphrase);

      /* if we use a key stored in a crypto engine,
 *          we must set the key type to "ENG" */
      curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, pKeyType);

      /* set the private key (file or ID in engine) */
      curl_easy_setopt(curl, CURLOPT_SSLKEY, pKeyName);

      /* set the file with the certs vaildating the server */
      curl_easy_setopt(curl, CURLOPT_CAINFO, pCACertFile);

      /* disconnect if we can't validate server's cert */
      curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);

      /* Perform the request, res will get the return code */
      res = curl_easy_perform(curl);
      /* Check for errors */
      if(res != CURLE_OK)
        fprintf(stderr, "curl_easy_perform() failed: %s\n",
                curl_easy_strerror(res));

      /* we are done... */
    } while(0);
    /* always cleanup */
    curl_easy_cleanup(curl);
  }

  curl_global_cleanup();

  return 0;
}

 

 Makefile

TARGET = simplessl

#Which object files that the executable consists of
OBJS= simplessl.o
# What compiler to use
CC = gcc

# Compiler flags, -g for debug, -c to make an object file
CFLAGS = -c -g
# This should point to a directory that holds libcurl, if it isn't
# in the system's standard lib dir
# We also set a -L to include the directory where we have the openssl
# libraries
LDFLAGS = -L./lib/libs -L/usr/local/ssl/lib

# We need -lcurl for the curl stuff
# We need -lsocket and -lnsl when on Solaris
# We need -lssl and -lcrypto when using libcurl with SSL support
# We need -lpthread for the pthread example
LIBS = -lcurl #-lsocket -lnsl -lssl -lcrypto

# Link the target with all objects and libraries
$(TARGET) : $(OBJS)
        $(CC)  -o $(TARGET) $(OBJS) $(LDFLAGS) $(LIBS)

# Compile the source files into object files
simplessl.o : simplessl.c
        $(CC) $(CFLAGS) $<

编译后执行可以看到结果：

请到我的下载资源中找源代码