Month: June 2018

C/C++用万恶的libcurl透过HTTPS发POST+JSON请求

相比python, nodejs这样的脚本开发语言已有非常好用的RESTful开发库,很多C/C++程序在调用RESTful接口时,还在使用非常难使用的libcurl纯C接口。下面是用libcurl透过HTTPS发POST请求的代码代段,http body是json字符串:

    #include <curl/curl.h>

    CURL* curl;
    struct curl_slist* headers;
    curl = curl_easy_init();
    headers_ = curl_slist_append(headers, "Content-Type: application/json");
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
    curl_easy_setopt(curl, CURLOPT_SSLCERT, cert_file_path.c_str());
    curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");
    curl_easy_setopt(curl, CURLOPT_SSLKEY, key_file_path.c_str());
    curl_easy_setopt(curl, CURLOPT_CAINFO, ca_file_path.c_str());
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);

    // jv_text存了json字符串
    curl_easy_setopt(curl_, CURLOPT_POSTFIELDS, jv_text.c_str());
    curl_easy_setopt(curl_, CURLOPT_URL, path.c_str());

    CURLcode res = curl_easy_perform(curl_);
    if (res != CURLE_OK)   // 没有成功
    {
        LG_ERR("curl_easy_perform() failed: %s", curl_easy_strerror(res));
    }
    else  // 成功了
    {
    }
    curl_easy_cleanup(curl);

openssl签发证书肘后备急方(cheatsheet)

生成一对新的RSA非对称密钥,2048bits长。 generate an RSA private key

openssl genrsa -out private.key 2048

从私钥中提出公钥。 extract the public key

openssl rsa -in mykey.pem -pubout > my_pubkey.pub

创建自签名证书。create a self-singned certificate

openssl req -config openssl.conf -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt

签署CSR。sign the CSR

openssl ca -config openssl.conf -days 375 -notext -in test.csr -out test.crt

检验签书。verify the certificate

openssl verify -CAfile ca.crt test.crt

生成一个CSR。Generate a new private key and CSR(Certificate Signing Request)

openssl req -config openssl.conf -out CSR.csr -nodes -new -newkey rsa:2048 -nodes -keyout private.key

查看一个证书。show the certificate

openssl x509 -noout -text -in test.crt

PEM格式的证书转换为pfx格式的证书

openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx

We can extract the private key form a PFX to a PEM file with this command:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key:

openssl rsa -in key.pem -out server.key

///////////////////////// openssl.conf /////////////////////////

我用的openssl配置文件

[ ca ]
default_ca = kamus # The default ca section

[ kamus ]
dir = . # top dir
database = dir/index.txt # index file.
new_certs_dir =dir/newcerts # new certs dir

certificate = dir/ca.crt # The CA cert
serial =dir/serial # serial no file
private_key = dir/root.key # CA private key
RANDFILE =dir/.rand # random number file

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # md to use

policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN

name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
subjectAltName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
countryName = Country Name(2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
commonName = Common Name
subjectAltName = SubjectAltName
emailAddress = email