C++使用OpenSSL证书API

本文主要介绍如果在C++中使用OpenSSL的证书相关API。(基于OpenSSL 1.0.2k版本,不同版本可能API会有一些差异,但大体应该类似)


使用下面方法前,需要全局调用一次(无需多次调用)

OpenSSL_add_all_algorithms();



1、生成公私钥对

    BIGNUM *bne = NULL;
    int bits = RSAKeyBits;
    unsigned long   e = RSA_F4;
    int ret = 0;

    bne = BN_new();
    int r = BN_set_word(bne,e);
    if(r != 1){
        goto free_all;
    }

    if(m_rsa)
    {
        RSA_free(m_rsa);
        m_rsa = NULL;
    }
    // m_rsa是成员变量,用于存储公私钥对
    m_rsa = RSA_new();
    
    r = RSA_generate_key_ex(m_rsa, bits, bne, NULL);
    if(r != 1){
        goto free_all;
    }

free_all:
    BN_free(bne);


2、生成CSR

    X509 *x509 = NULL;
    X509_NAME *subject = NULL;
    BIO *bio = NULL;
    X509_REQ *x509Req = NULL;
    char *szCSR = NULL;
    // 提取私钥
    EVP_PKEY_assign_RSA(m_pKey, m_rsa);

    x509 = X509_new();
    X509_set_pubkey(x509, m_pKey);

    // 设置属性
    subject = X509_get_subject_name(x509);
    // 国家
    X509_NAME_add_entry_by_txt(subject, SN_countryName, MBSTRING_UTF8,
                               (unsigned char *)"CN", -1, -1, 0);
    // 省份
    X509_NAME_add_entry_by_txt(subject, SN_stateOrProvinceName,  MBSTRING_UTF8,
                               (unsigned char *)"GuangDong", -1, -1, 0);
    // 城市
    X509_NAME_add_entry_by_txt(subject, SN_localityName,  MBSTRING_UTF8,
                               (unsigned char *)"ShenZhen", -1, -1, 0);

    X509_set_subject_name(x509, subject);


    x509Req = X509_to_X509_REQ(x509, m_pKey, ShaFunc);
    if(!x509Req)
    {
        goto free_all;
    }

    // 可视化输出
    bio = BIO_new(BIO_s_mem());
    PEM_write_bio_X509_REQ(bio, x509Req);
    if(bio->num_write == 0)
    {
        goto free_all;
    }

    szCSR = (char*)malloc(bio->num_write+1);
    if(!szCSR)
    {
        goto free_all;
    }

    memset(szCSR, 0, bio->num_write+1);
    BIO_read(bio, szCSR, bio->num_write);


free_all:
    if(x509)
        X509_free(x509);
    if(x509Req)
        X509_REQ_free(x509Req);
    if(bio)
        BIO_free(bio);
    if(szCSR)
        free(szCSR);

3、生成证书

void x509FromCertString(string cert, X509 **pX509)
{
    if(cert.length() == 0)
        return;
    
    handleCertLineBreak(cert);
    
    BIO *bio = NULL;
    X509 *x509 = NULL;
    
    const char *certData = cert.c_str();
    
    bio = BIO_new(BIO_s_mem());
    BIO_puts(bio, certData);
    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
    
    *pX509 = x509;
    
    BIO_free(bio);
}

bool checkX509Data(X509 *x509)
{
    // 校验密钥和证书是否匹配
    if(!X509_check_private_key(x509, m_pKey))
    {
        return false;
    }
    
    // 根证书校验
    if(m_rootCert == NULL)
    {
        BIO *bio = BIO_new_file("cert/RootCA.cer","r");
        if(!bio)
        {
            return false;
        }
        
        PEM_read_bio_X509(bio, &m_rootCert, NULL, NULL);
        
        BIO_free(bio);
        
        if(m_rootCert == NULL)
        {
            return false;
        }
    }
    
    EVP_PKEY *pubKey = X509_get_pubkey(m_rootCert);
    if(X509_verify(x509, pubKey) != 1)
    {
        return false;
    }
    
    return true;
}

// p12
void importCert(string cert, string pass, string path)
{
    if(cert.length() == 0 || path.length() == 0)
        return;
    
    int ret = 0;
    BIO *bio = NULL;
    X509 *x509 = NULL;
    PKCS12 *p12 = NULL;
    BIO *bioW = NULL;
    
    const char *certData = cert.c_str();
    
    bio = BIO_new(BIO_s_mem());
    BIO_puts(bio, certData);
    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
    
    // 校验数据
    ret = checkX509Data(x509);
    if(ret)
    {
        goto free_all;
    }
    
    p12 = PKCS12_create((char*)pass.c_str(), CertAlias, m_pKey, x509, NULL, 0, 0, 0, 0, 0);
    
    if(!p12)
    {
        goto free_all;
    }
    
    bioW = BIO_new_file(path.c_str(),"wb");
    if(!bioW)
    {
        goto free_all;
    }
    
    // 写入文件
    if ( i2d_PKCS12_bio(bioW,p12) != 1)
    {
        goto free_all;
    }
    
    
free_all:
    if(x509)
        X509_free(x509);
    if(p12)
        PKCS12_free(p12);
    if(bioW)
        BIO_free(bioW);
}

// crt
void importCert(string cert, string path)
{
    if(cert.length() == 0 || path.length() == 0)
        return;
    
    int ret = 0;
    X509 *x509 = NULL;
    BIO *bioW = NULL;
    
    ret = x509FromCertString(cert, &x509);
    if(ret)
    {
        goto free_all;
    }
    
    ret = checkX509Data(x509, false);
    if(ret)
    {
        goto free_all;
    }
    
    bioW = BIO_new_file(path.c_str(),"wb");
    if(!bioW)
    {
        goto free_all;
    }
    
    // 写入文件
    if ( i2d_X509_bio(bioW,x509) != 1)
    {
        goto free_all;
    }
    
    
free_all:
    if(x509)
        X509_free(x509);
    if(bioW)
        BIO_free(bioW);
    
}

4、展示证书信息

// p12
void getCertInfo(string path, string pass, string &info)
{
    BIO *bio = NULL;
    PKCS12 *p12 = NULL;
    EVP_PKEY *pKey = NULL;
    X509 *x509 = NULL;
    BIO *x509Bio = NULL;
    char *szCertInfo = NULL;

    bio = BIO_new_file(path.c_str(),"r");
    if(!bio)
    {
        goto free_all;
    }

    p12 = d2i_PKCS12_bio(bio, NULL);
    if(!p12)
    {
        goto free_all;
    }

    if(PKCS12_parse(p12, pass.c_str(), &pKey, &x509, NULL) != 1)
    {
        goto free_all;
    }

    x509Bio = BIO_new(BIO_s_mem());
    X509_print(x509Bio, x509);
    if(x509Bio->num_write == 0)
    {
        goto free_all;
    }

    szCertInfo = (char*)malloc(x509Bio->num_write+1);
    if(!szCertInfo)
    {
        goto free_all;
    }

    memset(szCertInfo, 0, x509Bio->num_write+1);
    BIO_read(x509Bio, szCertInfo, x509Bio->num_write);

    info = szCertInfo;


free_all:
    if(bio)
        BIO_free(bio);
    if(p12)
        PKCS12_free(p12);
    if(x509Bio)
        BIO_free(x509Bio);
    if(szCertInfo)
        free(szCertInfo);

}

// crt
int getCertInfo(string path, string &info)
{
    BIO *bio = NULL;
    X509 *x509 = NULL;
    BIO *x509Bio = NULL;
    char *szCertInfo = NULL;

    bio = BIO_new_file(path.c_str(),"r");
    if(!bio)
    {
        goto free_all;
    }

    x509 = d2i_X509_bio(bio, NULL);
    if(!x509)
    {
        goto free_all;
    }

    x509Bio = BIO_new(BIO_s_mem());
    X509_print(x509Bio, x509);
    if(x509Bio->num_write == 0)
    {
        goto free_all;
    }

    szCertInfo = (char*)malloc(x509Bio->num_write+1);
    if(!szCertInfo)
    {
        goto free_all;
    }

    memset(szCertInfo, 0, x509Bio->num_write+1);
    BIO_read(x509Bio, szCertInfo, x509Bio->num_write);

    info = szCertInfo;


free_all:
    if(bio)
        BIO_free(bio);
    if(x509)
        X509_free(x509);
    if(x509Bio)
        BIO_free(x509Bio);
    if(szCertInfo)
        free(szCertInfo);

}

5、读取证书和密钥

// p12
void p_getP12FromCertFile(const string filePath, PKCS12 **p12)
{
    BIO *bio = NULL;
    
    bio = BIO_new_file(filePath.c_str(),"r");
    if(!bio)
    {
        goto free_all;
    }
    
    *p12 = d2i_PKCS12_bio(bio, NULL);
    if(!*p12)
    {
        goto free_all;
    }
    
free_all:
    if(bio)
        BIO_free(bio);
}

void p_getRSAKeyFromP12(PKCS12 *p12, const string pass, RSA **rsa)
{
    EVP_PKEY *pKey = NULL;
    X509 *x509 = NULL;
    
    if(PKCS12_parse(p12, pass.c_str(), &pKey, &x509, NULL) != 1)
    {
        return;
    }
    
    *rsa = EVP_PKEY_get1_RSA(pKey);
}

// crt
void p_getX509FromCertFile(const string filePath, X509 **x509)
{
    BIO *bio = NULL;
    
    bio = BIO_new_file(filePath.c_str(),"r");
    if(!bio)
    {
        goto free_all;
    }
    
    *x509 = d2i_X509_bio(bio, NULL);
    if(!*x509)
    {
        goto free_all;
    }
    
free_all:
    if(bio)
        BIO_free(bio);
    
}

void p_getRSAKeyFromX509(X509 *x509, RSA **rsa)
{
    EVP_PKEY *pKey = X509_get_pubkey(x509);
    if(!pKey)
    {
        return;
    }
    *rsa = EVP_PKEY_get1_RSA(pKey);
}

6、加解密

#define RSA_Data_Len 256

int p_rsaCrypt(bool bPubKey, bool bEncrypt, RSA *rsa, unsigned char inData[RSA_Data_Len], unsigned char outData[RSA_Data_Len])
{
    memset(outData, 0, RSA_Data_Len);
    
    int (*rsa_func)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
    if(bPubKey && bEncrypt)
    {
        rsa_func = &RSA_public_encrypt;
    }
    else if(bPubKey && !bEncrypt)
    {
        rsa_func = &RSA_public_decrypt;
    }
    else if(!bPubKey && bEncrypt)
    {
        rsa_func = &RSA_private_encrypt;
    }
    else
    {
        rsa_func = &RSA_private_decrypt;
    }
    
    int retLen = rsa_func(RSA_Data_Len, inData, outData, rsa, RSA_NO_PADDING);
    if(retLen < RSA_Data_Len)
    {
        return 1;
    }
    
    return 0;
}

void rsaCrypt(bool bPubKey, bool bEncrypt, const string input, string &output)
{
    int inLen;
    char *szIn;
    if(bEncrypt)
    {
        inLen = input.length();
        szIn = (char*)input.c_str();
    }
    else
    {
        szIn = (char*)alloca(input.length());
        if(!szIn)
        {
            return;
        }
        
        int ret = Base64_Decode(input.c_str(), input.length(), (unsigned char*)szIn, input.length(), &inLen);
        if(ret)
        {
            return;
        }
    }
    
    int round = (inLen+TP_RSA_Data_Len-1)/RSA_Data_Len;// 1024
    int outLen = round*TP_RSA_Data_Len;
    char *szOut = (char *)alloca(outLen);
    if(!szOut)
    {
        return;
    }
    
    for(int i=0; i

7、签名/验签

// 签名
int p_signWithSha256(RSA *rsa, unsigned char *inData, int inLen, unsigned char outData[RSA_Data_Len])
{
    unsigned char sha256[SHA256_DIGEST_LENGTH];
    
    memset(sha256, 0, sizeof(sha256));
    
    // sha256
    SHA256_CTX c;
    SHA256_Init(&c);
    SHA256_Update(&c, inData, inLen);
    SHA256_Final(sha256, &c);
    
    // rsa pri key encrypt
    memset(outData, 0, TP_RSA_Data_Len);
    // OPENSSL_PKCS1_OAEP_PADDING support is only for: PublicKey::encrypt() -> PrivateKey::decrypt()
    int len = RSA_private_encrypt(sizeof(sha256), sha256, outData, rsa, RSA_PKCS1_PADDING);
    if(len != RSA_Data_Len)
    {
        return 1;
    }
    
    return 0;
}

void signWithSha256(string src, string &sign)
{
    unsigned char *bSrc = (unsigned char*)src.c_str();
    int srcLen = src.length();
    unsigned char bSign[TP_RSA_Data_Len];

    memset(bSign, 0, sizeof(bSign));

    int ret = p_signWithSha256(m_rsa, bSrc, srcLen, bSign);
    if(ret)
    {
        return ret;
    }

    // base64
    int base64Len = sizeof(bSign)*2;
    char *szBase64 = (char*)alloca(base64Len);
    int retLen;
    ret = Base64_Encode(bSign, sizeof(bSign), szBase64, base64Len, &retLen);
    if(ret)
    {
        return;
    }

    sign = szBase64;
}

// 验签
int p_verifySignWithSha256(RSA *rsa, unsigned char sign[RSA_Data_Len], unsigned char *src, int srcLen, bool *verify)
{
    *verify = false;
    
    // rsa pub key decrypt
    unsigned char decSha256[SHA256_DIGEST_LENGTH];
    memset(decSha256, 0, sizeof(decSha256));
    
    int len = RSA_public_decrypt(RSA_Data_Len, sign, decSha256, rsa, RSA_PKCS1_PADDING);
    if(len != sizeof(decSha256))
    {
        return 1;
    }
    
    
    // src sha256
    unsigned char srcSha256[SHA256_DIGEST_LENGTH];
    memset(srcSha256, 0, sizeof(srcSha256));
    
    SHA256_CTX c;
    SHA256_Init(&c);
    SHA256_Update(&c, src, srcLen);
    SHA256_Final(srcSha256, &c);
    
    if(memcmp(decSha256, srcSha256, SHA256_DIGEST_LENGTH) == 0)
    {
        *verify = true;
    }
    
    return 0;
}

void verifySignWithSha256(string sign, string src, bool *verify)
{
    unsigned char bSign[RSA_Data_Len];

    memset(bSign, 0, sizeof(bSign));

    int retLen;

    int ret = Base64_Decode(sign.c_str(), sign.length(), bSign, sizeof(bSign), &retLen);
    if(ret)
    {
        return;
    }

    p_verifySignWithSha256(m_rsa, bSign, (unsigned char *)src.c_str(), src.length(), verify);
}






你可能感兴趣的:(C++)