自制CA证书，自制客户端，服务端证书,弄一个简单的https服务器。

    因为面试问道https服务器怎样实现，双向认证怎样实现，缺啥补啥吧，欠下的技术债要花更大的力气去偿还！得自己用C++写一个https服务器，那就得先把根证书啥的都自己弄一个，这篇博客不错https://blog.csdn.net/qq_22239675/article/details/86541088，查资料的时候也算弄清楚12306的证书是咋回事了，感觉反正是在国内，这样也没啥安全不安全的。

      还不知道这样弄出来的证书到底能不能用，得快点把一个简单的https服务器整出来试试。

有时候感觉懒惰真是害人，不过是http协议而已，自己整的一个rtsp协议服务器也不过如此。

http://www.youdzone.com/signature.html  一片老外的博文

What is a Digital Signature?

An introduction to Digital Signatures, by David Youd

---

 

Bob

(Bob's public key) (Bob's private key)

Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.

 

Bob's Co-workers:
				Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself
Pat	Doug	Susan

Bob's Public key is available to anyone who needs it, but he keeps his Private Key to himself. Keys are used to encrypt information. Encrypting information means "scrambling it up", so that only a person with the appropriate key can make it readable again. Either one of Bob's two keys can encrypt data, and the other key can decrypt that data.

Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his Private Key to decrypt the message. Any of Bob's coworkers might have access to the message Susan encrypted, but without Bob's Private Key, the data is worthless.

 

"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"

HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A

 

HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A

"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"

With his private key and the right software, Bob can put digital signatures on documents and other data. A digital signature is a "stamp" Bob places on the data which is unique to Bob, and is very difficult to forge. In addition, the signature assures that any changes made to the data that has been signed can not go undetected.

 

 

To sign a document, Bob's software will crunch down the data into just a few lines by a process called "hashing". These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.)

 

Bob's software then encrypts the message digest with his private key. The result is the digital signature.

 

Finally, Bob's software appends the digital signature to document. All of the data that was hashed has been signed.

 

Bob now passes the document on to Pat.

 

First, Pat's software decrypts the signature (using Bob's public key) changing it back into a message digest. If this worked, then it proves that Bob signed the document, because only Bob has his private key. Pat's software then hashes the document data into a message digest. If the message digest is the same as the message digest created when the signature was decrypted, then Pat knows that the signed data has not been changed.

 

Plot complication...

 

Doug (our disgruntled employee) wishes to deceive Pat. Doug makes sure that Pat receives a signed message and a public key that appears to belong to Bob. Unbeknownst to Pat, Doug deceitfully sent a key pair he created using Bob's name. Short of receiving Bob's public key from him in person, how can Pat be sure that Bob's public key is authentic?

It just so happens that Susan works at the company's certificate authority center. Susan can create a digital certificate for Bob simply by signing Bob's public key as well as some information about Bob.

 

Bob Info:      Name      Department      Cubical Number Certificate Info:      Expiration Date      Serial Number Bob's Public Key:

Now Bob's co-workers can check Bob's trusted certificate to make sure that his public key truly belongs to him. In fact, no one at Bob's company accepts a signature for which there does not exist a certificate generated by Susan. This gives Susan the power to revoke signatures if private keys are compromised, or no longer needed. There are even more widely accepted certificate authorities that certify Susan.

Let's say that Bob sends a signed document to Pat. To verify the signature on the document, Pat's software first uses Susan's (the certificate authority's) public key to check the signature on Bob's certificate. Successful de-encryption of the certificate proves that Susan created it. After the certificate is de-encrypted, Pat's software can check if Bob is in good standing with the certificate authority and that all of the certificate information concerning Bob's identity has not been altered.

Pat's software then takes Bob's public key from the certificate and uses it to check Bob's signature. If Bob's public key de-encrypts the signature successfully, then Pat is assured that the signature was created using Bob's private key, for Susan has certified the matching public key. And of course, if the signature is valid, then we know that Doug didn't try to change the signed content.

 

Although these steps may sound complicated, they are all handled behind the scenes by Pat's user-friendly software. To verify a signature, Pat need only click on it.

root@root-PC:~/Documents$ mkdir ca
root@root-PC:~/Documents$ chmod 777 ca
root@root-PC:~/Documents$ cd ca
root@root-PC:~/Documents/ca$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....+++++
.+++++
e is 65537 (0x010001)
root@root-PC:~/Documents/ca$ openssl rsa -in server.key -pubout -out server.pem
writing RSA key
root@root-PC:~/Documents/ca$ ls
server.key  server.pem
root@root-PC:~/Documents/ca$ openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
.+++++
.....+++++
e is 65537 (0x010001)
root@root-PC:~/Documents/ca$ openssl rsa -in client.key -pubout -out client.pem
writing RSA key
root@root-PC:~/Documents/ca$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........+++++
..........................................................+++++
e is 65537 (0x010001)
root@root-PC:~/Documents/ca$ openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:mycaca
Locality Name (eg, city) []:mycaca
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycaca
Organizational Unit Name (eg, section) []:mycaca
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:              

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:mycaca
root@root-PC:~/Documents/ca$ ls
ca.csr  ca.key  client.key  client.pem  server.key  server.pem
root@root-PC:~/Documents/ca$ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = CN, ST = mycaca, L = mycaca, O = mycaca, OU = mycaca, CN = localhost
Getting Private key
root@root-PC:~/Documents/ca$ ls
ca.crt  ca.csr  ca.key  client.key  client.pem  server.key  server.pem
root@root-PC:~/Documents/ca$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:myserver
Locality Name (eg, city) []:myserver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myserver
Organizational Unit Name (eg, section) []:myserver
Common Name (e.g. server FQDN or YOUR name) []:myserver
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:myserver
root@root-PC:~/Documents/ca$ ls
ca.crt  ca.csr  ca.key  client.key  client.pem  server.csr  server.key  server.pem
root@root-PC:~/Documents/ca$ openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = CN, ST = myserver, L = myserver, O = myserver, OU = myserver, CN = myserver
Getting CA Private Key
root@root-PC:~/Documents/ca$ ls
ca.crt  ca.csr  ca.key  ca.srl  client.key  client.pem  server.crt  server.csr  server.key  server.pem
root@root-PC:~/Documents/ca$ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:myclient
Locality Name (eg, city) []:myclient
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myclient
Organizational Unit Name (eg, section) []:myclient
Common Name (e.g. server FQDN or YOUR name) []:myclient
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:myclient
root@root-PC:~/Documents/ca$ ls
ca.crt  ca.csr  ca.key  ca.srl  client.csr  client.key  client.pem  server.crt  server.csr  server.key  server.pem
root@root-PC:~/Documents/ca$ openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = CN, ST = myclient, L = myclient, O = myclient, OU = myclient, CN = myclient
Getting CA Private Key

 

fatal error: openssl/ssl.h: 没有那个文件或目录,安装libssl-dev

sudo apt-get install libssl-dev
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
有一些软件包无法被安装。如果您用的是 unstable 发行版，这也许是
因为系统无法达到您要求的状态造成的。该版本中可能会有一些您需要的软件
包尚未被创建或是它们已被从新到(Incoming)目录移出。
下列信息可能会对解决问题有所帮助：

下列软件包有未满足的依赖关系：
 libssl-dev : 依赖: libssl1.1 (= 1.1.0j-1~deb9u1) 但是 1.1.1c-1ubuntu4 正要被安装
              推荐: libssl-doc 但是它将不会被安装
E: 无法修正错误，因为您要求某些软件包保持现状，就是它们破坏了软件包间的依赖关系。
root@root-PC:/media/root/Data/gameserver/mongoose/examples/simplest_web_server_ssl$ dpkg -l *libssl*
期望状态=未知(u)/安装(i)/删除(r)/清除(p)/保持(h)
| 状态=未安装(n)/已安装(i)/仅存配置(c)/仅解压缩(U)/配置失败(F)/不完全安装(H)/触发器等待(W)/触发器未决(T)
|/ 错误?=(无)/须重装(R) (状态，错误：大写=故障)
||/ 名称                        版本               体系结构           描述
+++-===========================-==================-==================-===========================================================
ii  libssl1.0.2:amd64           1.0.2q-1~deb9u1    amd64              Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64             1.1.1c-1ubuntu4    amd64              Secure Sockets Layer toolkit - shared libraries
root@root-PC:/media/root/Data/gameserver/mongoose/examples/simplest_web_server_ssl$ sudo apt-get install aptitude
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
aptitude 已经是最新版 (0.8.7-1)。
升级了 0 个软件包，新安装了 0 个软件包，要卸载 0 个软件包，有 107 个软件包未被升级。
root@root-PC:/media/root/Data/gameserver/mongoose/examples/simplest_web_server_ssl$ sudo aptitude install libssl-dev
下列“新”软件包将被安装。         
  libssl-dev{b} libssl-doc{a} 
0 个软件包被升级，新安装 2 个，0 个将被删除， 同时 107 个将不升级。
需要获取 3,064 kB 的存档。解包后将要使用 11.8 MB。
下列软件包存在未满足的依赖关系：
 libssl-dev : 依赖: libssl1.1 (= 1.1.0j-1~deb9u1) but 1.1.1c-1ubuntu4 is installed
下列动作将解决这些依赖关系：

     保持 下列软件包于其当前版本：
1)     libssl-dev [未安装的]      

是否接受该解决方案？[Y/n/q/?] Y
将不会安装，升级或者删除任何软件包。
0 个软件包被升级，新安装 0 个，0 个将被删除， 同时 107 个将不升级。
需要获取 0 B 的存档。解包后将要使用 0 B。
                                 
root@root-PC:/media/root/Data/gameserver/mongoose/examples/simplest_web_server_ssl$ dpkg -l *libssl*
期望状态=未知(u)/安装(i)/删除(r)/清除(p)/保持(h)
| 状态=未安装(n)/已安装(i)/仅存配置(c)/仅解压缩(U)/配置失败(F)/不完全安装(H)/触发器等待(W)/触发器未决(T)
|/ 错误?=(无)/须重装(R) (状态，错误：大写=故障)
||/ 名称                        版本               体系结构           描述
+++-===========================-==================-==================-===========================================================
ii  libssl1.0.2:amd64           1.0.2q-1~deb9u1    amd64              Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64             1.1.1c-1ubuntu4    amd64              Secure Sockets Layer toolkit - shared libraries
root@root-PC:/media/root/Data/gameserver/mongoose/examples/simplest_web_server_ssl$