C:mbedtls库实现https双向认证连接示例_七侠镇莫尛貝大侠20241122

目的:使用C mbedtls库实现https(RSA证书)双向认证连接。

开发环境:windows 11, VS2022,mbedtls-3.6.2

私钥格式:p1/p8

cpp 复制代码
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

#include <mbedtls/pk.h>
#include <mbedtls/pem.h>
#include <mbedtls/base64.h>


// 这个函数假设 SSL 握手已经成功完成
void print_server_san(mbedtls_ssl_context* ssl) {
    const mbedtls_x509_crt* cert = mbedtls_ssl_get_peer_cert(ssl);

    if (cert == NULL) {
        printf("No server certificate found.\n");
        return;
    }

    // 确保 `subject_alt_names` 是正确的类型
    const mbedtls_x509_sequence* san = &cert->subject_alt_names;
    while (san != NULL) {
        const mbedtls_asn1_buf* entry = &san->buf;
        unsigned char tag = entry->tag;

        // 检查是否为 IP 地址 (context-specific tag 7)
        if ((tag & MBEDTLS_ASN1_TAG_CLASS_MASK) == MBEDTLS_ASN1_CONTEXT_SPECIFIC &&
            (tag & MBEDTLS_ASN1_TAG_VALUE_MASK) == 7) {
            // IP 地址以二进制形式存储
            if (entry->len == 4) { // IPv4 地址
                printf("Server certificate SAN (IP): %u.%u.%u.%u\n",
                    entry->p[0], entry->p[1], entry->p[2], entry->p[3]);
            }
            else if (entry->len == 16) { // IPv6 地址
                printf("Server certificate SAN (IPv6): ");
                for (int i = 0; i < 16; i++) {
                    printf("%02x", entry->p[i]);
                    if (i % 2 == 1 && i < 15) {
                        printf(":");
                    }
                }
                printf("\n");
            }
        }

        san = san->next;
    }
}

void print_mbedtls_error(int ret) {
    char error_buf[100];
    mbedtls_strerror(ret, error_buf, sizeof(error_buf));
    fprintf(stderr, "Error: %s\n", error_buf);
}

int print_prikey_b64() {
    int ret;
    mbedtls_pk_context pkey;
    unsigned char* key_buffer = NULL;
    size_t key_len = 0;
    unsigned char* base64_buffer = NULL;
    size_t base64_len = 0;

    mbedtls_pk_init(&pkey);

    // 读取私钥文件
    ret = mbedtls_pk_parse_keyfile(&pkey, "res/yax/client_p8.key", NULL);
    if (ret != 0) {
        print_mbedtls_error(ret);
        goto cleanup;
    }

    // 获取私钥的 DER 格式所需的缓冲区长度
    key_len = mbedtls_pk_write_key_der(&pkey, NULL, 0);
    if (key_len <= 0) {
        print_mbedtls_error(key_len);
        goto cleanup;
    }

    printf("Key length required for DER format: %zu bytes\n", key_len);

    // 分配比所需长度更大的缓冲区来确保足够的空间
    key_buffer = (unsigned char*)malloc(key_len);
    if (!key_buffer) {
        fprintf(stderr, "Memory allocation failed for key_buffer with size %zu bytes\n", key_len);
        ret = -1;
        goto cleanup;
    }

    // 将私钥写入 DER 格式缓冲区,注意返回值是实际写入的字节数
    ret = mbedtls_pk_write_key_der(&pkey, key_buffer, key_len);
    if (ret < 0) {
        print_mbedtls_error(ret);
        goto cleanup;
    }

    // 计算 Base64 编码所需的缓冲区长度
    key_len = ret;  // 实际写入的字节数
    ret = mbedtls_base64_encode(NULL, 0, &base64_len, key_buffer + (key_len - ret), key_len);
    if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
        print_mbedtls_error(ret);
        goto cleanup;
    }

    // 分配缓冲区以存储 Base64 编码的数据
    base64_buffer = (unsigned char*)malloc(base64_len);
    if (!base64_buffer) {
        fprintf(stderr, "Memory allocation failed for base64_buffer\n");
        ret = -1;
        goto cleanup;
    }

    // 将 DER 格式的私钥转换为 Base64 编码
    ret = mbedtls_base64_encode(base64_buffer, base64_len, &base64_len, key_buffer + (key_len - ret), key_len);
    if (ret != 0) {
        print_mbedtls_error(ret);
        goto cleanup;
    }

    // 打印 Base64 编码的私钥
    printf("Base64 Encoded Private Key:\n%s\n", base64_buffer);

cleanup:
    mbedtls_pk_free(&pkey);
    if (key_buffer) {
        free(key_buffer);
    }
    if (base64_buffer) {
        free(base64_buffer);
    }
    //Key length required for DER format: 18446744073709551508 bytes
    //Memory allocation failed for key_buffer with size 18446744073709551508 bytes

    return ret != 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}

int testHttps_p8() {
	printf("Https功能演示start:\n");

    int ret;
    mbedtls_net_context server_fd;
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    mbedtls_x509_crt cacert, clicert;
    mbedtls_pk_context pkey;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    const char* pers = "ssl_client1";

    // Initialize structures
    mbedtls_net_init(&server_fd);
    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_config_init(&conf);
    mbedtls_x509_crt_init(&cacert);
    mbedtls_x509_crt_init(&clicert);
    mbedtls_pk_init(&pkey);
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_entropy_init(&entropy);

    // 设置 RNG
    //ret = mbedtls_ctr_drbg_seed(&(hc->tls.ctr_drbg), mbedtls_entropy_func, &hc->tls.entropy, NULL, 0);
    //ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char*)pers, strlen(pers));
    ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
    if (ret != 0)
    {
        return ret;
    }


    // Load certificates
    //mbedtls_x509_crt_parse_file(&clicert, "res/yax/client_https_with_chain.cer");  //含有客户端证书链
    mbedtls_x509_crt_parse_file(&clicert, "res/yax/client_https.cer");  //不含有证书链
    mbedtls_x509_crt_parse_file(&cacert, "res/yax/ca.cer");   //所有客户端和服务端所有证书链
    //mbedtls_x509_crt_parse_file(&cacert, "res/yax/root.cer");   //只提供一个服务器证书的root证书即可
    mbedtls_pk_parse_keyfile(&pkey, "res/yax/client_p8.key", NULL);    //p1或p8格式都可以,但必须包含头尾
    //mbedtls_pk_parse_keyfile(&pkey, "res/yax2/client_p8.key", NULL);

    mbedtls_ssl_conf_authmode(&ssl, MBEDTLS_SSL_VERIFY_REQUIRED);  //设置认证模式为 MBEDTLS_SSL_VERIFY_OPTIONAL 或 MBEDTLS_SSL_VERIFY_NONE 来调试是否由于证书验证失败引起的问题
                                                                  //但是,这仅用于调试,生产环境应该始终使用 MBEDTLS_SSL_VERIFY_REQUIRED。          
    // Seed the random number generator
    //mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char*)pers, strlen(pers));

    // Setup SSL configuration
    mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
    mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
    mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
    mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
    mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey);

   
    //mbedtls_ssl_set_hostname(&ssl, "4.3.2.1");   //服务器证书alt name dns = ip而不是域名时,不要调用这个
    //mbedtls_ssl_set_hostname(&ssl, NULL); //忽略主机名验证
    //mbedtls_ssl_conf_verify(&conf, 0, NULL);  // 设置自定义的证书验证回调


    // Connect to server
    mbedtls_net_connect(&server_fd, "4.3.2.1", "443", MBEDTLS_NET_PROTO_TCP);    //rsa https 测试服务端
    //mbedtls_net_connect(&server_fd, "4.3.2.1", "443", MBEDTLS_NET_PROTO_TCP); //RSA 国密sm2 双算法证书https 不适用。

    // Setup SSL context
    mbedtls_ssl_setup(&ssl, &conf);
    mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);

    // Perform SSL handshake
    while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
        if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
            char error_buf[100];
            mbedtls_strerror(ret, error_buf, 100);
            printf("Handshake failed: %s\n", error_buf);
            return 1;
        }
    }

    //打印服务器证书的san
    print_server_san(&ssl);
    //print_prikey_b64();

    // Communicate with the server
    // ...
    // Send data to server
    const char* msg = "Hello, Server!";
    mbedtls_ssl_write(&ssl, (const unsigned char*)msg, strlen(msg));

    // Read response
    char buffer[1024];
    do {
        memset(buffer, 0, sizeof(buffer));
        ret = mbedtls_ssl_read(&ssl, (unsigned char*)buffer, sizeof(buffer) - 1);

        if (ret > 0) {
            printf("Received %d bytes:\n%s\n", ret, buffer);
        }
        else if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
            break;
        }
    } while (ret > 0);

    // Clean up
    mbedtls_ssl_close_notify(&ssl);
    mbedtls_net_free(&server_fd);
    mbedtls_x509_crt_free(&cacert);
    mbedtls_x509_crt_free(&clicert);
    mbedtls_pk_free(&pkey);
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);

    printf("Https功能演示End:\n");

	return EXIT_SUCCESS;
}

//在证书base64编码前后添加头尾
char* cert_add_ht(const char* filename) {
    FILE* file = fopen(filename, "r");
    if (!file) {
        perror("无法打开文件");
        return NULL;
    }

    // 获取文件大小
    fseek(file, 0, SEEK_END);
    long filesize = ftell(file);
    fseek(file, 0, SEEK_SET);

    // 分配内存读取文件内容
    char* base64_data = (char*)malloc(filesize + 1);
    if (!base64_data) {
        perror("内存分配失败");
        fclose(file);
        return NULL;
    }

    fread(base64_data, 1, filesize, file);
    base64_data[filesize] = '\0';  // 确保字符串结束
    fclose(file);

    const char* pem_header = "-----BEGIN CERTIFICATE-----\n";
    const char* pem_footer = "\n-----END CERTIFICATE-----\n";

    // 计算 PEM 格式总长度
    size_t pem_size = strlen(pem_header) + strlen(base64_data) + strlen(pem_footer) + 1;

    // 分配内存以存储 PEM 格式数据
    char* pem_cert = (char*)malloc(pem_size);
    if (!pem_cert) {
        perror("内存分配失败");
        free(base64_data);
        return NULL;
    }

    // 生成 PEM 格式数据
    snprintf(pem_cert, pem_size, "%s%s%s", pem_header, base64_data, pem_footer);

    free(base64_data);
    return pem_cert;
}

char* pkcs1_key_add_ht(const char* filename) {
    FILE* file = fopen(filename, "r");
    if (!file) {
        perror("无法打开文件");
        return NULL;
    }

    // 获取文件大小
    fseek(file, 0, SEEK_END);
    long filesize = ftell(file);
    fseek(file, 0, SEEK_SET);

    // 分配内存读取文件内容
    char* base64_data = (char*)malloc(filesize + 1);
    if (!base64_data) {
        perror("内存分配失败");
        fclose(file);
        return NULL;
    }

    fread(base64_data, 1, filesize, file);
    base64_data[filesize] = '\0';  // 确保字符串结束
    fclose(file);

    const char* pem_header = "-----BEGIN RSA PRIVATE KEY-----\n";
    const char* pem_footer = "\n-----END RSA PRIVATE KEY-----\n";

    // 计算 PEM 格式总长度
    size_t pem_size = strlen(pem_header) + strlen(base64_data) + strlen(pem_footer) + 1;

    // 分配内存以存储 PEM 格式数据
    char* pem_cert = (char*)malloc(pem_size);
    if (!pem_cert) {
        perror("内存分配失败");
        free(base64_data);
        return NULL;
    }

    // 生成 PEM 格式数据
    snprintf(pem_cert, pem_size, "%s%s%s", pem_header, base64_data, pem_footer);

    free(base64_data);
    return pem_cert;
}

int testHttps() {
    printf("Https功能演示start:\n");

    int ret;
    mbedtls_net_context server_fd;
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    mbedtls_x509_crt cacert, clicert;
    mbedtls_pk_context pkey;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    const char* pers = "ssl_client1";

    // Initialize structures
    mbedtls_net_init(&server_fd);
    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_config_init(&conf);
    mbedtls_x509_crt_init(&cacert);
    mbedtls_x509_crt_init(&clicert);
    mbedtls_pk_init(&pkey);
    mbedtls_ctr_drbg_init(&ctr_drbg);
    mbedtls_entropy_init(&entropy);

    // 设置 RNG
    //ret = mbedtls_ctr_drbg_seed(&(hc->tls.ctr_drbg), mbedtls_entropy_func, &hc->tls.entropy, NULL, 0);
    //ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char*)pers, strlen(pers));
    ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
    if (ret != 0)
    {
        return ret;
    }


    const char* file_cert_b64 = "res/yax2/client_https_noht.cer";
    // 读取证书文件(不包含头尾)并转换为 PEM 格式(包含头尾)
    char* pem_cert = cert_add_ht(file_cert_b64);
    // 获取 PEM 证书的大小
    size_t pem_size = strlen(pem_cert) + 1;  // 包括终止符
    mbedtls_x509_crt_parse(&clicert, (const unsigned char*)pem_cert, pem_size);
    free(pem_cert);


    const char* file_key_p1_b64 = "res/yax2/client_p1_noht.key";
    // 读取证书文件(不包含头尾)并转换为 PEM 格式(包含头尾)
    char* pem_key = pkcs1_key_add_ht(file_key_p1_b64);
    // 获取 PEM 证书的大小
    size_t key_size = strlen(pem_key) + 1;  // 包括终止符
    mbedtls_pk_parse_key(&pkey, (const unsigned char*)pem_key, key_size,NULL,0);
    free(pem_key);


    mbedtls_x509_crt_parse_file(&cacert, "res/yax/ca.cer");   //所有客户端和服务端所有证书链


    // Load certificates
    //mbedtls_x509_crt_parse_file(&clicert, "res/yax/client_https_with_chain.cer");  //含有客户端证书链
    //mbedtls_x509_crt_parse_file(&clicert, "res/yax2/client_https_noht.cer");  //不含有证书链

    //mbedtls_x509_crt_parse_file(&cacert, "res/yax/ca.cer");   //所有客户端和服务端所有证书链
    //mbedtls_x509_crt_parse_file(&cacert, "res/yax/root.cer");   //只提供一个服务器证书的root证书即可
    //mbedtls_pk_parse_keyfile(&pkey, "res/yax2/client_p1.key", NULL);    //p1或p8格式都可以,但必须包含头尾
    //mbedtls_pk_parse_keyfile(&pkey, "res/yax2/client_p8.key", NULL);

    mbedtls_ssl_conf_authmode(&ssl, MBEDTLS_SSL_VERIFY_REQUIRED);  //设置认证模式为 MBEDTLS_SSL_VERIFY_OPTIONAL 或 MBEDTLS_SSL_VERIFY_NONE 来调试是否由于证书验证失败引起的问题
    //但是,这仅用于调试,生产环境应该始终使用 MBEDTLS_SSL_VERIFY_REQUIRED。          
// Seed the random number generator
//mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char*)pers, strlen(pers));

// Setup SSL configuration
    mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
    mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
    mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
    mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
    mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey);


    //mbedtls_ssl_set_hostname(&ssl, "1.2.3.4");   //服务器证书alt name dns = ip而不是域名时,不要调用这个
    //mbedtls_ssl_set_hostname(&ssl, NULL); //忽略主机名验证
    //mbedtls_ssl_conf_verify(&conf, 0, NULL);  // 设置自定义的证书验证回调


    // Connect to server
    mbedtls_net_connect(&server_fd, "2.3.4.5", "443", MBEDTLS_NET_PROTO_TCP);    //rsa https 测试服务端
    //mbedtls_net_connect(&server_fd, "2.3.4.5", "443", MBEDTLS_NET_PROTO_TCP); //RSA 国密sm2 双算法证书https 不适用。

    // Setup SSL context
    mbedtls_ssl_setup(&ssl, &conf);
    mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);

    // Perform SSL handshake
    while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
        if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
            char error_buf[100];
            mbedtls_strerror(ret, error_buf, 100);
            printf("Handshake failed: %s\n", error_buf);
            return 1;
        }
    }

    //打印服务器证书的san
    print_server_san(&ssl);
    //print_prikey_b64();

    // Communicate with the server
    // ...
    // Send data to server
    const char* msg = "Hello, Server!";
    mbedtls_ssl_write(&ssl, (const unsigned char*)msg, strlen(msg));

    // Read response
    char buffer[1024];
    do {
        memset(buffer, 0, sizeof(buffer));
        ret = mbedtls_ssl_read(&ssl, (unsigned char*)buffer, sizeof(buffer) - 1);

        if (ret > 0) {
            printf("Received %d bytes:\n%s\n", ret, buffer);
        }
        else if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
            break;
        }
    } while (ret > 0);

    // Clean up
    mbedtls_ssl_close_notify(&ssl);
    mbedtls_net_free(&server_fd);
    mbedtls_x509_crt_free(&cacert);
    mbedtls_x509_crt_free(&clicert);
    mbedtls_pk_free(&pkey);
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);

    printf("Https功能演示End:\n");

    return EXIT_SUCCESS;
}
相关推荐
Yhame.22 分钟前
深入理解 Java 中的 ArrayList 和 List:泛型与动态数组
java·开发语言
mazo_command2 小时前
【MATLAB课设五子棋教程】(附源码)
开发语言·matlab
IT猿手2 小时前
多目标应用(一):多目标麋鹿优化算法(MOEHO)求解10个工程应用,提供完整MATLAB代码
开发语言·人工智能·算法·机器学习·matlab
青春男大2 小时前
java栈--数据结构
java·开发语言·数据结构·学习·eclipse
88号技师2 小时前
几款性能优秀的差分进化算法DE(SaDE、JADE,SHADE,LSHADE、LSHADE_SPACMA、LSHADE_EpSin)-附Matlab免费代码
开发语言·人工智能·算法·matlab·优化算法
Zer0_on2 小时前
数据结构栈和队列
c语言·开发语言·数据结构
一只小bit2 小时前
数据结构之栈,队列,树
c语言·开发语言·数据结构·c++
马浩同学3 小时前
【GD32】从零开始学GD32单片机 | DAC数模转换器 + 三角波输出例程
c语言·单片机·嵌入式硬件·mcu
一个没有本领的人3 小时前
win11+matlab2021a配置C-COT
c语言·开发语言·matlab·目标跟踪
一只自律的鸡4 小时前
C项目 天天酷跑(下篇)
c语言·开发语言