QT Nginx Openssl證書雙向認證

15所 2019-10-30

展開全文

QT+Nginx Openssl證書雙向認證

主要有以下幾點：

1.數(shù)字證書的生成
2.nginx證書的配置
3.Qt使用雙向認證

一、數(shù)字證書的生成

1.生成ca證書

生成ca秘鑰

建議用2048位密鑰，少于此可能會不安全或很快將不安全。

openssl genrsa -des3 -out ca.key 2048

這個命令會生成一個2048位的密鑰，同時有一個des3方法加密的密碼，如果你不想要每次都輸入密碼，可以改成：

#openssl genrsa -out privkey.pem 20481

導(dǎo)出ca證書

openssl rsa -in ca.key -out ca_decrypted.key

openssl req -new -subj '/C=CN/ST=shanghai/L=china/O=test/CN=www.' -x509 -days 3650 -key ca.key -out ca.crt  1

2.生成服務(wù)端證書

openssl genrsa -des3 -out test.com.pem 1024

openssl rsa -in test.com.pem -out test.com.key  1

openssl req -new -subj '/C=CN/ST=shanghai/L=china/O=test/CN=www.' -key test.com.pem -out test.com.csr

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt  1

3.生成客戶端證書

openssl genrsa -out client.pem 2048

openssl req -new -subj '/C=CN/ST=ShangHai/L=china/O=test/CN=www.' -key client.pem -out client-req.csr  1

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt

openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12  1

二.nginx中配置

server {    listen       443;    server_name  www.;    ssl on;                                             #開啟ssl      ssl_certificate  /home/hadoop/ssl/.crt;    #服務(wù)器證書位置      ssl_certificate_key /home/hadoop/ssl/.key; #服務(wù)器私鑰      ssl_client_certificate /home/hadoop/ssl/ca.crt;     #CA證書用于驗證客戶端證書的合法性      ssl_verify_client       on;                         #開啟對客戶端的驗證      ssl_session_timeout 5m;                             #session有效期，5分鐘      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';       #加密算法      ssl_prefer_server_ciphers on;    ...}

3.Qt使用雙向認證

TestAuthentication.h

#ifndef TESTAUTHENTICATION_H#define TESTAUTHENTICATION_H#include <QObject>#include <QNetworkAccessManager>#include <QNetworkRequest>#include <QNetworkReply>#include <QEventLoop>#include <QSslKey>class TestAuthentication: public QObject{    Q_OBJECTpublic:    TestAuthentication(QObject*parent = 0);    ~TestAuthentication();    void auth();};#endif // TESTAUTHENTICATION_H1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

TestAuthentication.cpp

#include 'testauthentication.h'TestAuthentication::TestAuthentication(QObject *parent) :    QObject(parent){}TestAuthentication::~TestAuthentication(){}void TestAuthentication::auth(){    QNetworkAccessManager manager;    QNetworkRequest request;    QSslConfiguration config;    QByteArray password='123456';      //生成客戶端證書時的密碼    QFile pkcs('D:\\ssl\\client.p12'); //生成的證書路徑    pkcs.open(QFile::ReadOnly);    QSslKey key;    QSslCertificate cert;    QList<QSslCertificate> certs;    bool import = QSslCertificate::importPkcs12(&pkcs,&key,&cert,&certs,password);    qDebug()<<import;    pkcs.close();    config.setPrivateKey(key);    config.setLocalCertificate(cert);    config.setProtocol(QSsl::TlsV1_2);    request.setSslConfiguration(config);    request.setUrl(QUrl('https://www.'));    QNetworkReply *reply = manager.get(request);    QEventLoop loop;    connect(&manager,&QNetworkAccessManager::finished,&loop,&QEventLoop::quit);    loop.exec();    qDebug()<<reply->readAll();}

#include 'testauthentication.h'#include <QApplication>int main(int argc, char *argv[]){    QApplication a(argc, argv);    TestAuthentication test;    test.auth();    return 0;}1
2
3
4
5
6
7
8
9
10
11

附件：

#!/bin/bashSUBJECT='/C=CN/ST=shanghai/L=china/O=testServer/CN=www.'cd  ~/  mkdir ssl  cd ssl  mkdir demoCA  cd demoCA  mkdir newcerts  mkdir private  touch index.txt  echo '01' > serial  cd ..#openssl genrsa -des3 -out ca.key 2048  openssl genrsa  -out ca.key 2048  openssl rsa -in ca.key -out ca_decrypted.key  openssl req -new -subj $SUBJECT -x509 -days 3650 -key ca.key -out ca.crt  #openssl genrsa -des3 -out .pem 1024  openssl genrsa  -out .pem 1024  openssl rsa -in .pem -out .key  openssl req -new -subj $SUBJECT -key .pem -out .csr  openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in .csr -out .crt  cat ca.crt >> .crt  #openssl genrsa -des3 -out client.pem 2048  openssl genrsa -out client.pem 2048  SUBJECT='/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.'openssl req -new -subj $SUBJECT -key client.pem -out client-req.csr  openssl ca -policy policy_anything -days 1460 -cert ca.crt  -keyfile ca.key -in client-req.csr -out client.crt  openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12