Support generation of EC keys using P256 curve and support ECDSA certs.

webrtc/base/nssstreamadapter.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 50 matching lines @@
 // This isn't elegant, but it's better than an external reference
 static const SrtpCipherMapEntry kSrtpCipherMap[] = {
   {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 },
   {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 },
   {NULL, 0}
 };
 #endif
 
 // Ciphers to enable to get ECDHE encryption with endpoints that support it.
 static const uint32_t kEnabledCiphers[] = {
-  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-};
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256};
 
 // Default cipher used between NSS stream adapters.
 // This needs to be updated when the default of the SSL library changes.
 static const char kDefaultSslCipher10[] =
     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
 static const char kDefaultSslCipher12[] =
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
-
+static const char kDefaultSslEcCipher10[] =
+    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
+static const char kDefaultSslEcCipher12[] =
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
 
 // Implementation of NSPR methods
 static PRStatus StreamClose(PRFileDesc *socket) {
   ASSERT(!socket->lower);
   socket->dtor(socket);
   return PR_SUCCESS;
 }
 
 static PRInt32 StreamRead(PRFileDesc *socket, void *buf, PRInt32 length) {
   StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret);
@@ skipping 396 matching lines @@
 
     if (identity_.get()) {
       identity = static_cast<NSSIdentity *>(identity_.get());
     } else {
       LOG(LS_ERROR) << "Can't be an SSL server without an identity";
       Error("BeginSSL", -1, false);
       return -1;
     }
     rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(),
                                 identity->keypair()->privkey(),
-                                kt_rsa);
+                                identity->keypair()->ssl_kea_type());
     if (rv != SECSuccess) {
       Error("BeginSSL", -1, false);
       return -1;
     }
 
     // Insist on a certificate from the client
     rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
     if (rv != SECSuccess) {
       Error("BeginSSL", -1, false);
       return -1;
@@ skipping 577 matching lines @@
   return true;
 #else
   return false;
 #endif
 }
 
 bool NSSStreamAdapter::HaveExporter() {
   return true;
 }
 
-std::string NSSStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version) {
-  switch (version) {
-    case SSL_PROTOCOL_TLS_10:
-    case SSL_PROTOCOL_TLS_11:
-      return kDefaultSslCipher10;
-    case SSL_PROTOCOL_TLS_12:
-    default:
-      return kDefaultSslCipher12;
+std::string NSSStreamAdapter::GetDefaultSslCipher(SSLProtocolVersion version,
+                                                  KeyType key_type) {
+  if (key_type == KT_RSA) {
+    switch (version) {
+      case SSL_PROTOCOL_TLS_10:
+      case SSL_PROTOCOL_TLS_11:
+        return kDefaultSslCipher10;
+      case SSL_PROTOCOL_TLS_12:
+      default:
+        return kDefaultSslCipher12;
+    }
+  } else if (key_type == KT_ECDSA) {
+    switch (version) {
+      case SSL_PROTOCOL_TLS_10:
+      case SSL_PROTOCOL_TLS_11:
+        return kDefaultSslEcCipher10;
+      case SSL_PROTOCOL_TLS_12:
+      default:
+        return kDefaultSslEcCipher12;
+    }
+  } else {
+    return std::string();
   }
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_NSS_SSL_H