Chromium Code Reviews| Index: webrtc/base/opensslidentity.cc |
| diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc |
| index dbb040ecf41d6ceaf7ca64f5ead6b000a40612f8..7f71a5ee772feaadbb69488008cfc18696515d6c 100644 |
| --- a/webrtc/base/opensslidentity.cc |
| +++ b/webrtc/base/opensslidentity.cc |
| @@ -46,23 +46,39 @@ static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily |
| static const int CERTIFICATE_WINDOW = -60*60*24; |
| // Generate a key pair. Caller is responsible for freeing the returned object. |
| -static EVP_PKEY* MakeKey() { |
| +static EVP_PKEY* MakeKey(KeyType key_type) { |
| LOG(LS_INFO) << "Making key pair"; |
| EVP_PKEY* pkey = EVP_PKEY_new(); |
| - // RSA_generate_key is deprecated. Use _ex version. |
| - BIGNUM* exponent = BN_new(); |
| - RSA* rsa = RSA_new(); |
| - if (!pkey || !exponent || !rsa || |
| - !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent |
| - !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) || |
| - !EVP_PKEY_assign_RSA(pkey, rsa)) { |
| - EVP_PKEY_free(pkey); |
| + if (key_type == KT_RSA) { |
| + BIGNUM* exponent = BN_new(); |
| + RSA* rsa = RSA_new(); |
| + if (!pkey || !exponent || !rsa || |
| + !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent |
| + !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) || |
| + !EVP_PKEY_assign_RSA(pkey, rsa)) { |
| + EVP_PKEY_free(pkey); |
| + BN_free(exponent); |
| + RSA_free(rsa); |
| + LOG(LS_ERROR) << "Failed to make RSA key pair"; |
| + return NULL; |
| + } |
| + // ownership of rsa struct was assigned, don't free it. |
| BN_free(exponent); |
| - RSA_free(rsa); |
| + } else if (key_type == KT_ECDSA) { |
| + EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| + if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || |
| + !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { |
| + EVP_PKEY_free(pkey); |
| + EC_KEY_free(ec_key); |
| + LOG(LS_ERROR) << "Failed to make EC key pair"; |
| + return NULL; |
| + } |
| + } else { |
| + EVP_PKEY_free(pkey); |
| + LOG(LS_ERROR) << "Key type requested not understood"; |
|
tommi
2015/06/15 21:02:42
[D]CHECK instead?
torbjorng (webrtc)
2015/06/16 14:11:51
Caller needs to handle this, making no change.
|
| return NULL; |
| } |
| - // ownership of rsa struct was assigned, don't free it. |
| - BN_free(exponent); |
| + |
| LOG(LS_INFO) << "Returning key pair"; |
| return pkey; |
| } |
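Review bot: The new KT_ECDSA branch creates the key with EC_KEY_new_by_curve_name but never marks it as a named curve, so on OpenSSL releases of this period (before 1.1.0, as far as I recall) the private key and any certificate built from it are DER-encoded with explicit curve parameters rather than the prime256v1 OID, which some peers reject and which inflates the encoded size; BoringSSL always uses named-curve encoding, so the issue only shows up on the OpenSSL backend. After the EC_KEY_new_by_curve_name call and before EC_KEY_generate_key, add `if (ec_key) EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);` with a comment such as `// Encode the curve by name so the serialized key/cert carries the OID, not explicit parameters.` This is a no-op on BoringSSL, so it is safe under both backends. The unknown-key-type branch is already discussed in the inline comment above and is left as is here.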
| @@ -138,8 +154,8 @@ static void LogSSLErrors(const std::string& prefix) { |
| } |
| } |
| -OpenSSLKeyPair* OpenSSLKeyPair::Generate() { |
| - EVP_PKEY* pkey = MakeKey(); |
| +OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) { |
| + EVP_PKEY* pkey = MakeKey(key_type); |
| if (!pkey) { |
| LogSSLErrors("Generating key pair"); |
| return NULL; |
| @@ -207,8 +223,7 @@ OpenSSLCertificate* OpenSSLCertificate::FromPEMString( |
| if (!bio) |
| return NULL; |
| BIO_set_mem_eof_return(bio, 0); |
| - X509 *x509 = PEM_read_bio_X509(bio, NULL, NULL, |
| - const_cast<char*>("\0")); |
| + X509* x509 = PEM_read_bio_X509(bio, NULL, NULL, const_cast<char*>("\0")); |
| BIO_free(bio); // Frees the BIO, but not the pointed-to string. |
| if (!x509) |
| @@ -283,7 +298,7 @@ bool OpenSSLCertificate::ComputeDigest(const X509* x509, |
| unsigned char* digest, |
| size_t size, |
| size_t* length) { |
| - const EVP_MD *md; |
| + const EVP_MD* md; |
| unsigned int n; |
| if (!OpenSSLDigest::GetDigestEVP(algorithm, &md)) |
| @@ -362,11 +377,12 @@ OpenSSLIdentity::OpenSSLIdentity(OpenSSLKeyPair* key_pair, |
| OpenSSLIdentity::~OpenSSLIdentity() = default; |
| OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( |
| - const SSLIdentityParams& params) { |
| - OpenSSLKeyPair *key_pair = OpenSSLKeyPair::Generate(); |
| + const SSLIdentityParams& params, |
| + KeyType key_type) { |
| + OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(key_type); |
| if (key_pair) { |
| - OpenSSLCertificate *certificate = OpenSSLCertificate::Generate( |
| - key_pair, params); |
| + OpenSSLCertificate* certificate = |
| + OpenSSLCertificate::Generate(key_pair, params); |
| if (certificate) |
| return new OpenSSLIdentity(key_pair, certificate); |
| delete key_pair; |
| @@ -375,17 +391,19 @@ OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( |
| return NULL; |
| } |
| -OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name) { |
| +OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, |
| + KeyType key_type) { |
| SSLIdentityParams params; |
| params.common_name = common_name; |
| params.not_before = CERTIFICATE_WINDOW; |
| params.not_after = CERTIFICATE_LIFETIME; |
| - return GenerateInternal(params); |
| + return GenerateInternal(params, key_type); |
| } |
| OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( |
| - const SSLIdentityParams& params) { |
| - return GenerateInternal(params); |
| + const SSLIdentityParams& params, |
| + KeyType key_type) { |
| + return GenerateInternal(params, key_type); |
| } |
| SSLIdentity* OpenSSLIdentity::FromPEMStrings( |
| @@ -404,8 +422,8 @@ SSLIdentity* OpenSSLIdentity::FromPEMStrings( |
| return NULL; |
| } |
| BIO_set_mem_eof_return(bio, 0); |
| - EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, |
| - const_cast<char*>("\0")); |
| + EVP_PKEY* pkey = |
| + PEM_read_bio_PrivateKey(bio, NULL, NULL, const_cast<char*>("\0")); |
| BIO_free(bio); // Frees the BIO, but not the pointed-to string. |
| if (!pkey) { |