Added DtlsCertificate, a ref counted object owning an SSLIdentity

talk/app/webrtc/webrtcsessiondescriptionfactory.cc

 /*
  * libjingle
  * Copyright 2013 Google Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *  1. Redistributions of source code must retain the above copyright notice,
  *     this list of conditions and the following disclaimer.
  *  2. Redistributions in binary form must reproduce the above copyright notice,
  *     this list of conditions and the following disclaimer in the documentation
  *     and/or other materials provided with the distribution.
  *  3. The name of the author may not be used to endorse or promote products
  *     derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
  * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "talk/app/webrtc/webrtcsessiondescriptionfactory.h"
 
-#include "talk/app/webrtc/dtlsidentitystore.h"
+#include "talk/app/webrtc/dtlsidentityservice.h"
 #include "talk/app/webrtc/jsep.h"
 #include "talk/app/webrtc/jsepsessiondescription.h"
 #include "talk/app/webrtc/mediaconstraintsinterface.h"
 #include "talk/app/webrtc/mediastreamsignaling.h"
 #include "talk/app/webrtc/webrtcsession.h"
 
 using cricket::MediaSessionOptions;
 
 namespace webrtc {
 namespace {
@@ skipping 20 matching lines @@
   std::sort(sorted_streams.begin(), sorted_streams.end(), CompareStream);
   MediaSessionOptions::Streams::iterator it =
       std::adjacent_find(sorted_streams.begin(), sorted_streams.end(),
                          SameId);
   return it == sorted_streams.end();
 }
 
 enum {
   MSG_CREATE_SESSIONDESCRIPTION_SUCCESS,
   MSG_CREATE_SESSIONDESCRIPTION_FAILED,
-  MSG_GENERATE_IDENTITY,
+  MSG_USE_CONSTRUCTOR_CERTIFICATE
 };
 
 struct CreateSessionDescriptionMsg : public rtc::MessageData {
   explicit CreateSessionDescriptionMsg(
       webrtc::CreateSessionDescriptionObserver* observer)
       : observer(observer) {
   }
 
   rtc::scoped_refptr<webrtc::CreateSessionDescriptionObserver> observer;
   std::string error;
   rtc::scoped_ptr<webrtc::SessionDescriptionInterface> description;
 };
 }  // namespace
 
 void WebRtcIdentityRequestObserver::OnFailure(int error) {
   SignalRequestFailed(error);
 }
 
 void WebRtcIdentityRequestObserver::OnSuccess(
     const std::string& der_cert, const std::string& der_private_key) {
   std::string pem_cert = rtc::SSLIdentity::DerToPem(
       rtc::kPemTypeCertificate,
       reinterpret_cast<const unsigned char*>(der_cert.data()),
       der_cert.length());
   std::string pem_key = rtc::SSLIdentity::DerToPem(
       rtc::kPemTypeRsaPrivateKey,
       reinterpret_cast<const unsigned char*>(der_private_key.data()),
       der_private_key.length());
-  rtc::SSLIdentity* identity =
-      rtc::SSLIdentity::FromPEMStrings(pem_key, pem_cert);
-  SignalIdentityReady(identity);
+  rtc::scoped_ptr<rtc::SSLIdentity> identity(
+      rtc::SSLIdentity::FromPEMStrings(pem_key, pem_cert));
+  SignalCertificateReady(DtlsCertificate::Create(identity.Pass()));
 }
 
 void WebRtcIdentityRequestObserver::OnSuccessWithIdentityObj(
     rtc::scoped_ptr<rtc::SSLIdentity> identity) {
-  SignalIdentityReady(identity.release());
+  SignalCertificateReady(DtlsCertificate::Create(identity.Pass()));
 }
 
 // static
 void WebRtcSessionDescriptionFactory::CopyCandidatesFromSessionDescription(
     const SessionDescriptionInterface* source_desc,
     SessionDescriptionInterface* dest_desc) {
   if (!source_desc)
     return;
   for (size_t m = 0; m < source_desc->number_of_mediasections() &&
                      m < dest_desc->number_of_mediasections(); ++m) {
     const IceCandidateCollection* source_candidates =
         source_desc->candidates(m);
     const IceCandidateCollection* dest_candidates = dest_desc->candidates(m);
     for  (size_t n = 0; n < source_candidates->count(); ++n) {
       const IceCandidateInterface* new_candidate = source_candidates->at(n);
       if (!dest_candidates->HasCandidate(new_candidate))
         dest_desc->AddCandidate(source_candidates->at(n));
     }
   }
 }
 
 WebRtcSessionDescriptionFactory::WebRtcSessionDescriptionFactory(
     rtc::Thread* signaling_thread,
+    rtc::Thread* worker_thread,
     cricket::ChannelManager* channel_manager,
     MediaStreamSignaling* mediastream_signaling,
     DTLSIdentityServiceInterface* dtls_identity_service,
+    rtc::scoped_refptr<DtlsCertificate> certificate,
     WebRtcSession* session,
     const std::string& session_id,
     cricket::DataChannelType dct,
     bool dtls_enabled)
     : signaling_thread_(signaling_thread),
+      worker_thread_(worker_thread),
       mediastream_signaling_(mediastream_signaling),
       session_desc_factory_(channel_manager, &transport_desc_factory_),
       // RFC 4566 suggested a Network Time Protocol (NTP) format timestamp
       // as the session id and session version. To simplify, it should be fine
       // to just use a random number as session id and start version from
       // |kInitSessionVersion|.
       session_version_(kInitSessionVersion),
       identity_service_(dtls_identity_service),
+      certificate_(certificate),
       session_(session),
       session_id_(session_id),
       data_channel_type_(dct),
-      identity_request_state_(IDENTITY_NOT_NEEDED) {
+      certificate_request_state_(CERTIFICATE_NOT_NEEDED) {
   transport_desc_factory_.set_protocol(cricket::ICEPROTO_RFC5245);
   session_desc_factory_.set_add_legacy_streams(false);
   // SRTP-SDES is disabled if DTLS is on.
   SetSdesPolicy(dtls_enabled ? cricket::SEC_DISABLED : cricket::SEC_REQUIRED);
 
   if (!dtls_enabled) {
     return;
   }
 
-  if (identity_service_.get()) {
+  certificate_request_state_ = CERTIFICATE_WAITING;
+  if (certificate_.get()) {
+    LOG(LS_VERBOSE) << "DTLS-SRTP enabled; using DTLS certificate.";
+    // We already have a certificate but we wait to do SetCertificate; if we do
+    // it in the constructor then the caller has not had a chance to connect to
+    // SignalCertificateReady.
+    signaling_thread_->Post(this, MSG_USE_CONSTRUCTOR_CERTIFICATE, NULL);

[Henrik Grunell WebRTC, 2015/08/06 14:06:52]

As discussed, pass the certificate here.

[hbos, 2015/08/10 15:10:18]

Acknowledged.

+  } else {
+    // No certificate provided, time to generate a new certificate.
+
+    // Create observer and connect callback functions.

[Henrik Grunell WebRTC, 2015/08/06 14:06:52]

Remove this comment, its clear from the code what is done.

[hbos, 2015/08/10 15:10:18]

Acknowledged.

     identity_request_observer_ =
       new rtc::RefCountedObject<WebRtcIdentityRequestObserver>();
-
     identity_request_observer_->SignalRequestFailed.connect(
         this, &WebRtcSessionDescriptionFactory::OnIdentityRequestFailed);
-    identity_request_observer_->SignalIdentityReady.connect(
-        this, &WebRtcSessionDescriptionFactory::SetIdentity);
+    identity_request_observer_->SignalCertificateReady.connect(
+        this, &WebRtcSessionDescriptionFactory::SetCertificate);
 
-    if (identity_service_->RequestIdentity(
-            DtlsIdentityStore::kIdentityName,
-            DtlsIdentityStore::kIdentityName,
-            identity_request_observer_)) {
-      LOG(LS_VERBOSE) << "DTLS-SRTP enabled; sent DTLS identity request.";
-      identity_request_state_ = IDENTITY_WAITING;
+    // If an |identity_service_| was not provided we default to using
+    // DtlsIdentityStore and DtlsIdentityService.
+    if (!identity_service_.get()) {
+      identity_store_.reset(
+          new DtlsIdentityStore(signaling_thread_, worker_thread_));
+      identity_service_.reset(new DtlsIdentityService(identity_store_.get()));
+    }
+
+    // Request identity. This happens asynchronously, so the caller will have a
+    // chance to connect to SignalCertificateReady.
+    if (identity_service_->RequestIdentity(DtlsIdentityStore::kIdentityName,
+                                           DtlsIdentityStore::kIdentityName,
+                                           identity_request_observer_)) {
+      LOG(LS_VERBOSE) << "DTLS-SRTP enabled but no certificate supplied, sent "
+                      << "DTLS identity request.";
     } else {
-      LOG(LS_ERROR) << "Failed to send DTLS identity request.";
-      identity_request_state_ = IDENTITY_FAILED;
+      certificate_request_state_ = CERTIFICATE_FAILED;
+      LOG(LS_VERBOSE) << "DTLS-SRTP enabled but no certificate supplied, "
+                      << "FAILED to send DTLS identity request.";
     }
-  } else {
-    identity_request_state_ = IDENTITY_WAITING;
-    // Do not generate the identity in the constructor since the caller has
-    // not got a chance to connect to SignalIdentityReady.
-    signaling_thread_->Post(this, MSG_GENERATE_IDENTITY, NULL);
   }
 }
 
 WebRtcSessionDescriptionFactory::~WebRtcSessionDescriptionFactory() {
   ASSERT(signaling_thread_->IsCurrent());
 
   // Fail any requests that were asked for before identity generation completed.
   FailPendingRequests(kFailedDueToSessionShutdown);
 
   // Process all pending notifications in the message queue.  If we don't do
   // this, requests will linger and not know they succeeded or failed.
   rtc::MessageList list;
   signaling_thread_->Clear(this, rtc::MQID_ANY, &list);
   for (auto& msg : list)
     OnMessage(&msg);
 
   transport_desc_factory_.set_identity(NULL);
 }
 
 void WebRtcSessionDescriptionFactory::CreateOffer(
     CreateSessionDescriptionObserver* observer,
     const PeerConnectionInterface::RTCOfferAnswerOptions& options) {
   cricket::MediaSessionOptions session_options;
 
   std::string error = "CreateOffer";
-  if (identity_request_state_ == IDENTITY_FAILED) {
+  if (certificate_request_state_ == CERTIFICATE_FAILED) {
     error += kFailedDueToIdentityFailed;
     LOG(LS_ERROR) << error;
     PostCreateSessionDescriptionFailed(observer, error);
     return;
   }
 
   if (!mediastream_signaling_->GetOptionsForOffer(options,
                                                   &session_options)) {
     error += " called with invalid options.";
     LOG(LS_ERROR) << error;
     PostCreateSessionDescriptionFailed(observer, error);
     return;
   }
 
   if (!ValidStreams(session_options.streams)) {
     error += " called with invalid media streams.";
     LOG(LS_ERROR) << error;
     PostCreateSessionDescriptionFailed(observer, error);
     return;
   }
 
   if (data_channel_type_ == cricket::DCT_SCTP &&
       mediastream_signaling_->HasDataChannels()) {
     session_options.data_channel_type = cricket::DCT_SCTP;
   }
 
   CreateSessionDescriptionRequest request(
       CreateSessionDescriptionRequest::kOffer, observer, session_options);
-  if (identity_request_state_ == IDENTITY_WAITING) {
+  if (certificate_request_state_ == CERTIFICATE_WAITING) {
     create_session_description_requests_.push(request);
   } else {
-    ASSERT(identity_request_state_ == IDENTITY_SUCCEEDED ||
-           identity_request_state_ == IDENTITY_NOT_NEEDED);
+    ASSERT(certificate_request_state_ == CERTIFICATE_SUCCEEDED ||
+           certificate_request_state_ == CERTIFICATE_NOT_NEEDED);
     InternalCreateOffer(request);
   }
 }
 
 void WebRtcSessionDescriptionFactory::CreateAnswer(
     CreateSessionDescriptionObserver* observer,
     const MediaConstraintsInterface* constraints) {
   std::string error = "CreateAnswer";
-  if (identity_request_state_ == IDENTITY_FAILED) {
+  if (certificate_request_state_ == CERTIFICATE_FAILED) {
     error += kFailedDueToIdentityFailed;
     LOG(LS_ERROR) << error;
     PostCreateSessionDescriptionFailed(observer, error);
     return;
   }
   if (!session_->remote_description()) {
     error += " can't be called before SetRemoteDescription.";
     LOG(LS_ERROR) << error;
     PostCreateSessionDescriptionFailed(observer, error);
     return;
@@ skipping 21 matching lines @@
   }
   // RTP data channel is handled in MediaSessionOptions::AddStream. SCTP streams
   // are not signaled in the SDP so does not go through that path and must be
   // handled here.
   if (data_channel_type_ == cricket::DCT_SCTP) {
     options.data_channel_type = cricket::DCT_SCTP;
   }
 
   CreateSessionDescriptionRequest request(
       CreateSessionDescriptionRequest::kAnswer, observer, options);
-  if (identity_request_state_ == IDENTITY_WAITING) {
+  if (certificate_request_state_ == CERTIFICATE_WAITING) {
     create_session_description_requests_.push(request);
   } else {
-    ASSERT(identity_request_state_ == IDENTITY_SUCCEEDED ||
-           identity_request_state_ == IDENTITY_NOT_NEEDED);
+    ASSERT(certificate_request_state_ == CERTIFICATE_SUCCEEDED ||
+           certificate_request_state_ == CERTIFICATE_NOT_NEEDED);
     InternalCreateAnswer(request);
   }
 }
 
 void WebRtcSessionDescriptionFactory::SetSdesPolicy(
     cricket::SecurePolicy secure_policy) {
   session_desc_factory_.set_secure(secure_policy);
 }
 
 cricket::SecurePolicy WebRtcSessionDescriptionFactory::SdesPolicy() const {
   return session_desc_factory_.secure();
 }
 
 void WebRtcSessionDescriptionFactory::OnMessage(rtc::Message* msg) {
   switch (msg->message_id) {
     case MSG_CREATE_SESSIONDESCRIPTION_SUCCESS: {
       CreateSessionDescriptionMsg* param =
           static_cast<CreateSessionDescriptionMsg*>(msg->pdata);
       param->observer->OnSuccess(param->description.release());
       delete param;
       break;
     }
     case MSG_CREATE_SESSIONDESCRIPTION_FAILED: {
       CreateSessionDescriptionMsg* param =
           static_cast<CreateSessionDescriptionMsg*>(msg->pdata);
       param->observer->OnFailure(param->error);
       delete param;
       break;
     }
-    case MSG_GENERATE_IDENTITY: {
-      LOG(LS_INFO) << "Generating identity.";
-      SetIdentity(rtc::SSLIdentity::Generate(DtlsIdentityStore::kIdentityName));
+    case MSG_USE_CONSTRUCTOR_CERTIFICATE: {
+      LOG(LS_INFO) << "Using certificate supplied to constructor.";
+      DCHECK(certificate_.get());
+      SetCertificate(certificate_);
       break;
     }
     default:
       ASSERT(false);
       break;
   }
 }
 
 void WebRtcSessionDescriptionFactory::InternalCreateOffer(
     CreateSessionDescriptionRequest request) {
@@ skipping 100 matching lines @@
     SessionDescriptionInterface* description) {
   CreateSessionDescriptionMsg* msg = new CreateSessionDescriptionMsg(observer);
   msg->description.reset(description);
   signaling_thread_->Post(this, MSG_CREATE_SESSIONDESCRIPTION_SUCCESS, msg);
 }
 
 void WebRtcSessionDescriptionFactory::OnIdentityRequestFailed(int error) {
   ASSERT(signaling_thread_->IsCurrent());
 
   LOG(LS_ERROR) << "Async identity request failed: error = " << error;
-  identity_request_state_ = IDENTITY_FAILED;
+  certificate_request_state_ = CERTIFICATE_FAILED;
 
   FailPendingRequests(kFailedDueToIdentityFailed);
 }
 
-void WebRtcSessionDescriptionFactory::SetIdentity(
-    rtc::SSLIdentity* identity) {
+void WebRtcSessionDescriptionFactory::SetCertificate(
+    rtc::scoped_refptr<DtlsCertificate> certificate) {
   LOG(LS_VERBOSE) << "Setting new identity";
 
-  identity_request_state_ = IDENTITY_SUCCEEDED;
-  SignalIdentityReady(identity);
+  certificate_ = certificate;
+  DCHECK(certificate_.get());
 
-  transport_desc_factory_.set_identity(identity);
+  certificate_request_state_ = CERTIFICATE_SUCCEEDED;
+  SignalCertificateReady(certificate_);
+
+  transport_desc_factory_.set_identity(certificate->identity());
   transport_desc_factory_.set_secure(cricket::SEC_ENABLED);
 
   while (!create_session_description_requests_.empty()) {
     if (create_session_description_requests_.front().type ==
         CreateSessionDescriptionRequest::kOffer) {
       InternalCreateOffer(create_session_description_requests_.front());
     } else {
       InternalCreateAnswer(create_session_description_requests_.front());
     }
     create_session_description_requests_.pop();
   }
 }
 }  // namespace webrtc