RTCCertificates added to RTCConfiguration, used by WebRtcSession/-DescriptionFactory

talk/app/webrtc/webrtcsession.cc

 /*
  * libjingle
  * Copyright 2012 Google Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *  1. Redistributions of source code must retain the above copyright notice,
  *     this list of conditions and the following disclaimer.
  *  2. Redistributions in binary form must reproduce the above copyright notice,
@@ skipping 558 matching lines @@
 
 bool WebRtcSession::Initialize(
     const PeerConnectionFactoryInterface::Options& options,
     const MediaConstraintsInterface*  constraints,
     rtc::scoped_ptr<DtlsIdentityStoreInterface> dtls_identity_store,
     const PeerConnectionInterface::RTCConfiguration& rtc_configuration) {
   bundle_policy_ = rtc_configuration.bundle_policy;
   rtcp_mux_policy_ = rtc_configuration.rtcp_mux_policy;
   SetSslMaxProtocolVersion(options.ssl_max_version);
 
+  // Obtain a certificate from RTCConfiguration if any were provided (optional).
+  rtc::scoped_refptr<rtc::RTCCertificate> certificate;
+  if (!rtc_configuration.certificates.empty()) {
+    // TODO(hbos,torbjorng): How to decide which certificate to use?

[torbjorng (webrtc), 2015/08/21 12:39:19]

My understanding is that multiple certificates make sense for DTLS negotiations.
 Quoting from the RFC at 4.2.1.1:

"Although any given DTLS connection will use only one certificate, this
attribute allows the caller to provide multiple certificates that support
different algorithms. The final certificate will be selected based on the DTLS
handshake, which establishes which certificates are allowed. The
RTCPeerConnection implementation selects which of the certificates is used for a
given connection; how certificates are selected is outside the scope of this
specification."

[hbos, 2015/08/24 10:16:43]

Acknowledged. We must look into this more, major code changes might be necessary
including passing around a collection of certificates instead of a single one.
But leaving as-is for the current CL. Let's walk before we can run; let's
support ECDSA before we can do proper DTLS negotiations.

+    certificate = rtc_configuration.certificates[0];
+  }
+
   // TODO(perkj): Take |constraints| into consideration. Return false if not all
   // mandatory constraints can be fulfilled. Note that |constraints|
   // can be null.
   bool value;
 
   if (options.disable_encryption) {
     dtls_enabled_ = false;
   } else {
-    // Enable DTLS by default if we have a |dtls_identity_store|.
-    dtls_enabled_ = (dtls_identity_store != nullptr);
+    // Enable DTLS by default if we have an identity store or a certificate.
+    dtls_enabled_ = (dtls_identity_store || certificate);
     // |constraints| can override the default |dtls_enabled_| value.
     if (FindConstraint(
           constraints,
           MediaConstraintsInterface::kEnableDtlsSrtp,
-          &value, NULL)) {
+          &value, nullptr)) {
       dtls_enabled_ = value;
     }
   }
 
   // Enable creation of RTP data channels if the kEnableRtpDataChannels is set.
   // It takes precendence over the disable_sctp_data_channels
   // PeerConnectionFactoryInterface::Options.
   if (FindConstraint(
       constraints, MediaConstraintsInterface::kEnableRtpDataChannels,
       &value, NULL) && value) {
@@ skipping 96 matching lines @@
   const cricket::VideoCodec default_codec(
       JsepSessionDescription::kDefaultVideoCodecId,
       JsepSessionDescription::kDefaultVideoCodecName,
       JsepSessionDescription::kMaxVideoCodecWidth,
       JsepSessionDescription::kMaxVideoCodecHeight,
       JsepSessionDescription::kDefaultVideoCodecFramerate,
       JsepSessionDescription::kDefaultVideoCodecPreference);
   channel_manager_->SetDefaultVideoEncoderConfig(
       cricket::VideoEncoderConfig(default_codec));
 
-  webrtc_session_desc_factory_.reset(new WebRtcSessionDescriptionFactory(
-      signaling_thread(),
-      channel_manager_,
-      mediastream_signaling_,
-      dtls_identity_store.Pass(),
-      this,
-      id(),
-      data_channel_type_,
-      dtls_enabled_));
+  if (!dtls_enabled_) {
+    // Construct with DTLS disabled.
+    webrtc_session_desc_factory_.reset(new WebRtcSessionDescriptionFactory(
+        signaling_thread(),
+        channel_manager_,
+        mediastream_signaling_,
+        this,
+        id(),
+        data_channel_type_));
+  } else {
+    // Construct with DTLS enabled.
+    if (!certificate) {

[torbjorng (webrtc), 2015/08/21 12:39:19]

Is dtls_identity_store.Pass() and certificate type compatible?
Then, consider combining these calls via a conditionally assigned parameter.

[hbos, 2015/08/24 10:16:43]

You either use store and not certificate, or certificate and not store. If it
took both then it would have to ignore one of the parameters if the other is not
null (ignore store if cert != null). I originally made a constructor that took
both parameters but was asked in the previous version of these CLs to split it
up into different constructor calls.

+      // Use the |dtls_identity_store| to generate a certificate.
+      webrtc_session_desc_factory_.reset(new WebRtcSessionDescriptionFactory(
+          signaling_thread(),
+          channel_manager_,
+          mediastream_signaling_,
+          dtls_identity_store.Pass(),
+          this,
+          id(),
+          data_channel_type_));
+    } else {
+      // Use the already generated certificate.
+      webrtc_session_desc_factory_.reset(new WebRtcSessionDescriptionFactory(
+          signaling_thread(),
+          channel_manager_,
+          mediastream_signaling_,
+          certificate,
+          this,
+          id(),
+          data_channel_type_));
+    }
+  }
 
   webrtc_session_desc_factory_->SignalIdentityReady.connect(
       this, &WebRtcSession::OnIdentityReady);
 
   if (options.disable_encryption) {
     webrtc_session_desc_factory_->SetSdesPolicy(cricket::SEC_DISABLED);
   }
   port_allocator()->set_candidate_filter(
       ConvertIceTransportTypeToCandidateFilter(rtc_configuration.type));
   return true;
@@ skipping 619 matching lines @@
 }
 
 void WebRtcSession::ResetIceRestartLatch() {
   ice_restart_latch_->Reset();
 }
 
 void WebRtcSession::OnIdentityReady(rtc::SSLIdentity* identity) {
   SetIdentity(identity);
 }
 
-bool WebRtcSession::waiting_for_identity() const {
-  return webrtc_session_desc_factory_->waiting_for_identity();
+bool WebRtcSession::waiting_for_identity_for_testing() const {
+  return webrtc_session_desc_factory_->waiting_for_certificate_for_testing();
 }
 
 void WebRtcSession::SetIceConnectionState(
       PeerConnectionInterface::IceConnectionState state) {
   if (ice_connection_state_ == state) {
     return;
   }
 
   // ASSERT that the requested transition is allowed.  Note that
   // WebRtcSession does not implement "kIceConnectionClosed" (that is handled
@@ skipping 674 matching lines @@
 
   if (!srtp_cipher.empty()) {
     metrics_observer_->AddHistogramSample(srtp_name, srtp_cipher);
   }
   if (!ssl_cipher.empty()) {
     metrics_observer_->AddHistogramSample(ssl_name, ssl_cipher);
   }
 }
 
 }  // namespace webrtc