Adds RTCCertificate, a reference counted object indirectly owning an SSLCertificate

webrtc/base/rtccertificate.h

Index: webrtc/base/rtccertificate.h
diff --git a/webrtc/base/rtccertificate.h b/webrtc/base/rtccertificate.h
new file mode 100644
index 0000000000000000000000000000000000000000..cb6835566ec9da67b757c6dbaf91a0463b722dee
--- /dev/null
+++ b/webrtc/base/rtccertificate.h
@@ -0,0 +1,52 @@
+/*
+ *  Copyright 2015 The WebRTC Project Authors. All rights reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef WEBRTC_BASE_RTCCERTIFICATE_H_
+#define WEBRTC_BASE_RTCCERTIFICATE_H_
+
+#include "webrtc/base/basictypes.h"
+#include "webrtc/base/refcount.h"
+#include "webrtc/base/scoped_ptr.h"
+#include "webrtc/base/scoped_ref_ptr.h"
+#include "webrtc/base/sslidentity.h"
+
+namespace rtc {
+
+// A thin abstraction layer between "lower level crypto stuff" like
+// SSLCertificate and WebRTC usage. Takes ownership of some lower level objects,
+// reference counting protects these from premature destruction.
+class RTCCertificate : public RefCountInterface {
+ public:
+  // Takes ownership of |identity|.
+  static scoped_refptr<RTCCertificate> Create(scoped_ptr<SSLIdentity> identity);
+
+  uint64 expires_timestamp_ns() const;
+  bool HasExpired() const;
+  const SSLCertificate& ssl_certificate() const;
+
+  // TODO(hbos): If possible, remove once RTCCertificate and its
+  // ssl_certificate() is used in all relevant places. Should not pass around
+  // raw SSLIdentity* for the sake of accessing SSLIdentity::certificate().
+  // However, some places might need SSLIdentity* for its public/private key...
+  SSLIdentity* identity() const { return identity_.get(); }
+
+ protected:
+  explicit RTCCertificate(SSLIdentity* identity);
+  ~RTCCertificate() override;
+
+ private:
+  // The SSLIdentity is the owner of the SSLCertificate. To protect our
+  // ssl_certificate() we take ownership of |identity_|.
+  scoped_ptr<SSLIdentity> identity_;

[tommi (sloooow) - chröme, 2015/08/19 19:42:38]

I'm a bit confused here, so I'll ask tomorrow in person.  I thought the identity
was going to be used to generate the certificate, but now it looks like I got
that backwards?

[hbos, 2015/08/20 08:01:39]

Please correct me if I'm wrong torbjorng, but here's how I see it:

If everything made sense what we would Generate is the key pair alone, and this
would be the expensive part, and then from the key pair we would very quickly be
able to generate any number of certificates.

The "identity" is a WebRTC concept which is a key pair AND a certificate.
SSLIdentity::Generate goes to OpenSSLIdentity::Generate which generates both.
SSLIdentity* is used all over the place and splitting up key pairs and
certificates would probably be large clean up work that if performed now would
block this more important work.

The following I am less confident about, but I'm not sure if RSA/ECDSA/etc is
relevant when generating a certificate? Only relevant when generating key
pairs... or is this wrong?
The WebRTC specs don't talk about generating keys separately from generating
certificates though... It's akin to "generate RSA cert with x bits" or "generate
ECDSA cert".

We can talk more offline.

+};
+
+}  // namespace rtc
+
+#endif  // WEBRTC_BASE_RTCCERTIFICATE_H_