Provide RSA2048 as per RFC

webrtc/base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 15 matching lines @@
 #include "webrtc/base/helpers.h"
 #include "webrtc/base/logging.h"
 #include "webrtc/base/openssl.h"
 #include "webrtc/base/openssldigest.h"
 
 namespace rtc {
 
 // We could have exposed a myriad of parameters for the crypto stuff,
 // but keeping it simple seems best.
 
-// Strength of generated keys. Those are RSA.
-static const int KEY_LENGTH = 1024;
-
 // Random bits for certificate serial number
 static const int SERIAL_RAND_BITS = 64;
 
 // Certificate validity lifetime
 static const int CERTIFICATE_LIFETIME = 60*60*24*30;  // 30 days, arbitrarily
 // Certificate validity window.
 // This is to compensate for slightly incorrect system clocks.
 static const int CERTIFICATE_WINDOW = -60*60*24;
 
 // Generate a key pair. Caller is responsible for freeing the returned object.
-static EVP_PKEY* MakeKey(KeyType key_type) {
+static EVP_PKEY* MakeKey(const KeyParams& key_params) {
   LOG(LS_INFO) << "Making key pair";
   EVP_PKEY* pkey = EVP_PKEY_new();
-  if (key_type == KT_RSA) {
+  if (key_params.type() == KT_RSA) {
+    int key_length = key_params.rsa_params().mod_size;
     BIGNUM* exponent = BN_new();
     RSA* rsa = RSA_new();
     if (!pkey || !exponent || !rsa ||
-        !BN_set_word(exponent, 0x10001) ||  // 65537 RSA exponent
-        !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) ||
+        !BN_set_word(exponent, key_params.rsa_params().pub_exp) ||
+        !RSA_generate_key_ex(rsa, key_length, exponent, NULL) ||
         !EVP_PKEY_assign_RSA(pkey, rsa)) {
       EVP_PKEY_free(pkey);
       BN_free(exponent);
       RSA_free(rsa);
       LOG(LS_ERROR) << "Failed to make RSA key pair";
       return NULL;
     }
     // ownership of rsa struct was assigned, don't free it.
     BN_free(exponent);
-  } else if (key_type == KT_ECDSA) {
+  } else if (key_params.type() == KT_ECDSA &&
+             key_params.ec_curve() == EC_NIST_P256) {

[juberti, 2015/10/07 06:35:22]

I think you want to check the curve inside this if block, so you get an
appropriate error (instead of "Key type not understood")

[torbjorng (webrtc), 2015/10/07 13:30:03]

Done.

     EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
     if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) ||
         !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) {
       EVP_PKEY_free(pkey);
       EC_KEY_free(ec_key);
       LOG(LS_ERROR) << "Failed to make EC key pair";
       return NULL;
     }
     // ownership of ec_key struct was assigned, don't free it.
   } else {
@@ skipping 70 matching lines @@
 static void LogSSLErrors(const std::string& prefix) {
   char error_buf[200];
   unsigned long err;
 
   while ((err = ERR_get_error()) != 0) {
     ERR_error_string_n(err, error_buf, sizeof(error_buf));
     LOG(LS_ERROR) << prefix << ": " << error_buf << "\n";
   }
 }
 
-OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) {
-  EVP_PKEY* pkey = MakeKey(key_type);
+OpenSSLKeyPair* OpenSSLKeyPair::Generate(const KeyParams& key_params) {
+  EVP_PKEY* pkey = MakeKey(key_params);
   if (!pkey) {
     LogSSLErrors("Generating key pair");
     return NULL;
   }
   return new OpenSSLKeyPair(pkey);
 }
 
+OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) {
+  return OpenSSLKeyPair::Generate(KeyParams(key_type));
+}
+
 OpenSSLKeyPair::~OpenSSLKeyPair() {
   EVP_PKEY_free(pkey_);
 }
 
 OpenSSLKeyPair* OpenSSLKeyPair::GetReference() {
   AddReference();
   return new OpenSSLKeyPair(pkey_);
 }
 
 void OpenSSLKeyPair::AddReference() {
@@ skipping 195 matching lines @@
                                  OpenSSLCertificate* certificate)
     : key_pair_(key_pair), certificate_(certificate) {
   ASSERT(key_pair != NULL);
   ASSERT(certificate != NULL);
 }
 
 OpenSSLIdentity::~OpenSSLIdentity() = default;
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
     const SSLIdentityParams& params) {
-  OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_type);
+  OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_params);
   if (key_pair) {
     OpenSSLCertificate* certificate =
         OpenSSLCertificate::Generate(key_pair, params);
     if (certificate)
       return new OpenSSLIdentity(key_pair, certificate);
     delete key_pair;
   }
   LOG(LS_INFO) << "Identity generation failed";
   return NULL;
 }
 
 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
-                                           KeyType key_type) {
-  SSLIdentityParams params;
+                                           const KeyParams& key_params) {
+  SSLIdentityParams params(key_params);
   params.common_name = common_name;
   params.not_before = CERTIFICATE_WINDOW;
   params.not_after = CERTIFICATE_LIFETIME;
-  params.key_type = key_type;
   return GenerateInternal(params);
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest(
     const SSLIdentityParams& params) {
   return GenerateInternal(params);
 }
 
 SSLIdentity* OpenSSLIdentity::FromPEMStrings(
     const std::string& private_key,
@@ skipping 39 matching lines @@
      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H