OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. | 11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. |
12 | 12 |
13 #ifndef WEBRTC_BASE_SSLIDENTITY_H_ | 13 #ifndef WEBRTC_BASE_SSLIDENTITY_H_ |
14 #define WEBRTC_BASE_SSLIDENTITY_H_ | 14 #define WEBRTC_BASE_SSLIDENTITY_H_ |
15 | 15 |
16 #include <algorithm> | 16 #include <algorithm> |
17 #include <string> | 17 #include <string> |
18 #include <vector> | 18 #include <vector> |
19 | 19 |
20 #include "webrtc/base/buffer.h" | 20 #include "webrtc/base/buffer.h" |
21 #include "webrtc/base/checks.h" | |
21 #include "webrtc/base/messagedigest.h" | 22 #include "webrtc/base/messagedigest.h" |
22 | 23 |
23 namespace rtc { | 24 namespace rtc { |
24 | 25 |
25 // Forward declaration due to circular dependency with SSLCertificate. | 26 // Forward declaration due to circular dependency with SSLCertificate. |
26 class SSLCertChain; | 27 class SSLCertChain; |
27 | 28 |
28 // Abstract interface overridden by SSL library specific | 29 // Abstract interface overridden by SSL library specific |
29 // implementations. | 30 // implementations. |
30 | 31 |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
100 } | 101 } |
101 | 102 |
102 // Helper function for deleting a vector of certificates. | 103 // Helper function for deleting a vector of certificates. |
103 static void DeleteCert(SSLCertificate* cert) { delete cert; } | 104 static void DeleteCert(SSLCertificate* cert) { delete cert; } |
104 | 105 |
105 std::vector<SSLCertificate*> certs_; | 106 std::vector<SSLCertificate*> certs_; |
106 | 107 |
107 RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain); | 108 RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain); |
108 }; | 109 }; |
109 | 110 |
111 // KT_DEFAULT is currently an alias for KT_RSA. This is likely to change. | |
112 // KT_LAST is intended for vector declarations and loops over all key types; | |
113 // it does not represent any key type in itself. | |
110 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating | 114 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating |
111 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation | 115 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation |
112 // code. | 116 // code. |
113 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_RSA }; | 117 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_INVALID, KT_DEFAULT = KT_RSA }; |
juberti
2015/10/07 06:35:22
I didn't see any usage of KT_LAST in this CL. I co
hbos
2015/10/07 10:04:40
It is used today by dtlsidentitystore.h. It is pro
torbjorng (webrtc)
2015/10/07 13:30:03
I have the habit of putting in a _LAST in order fo
| |
118 | |
119 static const int kRsaDefaultModSize = 1024; | |
120 static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537 | |
121 | |
122 struct RSAParams { | |
123 unsigned int mod_size; | |
124 unsigned int pub_exp; | |
125 }; | |
126 | |
127 enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST }; | |
128 | |
129 class KeyParams { | |
130 public: | |
131 // Default ctor only needed by gtest, it would be nice to avoid this. | |
132 // We set grossly invalid parameters to discourage its use. | |
133 KeyParams() { | |
juberti
2015/10/07 06:35:22
This seems wrong to me. Why not init with KT_DEFAU
hbos
2015/10/07 10:04:40
(I would also prefer default constructor to create
torbjorng (webrtc)
2015/10/07 13:30:04
OK, I'll revert to that form.
| |
134 type_ = KT_INVALID; // Bad type. | |
135 memset(¶ms_, 0xff, sizeof(params_)); // Bad values. | |
136 } | |
137 | |
138 // Generate a KeyParams object from a simple KeyType, using default params. | |
139 explicit KeyParams(KeyType key_type) { | |
140 if (key_type == KT_ECDSA) { | |
141 type_ = KT_ECDSA; | |
142 params_.curve = EC_NIST_P256; | |
143 } else if (key_type == KT_RSA) { | |
144 type_ = KT_RSA; | |
145 params_.rsa.mod_size = kRsaDefaultModSize; | |
146 params_.rsa.pub_exp = kRsaDefaultExponent; | |
147 } else { | |
148 RTC_NOTREACHED(); | |
149 } | |
150 } | |
151 | |
152 // Generate a a KeyParams for RSA with explicit parameters. | |
153 static KeyParams RSA(int mod_size, int pub_exp) { | |
juberti
2015/10/07 06:35:22
I looked and you are correct; the style guide does
hbos
2015/10/07 10:04:40
Yay!
torbjorng (webrtc)
2015/10/07 13:30:03
Great! The style guide is not 100% clear here.
| |
154 KeyParams kt(KT_RSA); | |
155 kt.params_.rsa.mod_size = mod_size; | |
156 kt.params_.rsa.pub_exp = pub_exp; | |
157 return kt; | |
158 } | |
159 | |
160 // Generate a a KeyParams for RSA defaulting parameters. | |
161 static KeyParams RSA() { | |
162 KeyParams kt(KT_RSA); | |
163 kt.params_.rsa.mod_size = kRsaDefaultModSize; | |
164 kt.params_.rsa.pub_exp = kRsaDefaultExponent; | |
165 return kt; | |
166 } | |
167 | |
168 // Generate a a KeyParams for ECDSA specifying the curve. | |
169 static KeyParams ECDSA(ECCurve curve) { | |
170 KeyParams kt(KT_ECDSA); | |
171 kt.params_.curve = curve; | |
172 return kt; | |
173 } | |
174 | |
175 // Generate a a KeyParams for ECDSA defaulting the curve. | |
176 static KeyParams ECDSA() { | |
177 KeyParams kt(KT_ECDSA); | |
178 kt.params_.curve = EC_NIST_P256; | |
179 return kt; | |
180 } | |
181 | |
182 // Check validity of a KeyParams object. Since the factory functions have | |
183 // no way of returning errors, this function can be called after creation | |
184 // to make sure the parameters are OK. | |
185 bool IsValid() { | |
186 if (type_ == KT_RSA) { | |
187 return (params_.rsa.mod_size >= 1024 && params_.rsa.mod_size <= 8192 && | |
juberti
2015/10/07 06:35:22
These should probably be constants.
torbjorng (webrtc)
2015/10/07 13:30:04
Done.
| |
188 params_.rsa.pub_exp > params_.rsa.mod_size); | |
189 } else if (type_ == KT_ECDSA) { | |
190 return (params_.curve == EC_NIST_P256); | |
191 } | |
192 return false; | |
193 } | |
194 | |
195 RSAParams rsa_params() const { | |
196 RTC_DCHECK(type_ == KT_RSA); | |
197 return params_.rsa; | |
198 } | |
199 | |
200 ECCurve ec_curve() const { | |
201 RTC_DCHECK(type_ == KT_ECDSA); | |
202 return params_.curve; | |
203 } | |
204 | |
205 KeyType type() const { return type_; } | |
206 | |
207 private: | |
208 KeyType type_; | |
209 union { | |
210 RSAParams rsa; | |
211 ECCurve curve; | |
212 } params_; | |
213 }; | |
114 | 214 |
115 // TODO(hbos): Remove once rtc::KeyType (to be modified) and | 215 // TODO(hbos): Remove once rtc::KeyType (to be modified) and |
116 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium | 216 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium |
117 // appropriately we can change KeyType enum -> class without breaking Chromium. | 217 // appropriately we can change KeyType enum -> class without breaking Chromium. |
118 KeyType IntKeyTypeFamilyToKeyType(int key_type_family); | 218 KeyType IntKeyTypeFamilyToKeyType(int key_type_family); |
119 | 219 |
120 // Parameters for generating an identity for testing. If common_name is | 220 // Parameters for generating a certificate. If |common_name| is non-empty, it |
121 // non-empty, it will be used for the certificate's subject and issuer name, | 221 // will be used for the certificate's subject and issuer name, otherwise a |
122 // otherwise a random string will be used. |not_before| and |not_after| are | 222 // random string will be used. |
123 // offsets to the current time in number of seconds. | |
124 struct SSLIdentityParams { | 223 struct SSLIdentityParams { |
224 SSLIdentityParams(const KeyParams& key_params) : key_params(key_params) {} | |
juberti
2015/10/07 06:35:22
It seems odd to have a ctor that only initializes
torbjorng (webrtc)
2015/10/07 13:30:03
Ack. It ended up like this since the KeyParams de
| |
225 | |
125 std::string common_name; | 226 std::string common_name; |
126 int not_before; // in seconds. | 227 int not_before; // offset from current time in seconds. |
127 int not_after; // in seconds. | 228 int not_after; // offset from current time in seconds. |
128 KeyType key_type; | 229 KeyParams key_params; |
129 }; | 230 }; |
130 | 231 |
131 // Our identity in an SSL negotiation: a keypair and certificate (both | 232 // Our identity in an SSL negotiation: a keypair and certificate (both |
132 // with the same public key). | 233 // with the same public key). |
133 // This too is pretty much immutable once created. | 234 // This too is pretty much immutable once created. |
134 class SSLIdentity { | 235 class SSLIdentity { |
135 public: | 236 public: |
136 // Generates an identity (keypair and self-signed certificate). If | 237 // Generates an identity (keypair and self-signed certificate). If |
137 // common_name is non-empty, it will be used for the certificate's | 238 // common_name is non-empty, it will be used for the certificate's |
138 // subject and issuer name, otherwise a random string will be used. | 239 // subject and issuer name, otherwise a random string will be used. |
139 // Returns NULL on failure. | 240 // Returns NULL on failure. |
140 // Caller is responsible for freeing the returned object. | 241 // Caller is responsible for freeing the returned object. |
141 static SSLIdentity* Generate(const std::string& common_name, | 242 static SSLIdentity* Generate(const std::string& common_name, |
142 KeyType key_type); | 243 const KeyParams& key_param); |
244 static SSLIdentity* Generate(const std::string& common_name, | |
245 KeyType key_type) { | |
246 return Generate(common_name, KeyParams(key_type)); | |
247 } | |
143 | 248 |
144 // Generates an identity with the specified validity period. | 249 // Generates an identity with the specified validity period. |
145 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params); | 250 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params); |
146 | 251 |
147 // Construct an identity from a private key and a certificate. | 252 // Construct an identity from a private key and a certificate. |
148 static SSLIdentity* FromPEMStrings(const std::string& private_key, | 253 static SSLIdentity* FromPEMStrings(const std::string& private_key, |
149 const std::string& certificate); | 254 const std::string& certificate); |
150 | 255 |
151 virtual ~SSLIdentity() {} | 256 virtual ~SSLIdentity() {} |
152 | 257 |
(...skipping 15 matching lines...) Expand all Loading... | |
168 size_t length); | 273 size_t length); |
169 }; | 274 }; |
170 | 275 |
171 extern const char kPemTypeCertificate[]; | 276 extern const char kPemTypeCertificate[]; |
172 extern const char kPemTypeRsaPrivateKey[]; | 277 extern const char kPemTypeRsaPrivateKey[]; |
173 extern const char kPemTypeEcPrivateKey[]; | 278 extern const char kPemTypeEcPrivateKey[]; |
174 | 279 |
175 } // namespace rtc | 280 } // namespace rtc |
176 | 281 |
177 #endif // WEBRTC_BASE_SSLIDENTITY_H_ | 282 #endif // WEBRTC_BASE_SSLIDENTITY_H_ |
OLD | NEW |