1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. | 11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. |
12 | 12 |
13 #ifndef WEBRTC_BASE_SSLIDENTITY_H_ | 13 #ifndef WEBRTC_BASE_SSLIDENTITY_H_ |
14 #define WEBRTC_BASE_SSLIDENTITY_H_ | 14 #define WEBRTC_BASE_SSLIDENTITY_H_ |
15 | 15 |
16 #include <algorithm> | 16 #include <algorithm> |
17 #include <string> | 17 #include <string> |
18 #include <vector> | 18 #include <vector> |
19 | 19 |
20 #include "webrtc/base/buffer.h" | 20 #include "webrtc/base/buffer.h" |
| 21 #include "webrtc/base/checks.h" |
21 #include "webrtc/base/messagedigest.h" | 22 #include "webrtc/base/messagedigest.h" |
22 | 23 |
23 namespace rtc { | 24 namespace rtc { |
24 | 25 |
25 // Forward declaration due to circular dependency with SSLCertificate. | 26 // Forward declaration due to circular dependency with SSLCertificate. |
26 class SSLCertChain; | 27 class SSLCertChain; |
27 | 28 |
28 // Abstract interface overridden by SSL library specific | 29 // Abstract interface overridden by SSL library specific |
29 // implementations. | 30 // implementations. |
30 | 31 |
100 } | 101 } |
101 | 102 |
102 // Helper function for deleting a vector of certificates. | 103 // Helper function for deleting a vector of certificates. |
103 static void DeleteCert(SSLCertificate* cert) { delete cert; } | 104 static void DeleteCert(SSLCertificate* cert) { delete cert; } |
104 | 105 |
105 std::vector<SSLCertificate*> certs_; | 106 std::vector<SSLCertificate*> certs_; |
106 | 107 |
107 RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain); | 108 RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain); |
108 }; | 109 }; |
109 | 110 |
| 111 // KT_DEFAULT is currently an alias for KT_RSA. This is likely to change. |
| 112 // KT_LAST is intended for vector declarations and loops over all key types; |
| 113 // it does not represent any key type in itself. |
110 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating | 114 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating |
111 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation | 115 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation |
112 // code. | 116 // code. |
113 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_RSA }; | 117 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_RSA }; |
114 | 118 |
| 119 static const int kRsaDefaultModSize = 1024; |
| 120 static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537 |
| 121 static const int kRsaMinModSize = 1024; |
| 122 static const int kRsaMaxModSize = 8192; |
| 123 |
| 124 struct RSAParams { |
| 125 unsigned int mod_size; |
| 126 unsigned int pub_exp; |
| 127 }; |
| 128 |
| 129 enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST }; |
| 130 |
| 131 class KeyParams { |
| 132 public: |
| 133 // Generate a KeyParams object from a simple KeyType, using default params. |
| 134 explicit KeyParams(KeyType key_type = KT_DEFAULT) { |
| 135 if (key_type == KT_ECDSA) { |
| 136 type_ = KT_ECDSA; |
| 137 params_.curve = EC_NIST_P256; |
| 138 } else if (key_type == KT_RSA) { |
| 139 type_ = KT_RSA; |
| 140 params_.rsa.mod_size = kRsaDefaultModSize; |
| 141 params_.rsa.pub_exp = kRsaDefaultExponent; |
| 142 } else { |
| 143 RTC_NOTREACHED(); |
| 144 } |
| 145 } |
| 146 |
| 147 // Generate a a KeyParams for RSA with explicit parameters. |
| 148 static KeyParams RSA(int mod_size = kRsaDefaultModSize, |
| 149 int pub_exp = kRsaDefaultExponent) { |
| 150 KeyParams kt(KT_RSA); |
| 151 kt.params_.rsa.mod_size = mod_size; |
| 152 kt.params_.rsa.pub_exp = pub_exp; |
| 153 return kt; |
| 154 } |
| 155 |
| 156 // Generate a a KeyParams for ECDSA specifying the curve. |
| 157 static KeyParams ECDSA(ECCurve curve = EC_NIST_P256) { |
| 158 KeyParams kt(KT_ECDSA); |
| 159 kt.params_.curve = curve; |
| 160 return kt; |
| 161 } |
| 162 |
| 163 // Check validity of a KeyParams object. Since the factory functions have |
| 164 // no way of returning errors, this function can be called after creation |
| 165 // to make sure the parameters are OK. |
| 166 bool IsValid() { |
| 167 if (type_ == KT_RSA) { |
| 168 return (params_.rsa.mod_size >= kRsaMinModSize && |
| 169 params_.rsa.mod_size <= kRsaMaxModSize && |
| 170 params_.rsa.pub_exp > params_.rsa.mod_size); |
| 171 } else if (type_ == KT_ECDSA) { |
| 172 return (params_.curve == EC_NIST_P256); |
| 173 } |
| 174 return false; |
| 175 } |
| 176 |
| 177 RSAParams rsa_params() const { |
| 178 RTC_DCHECK(type_ == KT_RSA); |
| 179 return params_.rsa; |
| 180 } |
| 181 |
| 182 ECCurve ec_curve() const { |
| 183 RTC_DCHECK(type_ == KT_ECDSA); |
| 184 return params_.curve; |
| 185 } |
| 186 |
| 187 KeyType type() const { return type_; } |
| 188 |
| 189 private: |
| 190 KeyType type_; |
| 191 union { |
| 192 RSAParams rsa; |
| 193 ECCurve curve; |
| 194 } params_; |
| 195 }; |
| 196 |
115 // TODO(hbos): Remove once rtc::KeyType (to be modified) and | 197 // TODO(hbos): Remove once rtc::KeyType (to be modified) and |
116 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium | 198 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium |
117 // appropriately we can change KeyType enum -> class without breaking Chromium. | 199 // appropriately we can change KeyType enum -> class without breaking Chromium. |
118 KeyType IntKeyTypeFamilyToKeyType(int key_type_family); | 200 KeyType IntKeyTypeFamilyToKeyType(int key_type_family); |
119 | 201 |
120 // Parameters for generating an identity for testing. If common_name is | 202 // Parameters for generating a certificate. If |common_name| is non-empty, it |
121 // non-empty, it will be used for the certificate's subject and issuer name, | 203 // will be used for the certificate's subject and issuer name, otherwise a |
122 // otherwise a random string will be used. |not_before| and |not_after| are | 204 // random string will be used. |
123 // offsets to the current time in number of seconds. | |
124 struct SSLIdentityParams { | 205 struct SSLIdentityParams { |
125 std::string common_name; | 206 std::string common_name; |
126 int not_before; // in seconds. | 207 int not_before; // offset from current time in seconds. |
127 int not_after; // in seconds. | 208 int not_after; // offset from current time in seconds. |
128 KeyType key_type; | 209 KeyParams key_params; |
129 }; | 210 }; |
130 | 211 |
131 // Our identity in an SSL negotiation: a keypair and certificate (both | 212 // Our identity in an SSL negotiation: a keypair and certificate (both |
132 // with the same public key). | 213 // with the same public key). |
133 // This too is pretty much immutable once created. | 214 // This too is pretty much immutable once created. |
134 class SSLIdentity { | 215 class SSLIdentity { |
135 public: | 216 public: |
136 // Generates an identity (keypair and self-signed certificate). If | 217 // Generates an identity (keypair and self-signed certificate). If |
137 // common_name is non-empty, it will be used for the certificate's | 218 // common_name is non-empty, it will be used for the certificate's |
138 // subject and issuer name, otherwise a random string will be used. | 219 // subject and issuer name, otherwise a random string will be used. |
139 // Returns NULL on failure. | 220 // Returns NULL on failure. |
140 // Caller is responsible for freeing the returned object. | 221 // Caller is responsible for freeing the returned object. |
141 static SSLIdentity* Generate(const std::string& common_name, | 222 static SSLIdentity* Generate(const std::string& common_name, |
142 KeyType key_type); | 223 const KeyParams& key_param); |
| 224 static SSLIdentity* Generate(const std::string& common_name, |
| 225 KeyType key_type) { |
| 226 return Generate(common_name, KeyParams(key_type)); |
| 227 } |
143 | 228 |
144 // Generates an identity with the specified validity period. | 229 // Generates an identity with the specified validity period. |
145 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params); | 230 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params); |
146 | 231 |
147 // Construct an identity from a private key and a certificate. | 232 // Construct an identity from a private key and a certificate. |
148 static SSLIdentity* FromPEMStrings(const std::string& private_key, | 233 static SSLIdentity* FromPEMStrings(const std::string& private_key, |
149 const std::string& certificate); | 234 const std::string& certificate); |
150 | 235 |
151 virtual ~SSLIdentity() {} | 236 virtual ~SSLIdentity() {} |
152 | 237 |
168 size_t length); | 253 size_t length); |
169 }; | 254 }; |
170 | 255 |
171 extern const char kPemTypeCertificate[]; | 256 extern const char kPemTypeCertificate[]; |
172 extern const char kPemTypeRsaPrivateKey[]; | 257 extern const char kPemTypeRsaPrivateKey[]; |
173 extern const char kPemTypeEcPrivateKey[]; | 258 extern const char kPemTypeEcPrivateKey[]; |
174 | 259 |
175 } // namespace rtc | 260 } // namespace rtc |
176 | 261 |
177 #endif // WEBRTC_BASE_SSLIDENTITY_H_ | 262 #endif // WEBRTC_BASE_SSLIDENTITY_H_ |
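Review bot: The RSA branch of `IsValid()` compares the public exponent against the modulus bit length (`params_.rsa.pub_exp > params_.rsa.mod_size`), which is not a property an RSA exponent needs to have: it accepts even values such as 4096 while the real requirements, an odd exponent of at least 3 (65537 is the conventional choice), go unchecked. I would replace that last conjunct with `params_.rsa.pub_exp >= 3 && (params_.rsa.pub_exp & 1u) == 1u` and mark `IsValid()` `const`, since it only reads members. Separately, `kRsaDefaultModSize` and `kRsaMinModSize` are both 1024, which is below the 2048-bit floor current guidance (e.g. NIST SP 800-131A) sets for new RSA keys; if 1024 is kept deliberately for compatibility or generation-time reasons, a comment saying so would help the next reader. Note also that the `KeyParams(KeyType)` constructor leaves `type_` unset when `RTC_NOTREACHED()` compiles to nothing (e.g. `KT_LAST` in a release build), so a later `IsValid()` or `type()` reads an indeterminate enum; initializing `type_` in that branch or in-class avoids that. Whether `Generate()` calls `IsValid()` before using the parameters is not visible in this hunk.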