1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
26 #include "webrtc/base/helpers.h" | 26 #include "webrtc/base/helpers.h" |
27 #include "webrtc/base/logging.h" | 27 #include "webrtc/base/logging.h" |
28 #include "webrtc/base/openssl.h" | 28 #include "webrtc/base/openssl.h" |
29 #include "webrtc/base/openssldigest.h" | 29 #include "webrtc/base/openssldigest.h" |
30 | 30 |
31 namespace rtc { | 31 namespace rtc { |
32 | 32 |
33 // We could have exposed a myriad of parameters for the crypto stuff, | 33 // We could have exposed a myriad of parameters for the crypto stuff, |
34 // but keeping it simple seems best. | 34 // but keeping it simple seems best. |
35 | 35 |
36 // Strength of generated keys. Those are RSA. | |
37 static const int KEY_LENGTH = 1024; | |
38 | |
39 // Random bits for certificate serial number | 36 // Random bits for certificate serial number |
40 static const int SERIAL_RAND_BITS = 64; | 37 static const int SERIAL_RAND_BITS = 64; |
41 | 38 |
42 // Certificate validity lifetime | 39 // Certificate validity lifetime |
43 static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily | 40 static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily |
44 // Certificate validity window. | 41 // Certificate validity window. |
45 // This is to compensate for slightly incorrect system clocks. | 42 // This is to compensate for slightly incorrect system clocks. |
46 static const int CERTIFICATE_WINDOW = -60*60*24; | 43 static const int CERTIFICATE_WINDOW = -60*60*24; |
47 | 44 |
48 // Generate a key pair. Caller is responsible for freeing the returned object. | 45 // Generate a key pair. Caller is responsible for freeing the returned object. |
49 static EVP_PKEY* MakeKey(KeyType key_type) { | 46 static EVP_PKEY* MakeKey(KeyTypeFull key_type) { |
hbos
2015/09/29 13:53:18
DCHECK that the parameters are in valid ranges etc
hbos
2015/10/01 14:42:43
Did you forget to address this or are you letting
torbjorng (webrtc)
2015/10/05 12:03:05
I let boringssl decide at this abstraction level.
| |
50 LOG(LS_INFO) << "Making key pair"; | 47 LOG(LS_INFO) << "Making key pair"; |
51 EVP_PKEY* pkey = EVP_PKEY_new(); | 48 EVP_PKEY* pkey = EVP_PKEY_new(); |
52 if (key_type == KT_RSA) { | 49 if (key_type.type() == KT_RSA) { |
50 int key_length = key_type.rsa_params().mod_size; | |
53 BIGNUM* exponent = BN_new(); | 51 BIGNUM* exponent = BN_new(); |
54 RSA* rsa = RSA_new(); | 52 RSA* rsa = RSA_new(); |
55 if (!pkey || !exponent || !rsa || | 53 if (!pkey || !exponent || !rsa || |
56 !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent | 54 !BN_set_word(exponent, key_type.rsa_params().pub_exp) || |
57 !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) || | 55 !RSA_generate_key_ex(rsa, key_length, exponent, NULL) || |
58 !EVP_PKEY_assign_RSA(pkey, rsa)) { | 56 !EVP_PKEY_assign_RSA(pkey, rsa)) { |
59 EVP_PKEY_free(pkey); | 57 EVP_PKEY_free(pkey); |
60 BN_free(exponent); | 58 BN_free(exponent); |
61 RSA_free(rsa); | 59 RSA_free(rsa); |
62 LOG(LS_ERROR) << "Failed to make RSA key pair"; | 60 LOG(LS_ERROR) << "Failed to make RSA key pair"; |
63 return NULL; | 61 return NULL; |
64 } | 62 } |
65 // ownership of rsa struct was assigned, don't free it. | 63 // ownership of rsa struct was assigned, don't free it. |
66 BN_free(exponent); | 64 BN_free(exponent); |
67 } else if (key_type == KT_ECDSA) { | 65 } else if (key_type.type() == KT_ECDSA && |
66 key_type.ec_params() == EC_NIST_P256) { | |
68 EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 67 EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
69 if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || | 68 if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || |
70 !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { | 69 !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { |
71 EVP_PKEY_free(pkey); | 70 EVP_PKEY_free(pkey); |
72 EC_KEY_free(ec_key); | 71 EC_KEY_free(ec_key); |
73 LOG(LS_ERROR) << "Failed to make EC key pair"; | 72 LOG(LS_ERROR) << "Failed to make EC key pair"; |
74 return NULL; | 73 return NULL; |
75 } | 74 } |
76 // ownership of ec_key struct was assigned, don't free it. | 75 // ownership of ec_key struct was assigned, don't free it. |
77 } else { | 76 } else { |
148 static void LogSSLErrors(const std::string& prefix) { | 147 static void LogSSLErrors(const std::string& prefix) { |
149 char error_buf[200]; | 148 char error_buf[200]; |
150 unsigned long err; | 149 unsigned long err; |
151 | 150 |
152 while ((err = ERR_get_error()) != 0) { | 151 while ((err = ERR_get_error()) != 0) { |
153 ERR_error_string_n(err, error_buf, sizeof(error_buf)); | 152 ERR_error_string_n(err, error_buf, sizeof(error_buf)); |
154 LOG(LS_ERROR) << prefix << ": " << error_buf << "\n"; | 153 LOG(LS_ERROR) << prefix << ": " << error_buf << "\n"; |
155 } | 154 } |
156 } | 155 } |
157 | 156 |
158 OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) { | 157 OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyTypeFull key_type) { |
159 EVP_PKEY* pkey = MakeKey(key_type); | 158 EVP_PKEY* pkey = MakeKey(key_type); |
160 if (!pkey) { | 159 if (!pkey) { |
161 LogSSLErrors("Generating key pair"); | 160 LogSSLErrors("Generating key pair"); |
162 return NULL; | 161 return NULL; |
163 } | 162 } |
164 return new OpenSSLKeyPair(pkey); | 163 return new OpenSSLKeyPair(pkey); |
165 } | 164 } |
166 | 165 |
167 OpenSSLKeyPair::~OpenSSLKeyPair() { | 166 OpenSSLKeyPair::~OpenSSLKeyPair() { |
168 EVP_PKEY_free(pkey_); | 167 EVP_PKEY_free(pkey_); |
385 OpenSSLCertificate::Generate(key_pair, params); | 384 OpenSSLCertificate::Generate(key_pair, params); |
386 if (certificate) | 385 if (certificate) |
387 return new OpenSSLIdentity(key_pair, certificate); | 386 return new OpenSSLIdentity(key_pair, certificate); |
388 delete key_pair; | 387 delete key_pair; |
389 } | 388 } |
390 LOG(LS_INFO) << "Identity generation failed"; | 389 LOG(LS_INFO) << "Identity generation failed"; |
391 return NULL; | 390 return NULL; |
392 } | 391 } |
393 | 392 |
394 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, | 393 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, |
395 KeyType key_type) { | 394 KeyTypeFull key_type) { |
396 SSLIdentityParams params; | 395 SSLIdentityParams params; |
397 params.common_name = common_name; | 396 params.common_name = common_name; |
398 params.not_before = CERTIFICATE_WINDOW; | 397 params.not_before = CERTIFICATE_WINDOW; |
399 params.not_after = CERTIFICATE_LIFETIME; | 398 params.not_after = CERTIFICATE_LIFETIME; |
400 params.key_type = key_type; | 399 params.key_type = key_type; |
401 return GenerateInternal(params); | 400 return GenerateInternal(params); |
402 } | 401 } |
403 | 402 |
404 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( | 403 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( |
405 const SSLIdentityParams& params) { | 404 const SSLIdentityParams& params) { |
450 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { | 449 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { |
451 LogSSLErrors("Configuring key and certificate"); | 450 LogSSLErrors("Configuring key and certificate"); |
452 return false; | 451 return false; |
453 } | 452 } |
454 return true; | 453 return true; |
455 } | 454 } |
456 | 455 |
457 } // namespace rtc | 456 } // namespace rtc |
458 | 457 |
459 #endif // HAVE_OPENSSL_SSL_H | 458 #endif // HAVE_OPENSSL_SSL_H |
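Review bot: In MakeKey's RSA branch, `key_type.rsa_params()` is evaluated twice (new lines 50 and 54), and the `// 65537 RSA exponent` comment that documented the old hard-coded value was dropped, so nothing in the function now says where the modulus size and public exponent come from. Hoist the accessor once and document the origin of both values: `const auto& rsa_params = key_type.rsa_params();  // caller-chosen modulus size and public exponent`, then use `rsa_params.mod_size` for `key_length` and `rsa_params.pub_exp` in the `BN_set_word` call. Whether `rsa_params()` returns by value or by reference is not visible on this page; if it returns by value, drop the `&`. Since a rejected parameter now surfaces only as a failed `RSA_generate_key_ex` logged via `LogSSLErrors` in `OpenSSLKeyPair::Generate`, a one-line comment on the `if` saying that BoringSSL is relied on to validate the exponent and size would help the next reader. The tail of MakeKey (the final `else` branch and the return) lies outside the shown hunk.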