Provide RSA2048 as per RFC

webrtc/base/sslidentity.h

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 89 matching lines @@
   }
 
   // Helper function for deleting a vector of certificates.
   static void DeleteCert(SSLCertificate* cert) { delete cert; }
 
   std::vector<SSLCertificate*> certs_;
 
   RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain);
 };
 
+// KT_DEFAULT is currently an alias for KT_RSA.  This is likely to change.
+// KT_LAST is intended for vector declarations and loops over all key types;
+// it does not represent any key type in itself.
 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating
 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation
 // code.
 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_RSA };
 
+static const int kRsaDefaultModSize = 1024;
+static const int kRsaDefaultExponent = 0x10001;  // = 2^16+1 = 65537
+
+struct RSAParams {
+  int mod_size;
+  int pub_exp;
+};
+
+enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
+
+class KeyParams {
+ public:
+  // Default ctor only needed by gtest, it would be nice to avoid this.
+  // We set grossly invalid parameters to discourage its use.
+  KeyParams() {

[hbos, 2015/10/01 14:42:43]

Hmm. If we have to have a default constructor for gtest reasons I think that's
fine, but what about constructing something default and valid instead? Even
though it's not a "necessary" constructor otherwise.

KeyParams() : KeyParams(KT_DEFAULT) {}

I really don't see the harm in having a parameterless constructor that creates
something default and usable.
But if you really want to discourage its usage then constructing something
invalid like this is fine with me.

[torbjorng (webrtc), 2015/10/01 15:20:49]

I think an API can be confusing if there are many redundant ways of
doing the same thing.  Also, that means one needs to maintain a
more complex API.

I prefer to have this make an undefined state.  Let's see what the other
reviewers think...

+    type_ = KT_LAST;                         // Invalid type.
+    memset(&params_, 0xff, sizeof params_);  // Bad values.

[hbos, 2015/10/01 14:42:43]

Change "sizeof params_" to "sizeof(params_)"

[torbjorng (webrtc), 2015/10/01 15:20:49]

OK.

+  }
+
+  // Generate a KeyParams object from a simple KeyType, using default params.
+  explicit KeyParams(KeyType key_type) {
+    if (key_type == KT_ECDSA) {
+      type_ = KT_ECDSA;
+      params_.curve = EC_NIST_P256;
+    } else {
+      type_ = KT_RSA;
+      params_.rsa.mod_size = kRsaDefaultModSize;
+      params_.rsa.pub_exp = kRsaDefaultExponent;
+    }
+  }
+
+  // Generate a a KeyParams for RSA with explicit parameters.
+  static KeyParams RSA(int mod_size, int pub_exp) {
+    KeyParams kt(KT_RSA);
+    kt.params_.rsa.mod_size = mod_size;
+    kt.params_.rsa.pub_exp = pub_exp;
+    return kt;
+  }
+
+  // Generate a a KeyParams for RSA defaulting parameters.
+  static KeyParams RSA() {
+    KeyParams kt(KT_RSA);
+    kt.params_.rsa.mod_size = kRsaDefaultModSize;
+    kt.params_.rsa.pub_exp = kRsaDefaultExponent;
+    return kt;
+  }
+
+  // Generate a a KeyParams for ECDSA specifying the curve.
+  static KeyParams ECDSA(ECCurve curve) {
+    KeyParams kt(KT_ECDSA);
+    kt.params_.curve = curve;
+    return kt;
+  }
+
+  // Generate a a KeyParams for ECDSA defaulting the curve.
+  static KeyParams ECDSA() {
+    KeyParams kt(KT_ECDSA);
+    kt.params_.curve = EC_NIST_P256;
+    return kt;
+  }
+
+  // Check validity of a KeyParams object.  Since the factory functions have

[hbos, 2015/10/01 14:42:43]

nit: remove double space after first sentence.

[torbjorng (webrtc), 2015/10/05 12:03:05]

Done.

+  // no way of returning errors, this function can be called after creation
+  // to make sure the parameters are OK.
+  bool isValid() {
+    if (this->type_ == KT_RSA && this->params_.rsa.mod_size >= 1024 &&
+        this->params_.rsa.mod_size <= 8192 &&
+        this->params_.rsa.pub_exp > this->params_.rsa.mod_size) {
+      return true;
+    }
+    if (this->type_ == KT_ECDSA) {
+      if (this->params_.curve == EC_NIST_P256)
+        return true;
+    }
+    return false;
+  }
+
+  RSAParams rsa_params() const {
+    // RTC_DCHECK(type_ == KT_RSA);
+    return params_.rsa;
+  }
+
+  ECCurve ec_curve() const {
+    // RTC_DCHECK(type_ == KT_ECDSA);
+    return params_.curve;
+  }
+
+  KeyType type() const { return type_; }
+
+ private:
+  KeyType type_;
+  union {
+    RSAParams rsa;
+    ECCurve curve;
+  } params_;
+};
+
 // TODO(hbos): Remove once rtc::KeyType (to be modified) and
 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
 // appropriately we can change KeyType enum -> class without breaking Chromium.
 KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
 
-// Parameters for generating an identity for testing. If common_name is
-// non-empty, it will be used for the certificate's subject and issuer name,
-// otherwise a random string will be used. |not_before| and |not_after| are
-// offsets to the current time in number of seconds.
+// Parameters for generating an identity for. If common_name is non-empty, it
+// will be used for the certificate's subject and issuer name, otherwise a
+// random string will be used.
 struct SSLIdentityParams {
+  SSLIdentityParams(const KeyParams& key_params) : key_params(key_params) {}
+
   std::string common_name;
-  int not_before;  // in seconds.
-  int not_after;  // in seconds.
-  KeyType key_type;
+  int not_before;  // offset from current time in seconds.
+  int not_after;   // offset from current time in seconds.
+  KeyParams key_params;
 };
 
 // Our identity in an SSL negotiation: a keypair and certificate (both
 // with the same public key).
 // This too is pretty much immutable once created.
 class SSLIdentity {
  public:
   // Generates an identity (keypair and self-signed certificate). If
   // common_name is non-empty, it will be used for the certificate's
   // subject and issuer name, otherwise a random string will be used.
   // Returns NULL on failure.
   // Caller is responsible for freeing the returned object.
   static SSLIdentity* Generate(const std::string& common_name,
                                KeyType key_type);
+  static SSLIdentity* Generate(const std::string& common_name,
+                               const KeyParams& key_param);
 
   // Generates an identity with the specified validity period.
   static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
 
   // Construct an identity from a private key and a certificate.
   static SSLIdentity* FromPEMStrings(const std::string& private_key,
                                      const std::string& certificate);
 
   virtual ~SSLIdentity() {}
 
@@ skipping 15 matching lines @@
                               size_t length);
 };
 
 extern const char kPemTypeCertificate[];
 extern const char kPemTypeRsaPrivateKey[];
 extern const char kPemTypeEcPrivateKey[];
 
 }  // namespace rtc
 
 #endif  // WEBRTC_BASE_SSLIDENTITY_H_