
Unified Diff: webrtc/base/opensslidentity.cc

Issue 1329493005: Provide RSA2048 as per RFC (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: Allow full parameterization of RSA, curve id for ECDSA. Created 5 years, 3 months ago
Index: webrtc/base/opensslidentity.cc
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index de4e6a771e04f5f0c1924ba83313f790a16988a2..673e56f81da0981eb11d8a185c763b098e742a5d 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -33,9 +33,6 @@ namespace rtc {
// We could have exposed a myriad of parameters for the crypto stuff,
// but keeping it simple seems best.
-// Strength of generated keys. Those are RSA.
-static const int KEY_LENGTH = 1024;
-
// Random bits for certificate serial number
static const int SERIAL_RAND_BITS = 64;
@@ -46,15 +43,16 @@ static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily
static const int CERTIFICATE_WINDOW = -60*60*24;
// Generate a key pair. Caller is responsible for freeing the returned object.
-static EVP_PKEY* MakeKey(KeyType key_type) {
+static EVP_PKEY* MakeKey(KeyTypeFull key_type) {
hbos 2015/09/29 13:53:18 DCHECK that the parameters are in valid ranges etc
hbos 2015/10/01 14:42:43 Did you forget to address this or are you letting
torbjorng (webrtc) 2015/10/05 12:03:05 I let boringssl decide at this abstraction level.
LOG(LS_INFO) << "Making key pair";
EVP_PKEY* pkey = EVP_PKEY_new();
- if (key_type == KT_RSA) {
+ if (key_type.type() == KT_RSA) {
+ int key_length = key_type.rsa_params().mod_size;
BIGNUM* exponent = BN_new();
RSA* rsa = RSA_new();
if (!pkey || !exponent || !rsa ||
- !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent
- !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) ||
+ !BN_set_word(exponent, key_type.rsa_params().pub_exp) ||
+ !RSA_generate_key_ex(rsa, key_length, exponent, NULL) ||
!EVP_PKEY_assign_RSA(pkey, rsa)) {
EVP_PKEY_free(pkey);
BN_free(exponent);
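Review bot: The `LOG(LS_INFO) << "Making key pair";` line at the top of MakeKey still records nothing about what is being generated, although after this change the modulus size and public exponent come from the caller instead of a fixed constant. Logging the requested size inside the RSA branch, e.g. `LOG(LS_INFO) << "Making RSA key pair, modulus bits: " << key_length;`, would let an operator see from the logs when an undersized key was requested. Separately, the retained file comment `// We could have exposed a myriad of parameters for the crypto stuff, but keeping it simple seems best.` no longer describes the code and should be reworded. MakeKey's body continues past this hunk.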
@@ -64,7 +62,8 @@ static EVP_PKEY* MakeKey(KeyType key_type) {
}
// ownership of rsa struct was assigned, don't free it.
BN_free(exponent);
- } else if (key_type == KT_ECDSA) {
+ } else if (key_type.type() == KT_ECDSA &&
+ key_type.ec_params() == EC_NIST_P256) {
EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) ||
!EVP_PKEY_assign_EC_KEY(pkey, ec_key)) {
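Review bot: A `KT_ECDSA` request whose `ec_params()` is anything other than `EC_NIST_P256` now skips this branch and lands in whatever follows the else-if chain, which is outside the hunk, so it is presumably reported the same way as an unknown key type. A comment on the condition such as `// Only P-256 is implemented; other curve ids are rejected below.` would make that intentional. The rejection path should also say that the curve, not the key type, was unsupported, and should free `pkey` if it does not already. The branch body and the trailing else are not visible here, so this needs checking against the full function.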
@@ -155,7 +154,7 @@ static void LogSSLErrors(const std::string& prefix) {
}
}
-OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) {
+OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyTypeFull key_type) {
EVP_PKEY* pkey = MakeKey(key_type);
if (!pkey) {
LogSSLErrors("Generating key pair");
@@ -392,7 +391,7 @@ OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
}
OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
- KeyType key_type) {
+ KeyTypeFull key_type) {
SSLIdentityParams params;
params.common_name = common_name;
params.not_before = CERTIFICATE_WINDOW;
