Index: webrtc/base/opensslidentity.cc |
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc |
index de4e6a771e04f5f0c1924ba83313f790a16988a2..673e56f81da0981eb11d8a185c763b098e742a5d 100644 |
--- a/webrtc/base/opensslidentity.cc |
+++ b/webrtc/base/opensslidentity.cc |
@@ -33,9 +33,6 @@ namespace rtc { |
// We could have exposed a myriad of parameters for the crypto stuff, |
// but keeping it simple seems best. |
-// Strength of generated keys. Those are RSA. |
-static const int KEY_LENGTH = 1024; |
- |
// Random bits for certificate serial number |
static const int SERIAL_RAND_BITS = 64; |
@@ -46,15 +43,16 @@ static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily |
static const int CERTIFICATE_WINDOW = -60*60*24; |
// Generate a key pair. Caller is responsible for freeing the returned object. |
-static EVP_PKEY* MakeKey(KeyType key_type) { |
+static EVP_PKEY* MakeKey(KeyTypeFull key_type) { |
hbos
2015/09/29 13:53:18
DCHECK that the parameters are in valid ranges etc
hbos
2015/10/01 14:42:43
Did you forget to address this or are you letting
torbjorng (webrtc)
2015/10/05 12:03:05
I let boringssl decide at this abstraction level.
|
LOG(LS_INFO) << "Making key pair"; |
EVP_PKEY* pkey = EVP_PKEY_new(); |
- if (key_type == KT_RSA) { |
+ if (key_type.type() == KT_RSA) { |
+ int key_length = key_type.rsa_params().mod_size; |
BIGNUM* exponent = BN_new(); |
RSA* rsa = RSA_new(); |
if (!pkey || !exponent || !rsa || |
- !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent |
- !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) || |
+ !BN_set_word(exponent, key_type.rsa_params().pub_exp) || |
+ !RSA_generate_key_ex(rsa, key_length, exponent, NULL) || |
!EVP_PKEY_assign_RSA(pkey, rsa)) { |
EVP_PKEY_free(pkey); |
BN_free(exponent); |
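Review bot: `key_type.rsa_params()` is evaluated twice in this hunk (the `key_length` initializer and the `BN_set_word` call), and dropping the `// 65537 RSA exponent` comment leaves the expected exponent value undocumented at the call site. Binding the params once, `const auto& rsa_params = key_type.rsa_params();` then `int key_length = rsa_params.mod_size;` and `!BN_set_word(exponent, rsa_params.pub_exp) ||`, keeps both fields visibly coming from the same source, and a short comment such as `// pub_exp is normally 65537 (0x10001)` next to the BN_set_word call tells a reader what a sane value looks like without opening KeyTypeFull. The new `KeyTypeFull key_type` parameter is taken by value here and in the Generate signatures in the later hunks; if KeyTypeFull carries more than a couple of words of parameters, `const KeyTypeFull&` would be the usual form in all three places. MakeKey's body continues past the end of this hunk.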
@@ -64,7 +62,8 @@ static EVP_PKEY* MakeKey(KeyType key_type) { |
} |
// ownership of rsa struct was assigned, don't free it. |
BN_free(exponent); |
- } else if (key_type == KT_ECDSA) { |
+ } else if (key_type.type() == KT_ECDSA && |
+ key_type.ec_params() == EC_NIST_P256) { |
EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || |
!EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { |
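Review bot: A KT_ECDSA request whose `ec_params()` is not EC_NIST_P256 no longer enters this branch and falls through to whatever follows the `else if` chain, which lies outside the hunk; if that trailing branch is the generic unsupported-key-type path, it presumably cannot distinguish an unknown type from an unsupported curve, so a log line there naming the requested curve would make a misconfiguration diagnosable. A comment on the narrowed condition, `// Only P-256 is supported; other curves take the unsupported-type path below`, would document the restriction where a maintainer adding a curve will look. MakeKey starts and ends outside this hunk.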
@@ -155,7 +154,7 @@ static void LogSSLErrors(const std::string& prefix) { |
} |
} |
-OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) { |
+OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyTypeFull key_type) { |
EVP_PKEY* pkey = MakeKey(key_type); |
if (!pkey) { |
LogSSLErrors("Generating key pair"); |
@@ -392,7 +391,7 @@ OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( |
} |
OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, |
- KeyType key_type) { |
+ KeyTypeFull key_type) { |
SSLIdentityParams params; |
params.common_name = common_name; |
params.not_before = CERTIFICATE_WINDOW; |