1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
26 #include "webrtc/base/helpers.h" | 26 #include "webrtc/base/helpers.h" |
27 #include "webrtc/base/logging.h" | 27 #include "webrtc/base/logging.h" |
28 #include "webrtc/base/openssl.h" | 28 #include "webrtc/base/openssl.h" |
29 #include "webrtc/base/openssldigest.h" | 29 #include "webrtc/base/openssldigest.h" |
30 | 30 |
31 namespace rtc { | 31 namespace rtc { |
32 | 32 |
33 // We could have exposed a myriad of parameters for the crypto stuff, | 33 // We could have exposed a myriad of parameters for the crypto stuff, |
34 // but keeping it simple seems best. | 34 // but keeping it simple seems best. |
35 | 35 |
| 36 // Strength of generated keys. Those are RSA. |
| 37 static const int KEY_LENGTH = 1024; |
| 38 |
36 // Random bits for certificate serial number | 39 // Random bits for certificate serial number |
37 static const int SERIAL_RAND_BITS = 64; | 40 static const int SERIAL_RAND_BITS = 64; |
38 | 41 |
39 // Certificate validity lifetime | 42 // Certificate validity lifetime |
40 static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily | 43 static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily |
41 // Certificate validity window. | 44 // Certificate validity window. |
42 // This is to compensate for slightly incorrect system clocks. | 45 // This is to compensate for slightly incorrect system clocks. |
43 static const int CERTIFICATE_WINDOW = -60*60*24; | 46 static const int CERTIFICATE_WINDOW = -60*60*24; |
44 | 47 |
45 // Generate a key pair. Caller is responsible for freeing the returned object. | 48 // Generate a key pair. Caller is responsible for freeing the returned object. |
46 static EVP_PKEY* MakeKey(const KeyParams& key_params) { | 49 static EVP_PKEY* MakeKey(KeyType key_type) { |
47 LOG(LS_INFO) << "Making key pair"; | 50 LOG(LS_INFO) << "Making key pair"; |
48 EVP_PKEY* pkey = EVP_PKEY_new(); | 51 EVP_PKEY* pkey = EVP_PKEY_new(); |
49 if (key_params.type() == KT_RSA) { | 52 if (key_type == KT_RSA) { |
50 int key_length = key_params.rsa_params().mod_size; | |
51 BIGNUM* exponent = BN_new(); | 53 BIGNUM* exponent = BN_new(); |
52 RSA* rsa = RSA_new(); | 54 RSA* rsa = RSA_new(); |
53 if (!pkey || !exponent || !rsa || | 55 if (!pkey || !exponent || !rsa || |
54 !BN_set_word(exponent, key_params.rsa_params().pub_exp) || | 56 !BN_set_word(exponent, 0x10001) || // 65537 RSA exponent |
55 !RSA_generate_key_ex(rsa, key_length, exponent, NULL) || | 57 !RSA_generate_key_ex(rsa, KEY_LENGTH, exponent, NULL) || |
56 !EVP_PKEY_assign_RSA(pkey, rsa)) { | 58 !EVP_PKEY_assign_RSA(pkey, rsa)) { |
57 EVP_PKEY_free(pkey); | 59 EVP_PKEY_free(pkey); |
58 BN_free(exponent); | 60 BN_free(exponent); |
59 RSA_free(rsa); | 61 RSA_free(rsa); |
60 LOG(LS_ERROR) << "Failed to make RSA key pair"; | 62 LOG(LS_ERROR) << "Failed to make RSA key pair"; |
61 return NULL; | 63 return NULL; |
62 } | 64 } |
63 // ownership of rsa struct was assigned, don't free it. | 65 // ownership of rsa struct was assigned, don't free it. |
64 BN_free(exponent); | 66 BN_free(exponent); |
65 } else if (key_params.type() == KT_ECDSA) { | 67 } else if (key_type == KT_ECDSA) { |
66 if (key_params.ec_curve() == EC_NIST_P256) { | 68 EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
67 EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 69 if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || |
68 if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || | 70 !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { |
69 !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { | |
70 EVP_PKEY_free(pkey); | |
71 EC_KEY_free(ec_key); | |
72 LOG(LS_ERROR) << "Failed to make EC key pair"; | |
73 return NULL; | |
74 } | |
75 // ownership of ec_key struct was assigned, don't free it. | |
76 } else { | |
77 // Add generation of any other curves here. | |
78 EVP_PKEY_free(pkey); | 71 EVP_PKEY_free(pkey); |
79 LOG(LS_ERROR) << "ECDSA key requested for unknown curve"; | 72 EC_KEY_free(ec_key); |
| 73 LOG(LS_ERROR) << "Failed to make EC key pair"; |
80 return NULL; | 74 return NULL; |
81 } | 75 } |
| 76 // ownership of ec_key struct was assigned, don't free it. |
82 } else { | 77 } else { |
83 EVP_PKEY_free(pkey); | 78 EVP_PKEY_free(pkey); |
84 LOG(LS_ERROR) << "Key type requested not understood"; | 79 LOG(LS_ERROR) << "Key type requested not understood"; |
85 return NULL; | 80 return NULL; |
86 } | 81 } |
87 | 82 |
88 LOG(LS_INFO) << "Returning key pair"; | 83 LOG(LS_INFO) << "Returning key pair"; |
89 return pkey; | 84 return pkey; |
90 } | 85 } |
91 | 86 |
153 static void LogSSLErrors(const std::string& prefix) { | 148 static void LogSSLErrors(const std::string& prefix) { |
154 char error_buf[200]; | 149 char error_buf[200]; |
155 unsigned long err; | 150 unsigned long err; |
156 | 151 |
157 while ((err = ERR_get_error()) != 0) { | 152 while ((err = ERR_get_error()) != 0) { |
158 ERR_error_string_n(err, error_buf, sizeof(error_buf)); | 153 ERR_error_string_n(err, error_buf, sizeof(error_buf)); |
159 LOG(LS_ERROR) << prefix << ": " << error_buf << "\n"; | 154 LOG(LS_ERROR) << prefix << ": " << error_buf << "\n"; |
160 } | 155 } |
161 } | 156 } |
162 | 157 |
163 OpenSSLKeyPair* OpenSSLKeyPair::Generate(const KeyParams& key_params) { | 158 OpenSSLKeyPair* OpenSSLKeyPair::Generate(KeyType key_type) { |
164 EVP_PKEY* pkey = MakeKey(key_params); | 159 EVP_PKEY* pkey = MakeKey(key_type); |
165 if (!pkey) { | 160 if (!pkey) { |
166 LogSSLErrors("Generating key pair"); | 161 LogSSLErrors("Generating key pair"); |
167 return NULL; | 162 return NULL; |
168 } | 163 } |
169 return new OpenSSLKeyPair(pkey); | 164 return new OpenSSLKeyPair(pkey); |
170 } | 165 } |
171 | 166 |
172 OpenSSLKeyPair::~OpenSSLKeyPair() { | 167 OpenSSLKeyPair::~OpenSSLKeyPair() { |
173 EVP_PKEY_free(pkey_); | 168 EVP_PKEY_free(pkey_); |
174 } | 169 } |
377 OpenSSLCertificate* certificate) | 372 OpenSSLCertificate* certificate) |
378 : key_pair_(key_pair), certificate_(certificate) { | 373 : key_pair_(key_pair), certificate_(certificate) { |
379 ASSERT(key_pair != NULL); | 374 ASSERT(key_pair != NULL); |
380 ASSERT(certificate != NULL); | 375 ASSERT(certificate != NULL); |
381 } | 376 } |
382 | 377 |
383 OpenSSLIdentity::~OpenSSLIdentity() = default; | 378 OpenSSLIdentity::~OpenSSLIdentity() = default; |
384 | 379 |
385 OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( | 380 OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( |
386 const SSLIdentityParams& params) { | 381 const SSLIdentityParams& params) { |
387 OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_params); | 382 OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_type); |
388 if (key_pair) { | 383 if (key_pair) { |
389 OpenSSLCertificate* certificate = | 384 OpenSSLCertificate* certificate = |
390 OpenSSLCertificate::Generate(key_pair, params); | 385 OpenSSLCertificate::Generate(key_pair, params); |
391 if (certificate) | 386 if (certificate) |
392 return new OpenSSLIdentity(key_pair, certificate); | 387 return new OpenSSLIdentity(key_pair, certificate); |
393 delete key_pair; | 388 delete key_pair; |
394 } | 389 } |
395 LOG(LS_INFO) << "Identity generation failed"; | 390 LOG(LS_INFO) << "Identity generation failed"; |
396 return NULL; | 391 return NULL; |
397 } | 392 } |
398 | 393 |
399 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, | 394 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, |
400 const KeyParams& key_params) { | 395 KeyType key_type) { |
401 SSLIdentityParams params; | 396 SSLIdentityParams params; |
402 params.key_params = key_params; | |
403 params.common_name = common_name; | 397 params.common_name = common_name; |
404 params.not_before = CERTIFICATE_WINDOW; | 398 params.not_before = CERTIFICATE_WINDOW; |
405 params.not_after = CERTIFICATE_LIFETIME; | 399 params.not_after = CERTIFICATE_LIFETIME; |
| 400 params.key_type = key_type; |
406 return GenerateInternal(params); | 401 return GenerateInternal(params); |
407 } | 402 } |
408 | 403 |
409 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( | 404 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( |
410 const SSLIdentityParams& params) { | 405 const SSLIdentityParams& params) { |
411 return GenerateInternal(params); | 406 return GenerateInternal(params); |
412 } | 407 } |
413 | 408 |
414 SSLIdentity* OpenSSLIdentity::FromPEMStrings( | 409 SSLIdentity* OpenSSLIdentity::FromPEMStrings( |
415 const std::string& private_key, | 410 const std::string& private_key, |
455 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { | 450 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { |
456 LogSSLErrors("Configuring key and certificate"); | 451 LogSSLErrors("Configuring key and certificate"); |
457 return false; | 452 return false; |
458 } | 453 } |
459 return true; | 454 return true; |
460 } | 455 } |
461 | 456 |
462 } // namespace rtc | 457 } // namespace rtc |
463 | 458 |
464 #endif // HAVE_OPENSSL_SSL_H | 459 #endif // HAVE_OPENSSL_SSL_H |
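Review bot: The new side pins every generated RSA identity to a 1024-bit modulus (`static const int KEY_LENGTH = 1024;` at new line 37, consumed by `RSA_generate_key_ex` at new line 57), and since `MakeKey` and `OpenSSLKeyPair::Generate` now take only a `KeyType`, callers have no way to ask for a larger one. 1024-bit RSA sits below the 2048-bit minimum that NIST SP 800-57 has recommended since 2014 (112-bit security level), so the comment on the constant should record the reason for the smaller size rather than just "Those are RSA", for example `// Strength of generated RSA keys. 1024 bits is below the NIST SP 800-57 minimum of 2048; document the reason for keeping it before changing.` If no such reason exists, raising the constant to 2048 is a one-token change, and the ECDSA branch (`NID_X9_62_prime256v1`, new line 68) already gives a stronger default for callers that can use it. The exponent change to `0x10001` with its `// 65537 RSA exponent` comment is fine as written.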