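--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,31 +1,30 @@
 /*
 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license
 * that can be found in the LICENSE file in the root of the source
 * tree. An additional intellectual property rights grant can be found
 * in the file PATENTS. All contributing project authors may
 * be found in the AUTHORS file in the root of the source tree.
 */
 
 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
 
 #ifndef WEBRTC_BASE_SSLIDENTITY_H_
 #define WEBRTC_BASE_SSLIDENTITY_H_
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "webrtc/base/buffer.h"
-#include "webrtc/base/checks.h"
 #include "webrtc/base/messagedigest.h"
 
 namespace rtc {
 
 // Forward declaration due to circular dependency with SSLCertificate.
 class SSLCertChain;
 
 // Abstract interface overridden by SSL library specific
 // implementations.
 
@@ -101,137 +100,53 @@
 }
 
 // Helper function for deleting a vector of certificates.
 static void DeleteCert(SSLCertificate* cert) { delete cert; }
 
 std::vector<SSLCertificate*> certs_;
 
 RTC_DISALLOW_COPY_AND_ASSIGN(SSLCertChain);
 };
 
-// KT_DEFAULT is currently an alias for KT_RSA. This is likely to change.
-// KT_LAST is intended for vector declarations and loops over all key types;
-// it does not represent any key type in itself.
 // TODO(hbos,torbjorng): Don't change KT_DEFAULT without first updating
 // PeerConnectionFactory_nativeCreatePeerConnection's certificate generation
 // code.
 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_RSA };
 
-static const int kRsaDefaultModSize = 1024;
-static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537
-static const int kRsaMinModSize = 1024;
-static const int kRsaMaxModSize = 8192;
-
-struct RSAParams {
-unsigned int mod_size;
-unsigned int pub_exp;
-};
-
-enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
-
-class KeyParams {
-public:
-// Generate a KeyParams object from a simple KeyType, using default params.
-explicit KeyParams(KeyType key_type = KT_DEFAULT) {
-if (key_type == KT_ECDSA) {
-type_ = KT_ECDSA;
-params_.curve = EC_NIST_P256;
-} else if (key_type == KT_RSA) {
-type_ = KT_RSA;
-params_.rsa.mod_size = kRsaDefaultModSize;
-params_.rsa.pub_exp = kRsaDefaultExponent;
-} else {
-RTC_NOTREACHED();
-}
-}
-
-// Generate a a KeyParams for RSA with explicit parameters.
-static KeyParams RSA(int mod_size = kRsaDefaultModSize,
-int pub_exp = kRsaDefaultExponent) {
-KeyParams kt(KT_RSA);
-kt.params_.rsa.mod_size = mod_size;
-kt.params_.rsa.pub_exp = pub_exp;
-return kt;
-}
-
-// Generate a a KeyParams for ECDSA specifying the curve.
-static KeyParams ECDSA(ECCurve curve = EC_NIST_P256) {
-KeyParams kt(KT_ECDSA);
-kt.params_.curve = curve;
-return kt;
-}
-
-// Check validity of a KeyParams object. Since the factory functions have
-// no way of returning errors, this function can be called after creation
-// to make sure the parameters are OK.
-bool IsValid() {
-if (type_ == KT_RSA) {
-return (params_.rsa.mod_size >= kRsaMinModSize &&
-params_.rsa.mod_size <= kRsaMaxModSize &&
-params_.rsa.pub_exp > params_.rsa.mod_size);
-} else if (type_ == KT_ECDSA) {
-return (params_.curve == EC_NIST_P256);
-}
-return false;
-}
-
-RSAParams rsa_params() const {
-RTC_DCHECK(type_ == KT_RSA);
-return params_.rsa;
-}
-
-ECCurve ec_curve() const {
-RTC_DCHECK(type_ == KT_ECDSA);
-return params_.curve;
-}
-
-KeyType type() const { return type_; }
-
-private:
-KeyType type_;
-union {
-RSAParams rsa;
-ECCurve curve;
-} params_;
-};
-
 // TODO(hbos): Remove once rtc::KeyType (to be modified) and
 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
 // appropriately we can change KeyType enum -> class without breaking Chromium.
 KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
 
-// Parameters for generating a certificate. If |common_name| is non-empty, it
-// will be used for the certificate's subject and issuer name, otherwise a
-// random string will be used.
+// Parameters for generating an identity for testing. If common_name is
+// non-empty, it will be used for the certificate's subject and issuer name,
+// otherwise a random string will be used. |not_before| and |not_after| are
+// offsets to the current time in number of seconds.
 struct SSLIdentityParams {
 std::string common_name;
-int not_before; // offset from current time in seconds.
-int not_after; // offset from current time in seconds.
-KeyParams key_params;
+int not_before; // in seconds.
+int not_after; // in seconds.
+KeyType key_type;
 };
 
 // Our identity in an SSL negotiation: a keypair and certificate (both
 // with the same public key).
 // This too is pretty much immutable once created.
 class SSLIdentity {
 public:
 // Generates an identity (keypair and self-signed certificate). If
 // common_name is non-empty, it will be used for the certificate's
 // subject and issuer name, otherwise a random string will be used.
 // Returns NULL on failure.
 // Caller is responsible for freeing the returned object.
 static SSLIdentity* Generate(const std::string& common_name,
-const KeyParams& key_param);
-static SSLIdentity* Generate(const std::string& common_name,
-KeyType key_type) {
-return Generate(common_name, KeyParams(key_type));
-}
+KeyType key_type);
 
 // Generates an identity with the specified validity period.
 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
 
 // Construct an identity from a private key and a certificate.
 static SSLIdentity* FromPEMStrings(const std::string& private_key,
 const std::string& certificate);
 
 virtual ~SSLIdentity() {}
 
@@ -253,10 +168,10 @@
 size_t length);
 };
 
 extern const char kPemTypeCertificate[];
 extern const char kPemTypeRsaPrivateKey[];
 extern const char kPemTypeEcPrivateKey[];
 
 } // namespace rtc
 
 #endif // WEBRTC_BASE_SSLIDENTITY_H_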
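Review bot: `KeyType key_type;` at new line 128 of SSLIdentityParams is left uninitialized, whereas the `KeyParams key_params;` member it replaces defaulted to KT_DEFAULT through KeyParams' constructor, so a caller that fills in only common_name and the two validity offsets now hands GenerateForTest an indeterminate key type. If the file's C++ level allows in-class initializers, `KeyType key_type = KT_DEFAULT;` keeps the old default (note this makes the struct a non-aggregate under C++11, so any brace-initialization sites would need checking). Separately, the explanation of KT_LAST and KT_DEFAULT that preceded the TODO above `enum KeyType` (old lines 111-113) is dropped on the new side, leaving no hint that KT_LAST is a sentinel for array sizes and loops rather than a key type Generate() accepts; restoring those three comment lines above the remaining TODO would keep that clear.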