Provide method for returning certificate expiration timestamp.

webrtc/base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #if HAVE_OPENSSL_SSL_H
 
+#include <ctime>

[hbos, 2015/11/25 15:21:44]

The first include should be opensslidentity.h. I would place it above
<oppenssl/...> or above win32.h.

[torbjorng (webrtc), 2015/11/25 19:14:09]

Done.

+
 #include "webrtc/base/opensslidentity.h"
 
 // Must be included first before openssl headers.
 #include "webrtc/base/win32.h"  // NOLINT
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ skipping 66 matching lines @@
   return pkey;
 }
 
 // Generate a self-signed certificate, with the public key from the
 // given key pair. Caller is responsible for freeing the returned object.
 static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) {
   LOG(LS_INFO) << "Making certificate for " << params.common_name;
   X509* x509 = NULL;
   BIGNUM* serial_number = NULL;
   X509_NAME* name = NULL;
+  time_t epoch_off = 0;  // Time offset since epoch.

[hbos, 2015/11/25 15:21:44]

nit/optional: Is it a style in this file or personal preference to define this
variable at the top of the function? Personally I would define it where it's
used.

[torbjorng (webrtc), 2015/11/25 19:14:09]

Since it sets a value and since the function is full of gotos, putting it in the
usual place causes compilation failure.

 
   if ((x509=X509_new()) == NULL)
     goto error;
 
   if (!X509_set_pubkey(x509, pkey))
     goto error;
 
   // serial number
   // temporary reference to serial number inside x509 struct
   ASN1_INTEGER* asn1_serial_number;
@@ skipping 14 matching lines @@
   // clear during SSL negotiation, so there may be a privacy issue in
   // putting anything recognizable here.
   if ((name = X509_NAME_new()) == NULL ||
       !X509_NAME_add_entry_by_NID(
           name, NID_commonName, MBSTRING_UTF8,
           (unsigned char*)params.common_name.c_str(), -1, -1, 0) ||
       !X509_set_subject_name(x509, name) ||
       !X509_set_issuer_name(x509, name))
     goto error;
 
-  if (!X509_gmtime_adj(X509_get_notBefore(x509), params.not_before) ||
-      !X509_gmtime_adj(X509_get_notAfter(x509), params.not_after))
+  if (!X509_time_adj(X509_get_notBefore(x509), params.not_before, &epoch_off) ||
+      !X509_time_adj(X509_get_notAfter(x509), params.not_after, &epoch_off))
     goto error;
 
   if (!X509_sign(x509, pkey, EVP_sha256()))
     goto error;
 
   BN_free(serial_number);
   X509_NAME_free(name);
   LOG(LS_INFO) << "Returning certificate";
   return x509;
 
@@ skipping 221 matching lines @@
 
 void OpenSSLCertificate::AddReference() const {
   ASSERT(x509_ != NULL);
 #if defined(OPENSSL_IS_BORINGSSL)
   X509_up_ref(x509_);
 #else
   CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509);
 #endif
 }
 
+// Convert from std::tm to number of seconds from epoch.
+// Note that std::tm is relative to 1900-01-01.
+static int64_t TmToSeconds(const std::tm& tm) {
+  static short int cumul_days[12] = {0,   31,  59,  90,  120, 151,
+                                     181, 212, 243, 273, 304, 334};
+
+  int year = tm.tm_year + 1900;
+  int month = tm.tm_mon;
+  int day = tm.tm_mday - 1;
+  int hour = tm.tm_hour;
+  int min = tm.tm_min;
+  int sec = tm.tm_sec;
+
+  // If expiration time is in a leap year, number of days depends on exact date.
+  if (year % 4 == 0 && (year % 100 != 0 || year % 400 == 0)) {
+    if (month <= 2 - 1) {  // February or earlier (|month| is zero based).
+      day -= 1;
+    }
+  }
+
+  day += cumul_days[month];
+
+  // Add number of leap days between 1970 and the expiration time.
+  day += ((year / 4 - 1970 / 4) - (year / 100 - 1970 / 100) +
+          (year / 400 - 1970 / 400));
+
+  year -= 1970;
+  return ((((int64_t)year * 365 + day) * 24 + hour) * 60 + min) * 60 + sec;

[hbos, 2015/11/25 15:21:44]

I think style guide says static_cast<int64_t> instead even for stuff like this?

[torbjorng (webrtc), 2015/11/25 19:14:09]

Done.

+}
+
+#define ASN1_READ2(x, s, n)          \
+  do {                               \
+    x = 10 * s[0] + s[1] - '0' * 11; \
+    s += 2;                          \
+    n -= 2;                          \
+  } while (0)
+#define ASN1_READ4(x, s, n)                                       \
+  do {                                                            \
+    x = 1000 * s[0] + 100 * s[1] + 10 * s[2] + s[3] - '0' * 1111; \
+    s += 4;                                                       \
+    n -= 4;                                                       \
+  } while (0)

[hbos, 2015/11/25 15:21:44]

Macros are the devil. I think these should be functions instead (static
functions which are typically placed at the top in an anonymous namespace, code
style thingy).

+
+// Convert from ASN1 TIME as restricted by RFC 5280 to milliseconds from epoch.
+// If the ASN1_TIME cannot be read, return -1.  Use std::tm for intermediate
+// results in the way specified by Unix time functions.
+static int64_t ASN1TimeToMS(const ASN1_TIME* time) {
+  std::tm tm;
+  int year;
+  int month;
+  const unsigned char* s = (const unsigned char*)time->data;

[hbos, 2015/11/25 15:21:44]

Style guide: use static_cast. Wait, isn't this an unsigned char*? Then you don't
need a cast, non-const -> const is implicit.

[torbjorng (webrtc), 2015/11/25 19:14:09]

Done.

+  size_t bytes_left = time->length;

[hbos, 2015/11/25 15:21:44]

size_t is what should be used for stuff like this but I think time->length is
int, so maybe make bytes_left and int? (Even though if its not unsigned and
doesn't fit as size_t there must be a bug)

[torbjorng (webrtc), 2015/11/25 19:14:09]

OpenSSL uses 'int' for sizes.  I expect that to get fixed.

+
+  if (time->type == V_ASN1_UTCTIME) {
+    // ASN1 format: yymmddhhmm[ss]Z where the Z is literal, but RFC 5280
+    // requires us to only support exactly yymmddhhmmssZ.
+
+    if (bytes_left < 9)
+      return -1;
+
+    ASN1_READ2(year, s, bytes_left);
+    if (year < 70)
+      year += 100;
+  } else if (time->type == V_ASN1_GENERALIZEDTIME) {
+    // ASN1 format: yyyymmddhh[mm[ss[.fff]]]Z where the Z is literal, but
+    // RFC 5280 requires us to only support exactly yyyymmddhhmmssZ.
+
+    if (bytes_left < 11)
+      return -1;
+
+    ASN1_READ4(year, s, bytes_left);
+    year -= 1900;
+  } else {
+    return -1;
+  }
+
+  // Zeroing the entire structure helps with the defaulting of the minute and
+  // second fields, as well as a bunch of other (here unused) fields.
+  memset(&tm, 0, sizeof(tm));
+
+  tm.tm_year = year;
+  ASN1_READ2(month, s, bytes_left);
+  tm.tm_mon = month - 1;
+  ASN1_READ2(tm.tm_mday, s, bytes_left);
+  ASN1_READ2(tm.tm_hour, s, bytes_left);
+  ASN1_READ2(tm.tm_min, s, bytes_left);
+  ASN1_READ2(tm.tm_sec, s, bytes_left);

[hbos, 2015/11/25 15:21:44]

A short comment here and/or at the function definition would be nice. Same for
the usage above.

[torbjorng (webrtc), 2015/11/25 19:14:09]

Done.

+
+  if (bytes_left != 1 || s[0] != 'Z') {
+    // A final Z means UTC, mandated by RFC 5280, and compatible with OpenSSL.
+    return -1;
+  }
+
+  return 1000 * TmToSeconds(tm);
+}
+#undef ASN1_READ4
+#undef ASN1_READ2
+
+int64_t OpenSSLCertificate::CertificateExpirationTime() const {
+  ASN1_TIME* exptime = X509_get_notAfter(x509_);
+  return ASN1TimeToMS(exptime);
+}
+
 OpenSSLIdentity::OpenSSLIdentity(OpenSSLKeyPair* key_pair,
                                  OpenSSLCertificate* certificate)
     : key_pair_(key_pair), certificate_(certificate) {
   ASSERT(key_pair != NULL);
   ASSERT(certificate != NULL);
 }
 
 OpenSSLIdentity::~OpenSSLIdentity() = default;
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
     const SSLIdentityParams& params) {
   OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_params);
   if (key_pair) {
     OpenSSLCertificate* certificate =
         OpenSSLCertificate::Generate(key_pair, params);
     if (certificate)
       return new OpenSSLIdentity(key_pair, certificate);
     delete key_pair;
   }
   LOG(LS_INFO) << "Identity generation failed";
   return NULL;
 }
 
 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
                                            const KeyParams& key_params) {
   SSLIdentityParams params;
   params.key_params = key_params;
   params.common_name = common_name;
-  params.not_before = CERTIFICATE_WINDOW;
-  params.not_after = CERTIFICATE_LIFETIME;
+  time_t now = time(NULL);
+  params.not_before = now + CERTIFICATE_WINDOW;
+  params.not_after = now + CERTIFICATE_LIFETIME;
   return GenerateInternal(params);
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest(
     const SSLIdentityParams& params) {
   return GenerateInternal(params);
 }
 
 SSLIdentity* OpenSSLIdentity::FromPEMStrings(
     const std::string& private_key,
@@ skipping 39 matching lines @@
      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H