Provide method for returning certificate expiration timestamp.

webrtc/base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <ctime>

[hbos, 2015/11/25 11:18:31]

Move this to the other includes, everything else in this file is inside the #if

[torbjorng (webrtc), 2015/11/25 14:27:11]

Done.

+
 #if HAVE_OPENSSL_SSL_H
 
 #include "webrtc/base/opensslidentity.h"
 
 // Must be included first before openssl headers.
 #include "webrtc/base/win32.h"  // NOLINT
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
@@ skipping 102 matching lines @@
   // clear during SSL negotiation, so there may be a privacy issue in
   // putting anything recognizable here.
   if ((name = X509_NAME_new()) == NULL ||
       !X509_NAME_add_entry_by_NID(
           name, NID_commonName, MBSTRING_UTF8,
           (unsigned char*)params.common_name.c_str(), -1, -1, 0) ||
       !X509_set_subject_name(x509, name) ||
       !X509_set_issuer_name(x509, name))
     goto error;
 
-  if (!X509_gmtime_adj(X509_get_notBefore(x509), params.not_before) ||
-      !X509_gmtime_adj(X509_get_notAfter(x509), params.not_after))
+  if (params.absolute_time) {
+    time_t zero = 0;  // Make time epoch based.
+    if (!X509_time_adj_ex(X509_get_notBefore(x509), 0, params.not_before,
+                          &zero) ||
+        !X509_time_adj_ex(X509_get_notAfter(x509), 0, params.not_after, &zero))
+      goto error;
+  } else {
+    if (!X509_time_adj_ex(X509_get_notBefore(x509), 0, params.not_before,
+                          NULL) ||
+        !X509_time_adj_ex(X509_get_notAfter(x509), 0, params.not_after, NULL))
     goto error;
+  }
 
   if (!X509_sign(x509, pkey, EVP_sha256()))
     goto error;
 
   BN_free(serial_number);
   X509_NAME_free(name);
   LOG(LS_INFO) << "Returning certificate";
   return x509;
 
  error:
@@ skipping 220 matching lines @@
 
 void OpenSSLCertificate::AddReference() const {
   ASSERT(x509_ != NULL);
 #if defined(OPENSSL_IS_BORINGSSL)
   X509_up_ref(x509_);
 #else
   CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509);
 #endif
 }
 
+// Convert from std::tm to number of seconds from epoch.
+// Note that std::tm is relative to 1900-01-01.
+static int64_t tm_to_seconds(const std::tm& tm) {
+  static short int cumul_days[12] = {0,   31,  59,  90,  120, 151,
+                                     181, 212, 243, 273, 304, 334};
+
+  int year = tm.tm_year + 1900;
+  int month = tm.tm_mon;
+  int day = tm.tm_mday - 1;
+  int hour = tm.tm_hour;
+  int min = tm.tm_min;
+  int sec = tm.tm_sec;
+
+  // If expiration time is in a leap year, number of days depends on exact date.
+  if (year % 4 == 0 && (year % 100 != 0 || year % 400 == 0)) {
+    if (month <= 2 - 1) {  // February or earlier (|month| is zero based).
+      day -= 1;
+    }
+  }
+
+  day += cumul_days[month];
+
+  // Add number of leap days between 1970 and the expiration time.
+  day += ((year / 4 - 1970 / 4) - (year / 100 - 1970 / 100) +
+          (year / 400 - 1970 / 400));
+
+  year -= 1970;
+  return ((((int64_t)year * 365 + day) * 24 + hour) * 60 + min) * 60 + sec;
+}
+
+#define ASN1_READ2(x)                \
+  do {                               \
+    x = 10 * s[0] + s[1] - '0' * 11; \
+    s += 2;                          \
+    bytes_left -= 2;                 \
+  } while (0)
+#define ASN1_READ4(x)                                             \
+  do {                                                            \
+    x = 1000 * s[0] + 100 * s[1] + 10 * s[2] + s[3] - '0' * 1111; \
+    s += 4;                                                       \
+    bytes_left -= 4;                                              \
+  } while (0)
+
+// Convert from ASN1 TIME as restricted by RFC 5280 to milliseconds from epoch.
+// If the ASN1_TIME cannot be read, return -1.  Use std::tm for intermediate
+// results in the way specified by Unix time functions.
+static int64_t asn1_time_to_time_t(const ASN1_TIME* time) {
+  std::tm tm;
+  int year;
+  int month;
+  const unsigned char* s = (const unsigned char*)time->data;
+  size_t bytes_left = time->length;
+
+  if (time->type == V_ASN1_UTCTIME) {
+    // ASN1 format: yymmddhhmm[ss]Z where the Z is literal, but RFC 5280 only
+    // requires us to support exactly yymmddhhmmssZ.
+
+    if (bytes_left < 9)
+      return -1;
+
+    ASN1_READ2(year);
+    if (year < 70)
+      year += 100;
+  } else if (time->type == V_ASN1_GENERALIZEDTIME) {
+    // ASN1 format: yyyymmddhh[mm[ss[.fff]]]Z where the Z is literal.  but
+    // RFC 5280 only requires us to support exactly yyyymmddhhmmssZ.
+
+    if (bytes_left < 11)
+      return -1;
+
+    ASN1_READ4(year);
+    year -= 1900;
+  } else {
+    return -1;
+  }
+
+  // Zeroing the entire structure helps with the defaulting of the minute and
+  // second fields, as well as a bunch of other (here unused) fields.
+  memset(&tm, 0, sizeof(tm));
+
+  tm.tm_year = year;
+  ASN1_READ2(month);
+  tm.tm_mon = month - 1;
+  ASN1_READ2(tm.tm_mday);
+  ASN1_READ2(tm.tm_hour);
+  ASN1_READ2(tm.tm_min);
+  ASN1_READ2(tm.tm_sec);
+
+  if (bytes_left != 1 || s[0] != 'Z') {
+    // A final Z means UTC, mandated by RFC 5280, and compatible with OpenSSL.
+    return -1;
+  }
+
+  return 1000 * tm_to_seconds(tm);
+}
+#undef ASN1_READ4
+#undef ASN1_READ2
+
+int64_t OpenSSLCertificate::CertificateExpirationTime() const {
+  ASN1_TIME* exptime = X509_get_notAfter(x509_);
+  return asn1_time_to_time_t(exptime);
+}
+
 OpenSSLIdentity::OpenSSLIdentity(OpenSSLKeyPair* key_pair,
                                  OpenSSLCertificate* certificate)
     : key_pair_(key_pair), certificate_(certificate) {
   ASSERT(key_pair != NULL);
   ASSERT(certificate != NULL);
 }
 
 OpenSSLIdentity::~OpenSSLIdentity() = default;
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
     const SSLIdentityParams& params) {
   OpenSSLKeyPair* key_pair = OpenSSLKeyPair::Generate(params.key_params);
   if (key_pair) {
     OpenSSLCertificate* certificate =
         OpenSSLCertificate::Generate(key_pair, params);
     if (certificate)
       return new OpenSSLIdentity(key_pair, certificate);
     delete key_pair;
   }
   LOG(LS_INFO) << "Identity generation failed";
   return NULL;
 }
 
 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
                                            const KeyParams& key_params) {
   SSLIdentityParams params;
   params.key_params = key_params;
   params.common_name = common_name;
+  params.absolute_time = false;
   params.not_before = CERTIFICATE_WINDOW;
   params.not_after = CERTIFICATE_LIFETIME;
   return GenerateInternal(params);
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest(
     const SSLIdentityParams& params) {
   return GenerateInternal(params);
 }
 
@@ skipping 41 matching lines @@
      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H