Implement certificate lifetime parameter as required by WebRTC RFC.

webrtc/base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 18 matching lines @@
 #include "webrtc/base/openssldigest.h"
 
 namespace rtc {
 
 // We could have exposed a myriad of parameters for the crypto stuff,
 // but keeping it simple seems best.
 
 // Random bits for certificate serial number
 static const int SERIAL_RAND_BITS = 64;
 
-// Certificate validity lifetime
-static const int CERTIFICATE_LIFETIME = 60*60*24*30;  // 30 days, arbitrarily
-// Certificate validity window.
-// This is to compensate for slightly incorrect system clocks.
-static const int CERTIFICATE_WINDOW = -60*60*24;
-
 // Generate a key pair. Caller is responsible for freeing the returned object.
 static EVP_PKEY* MakeKey(const KeyParams& key_params) {
   LOG(LS_INFO) << "Making key pair";
   EVP_PKEY* pkey = EVP_PKEY_new();
   if (key_params.type() == KT_RSA) {
     int key_length = key_params.rsa_params().mod_size;
     BIGNUM* exponent = BN_new();
     RSA* rsa = RSA_new();
     if (!pkey || !exponent || !rsa ||
         !BN_set_word(exponent, key_params.rsa_params().pub_exp) ||
@@ skipping 352 matching lines @@
         OpenSSLCertificate::Generate(key_pair, params);
     if (certificate)
       return new OpenSSLIdentity(key_pair, certificate);
     delete key_pair;
   }
   LOG(LS_INFO) << "Identity generation failed";
   return NULL;
 }
 
 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
-                                           const KeyParams& key_params) {
+                                           const KeyParams& key_params,
+                                           time_t certificate_lifetime) {

[tommi, 2016/02/11 16:59:30]

does it make sense to DCHECK the validity of the certificate_lifetime value?

[torbjorng (webrtc), 2016/02/12 10:54:32]

Reply below.

   SSLIdentityParams params;
   params.key_params = key_params;
   params.common_name = common_name;
   time_t now = time(NULL);
   params.not_before = now + CERTIFICATE_WINDOW;
-  params.not_after = now + CERTIFICATE_LIFETIME;
+  params.not_after = now + certificate_lifetime;
+  RTC_DCHECK(params.not_before < params.not_after);

[tommi, 2016/02/11 16:59:30]

ah, perhaps this is enough... unless now is bogus.

[torbjorng (webrtc), 2016/02/12 10:54:32]

This is an intentionally somewhat week assertion, intended to avoid problems in
the low-level crypto library.

We set the not_before field (which is part of every certificate) to now - 1 day,
a behaviour which might be debatable but I retain. This CL allows explicit
setting of not_after (but not not_before), supplanting the previously hardwired
30 days.

Setting not_after to a (relative to now) negative value makes little sense
except for testing some predicate functions. It will cause peer rejection, which
is a benign failure.

   return GenerateInternal(params);
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest(
     const SSLIdentityParams& params) {
   return GenerateInternal(params);
 }
 
 SSLIdentity* OpenSSLIdentity::FromPEMStrings(
     const std::string& private_key,
@@ skipping 39 matching lines @@
      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H