| 1 /* | 1 /* |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| 29 #include "webrtc/base/openssldigest.h" | 29 #include "webrtc/base/openssldigest.h" |
| 30 | 30 |
| 31 namespace rtc { | 31 namespace rtc { |
| 32 | 32 |
| 33 // We could have exposed a myriad of parameters for the crypto stuff, | 33 // We could have exposed a myriad of parameters for the crypto stuff, |
| 34 // but keeping it simple seems best. | 34 // but keeping it simple seems best. |
| 35 | 35 |
| 36 // Random bits for certificate serial number | 36 // Random bits for certificate serial number |
| 37 static const int SERIAL_RAND_BITS = 64; | 37 static const int SERIAL_RAND_BITS = 64; |
| 38 | 38 |
| 39 // Certificate validity lifetime | |
| 40 static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily | |
| 41 // Certificate validity window. | |
| 42 // This is to compensate for slightly incorrect system clocks. | |
| 43 static const int CERTIFICATE_WINDOW = -60*60*24; | |
| 44 | |
| 45 // Generate a key pair. Caller is responsible for freeing the returned object. | 39 // Generate a key pair. Caller is responsible for freeing the returned object. |
| 46 static EVP_PKEY* MakeKey(const KeyParams& key_params) { | 40 static EVP_PKEY* MakeKey(const KeyParams& key_params) { |
| 47 LOG(LS_INFO) << "Making key pair"; | 41 LOG(LS_INFO) << "Making key pair"; |
| 48 EVP_PKEY* pkey = EVP_PKEY_new(); | 42 EVP_PKEY* pkey = EVP_PKEY_new(); |
| 49 if (key_params.type() == KT_RSA) { | 43 if (key_params.type() == KT_RSA) { |
| 50 int key_length = key_params.rsa_params().mod_size; | 44 int key_length = key_params.rsa_params().mod_size; |
| 51 BIGNUM* exponent = BN_new(); | 45 BIGNUM* exponent = BN_new(); |
| 52 RSA* rsa = RSA_new(); | 46 RSA* rsa = RSA_new(); |
| 53 if (!pkey || !exponent || !rsa || | 47 if (!pkey || !exponent || !rsa || |
| 54 !BN_set_word(exponent, key_params.rsa_params().pub_exp) || | 48 !BN_set_word(exponent, key_params.rsa_params().pub_exp) || |
| 407 OpenSSLCertificate::Generate(key_pair, params); | 401 OpenSSLCertificate::Generate(key_pair, params); |
| 408 if (certificate) | 402 if (certificate) |
| 409 return new OpenSSLIdentity(key_pair, certificate); | 403 return new OpenSSLIdentity(key_pair, certificate); |
| 410 delete key_pair; | 404 delete key_pair; |
| 411 } | 405 } |
| 412 LOG(LS_INFO) << "Identity generation failed"; | 406 LOG(LS_INFO) << "Identity generation failed"; |
| 413 return NULL; | 407 return NULL; |
| 414 } | 408 } |
| 415 | 409 |
| 416 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, | 410 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name, |
| 417 const KeyParams& key_params) { | 411 const KeyParams& key_params, |
| 412 time_t certificate_lifetime) { | |
| 418 SSLIdentityParams params; | 413 SSLIdentityParams params; |
| 419 params.key_params = key_params; | 414 params.key_params = key_params; |
| 420 params.common_name = common_name; | 415 params.common_name = common_name; |
| 421 time_t now = time(NULL); | 416 time_t now = time(NULL); |
| 422 params.not_before = now + CERTIFICATE_WINDOW; | 417 params.not_before = now + kCertificateWindow; |
| 423 params.not_after = now + CERTIFICATE_LIFETIME; | 418 params.not_after = now + certificate_lifetime; |
| 419 RTC_DCHECK(params.not_before < params.not_after); | |
|
Ryan Sleevi
2016/03/08 17:04:43
This is not a good DCHECK, because it's not a prog
torbjorng (webrtc)
2016/03/30 14:00:29
I am fixing this in a follow-up CL.
| |
| 424 return GenerateInternal(params); | 420 return GenerateInternal(params); |
| 425 } | 421 } |
| 426 | 422 |
| 427 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( | 423 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( |
| 428 const SSLIdentityParams& params) { | 424 const SSLIdentityParams& params) { |
| 429 return GenerateInternal(params); | 425 return GenerateInternal(params); |
| 430 } | 426 } |
| 431 | 427 |
| 432 SSLIdentity* OpenSSLIdentity::FromPEMStrings( | 428 SSLIdentity* OpenSSLIdentity::FromPEMStrings( |
| 433 const std::string& private_key, | 429 const std::string& private_key, |
| 473 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { | 469 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { |
| 474 LogSSLErrors("Configuring key and certificate"); | 470 LogSSLErrors("Configuring key and certificate"); |
| 475 return false; | 471 return false; |
| 476 } | 472 } |
| 477 return true; | 473 return true; |
| 478 } | 474 } |
| 479 | 475 |
| 480 } // namespace rtc | 476 } // namespace rtc |
| 481 | 477 |
| 482 #endif // HAVE_OPENSSL_SSL_H | 478 #endif // HAVE_OPENSSL_SSL_H |
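Review bot: The addition `now + certificate_lifetime` at new line 418 of OpenSSLIdentity::Generate is unchecked arithmetic on a caller-supplied value; time_t is a signed integer on the usual targets, so an oversized lifetime overflows (undefined behaviour) before the debug-only RTC_DCHECK on the next line can observe the result, and a release build may hand a wrapped not_after to certificate generation. The parameter's unit is also undocumented at the definition: the deleted CERTIFICATE_LIFETIME was 60*60*24*30 seconds, so callers presumably pass seconds, and a comment above the definition such as `// |certificate_lifetime| is the validity period in seconds, counted from the current time.` would pin that down. I would reject non-positive and overflowing lifetimes before the arithmetic, following the LOG-and-return-NULL failure style already used in GenerateInternal; this needs <limits> included, which is outside the visible lines. kCertificateWindow is defined outside this file, so its sign and unit cannot be confirmed here, though the CERTIFICATE_WINDOW it replaces was -60*60*24.
```cpp
  time_t now = time(NULL);
  // Reject lifetimes that cannot yield a usable validity period or that would
  // overflow the signed time_t addition below.
  if (certificate_lifetime <= 0 ||
      certificate_lifetime > std::numeric_limits<time_t>::max() - now) {
    LOG(LS_ERROR) << "Invalid certificate lifetime";
    return NULL;
  }
  // … unchanged: not_before/not_after assignment, RTC_DCHECK, GenerateInternal call …
```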