RTCCertificate serialization.

webrtc/base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 163 matching lines @@
 }
 
 void OpenSSLKeyPair::AddReference() {
 #if defined(OPENSSL_IS_BORINGSSL)
   EVP_PKEY_up_ref(pkey_);
 #else
   CRYPTO_add(&pkey_->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #endif
 }
 
+std::string OpenSSLKeyPair::PrivateKeyToPemString() const {
+  BIO* temp_memory_bio = BIO_new(BIO_s_mem());

[nisse-webrtc, 2016/04/22 13:44:07]

I was a bit confused by the name if this class; I expected some explicit
representation of both public and private key.

If it's really representing a private key (as the new comparison operators
indicate), name this just ToPEMString, similarly to the method on
OpenSSLCertificate.

[hbos, 2016/04/25 14:23:23]

Hmm, confusing indeed.

The previously existing SSLIdentity/OpenSSLIdentity::FromPEMStrings constructs
OpenSSLKeyPair just from private key using PEM_read_bio_PrivateKey. This new
toPEM uses PEM_write_bio_PrivateKey. So at first I thought EVP_PKEY was just
private key information and that OpenSSLKeyPair was a misleading name. But
digging deeper, documentation confirms EVP_PKEY can contain both public and
private key information.

Even though we construct new EVP_PKEYs using "PrivateKey" PEMs, I just checked
with EVP_PKEY_missing_parameters and it returns 0 indicating that the EVP_PKEY
does have public key parameters present (or that the algorithm does not use
parameters). There exists PEM_read/write_bio_PUBKEY functions too (taking
EVP_PKEY), but they are not used by us.

Question: It turns out EVP_PKEY_cmp is a *public* key comparison function -
would this make the comparison less robust?

Since OpenSSLIdentity can be cloned using private key and certificate PEMs this
is all that is needed, but because of the key pair / private key confusion I
will be clear in the function name that this toPEM is for private key. I can
verify that EVP_PKEY_missing_parameters returns 0 though so that we don't end up
with a broken EVP_PKEY (although I don't know if PUBKEY is used given that the
OpenSSLCertificate must contain stuff like that too?).

[nisse-webrtc, 2016/04/27 08:05:46]

The private key always (are there any exceptions?) contains enough information
to make it trivial to derive the corresponding public key.

So to me, the difference between a "private key" and a "keypair" is more a
question of use. The private key is used for creating signatures (or decrypting
messages, but I guess we're only talking about signatures here?). While a
keypair, in addition, is intended to provide the corresponding public key to
others, possibly including additional meta data, certificates, etc.

[hbos, 2016/04/27 09:00:44]

Oh good, then the private key -> key pair makes sense.

I'm *guessing* that this is an OpenSSLKeyPair as opposed to an OpenSSLPrivateKey
simply because the private key is stored in a "key pair" in OpenSSL. The public
interfaces being implemented, SSLIdentity/SSLCertificate would only expose the
OpenSSLCertificate and its PEM (consisting of X509*). So the private key is only
useful for persistence/cloning, and is otherwise not public. And the public key
must be part of the certificate? So there would be some duplicate information.

[nisse-webrtc, 2016/04/27 09:08:57]

Yes. More or less by definition, a certificate consist of a public key, some
meta data, and a digital signature on it all.

(In theory, the certificate could omit the public key and only include a hash of
it. But that variation is not possible in x.509, as far as I'm aware).

[hbos, 2016/04/27 10:12:08]

Acknowledged.

+  if (!temp_memory_bio) {
+    LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
+    RTC_NOTREACHED();
+    return "";
+  }
+  if (!PEM_write_bio_PrivateKey(
+      temp_memory_bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr)) {
+    LOG_F(LS_ERROR) << "Failed to write private key";
+    BIO_free(temp_memory_bio);
+    RTC_NOTREACHED();
+    return "";
+  }
+  BIO_write(temp_memory_bio, "\0", 1);
+  char* buffer;
+  BIO_get_mem_data(temp_memory_bio, &buffer);
+  std::string priv_key_str = buffer;
+  BIO_free(temp_memory_bio);
+  return priv_key_str;
+}
+
+bool OpenSSLKeyPair::operator==(const OpenSSLKeyPair& other) const {
+  return EVP_PKEY_cmp(this->pkey_, other.pkey_) == 1;
+}
+
+bool OpenSSLKeyPair::operator!=(const OpenSSLKeyPair& other) const {
+  return !(*this == other);
+}
+
 #if !defined(NDEBUG)
 // Print a certificate to the log, for debugging.
 static void PrintCert(X509* x509) {
   BIO* temp_memory_bio = BIO_new(BIO_s_mem());
   if (!temp_memory_bio) {
     LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
     return;
   }
   X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0);
   BIO_write(temp_memory_bio, "\0", 1);
@@ skipping 167 matching lines @@
 
 void OpenSSLCertificate::AddReference() const {
   ASSERT(x509_ != NULL);
 #if defined(OPENSSL_IS_BORINGSSL)
   X509_up_ref(x509_);
 #else
   CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509);
 #endif
 }
 
+bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const {
+  return X509_cmp(this->x509_, other.x509_) == 0;
+}
+
+bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const {
+  return !(*this == other);
+}
+
 // Documented in sslidentity.h.
 int64_t OpenSSLCertificate::CertificateExpirationTime() const {
   ASN1_TIME* expire_time = X509_get_notAfter(x509_);
   bool long_format;
 
   if (expire_time->type == V_ASN1_UTCTIME) {
     long_format = false;
   } else if (expire_time->type == V_ASN1_GENERALIZEDTIME) {
     long_format = true;
   } else {
@@ skipping 87 matching lines @@
 bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {
   // 1 is the documented success return code.
   if (SSL_CTX_use_certificate(ctx, certificate_->x509()) != 1 ||
      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
+std::string OpenSSLIdentity::PrivateKeyToPemString() const {
+  return key_pair_->PrivateKeyToPemString();
+}
+
+bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const {
+  return *this->key_pair_ == *other.key_pair_ &&
+         *this->certificate_ == *other.certificate_;
+}
+
+bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const {
+  return !(*this == other);
+}
+
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H