RTCCertificate serialization.

webrtc/base/opensslidentity.cc

Index: webrtc/base/opensslidentity.cc
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 9c2112e157c0dc71099b57a764c58c4e48d4c28b..8b35a70250797980900e38b23c794075da4dd716 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -181,6 +181,36 @@ void OpenSSLKeyPair::AddReference() {
 #endif
 }
 
+std::string OpenSSLKeyPair::PrivateKeyToPemString() const {
+  BIO* temp_memory_bio = BIO_new(BIO_s_mem());

[nisse-webrtc, 2016/04/22 13:44:07]

I was a bit confused by the name if this class; I expected some explicit
representation of both public and private key.

If it's really representing a private key (as the new comparison operators
indicate), name this just ToPEMString, similarly to the method on
OpenSSLCertificate.

[hbos, 2016/04/25 14:23:23]

Hmm, confusing indeed.

The previously existing SSLIdentity/OpenSSLIdentity::FromPEMStrings constructs
OpenSSLKeyPair just from private key using PEM_read_bio_PrivateKey. This new
toPEM uses PEM_write_bio_PrivateKey. So at first I thought EVP_PKEY was just
private key information and that OpenSSLKeyPair was a misleading name. But
digging deeper, documentation confirms EVP_PKEY can contain both public and
private key information.

Even though we construct new EVP_PKEYs using "PrivateKey" PEMs, I just checked
with EVP_PKEY_missing_parameters and it returns 0 indicating that the EVP_PKEY
does have public key parameters present (or that the algorithm does not use
parameters). There exists PEM_read/write_bio_PUBKEY functions too (taking
EVP_PKEY), but they are not used by us.

Question: It turns out EVP_PKEY_cmp is a *public* key comparison function -
would this make the comparison less robust?

Since OpenSSLIdentity can be cloned using private key and certificate PEMs this
is all that is needed, but because of the key pair / private key confusion I
will be clear in the function name that this toPEM is for private key. I can
verify that EVP_PKEY_missing_parameters returns 0 though so that we don't end up
with a broken EVP_PKEY (although I don't know if PUBKEY is used given that the
OpenSSLCertificate must contain stuff like that too?).

[nisse-webrtc, 2016/04/27 08:05:46]

The private key always (are there any exceptions?) contains enough information
to make it trivial to derive the corresponding public key.

So to me, the difference between a "private key" and a "keypair" is more a
question of use. The private key is used for creating signatures (or decrypting
messages, but I guess we're only talking about signatures here?). While a
keypair, in addition, is intended to provide the corresponding public key to
others, possibly including additional meta data, certificates, etc.

[hbos, 2016/04/27 09:00:44]

Oh good, then the private key -> key pair makes sense.

I'm *guessing* that this is an OpenSSLKeyPair as opposed to an OpenSSLPrivateKey
simply because the private key is stored in a "key pair" in OpenSSL. The public
interfaces being implemented, SSLIdentity/SSLCertificate would only expose the
OpenSSLCertificate and its PEM (consisting of X509*). So the private key is only
useful for persistence/cloning, and is otherwise not public. And the public key
must be part of the certificate? So there would be some duplicate information.

[nisse-webrtc, 2016/04/27 09:08:57]

Yes. More or less by definition, a certificate consist of a public key, some
meta data, and a digital signature on it all.

(In theory, the certificate could omit the public key and only include a hash of
it. But that variation is not possible in x.509, as far as I'm aware).

[hbos, 2016/04/27 10:12:08]

Acknowledged.

+  if (!temp_memory_bio) {
+    LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
+    RTC_NOTREACHED();
+    return "";
+  }
+  if (!PEM_write_bio_PrivateKey(
+      temp_memory_bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr)) {
+    LOG_F(LS_ERROR) << "Failed to write private key";
+    BIO_free(temp_memory_bio);
+    RTC_NOTREACHED();
+    return "";
+  }
+  BIO_write(temp_memory_bio, "\0", 1);
+  char* buffer;
+  BIO_get_mem_data(temp_memory_bio, &buffer);
+  std::string priv_key_str = buffer;
+  BIO_free(temp_memory_bio);
+  return priv_key_str;
+}
+
+bool OpenSSLKeyPair::operator==(const OpenSSLKeyPair& other) const {
+  return EVP_PKEY_cmp(this->pkey_, other.pkey_) == 1;
+}
+
+bool OpenSSLKeyPair::operator!=(const OpenSSLKeyPair& other) const {
+  return !(*this == other);
+}
+
 #if !defined(NDEBUG)
 // Print a certificate to the log, for debugging.
 static void PrintCert(X509* x509) {
@@ -368,6 +398,14 @@ void OpenSSLCertificate::AddReference() const {
 #endif
 }
 
+bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const {
+  return X509_cmp(this->x509_, other.x509_) == 0;
+}
+
+bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const {
+  return !(*this == other);
+}
+
 // Documented in sslidentity.h.
 int64_t OpenSSLCertificate::CertificateExpirationTime() const {
   ASN1_TIME* expire_time = X509_get_notAfter(x509_);
@@ -475,6 +513,19 @@ bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {
   return true;
 }
 
+std::string OpenSSLIdentity::PrivateKeyToPemString() const {
+  return key_pair_->PrivateKeyToPemString();
+}
+
+bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const {
+  return *this->key_pair_ == *other.key_pair_ &&
+         *this->certificate_ == *other.certificate_;
+}
+
+bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const {
+  return !(*this == other);
+}
+
 }  // namespace rtc
 
 #endif  // HAVE_OPENSSL_SSL_H