Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(413)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: webrtc/base/sslidentity.cc

Issue 2877023002: Move webrtc/{base => rtc_base} (Closed)
Patch Set: update presubmit.py and DEPS include rules Created 3 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « webrtc/base/sslidentity.h ('k') | webrtc/base/sslidentity_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
12 #include "webrtc/base/sslidentity.h"
13
14 #include <ctime>
15 #include <string>
16
17 #include "webrtc/base/base64.h"
18 #include "webrtc/base/checks.h"
19 #include "webrtc/base/logging.h"
20 #include "webrtc/base/opensslidentity.h"
21 #include "webrtc/base/sslfingerprint.h"
22
23 namespace rtc {
24
25 const char kPemTypeCertificate[] = "CERTIFICATE";
26 const char kPemTypeRsaPrivateKey[] = "RSA PRIVATE KEY";
27 const char kPemTypeEcPrivateKey[] = "EC PRIVATE KEY";
28
29 SSLCertificateStats::SSLCertificateStats(
30 std::string&& fingerprint,
31 std::string&& fingerprint_algorithm,
32 std::string&& base64_certificate,
33 std::unique_ptr<SSLCertificateStats>&& issuer)
34 : fingerprint(std::move(fingerprint)),
35 fingerprint_algorithm(std::move(fingerprint_algorithm)),
36 base64_certificate(std::move(base64_certificate)),
37 issuer(std::move(issuer)) {
38 }
39
40 SSLCertificateStats::~SSLCertificateStats() {
41 }
42
43 std::unique_ptr<SSLCertificateStats> SSLCertificate::GetStats() const {
44 // We have a certificate and optionally a chain of certificates. This forms a
45 // linked list, starting with |this|, then the first element of |chain| and
46 // ending with the last element of |chain|. The "issuer" of a certificate is
47 // the next certificate in the chain. Stats are produced for each certificate
48 // in the list. Here, the "issuer" is the issuer's stats.
49 std::unique_ptr<SSLCertChain> chain = GetChain();
50 std::unique_ptr<SSLCertificateStats> issuer;
51 if (chain) {
52 // The loop runs in reverse so that the |issuer| is known before the
53 // |cert|'s stats.
54 for (ptrdiff_t i = chain->GetSize() - 1; i >= 0; --i) {
55 const SSLCertificate* cert = &chain->Get(i);
56 issuer = cert->GetStats(std::move(issuer));
57 }
58 }
59 return GetStats(std::move(issuer));
60 }
61
62 std::unique_ptr<SSLCertificateStats> SSLCertificate::GetStats(
63 std::unique_ptr<SSLCertificateStats> issuer) const {
64 // TODO(bemasc): Move this computation to a helper class that caches these
65 // values to reduce CPU use in |StatsCollector::GetStats|. This will require
66 // adding a fast |SSLCertificate::Equals| to detect certificate changes.
67 std::string digest_algorithm;
68 if (!GetSignatureDigestAlgorithm(&digest_algorithm))
69 return nullptr;
70
71 // |SSLFingerprint::Create| can fail if the algorithm returned by
72 // |SSLCertificate::GetSignatureDigestAlgorithm| is not supported by the
73 // implementation of |SSLCertificate::ComputeDigest|. This currently happens
74 // with MD5- and SHA-224-signed certificates when linked to libNSS.
75 std::unique_ptr<SSLFingerprint> ssl_fingerprint(
76 SSLFingerprint::Create(digest_algorithm, this));
77 if (!ssl_fingerprint)
78 return nullptr;
79 std::string fingerprint = ssl_fingerprint->GetRfc4572Fingerprint();
80
81 Buffer der_buffer;
82 ToDER(&der_buffer);
83 std::string der_base64;
84 Base64::EncodeFromArray(der_buffer.data(), der_buffer.size(), &der_base64);
85
86 return std::unique_ptr<SSLCertificateStats>(new SSLCertificateStats(
87 std::move(fingerprint),
88 std::move(digest_algorithm),
89 std::move(der_base64),
90 std::move(issuer)));
91 }
92
93 KeyParams::KeyParams(KeyType key_type) {
94 if (key_type == KT_ECDSA) {
95 type_ = KT_ECDSA;
96 params_.curve = EC_NIST_P256;
97 } else if (key_type == KT_RSA) {
98 type_ = KT_RSA;
99 params_.rsa.mod_size = kRsaDefaultModSize;
100 params_.rsa.pub_exp = kRsaDefaultExponent;
101 } else {
102 RTC_NOTREACHED();
103 }
104 }
105
106 // static
107 KeyParams KeyParams::RSA(int mod_size, int pub_exp) {
108 KeyParams kt(KT_RSA);
109 kt.params_.rsa.mod_size = mod_size;
110 kt.params_.rsa.pub_exp = pub_exp;
111 return kt;
112 }
113
114 // static
115 KeyParams KeyParams::ECDSA(ECCurve curve) {
116 KeyParams kt(KT_ECDSA);
117 kt.params_.curve = curve;
118 return kt;
119 }
120
121 bool KeyParams::IsValid() const {
122 if (type_ == KT_RSA) {
123 return (params_.rsa.mod_size >= kRsaMinModSize &&
124 params_.rsa.mod_size <= kRsaMaxModSize &&
125 params_.rsa.pub_exp > params_.rsa.mod_size);
126 } else if (type_ == KT_ECDSA) {
127 return (params_.curve == EC_NIST_P256);
128 }
129 return false;
130 }
131
132 RSAParams KeyParams::rsa_params() const {
133 RTC_DCHECK(type_ == KT_RSA);
134 return params_.rsa;
135 }
136
137 ECCurve KeyParams::ec_curve() const {
138 RTC_DCHECK(type_ == KT_ECDSA);
139 return params_.curve;
140 }
141
142 KeyType IntKeyTypeFamilyToKeyType(int key_type_family) {
143 return static_cast<KeyType>(key_type_family);
144 }
145
146 bool SSLIdentity::PemToDer(const std::string& pem_type,
147 const std::string& pem_string,
148 std::string* der) {
149 // Find the inner body. We need this to fulfill the contract of
150 // returning pem_length.
151 size_t header = pem_string.find("-----BEGIN " + pem_type + "-----");
152 if (header == std::string::npos)
153 return false;
154
155 size_t body = pem_string.find("\n", header);
156 if (body == std::string::npos)
157 return false;
158
159 size_t trailer = pem_string.find("-----END " + pem_type + "-----");
160 if (trailer == std::string::npos)
161 return false;
162
163 std::string inner = pem_string.substr(body + 1, trailer - (body + 1));
164
165 *der = Base64::Decode(inner, Base64::DO_PARSE_WHITE |
166 Base64::DO_PAD_ANY |
167 Base64::DO_TERM_BUFFER);
168 return true;
169 }
170
171 std::string SSLIdentity::DerToPem(const std::string& pem_type,
172 const unsigned char* data,
173 size_t length) {
174 std::stringstream result;
175
176 result << "-----BEGIN " << pem_type << "-----\n";
177
178 std::string b64_encoded;
179 Base64::EncodeFromArray(data, length, &b64_encoded);
180
181 // Divide the Base-64 encoded data into 64-character chunks, as per
182 // 4.3.2.4 of RFC 1421.
183 static const size_t kChunkSize = 64;
184 size_t chunks = (b64_encoded.size() + (kChunkSize - 1)) / kChunkSize;
185 for (size_t i = 0, chunk_offset = 0; i < chunks;
186 ++i, chunk_offset += kChunkSize) {
187 result << b64_encoded.substr(chunk_offset, kChunkSize);
188 result << "\n";
189 }
190
191 result << "-----END " << pem_type << "-----\n";
192
193 return result.str();
194 }
195
196 SSLCertChain::SSLCertChain(const std::vector<SSLCertificate*>& certs) {
197 RTC_DCHECK(!certs.empty());
198 certs_.resize(certs.size());
199 std::transform(certs.begin(), certs.end(), certs_.begin(), DupCert);
200 }
201
202 SSLCertChain::SSLCertChain(const SSLCertificate* cert) {
203 certs_.push_back(cert->GetReference());
204 }
205
206 SSLCertChain::~SSLCertChain() {
207 std::for_each(certs_.begin(), certs_.end(), DeleteCert);
208 }
209
210 // static
211 SSLCertificate* SSLCertificate::FromPEMString(const std::string& pem_string) {
212 return OpenSSLCertificate::FromPEMString(pem_string);
213 }
214
215 // static
216 SSLIdentity* SSLIdentity::GenerateWithExpiration(const std::string& common_name,
217 const KeyParams& key_params,
218 time_t certificate_lifetime) {
219 return OpenSSLIdentity::GenerateWithExpiration(common_name, key_params,
220 certificate_lifetime);
221 }
222
223 // static
224 SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
225 const KeyParams& key_params) {
226 return OpenSSLIdentity::GenerateWithExpiration(
227 common_name, key_params, kDefaultCertificateLifetimeInSeconds);
228 }
229
230 // static
231 SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
232 KeyType key_type) {
233 return OpenSSLIdentity::GenerateWithExpiration(
234 common_name, KeyParams(key_type), kDefaultCertificateLifetimeInSeconds);
235 }
236
237 SSLIdentity* SSLIdentity::GenerateForTest(const SSLIdentityParams& params) {
238 return OpenSSLIdentity::GenerateForTest(params);
239 }
240
241 // static
242 SSLIdentity* SSLIdentity::FromPEMStrings(const std::string& private_key,
243 const std::string& certificate) {
244 return OpenSSLIdentity::FromPEMStrings(private_key, certificate);
245 }
246
247 bool operator==(const SSLIdentity& a, const SSLIdentity& b) {
248 return static_cast<const OpenSSLIdentity&>(a) ==
249 static_cast<const OpenSSLIdentity&>(b);
250 }
251 bool operator!=(const SSLIdentity& a, const SSLIdentity& b) {
252 return !(a == b);
253 }
254
255 // Read |n| bytes from ASN1 number string at *|pp| and return the numeric value.
256 // Update *|pp| and *|np| to reflect number of read bytes.
257 static inline int ASN1ReadInt(const unsigned char** pp, size_t* np, size_t n) {
258 const unsigned char* p = *pp;
259 int x = 0;
260 for (size_t i = 0; i < n; i++)
261 x = 10 * x + p[i] - '0';
262 *pp = p + n;
263 *np = *np - n;
264 return x;
265 }
266
267 int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format) {
268 size_t bytes_left = length;
269
270 // Make sure the string ends with Z. Doing it here protects the strspn call
271 // from running off the end of the string in Z's absense.
272 if (length == 0 || s[length - 1] != 'Z')
273 return -1;
274
275 // Make sure we only have ASCII digits so that we don't need to clutter the
276 // code below and ASN1ReadInt with error checking.
277 size_t n = strspn(reinterpret_cast<const char*>(s), "0123456789");
278 if (n + 1 != length)
279 return -1;
280
281 int year;
282
283 // Read out ASN1 year, in either 2-char "UTCTIME" or 4-char "GENERALIZEDTIME"
284 // format. Both format use UTC in this context.
285 if (long_format) {
286 // ASN1 format: yyyymmddhh[mm[ss[.fff]]]Z where the Z is literal, but
287 // RFC 5280 requires us to only support exactly yyyymmddhhmmssZ.
288
289 if (bytes_left < 11)
290 return -1;
291
292 year = ASN1ReadInt(&s, &bytes_left, 4);
293 year -= 1900;
294 } else {
295 // ASN1 format: yymmddhhmm[ss]Z where the Z is literal, but RFC 5280
296 // requires us to only support exactly yymmddhhmmssZ.
297
298 if (bytes_left < 9)
299 return -1;
300
301 year = ASN1ReadInt(&s, &bytes_left, 2);
302 if (year < 50) // Per RFC 5280 4.1.2.5.1
303 year += 100;
304 }
305
306 std::tm tm;
307 tm.tm_year = year;
308
309 // Read out remaining ASN1 time data and store it in |tm| in documented
310 // std::tm format.
311 tm.tm_mon = ASN1ReadInt(&s, &bytes_left, 2) - 1;
312 tm.tm_mday = ASN1ReadInt(&s, &bytes_left, 2);
313 tm.tm_hour = ASN1ReadInt(&s, &bytes_left, 2);
314 tm.tm_min = ASN1ReadInt(&s, &bytes_left, 2);
315 tm.tm_sec = ASN1ReadInt(&s, &bytes_left, 2);
316
317 if (bytes_left != 1) {
318 // Now just Z should remain. Its existence was asserted above.
319 return -1;
320 }
321
322 return TmToSeconds(tm);
323 }
324
325 } // namespace rtc
OLDNEW
« no previous file with comments | « webrtc/base/sslidentity.h ('k') | webrtc/base/sslidentity_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698