Implement GetChain for OpenSSLCertificate.

webrtc/rtc_base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #include "webrtc/rtc_base/opensslidentity.h"
 
 #include <memory>
 
 // Must be included first before openssl headers.
 #include "webrtc/rtc_base/win32.h"  // NOLINT
 
 #include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/bn.h>
 #include <openssl/rsa.h>
-#include <openssl/crypto.h>
 
 #include "webrtc/rtc_base/checks.h"
 #include "webrtc/rtc_base/helpers.h"
 #include "webrtc/rtc_base/logging.h"
 #include "webrtc/rtc_base/openssl.h"
 #include "webrtc/rtc_base/openssldigest.h"
 
 namespace rtc {
 
 // We could have exposed a myriad of parameters for the crypto stuff,
@@ skipping 102 matching lines @@
     goto error;
 
   if (!X509_sign(x509, pkey, EVP_sha256()))
     goto error;
 
   BN_free(serial_number);
   X509_NAME_free(name);
   LOG(LS_INFO) << "Returning certificate";
   return x509;
 
- error:
+error:
   BN_free(serial_number);
   X509_NAME_free(name);
   X509_free(x509);
   return nullptr;
 }
 
 // This dumps the SSL error stack to the log.
 static void LogSSLErrors(const std::string& prefix) {
   char error_buf[200];
   unsigned long err;
@@ skipping 53 matching lines @@
 #endif
 }
 
 std::string OpenSSLKeyPair::PrivateKeyToPEMString() const {
   BIO* temp_memory_bio = BIO_new(BIO_s_mem());
   if (!temp_memory_bio) {
     LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio";
     RTC_NOTREACHED();
     return "";
   }
-  if (!PEM_write_bio_PrivateKey(
-      temp_memory_bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr)) {
+  if (!PEM_write_bio_PrivateKey(temp_memory_bio, pkey_, nullptr, nullptr, 0,
+                                nullptr, nullptr)) {
     LOG_F(LS_ERROR) << "Failed to write private key";
     BIO_free(temp_memory_bio);
     RTC_NOTREACHED();
     return "";
   }
   BIO_write(temp_memory_bio, "\0", 1);
   char* buffer;
   BIO_get_mem_data(temp_memory_bio, &buffer);
   std::string priv_key_str = buffer;
   BIO_free(temp_memory_bio);
@@ skipping 39 matching lines @@
   }
   X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0);
   BIO_write(temp_memory_bio, "\0", 1);
   char* buffer;
   BIO_get_mem_data(temp_memory_bio, &buffer);
   LOG(LS_VERBOSE) << buffer;
   BIO_free(temp_memory_bio);
 }
 #endif
 
+OpenSSLCertificate::OpenSSLCertificate(X509* x509) : x509_(x509) {
+  AddReference(x509_);
+}
+
+OpenSSLCertificate::OpenSSLCertificate(STACK_OF(X509) * chain) {
+  x509_ = sk_X509_value(chain, 0);
+  LOG(LS_INFO) << "leaf_cert:" << x509_->name;

[Taylor Brandstetter, 2017/09/26 00:57:26]

Are these logs statements intended to be in the final CL? Maybe should be
LS_VERBOSE?

[pthatcher1, 2017/09/26 20:55:07]

Even at verbose level I'm not sure they are worth having in there. 

+  AddReference(x509_);
+  for (size_t i = 1; i < sk_X509_num(chain); ++i) {

[Taylor Brandstetter, 2017/09/26 00:57:26]

May be a dumb question, but is there a reason for the chain not including the
leaf cert?

+    X509* x509 = sk_X509_value(chain, i);
+    AddReference(x509);
+    LOG(LS_INFO) << "parent certificate name:" << x509->name;
+    cert_chain_.push_back(new OpenSSLCertificate(x509));

[pthatcher1, 2017/09/26 20:55:07]

Passing in the x509 here cause the constructor to take ownership and
AddReference.  But you also AddReference two lines up.  Does that mean two
references are added?

+  }
+}
+
 OpenSSLCertificate* OpenSSLCertificate::Generate(
-    OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) {
+    OpenSSLKeyPair* key_pair,
+    const SSLIdentityParams& params) {
   SSLIdentityParams actual_params(params);
   if (actual_params.common_name.empty()) {
     // Use a random string, arbitrarily 8chars long.
     actual_params.common_name = CreateRandomString(8);
   }
   X509* x509 = MakeCertificate(key_pair->pkey(), actual_params);
   if (!x509) {
     LogSSLErrors("Generating certificate");
     return nullptr;
   }
@@ skipping 62 matching lines @@
       // Unknown algorithm.  There are several unhandled options that are less
       // common and more complex.
       LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid;
       algorithm->clear();
       return false;
   }
   return true;
 }
 
 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const {
-  // Chains are not yet supported when using OpenSSL.
-  // OpenSSLStreamAdapter::SSLVerifyCallback currently requires the remote
-  // certificate to be self-signed.
-  return nullptr;
+  if (cert_chain_.empty()) {
+    return nullptr;
+  }
+  std::vector<SSLCertificate*> new_certs(cert_chain_.size());
+  std::transform(cert_chain_.begin(), cert_chain_.end(), new_certs.begin(),
+                 [](OpenSSLCertificate* cert) -> SSLCertificate* {
+                   return cert->GetReference();
+                 });
+  std::unique_ptr<SSLCertChain> chain(new SSLCertChain(new_certs));
+  std::for_each(new_certs.begin(), new_certs.end(),
+                [](SSLCertificate* cert) { delete cert; });

[pthatcher1, 2017/09/26 20:55:07]

I find this confusing.  We create a copy of the vector by calling GetReference
on each one, then pass that into SSLCertChain, but then we delete all of them
references?  If this is the right way to do it, I'd like a comment explaining
why it's done this way.

+  return chain;
 }
 
 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm,
                                        unsigned char* digest,
                                        size_t size,
                                        size_t* length) const {
   return ComputeDigest(x509_, algorithm, digest, size, length);
 }
 
 bool OpenSSLCertificate::ComputeDigest(const X509* x509,
@@ skipping 15 matching lines @@
   *length = n;
 
   return true;
 }
 
 OpenSSLCertificate::~OpenSSLCertificate() {
   X509_free(x509_);
 }
 
 OpenSSLCertificate* OpenSSLCertificate::GetReference() const {
-  return new OpenSSLCertificate(x509_);
+  if (cert_chain_.empty()) {
+    return new OpenSSLCertificate(x509_);
+  }
+  STACK_OF(X509)* stack_x509 = sk_X509_new_null();
+  sk_X509_push(stack_x509, x509_);
+  LOG(LS_INFO) << "Push cert to stack:" << x509_->name;

[Taylor Brandstetter, 2017/09/26 00:57:26]

Same question about log messages. Should be verbose or be removed.

+  for (auto cert_it = cert_chain_.begin(); cert_it != cert_chain_.end();
+       ++cert_it) {
+    LOG(LS_INFO) << "Push cert to stack:" << (*cert_it)->x509()->name;
+    sk_X509_push(stack_x509, (*cert_it)->x509());
+  }
+  return new OpenSSLCertificate(stack_x509);
 }
 
 std::string OpenSSLCertificate::ToPEMString() const {
   BIO* bio = BIO_new(BIO_s_mem());
   if (!bio) {
     FATAL() << "unreachable code";
   }
   if (!PEM_write_bio_X509(bio, x509_)) {
     BIO_free(bio);
     FATAL() << "unreachable code";
@@ skipping 18 matching lines @@
   if (!i2d_X509_bio(bio, x509_)) {
     BIO_free(bio);
     FATAL() << "unreachable code";
   }
   char* data;
   size_t length = BIO_get_mem_data(bio, &data);
   der_buffer->SetData(data, length);
   BIO_free(bio);
 }
 
-void OpenSSLCertificate::AddReference() const {
-  RTC_DCHECK(x509_ != nullptr);
+void OpenSSLCertificate::AddReference(X509* x509) const {
+  RTC_DCHECK(x509 != nullptr);
 #if defined(OPENSSL_IS_BORINGSSL)
-  X509_up_ref(x509_);
+  X509_up_ref(x509);
 #else
-  CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509);
+  CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
 #endif
 }
 
 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const {
   return X509_cmp(this->x509_, other.x509_) == 0;
 }
 
 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const {
   return !(*this == other);
 }
@@ skipping 50 matching lines @@
   if (params.not_before > params.not_after)
     return nullptr;
   return GenerateInternal(params);
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GenerateForTest(
     const SSLIdentityParams& params) {
   return GenerateInternal(params);
 }
 
-SSLIdentity* OpenSSLIdentity::FromPEMStrings(
-    const std::string& private_key,
-    const std::string& certificate) {
+SSLIdentity* OpenSSLIdentity::FromPEMStrings(const std::string& private_key,
+                                             const std::string& certificate) {
   std::unique_ptr<OpenSSLCertificate> cert(
       OpenSSLCertificate::FromPEMString(certificate));
   if (!cert) {
     LOG(LS_ERROR) << "Failed to create OpenSSLCertificate from PEM string.";
     return nullptr;
   }
 
   OpenSSLKeyPair* key_pair =
       OpenSSLKeyPair::FromPrivateKeyPEMString(private_key);
   if (!key_pair) {
     LOG(LS_ERROR) << "Failed to create key pair from PEM string.";
     return nullptr;
   }
 
-  return new OpenSSLIdentity(key_pair,
-                             cert.release());
+  return new OpenSSLIdentity(key_pair, cert.release());
 }
 
 const OpenSSLCertificate& OpenSSLIdentity::certificate() const {
   return *certificate_;
 }
 
 OpenSSLIdentity* OpenSSLIdentity::GetReference() const {
   return new OpenSSLIdentity(key_pair_->GetReference(),
                              certificate_->GetReference());
 }
 
 bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {
   // 1 is the documented success return code.
   if (SSL_CTX_use_certificate(ctx, certificate_->x509()) != 1 ||
-     SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
+      SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) {
     LogSSLErrors("Configuring key and certificate");
     return false;
   }
   return true;
 }
 
 std::string OpenSSLIdentity::PrivateKeyToPEMString() const {
   return key_pair_->PrivateKeyToPEMString();
 }
 
 std::string OpenSSLIdentity::PublicKeyToPEMString() const {
   return key_pair_->PublicKeyToPEMString();
 }
 
 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const {
   return *this->key_pair_ == *other.key_pair_ &&
          *this->certificate_ == *other.certificate_;
 }
 
 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const {
   return !(*this == other);
 }
 
 }  // namespace rtc