Implement GetChain for OpenSSLCertificate.

webrtc/rtc_base/opensslidentity.cc

 /*
  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #include "webrtc/rtc_base/opensslidentity.h"
 
+#include <algorithm>
 #include <memory>
+#include <vector>
 
 // Must be included first before openssl headers.
 #include "webrtc/rtc_base/win32.h"  // NOLINT
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/crypto.h>
@@ skipping 247 matching lines @@
   }
   X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0);
   BIO_write(temp_memory_bio, "\0", 1);
   char* buffer;
   BIO_get_mem_data(temp_memory_bio, &buffer);
   LOG(LS_VERBOSE) << buffer;
   BIO_free(temp_memory_bio);
 }
 #endif
 
+OpenSSLCertificate::OpenSSLCertificate(X509* x509) : x509_(x509) {
+  AddReference(x509_);
+}
+
+OpenSSLCertificate::OpenSSLCertificate(STACK_OF(X509) * chain) {
+  x509_ = sk_X509_value(chain, 0);
+  AddReference(x509_);
+  for (size_t i = 1; i < sk_X509_num(chain); ++i) {
+    X509* x509 = sk_X509_value(chain, i);
+    cert_chain_.push_back(new OpenSSLCertificate(x509));
+  }
+}
+
 OpenSSLCertificate* OpenSSLCertificate::Generate(
-    OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) {
+    OpenSSLKeyPair* key_pair,
+    const SSLIdentityParams& params) {
   SSLIdentityParams actual_params(params);
   if (actual_params.common_name.empty()) {
     // Use a random string, arbitrarily 8chars long.
     actual_params.common_name = CreateRandomString(8);
   }
   X509* x509 = MakeCertificate(key_pair->pkey(), actual_params);
   if (!x509) {
     LogSSLErrors("Generating certificate");
     return nullptr;
   }
@@ skipping 62 matching lines @@
       // Unknown algorithm.  There are several unhandled options that are less
       // common and more complex.
       LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid;
       algorithm->clear();
       return false;
   }
   return true;
 }
 
 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const {
-  // Chains are not yet supported when using OpenSSL.
-  // OpenSSLStreamAdapter::SSLVerifyCallback currently requires the remote
-  // certificate to be self-signed.
-  return nullptr;
+  if (cert_chain_.empty()) {
+    return nullptr;
+  }
+  std::vector<SSLCertificate*> new_certs(cert_chain_.size());
+  std::transform(cert_chain_.begin(), cert_chain_.end(), new_certs.begin(),
+                 [](OpenSSLCertificate* cert) -> SSLCertificate* {
+                   return cert->GetReference();
+                 });
+  std::unique_ptr<SSLCertChain> chain(new SSLCertChain(new_certs));
+  std::for_each(new_certs.begin(), new_certs.end(),
+                [](SSLCertificate* cert) { delete cert; });

[davidben_webrtc, 2017/09/26 23:21:46]

This does unnecessarily allocations since you don't get to take advantage of
std::vector's move constructor. What should be going on is:

1. SSLCertChain internally stores std::vector<std::unique_ptr<SSLCertificate>>.
This avoids its destructor logic.

2. SSLCertChain has a constructor of type:

  explicit SSLCertChain(std::vector<std::unique_ptr<SSLCertificate>> certs);

whose implementation is

SSLCertChain::SSLCertChain(std::vector<std::unique_ptr<SSLCertificate>> certs)
    : certs_(std::move(certs)) {}

3. new_certs is a std::vector<std::unique_ptr<SSLCertificate>>. You probably
want to use WrapUnique from rtc_base/ptr_util.h.

I went and did steps 1 and 2 for you, but Gerrit's not letting me upload.
pthatcher, do you know if something's wrong with my ACLs?

+  return chain;
 }
 
 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm,
                                        unsigned char* digest,
                                        size_t size,
                                        size_t* length) const {
   return ComputeDigest(x509_, algorithm, digest, size, length);
 }
 
 bool OpenSSLCertificate::ComputeDigest(const X509* x509,
@@ skipping 15 matching lines @@
   *length = n;
 
   return true;
 }
 
 OpenSSLCertificate::~OpenSSLCertificate() {
   X509_free(x509_);
 }
 
 OpenSSLCertificate* OpenSSLCertificate::GetReference() const {
-  return new OpenSSLCertificate(x509_);
+  if (cert_chain_.empty()) {
+    return new OpenSSLCertificate(x509_);
+  }
+  STACK_OF(X509)* stack_x509 = sk_X509_new_null();
+  sk_X509_push(stack_x509, x509_);
+  for (auto cert_it = cert_chain_.begin(); cert_it != cert_chain_.end();
+       ++cert_it) {
+    sk_X509_push(stack_x509, (*cert_it)->x509());
+  }
+  return new OpenSSLCertificate(stack_x509);

[davidben_webrtc, 2017/09/26 23:21:46]

This seems unnecessarily complicated. You could add a constructor that takes the
std::vector<OpenSSLCertificate> form or just make OpenSSLCertificate store
STACK_OF(X509) natively.

 }
 
 std::string OpenSSLCertificate::ToPEMString() const {
   BIO* bio = BIO_new(BIO_s_mem());
   if (!bio) {
     FATAL() << "unreachable code";
   }
   if (!PEM_write_bio_X509(bio, x509_)) {
     BIO_free(bio);
     FATAL() << "unreachable code";
@@ skipping 18 matching lines @@
   if (!i2d_X509_bio(bio, x509_)) {
     BIO_free(bio);
     FATAL() << "unreachable code";
   }
   char* data;
   size_t length = BIO_get_mem_data(bio, &data);
   der_buffer->SetData(data, length);
   BIO_free(bio);
 }
 
-void OpenSSLCertificate::AddReference() const {
-  RTC_DCHECK(x509_ != nullptr);
+void OpenSSLCertificate::AddReference(X509* x509) const {
+  RTC_DCHECK(x509 != nullptr);
 #if defined(OPENSSL_IS_BORINGSSL)
-  X509_up_ref(x509_);
+  X509_up_ref(x509);
 #else
-  CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509);
+  CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
 #endif
 }
 
 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const {
   return X509_cmp(this->x509_, other.x509_) == 0;
 }
 
 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const {
   return !(*this == other);
 }
@@ skipping 108 matching lines @@
 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const {
   return *this->key_pair_ == *other.key_pair_ &&
          *this->certificate_ == *other.certificate_;
 }
 
 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const {
   return !(*this == other);
 }
 
 }  // namespace rtc