OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
3 * | 3 * |
4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
9 */ | 9 */ |
10 | 10 |
11 #include "webrtc/rtc_base/opensslidentity.h" | 11 #include "webrtc/rtc_base/opensslidentity.h" |
12 | 12 |
13 #include <algorithm> | |
13 #include <memory> | 14 #include <memory> |
15 #include <vector> | |
14 | 16 |
15 // Must be included first before openssl headers. | 17 // Must be included first before openssl headers. |
16 #include "webrtc/rtc_base/win32.h" // NOLINT | 18 #include "webrtc/rtc_base/win32.h" // NOLINT |
17 | 19 |
18 #include <openssl/bio.h> | 20 #include <openssl/bio.h> |
19 #include <openssl/err.h> | 21 #include <openssl/err.h> |
20 #include <openssl/pem.h> | 22 #include <openssl/pem.h> |
21 #include <openssl/bn.h> | 23 #include <openssl/bn.h> |
22 #include <openssl/rsa.h> | 24 #include <openssl/rsa.h> |
23 #include <openssl/crypto.h> | 25 #include <openssl/crypto.h> |
(...skipping 247 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
271 } | 273 } |
272 X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0); | 274 X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0); |
273 BIO_write(temp_memory_bio, "\0", 1); | 275 BIO_write(temp_memory_bio, "\0", 1); |
274 char* buffer; | 276 char* buffer; |
275 BIO_get_mem_data(temp_memory_bio, &buffer); | 277 BIO_get_mem_data(temp_memory_bio, &buffer); |
276 LOG(LS_VERBOSE) << buffer; | 278 LOG(LS_VERBOSE) << buffer; |
277 BIO_free(temp_memory_bio); | 279 BIO_free(temp_memory_bio); |
278 } | 280 } |
279 #endif | 281 #endif |
280 | 282 |
283 OpenSSLCertificate::OpenSSLCertificate(X509* x509) : x509_(x509) { | |
284 AddReference(x509_); | |
285 } | |
286 | |
287 OpenSSLCertificate::OpenSSLCertificate(STACK_OF(X509) * chain) { | |
288 x509_ = sk_X509_value(chain, 0); | |
289 AddReference(x509_); | |
290 for (size_t i = 1; i < sk_X509_num(chain); ++i) { | |
291 X509* x509 = sk_X509_value(chain, i); | |
292 cert_chain_.push_back(new OpenSSLCertificate(x509)); | |
293 } | |
294 } | |
295 | |
281 OpenSSLCertificate* OpenSSLCertificate::Generate( | 296 OpenSSLCertificate* OpenSSLCertificate::Generate( |
282 OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) { | 297 OpenSSLKeyPair* key_pair, |
298 const SSLIdentityParams& params) { | |
283 SSLIdentityParams actual_params(params); | 299 SSLIdentityParams actual_params(params); |
284 if (actual_params.common_name.empty()) { | 300 if (actual_params.common_name.empty()) { |
285 // Use a random string, arbitrarily 8chars long. | 301 // Use a random string, arbitrarily 8chars long. |
286 actual_params.common_name = CreateRandomString(8); | 302 actual_params.common_name = CreateRandomString(8); |
287 } | 303 } |
288 X509* x509 = MakeCertificate(key_pair->pkey(), actual_params); | 304 X509* x509 = MakeCertificate(key_pair->pkey(), actual_params); |
289 if (!x509) { | 305 if (!x509) { |
290 LogSSLErrors("Generating certificate"); | 306 LogSSLErrors("Generating certificate"); |
291 return nullptr; | 307 return nullptr; |
292 } | 308 } |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
355 // Unknown algorithm. There are several unhandled options that are less | 371 // Unknown algorithm. There are several unhandled options that are less |
356 // common and more complex. | 372 // common and more complex. |
357 LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid; | 373 LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid; |
358 algorithm->clear(); | 374 algorithm->clear(); |
359 return false; | 375 return false; |
360 } | 376 } |
361 return true; | 377 return true; |
362 } | 378 } |
363 | 379 |
364 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const { | 380 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const { |
365 // Chains are not yet supported when using OpenSSL. | 381 if (cert_chain_.empty()) { |
366 // OpenSSLStreamAdapter::SSLVerifyCallback currently requires the remote | 382 return nullptr; |
367 // certificate to be self-signed. | 383 } |
368 return nullptr; | 384 std::vector<SSLCertificate*> new_certs(cert_chain_.size()); |
385 std::transform(cert_chain_.begin(), cert_chain_.end(), new_certs.begin(), | |
386 [](OpenSSLCertificate* cert) -> SSLCertificate* { | |
387 return cert->GetReference(); | |
388 }); | |
389 std::unique_ptr<SSLCertChain> chain(new SSLCertChain(new_certs)); | |
390 std::for_each(new_certs.begin(), new_certs.end(), | |
391 [](SSLCertificate* cert) { delete cert; }); | |
davidben_webrtc
2017/09/26 23:21:46
This does unnecessarily allocations since you don'
| |
392 return chain; | |
369 } | 393 } |
370 | 394 |
371 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm, | 395 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm, |
372 unsigned char* digest, | 396 unsigned char* digest, |
373 size_t size, | 397 size_t size, |
374 size_t* length) const { | 398 size_t* length) const { |
375 return ComputeDigest(x509_, algorithm, digest, size, length); | 399 return ComputeDigest(x509_, algorithm, digest, size, length); |
376 } | 400 } |
377 | 401 |
378 bool OpenSSLCertificate::ComputeDigest(const X509* x509, | 402 bool OpenSSLCertificate::ComputeDigest(const X509* x509, |
(...skipping 15 matching lines...) Expand all Loading... | |
394 *length = n; | 418 *length = n; |
395 | 419 |
396 return true; | 420 return true; |
397 } | 421 } |
398 | 422 |
399 OpenSSLCertificate::~OpenSSLCertificate() { | 423 OpenSSLCertificate::~OpenSSLCertificate() { |
400 X509_free(x509_); | 424 X509_free(x509_); |
401 } | 425 } |
402 | 426 |
403 OpenSSLCertificate* OpenSSLCertificate::GetReference() const { | 427 OpenSSLCertificate* OpenSSLCertificate::GetReference() const { |
404 return new OpenSSLCertificate(x509_); | 428 if (cert_chain_.empty()) { |
429 return new OpenSSLCertificate(x509_); | |
430 } | |
431 STACK_OF(X509)* stack_x509 = sk_X509_new_null(); | |
432 sk_X509_push(stack_x509, x509_); | |
433 for (auto cert_it = cert_chain_.begin(); cert_it != cert_chain_.end(); | |
434 ++cert_it) { | |
435 sk_X509_push(stack_x509, (*cert_it)->x509()); | |
436 } | |
437 return new OpenSSLCertificate(stack_x509); | |
davidben_webrtc
2017/09/26 23:21:46
This seems unnecessarily complicated. You could ad
| |
405 } | 438 } |
406 | 439 |
407 std::string OpenSSLCertificate::ToPEMString() const { | 440 std::string OpenSSLCertificate::ToPEMString() const { |
408 BIO* bio = BIO_new(BIO_s_mem()); | 441 BIO* bio = BIO_new(BIO_s_mem()); |
409 if (!bio) { | 442 if (!bio) { |
410 FATAL() << "unreachable code"; | 443 FATAL() << "unreachable code"; |
411 } | 444 } |
412 if (!PEM_write_bio_X509(bio, x509_)) { | 445 if (!PEM_write_bio_X509(bio, x509_)) { |
413 BIO_free(bio); | 446 BIO_free(bio); |
414 FATAL() << "unreachable code"; | 447 FATAL() << "unreachable code"; |
(...skipping 18 matching lines...) Expand all Loading... | |
433 if (!i2d_X509_bio(bio, x509_)) { | 466 if (!i2d_X509_bio(bio, x509_)) { |
434 BIO_free(bio); | 467 BIO_free(bio); |
435 FATAL() << "unreachable code"; | 468 FATAL() << "unreachable code"; |
436 } | 469 } |
437 char* data; | 470 char* data; |
438 size_t length = BIO_get_mem_data(bio, &data); | 471 size_t length = BIO_get_mem_data(bio, &data); |
439 der_buffer->SetData(data, length); | 472 der_buffer->SetData(data, length); |
440 BIO_free(bio); | 473 BIO_free(bio); |
441 } | 474 } |
442 | 475 |
443 void OpenSSLCertificate::AddReference() const { | 476 void OpenSSLCertificate::AddReference(X509* x509) const { |
444 RTC_DCHECK(x509_ != nullptr); | 477 RTC_DCHECK(x509 != nullptr); |
445 #if defined(OPENSSL_IS_BORINGSSL) | 478 #if defined(OPENSSL_IS_BORINGSSL) |
446 X509_up_ref(x509_); | 479 X509_up_ref(x509); |
447 #else | 480 #else |
448 CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509); | 481 CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509); |
449 #endif | 482 #endif |
450 } | 483 } |
451 | 484 |
452 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const { | 485 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const { |
453 return X509_cmp(this->x509_, other.x509_) == 0; | 486 return X509_cmp(this->x509_, other.x509_) == 0; |
454 } | 487 } |
455 | 488 |
456 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const { | 489 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const { |
457 return !(*this == other); | 490 return !(*this == other); |
458 } | 491 } |
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
567 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const { | 600 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const { |
568 return *this->key_pair_ == *other.key_pair_ && | 601 return *this->key_pair_ == *other.key_pair_ && |
569 *this->certificate_ == *other.certificate_; | 602 *this->certificate_ == *other.certificate_; |
570 } | 603 } |
571 | 604 |
572 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const { | 605 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const { |
573 return !(*this == other); | 606 return !(*this == other); |
574 } | 607 } |
575 | 608 |
576 } // namespace rtc | 609 } // namespace rtc |
OLD | NEW |