Chromium Code Reviews Chromium Code Reviews
Issue 3010363002:
Implement GetChain for OpenSSLCertificate.
| Index: webrtc/rtc_base/opensslidentity.cc |
| diff --git a/webrtc/rtc_base/opensslidentity.cc b/webrtc/rtc_base/opensslidentity.cc |
| index a6b6e1c38eb908e076356d6c219bf2befb1293f3..5beb03723d79a18c0b184904c4599f5424d09661 100644 |
| --- a/webrtc/rtc_base/opensslidentity.cc |
| +++ b/webrtc/rtc_base/opensslidentity.cc |
| @@ -10,7 +10,9 @@ |
| #include "webrtc/rtc_base/opensslidentity.h" |
| +#include <algorithm> |
| #include <memory> |
| +#include <vector> |
| // Must be included first before openssl headers. |
| #include "webrtc/rtc_base/win32.h" // NOLINT |
| @@ -278,8 +280,22 @@ static void PrintCert(X509* x509) { |
| } |
| #endif |
| +OpenSSLCertificate::OpenSSLCertificate(X509* x509) : x509_(x509) { |
| + AddReference(x509_); |
| +} |
| + |
| +OpenSSLCertificate::OpenSSLCertificate(STACK_OF(X509) * chain) { |
| + x509_ = sk_X509_value(chain, 0); |
| + AddReference(x509_); |
| + for (size_t i = 1; i < sk_X509_num(chain); ++i) { |
| + X509* x509 = sk_X509_value(chain, i); |
| + cert_chain_.push_back(new OpenSSLCertificate(x509)); |
| + } |
| +} |
| + |
| OpenSSLCertificate* OpenSSLCertificate::Generate( |
| - OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) { |
| + OpenSSLKeyPair* key_pair, |
| + const SSLIdentityParams& params) { |
| SSLIdentityParams actual_params(params); |
| if (actual_params.common_name.empty()) { |
| // Use a random string, arbitrarily 8chars long. |
| @@ -362,10 +378,18 @@ bool OpenSSLCertificate::GetSignatureDigestAlgorithm( |
| } |
| std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const { |
| - // Chains are not yet supported when using OpenSSL. |
| - // OpenSSLStreamAdapter::SSLVerifyCallback currently requires the remote |
| - // certificate to be self-signed. |
| - return nullptr; |
| + if (cert_chain_.empty()) { |
| + return nullptr; |
| + } |
| + std::vector<SSLCertificate*> new_certs(cert_chain_.size()); |
| + std::transform(cert_chain_.begin(), cert_chain_.end(), new_certs.begin(), |
| + [](OpenSSLCertificate* cert) -> SSLCertificate* { |
| + return cert->GetReference(); |
| + }); |
| + std::unique_ptr<SSLCertChain> chain(new SSLCertChain(new_certs)); |
| + std::for_each(new_certs.begin(), new_certs.end(), |
| + [](SSLCertificate* cert) { delete cert; }); |
|
davidben_webrtc
2017/09/26 23:21:46
This does unnecessarily allocations since you don'
|
| + return chain; |
| } |
| bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm, |
| @@ -401,7 +425,16 @@ OpenSSLCertificate::~OpenSSLCertificate() { |
| } |
| OpenSSLCertificate* OpenSSLCertificate::GetReference() const { |
| - return new OpenSSLCertificate(x509_); |
| + if (cert_chain_.empty()) { |
| + return new OpenSSLCertificate(x509_); |
| + } |
| + STACK_OF(X509)* stack_x509 = sk_X509_new_null(); |
| + sk_X509_push(stack_x509, x509_); |
| + for (auto cert_it = cert_chain_.begin(); cert_it != cert_chain_.end(); |
| + ++cert_it) { |
| + sk_X509_push(stack_x509, (*cert_it)->x509()); |
| + } |
| + return new OpenSSLCertificate(stack_x509); |
|
davidben_webrtc
2017/09/26 23:21:46
This seems unnecessarily complicated. You could ad
|
| } |
| std::string OpenSSLCertificate::ToPEMString() const { |
| @@ -440,12 +473,12 @@ void OpenSSLCertificate::ToDER(Buffer* der_buffer) const { |
| BIO_free(bio); |
| } |
| -void OpenSSLCertificate::AddReference() const { |
| - RTC_DCHECK(x509_ != nullptr); |
| +void OpenSSLCertificate::AddReference(X509* x509) const { |
| + RTC_DCHECK(x509 != nullptr); |
| #if defined(OPENSSL_IS_BORINGSSL) |
| - X509_up_ref(x509_); |
| + X509_up_ref(x509); |
| #else |
| - CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509); |
| + CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509); |
| #endif |
| } |
