Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / 22a8f98dd55b2a36146f5d97775464dcc595ded0 / . / rtc_base / sslidentity.cc
blob: 41eb35d5f52b6737e71b9336140eb73cc9771a2e [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11// Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]12#include "rtc_base/sslidentity.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]13
Yves Gerey988cc082018-10-23 12:03:01 +0200[diff] [blame]14#include <string.h>
15#include <time.h>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]16#include <string>
17
Yves Gerey988cc082018-10-23 12:03:01 +0200[diff] [blame]18#include "rtc_base/checks.h"
19#include "rtc_base/opensslidentity.h"
20#include "rtc_base/sslcertificate.h"
21#include "rtc_base/strings/string_builder.h"
22#include "rtc_base/third_party/base64/base64.h"
23#include "rtc_base/timeutils.h"
deadbeeff33491e2017-01-20 17:01:45 -0800[diff] [blame]24
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]25namespace rtc {
26
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]27//////////////////////////////////////////////////////////////////////
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]28// Helper Functions
29//////////////////////////////////////////////////////////////////////
30
31namespace {
32// Read |n| bytes from ASN1 number string at *|pp| and return the numeric value.
33// Update *|pp| and *|np| to reflect number of read bytes.
34// TODO(bugs.webrtc.org/9860) - Remove this code.
35inline int ASN1ReadInt(const unsigned char** pp, size_t* np, size_t n) {
36 const unsigned char* p = *pp;
37 int x = 0;
38 for (size_t i = 0; i < n; i++) {
39 x = 10 * x + p[i] - '0';
40 }
41 *pp = p + n;
42 *np = *np - n;
43 return x;
44}
45
46} // namespace
47
48// TODO(bugs.webrtc.org/9860) - Remove this code.
49int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format) {
50 size_t bytes_left = length;
51 // Make sure the string ends with Z. Doing it here protects the strspn call
52 // from running off the end of the string in Z's absense.
53 if (length == 0 || s[length - 1] != 'Z') {
54 return -1;
55 }
56 // Make sure we only have ASCII digits so that we don't need to clutter the
57 // code below and ASN1ReadInt with error checking.
58 size_t n = strspn(reinterpret_cast<const char*>(s), "0123456789");
59 if (n + 1 != length) {
60 return -1;
61 }
62 // Read out ASN1 year, in either 2-char "UTCTIME" or 4-char "GENERALIZEDTIME"
63 // format. Both format use UTC in this context.
64 int year = 0;
65 if (long_format) {
66 // ASN1 format: yyyymmddhh[mm[ss[.fff]]]Z where the Z is literal, but
67 // RFC 5280 requires us to only support exactly yyyymmddhhmmssZ.
68 if (bytes_left < 11) {
69 return -1;
70 }
71 year = ASN1ReadInt(&s, &bytes_left, 4);
72 year -= 1900;
73 } else {
74 // ASN1 format: yymmddhhmm[ss]Z where the Z is literal, but RFC 5280
75 // requires us to only support exactly yymmddhhmmssZ.
76 if (bytes_left < 9) {
77 return -1;
78 }
79 year = ASN1ReadInt(&s, &bytes_left, 2);
80 // Per RFC 5280 4.1.2.5.1
81 if (year < 50) {
82 year += 100;
83 }
84 }
85
86 // Read out remaining ASN1 time data and store it in |tm| in documented
87 // std::tm format.
88 tm tm;
89 tm.tm_year = year;
90 tm.tm_mon = ASN1ReadInt(&s, &bytes_left, 2) - 1;
91 tm.tm_mday = ASN1ReadInt(&s, &bytes_left, 2);
92 tm.tm_hour = ASN1ReadInt(&s, &bytes_left, 2);
93 tm.tm_min = ASN1ReadInt(&s, &bytes_left, 2);
94 tm.tm_sec = ASN1ReadInt(&s, &bytes_left, 2);
95
96 // Now just Z should remain. Its existence was asserted above.
97 if (bytes_left != 1) {
98 return -1;
99 }
100 return TmToSeconds(tm);
101}
102
103//////////////////////////////////////////////////////////////////////
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]104// KeyParams
105//////////////////////////////////////////////////////////////////////
106
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]107const char kPemTypeCertificate[] = "CERTIFICATE";
108const char kPemTypeRsaPrivateKey[] = "RSA PRIVATE KEY";
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]109const char kPemTypeEcPrivateKey[] = "EC PRIVATE KEY";
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]110
torbjorng4e572472015-10-08 09:42:49 -0700[diff] [blame]111KeyParams::KeyParams(KeyType key_type) {
112 if (key_type == KT_ECDSA) {
113 type_ = KT_ECDSA;
114 params_.curve = EC_NIST_P256;
115 } else if (key_type == KT_RSA) {
116 type_ = KT_RSA;
117 params_.rsa.mod_size = kRsaDefaultModSize;
118 params_.rsa.pub_exp = kRsaDefaultExponent;
119 } else {
120 RTC_NOTREACHED();
121 }
122}
123
124// static
125KeyParams KeyParams::RSA(int mod_size, int pub_exp) {
126 KeyParams kt(KT_RSA);
127 kt.params_.rsa.mod_size = mod_size;
128 kt.params_.rsa.pub_exp = pub_exp;
129 return kt;
130}
131
132// static
133KeyParams KeyParams::ECDSA(ECCurve curve) {
134 KeyParams kt(KT_ECDSA);
135 kt.params_.curve = curve;
136 return kt;
137}
138
139bool KeyParams::IsValid() const {
140 if (type_ == KT_RSA) {
141 return (params_.rsa.mod_size >= kRsaMinModSize &&
142 params_.rsa.mod_size <= kRsaMaxModSize &&
143 params_.rsa.pub_exp > params_.rsa.mod_size);
144 } else if (type_ == KT_ECDSA) {
145 return (params_.curve == EC_NIST_P256);
146 }
147 return false;
148}
149
150RSAParams KeyParams::rsa_params() const {
151 RTC_DCHECK(type_ == KT_RSA);
152 return params_.rsa;
153}
154
155ECCurve KeyParams::ec_curve() const {
156 RTC_DCHECK(type_ == KT_ECDSA);
157 return params_.curve;
158}
159
Henrik Boström9b5476d2015-09-22 14:12:57 +0200[diff] [blame]160KeyType IntKeyTypeFamilyToKeyType(int key_type_family) {
161 return static_cast<KeyType>(key_type_family);
162}
163
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]164//////////////////////////////////////////////////////////////////////
165// SSLIdentity
166//////////////////////////////////////////////////////////////////////
167
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]168bool SSLIdentity::PemToDer(const std::string& pem_type,
169 const std::string& pem_string,
170 std::string* der) {
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]171 // Find the inner body. We need this to fulfill the contract of returning
172 // pem_length.
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]173 size_t header = pem_string.find("-----BEGIN " + pem_type + "-----");
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]174 if (header == std::string::npos) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]175 return false;
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]176 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]177 size_t body = pem_string.find("\n", header);
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]178 if (body == std::string::npos) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]179 return false;
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]180 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]181 size_t trailer = pem_string.find("-----END " + pem_type + "-----");
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]182 if (trailer == std::string::npos) {
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]183 return false;
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]184 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]185 std::string inner = pem_string.substr(body + 1, trailer - (body + 1));
Yves Gerey665174f2018-06-19 15:03:05 +0200[diff] [blame]186 *der = Base64::Decode(inner, Base64::DO_PARSE_WHITE | Base64::DO_PAD_ANY |
187 Base64::DO_TERM_BUFFER);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]188 return true;
189}
190
191std::string SSLIdentity::DerToPem(const std::string& pem_type,
192 const unsigned char* data,
193 size_t length) {
Jonas Olsson366a50c2018-09-06 13:41:30 +0200[diff] [blame]194 rtc::StringBuilder result;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]195 result << "-----BEGIN " << pem_type << "-----\n";
196
197 std::string b64_encoded;
198 Base64::EncodeFromArray(data, length, &b64_encoded);
Benjamin Wright22a8f982018-10-28 18:39:00 -0700[diff] [blame^]199 // Divide the Base-64 encoded data into 64-character chunks, as per 4.3.2.4
200 // of RFC 1421.
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]201 static const size_t kChunkSize = 64;
202 size_t chunks = (b64_encoded.size() + (kChunkSize - 1)) / kChunkSize;
203 for (size_t i = 0, chunk_offset = 0; i < chunks;
204 ++i, chunk_offset += kChunkSize) {
205 result << b64_encoded.substr(chunk_offset, kChunkSize);
206 result << "\n";
207 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]208 result << "-----END " << pem_type << "-----\n";
Jonas Olsson84df1c72018-09-14 16:59:32 +0200[diff] [blame]209 return result.Release();
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]210}
211
Torbjorn Granlunda3dc79e2016-02-16 13:33:53 +0100[diff] [blame]212// static
Torbjorn Granlund1d846b22016-03-31 16:21:04 +0200[diff] [blame]213SSLIdentity* SSLIdentity::GenerateWithExpiration(const std::string& common_name,
214 const KeyParams& key_params,
215 time_t certificate_lifetime) {
216 return OpenSSLIdentity::GenerateWithExpiration(common_name, key_params,
217 certificate_lifetime);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]218}
219
Torbjorn Granlunda3dc79e2016-02-16 13:33:53 +0100[diff] [blame]220// static
221SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
222 const KeyParams& key_params) {
Torbjorn Granlund1d846b22016-03-31 16:21:04 +0200[diff] [blame]223 return OpenSSLIdentity::GenerateWithExpiration(
224 common_name, key_params, kDefaultCertificateLifetimeInSeconds);
Torbjorn Granlunda3dc79e2016-02-16 13:33:53 +0100[diff] [blame]225}
226
227// static
228SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
229 KeyType key_type) {
Torbjorn Granlund1d846b22016-03-31 16:21:04 +0200[diff] [blame]230 return OpenSSLIdentity::GenerateWithExpiration(
231 common_name, KeyParams(key_type), kDefaultCertificateLifetimeInSeconds);
Torbjorn Granlunda3dc79e2016-02-16 13:33:53 +0100[diff] [blame]232}
233
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]234SSLIdentity* SSLIdentity::GenerateForTest(const SSLIdentityParams& params) {
235 return OpenSSLIdentity::GenerateForTest(params);
236}
237
Torbjorn Granlunda3dc79e2016-02-16 13:33:53 +0100[diff] [blame]238// static
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]239SSLIdentity* SSLIdentity::FromPEMStrings(const std::string& private_key,
240 const std::string& certificate) {
241 return OpenSSLIdentity::FromPEMStrings(private_key, certificate);
242}
243
Jian Cui0a8798b2017-11-16 16:58:02 -0800[diff] [blame]244// static
245SSLIdentity* SSLIdentity::FromPEMChainStrings(
246 const std::string& private_key,
247 const std::string& certificate_chain) {
248 return OpenSSLIdentity::FromPEMChainStrings(private_key, certificate_chain);
249}
250
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]251bool operator==(const SSLIdentity& a, const SSLIdentity& b) {
252 return static_cast<const OpenSSLIdentity&>(a) ==
253 static_cast<const OpenSSLIdentity&>(b);
254}
255bool operator!=(const SSLIdentity& a, const SSLIdentity& b) {
256 return !(a == b);
257}
258
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]259} // namespace rtc