Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / bf853f273255388d39bfd84c7f00088213daa1cf / . / talk / base / nssidentity.cc
blob: b58788880d88e1181c40ac7b07b15e2e671aa2fb [file] [log] [blame]
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]1/*
2 * libjingle
3 * Copyright 2012, Google Inc.
4 * Copyright 2012, RTFM, Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
20 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
21 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#if HAVE_CONFIG_H
30#include "config.h"
31#endif // HAVE_CONFIG_H
32
33#if HAVE_NSS_SSL_H
34
35#include "talk/base/nssidentity.h"
36
37#include <string>
38
39#include "cert.h"
40#include "cryptohi.h"
41#include "keyhi.h"
42#include "nss.h"
43#include "pk11pub.h"
44#include "sechash.h"
45
46#include "talk/base/base64.h"
47#include "talk/base/logging.h"
48#include "talk/base/helpers.h"
49#include "talk/base/nssstreamadapter.h"
50
51namespace talk_base {
52
53// Helper function to parse PEM-encoded DER.
54static bool PemToDer(const std::string& pem_type,
55 const std::string& pem_string,
56 std::string* der) {
57 // Find the inner body. We need this to fulfill the contract of
58 // returning pem_length.
59 size_t header = pem_string.find("-----BEGIN " + pem_type + "-----");
60 if (header == std::string::npos)
61 return false;
62
63 size_t body = pem_string.find("\n", header);
64 if (body == std::string::npos)
65 return false;
66
67 size_t trailer = pem_string.find("-----END " + pem_type + "-----");
68 if (trailer == std::string::npos)
69 return false;
70
71 std::string inner = pem_string.substr(body + 1, trailer - (body + 1));
72
73 *der = Base64::Decode(inner, Base64::DO_PARSE_WHITE |
74 Base64::DO_PAD_ANY |
75 Base64::DO_TERM_BUFFER);
76 return true;
77}
78
79static std::string DerToPem(const std::string& pem_type,
80 const unsigned char *data,
81 size_t length) {
82 std::stringstream result;
83
84 result << "-----BEGIN " << pem_type << "-----\n";
85
86 std::string tmp;
87 Base64::EncodeFromArray(data, length, &tmp);
88 result << tmp;
89
90 result << "-----END " << pem_type << "-----\n";
91
92 return result.str();
93}
94
95NSSKeyPair::~NSSKeyPair() {
96 if (privkey_)
97 SECKEY_DestroyPrivateKey(privkey_);
98 if (pubkey_)
99 SECKEY_DestroyPublicKey(pubkey_);
100}
101
102NSSKeyPair *NSSKeyPair::Generate() {
103 SECKEYPrivateKey *privkey = NULL;
104 SECKEYPublicKey *pubkey = NULL;
105 PK11RSAGenParams rsaparams;
106 rsaparams.keySizeInBits = 1024;
107 rsaparams.pe = 0x010001; // 65537 -- a common RSA public exponent.
108
109 privkey = PK11_GenerateKeyPair(NSSContext::GetSlot(),
110 CKM_RSA_PKCS_KEY_PAIR_GEN,
111 &rsaparams, &pubkey, PR_FALSE /*permanent*/,
112 PR_FALSE /*sensitive*/, NULL);
113 if (!privkey) {
114 LOG(LS_ERROR) << "Couldn't generate key pair";
115 return NULL;
116 }
117
118 return new NSSKeyPair(privkey, pubkey);
119}
120
121// Just make a copy.
122NSSKeyPair *NSSKeyPair::GetReference() {
123 SECKEYPrivateKey *privkey = SECKEY_CopyPrivateKey(privkey_);
124 if (!privkey)
125 return NULL;
126
127 SECKEYPublicKey *pubkey = SECKEY_CopyPublicKey(pubkey_);
128 if (!pubkey) {
129 SECKEY_DestroyPrivateKey(privkey);
130 return NULL;
131 }
132
133 return new NSSKeyPair(privkey, pubkey);
134}
135
136NSSCertificate *NSSCertificate::FromPEMString(const std::string &pem_string) {
137 std::string der;
138 if (!PemToDer("CERTIFICATE", pem_string, &der))
139 return NULL;
140
141 SECItem der_cert;
142 der_cert.data = reinterpret_cast<unsigned char *>(const_cast<char *>(
143 der.data()));
144 der_cert.len = der.size();
145 CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
146 &der_cert, NULL, PR_FALSE, PR_TRUE);
147
148 if (!cert)
149 return NULL;
150
151 return new NSSCertificate(cert);
152}
153
154NSSCertificate *NSSCertificate::GetReference() const {
155 CERTCertificate *certificate = CERT_DupCertificate(certificate_);
156 if (!certificate)
157 return NULL;
158
159 return new NSSCertificate(certificate);
160}
161
162std::string NSSCertificate::ToPEMString() const {
163 return DerToPem("CERTIFICATE",
164 certificate_->derCert.data,
165 certificate_->derCert.len);
166}
167
168bool NSSCertificate::GetDigestLength(const std::string &algorithm,
169 std::size_t *length) {
170 const SECHashObject *ho;
171
172 if (!GetDigestObject(algorithm, &ho))
173 return false;
174
175 *length = ho->length;
176
177 return true;
178}
179
180bool NSSCertificate::ComputeDigest(const std::string &algorithm,
181 unsigned char *digest, std::size_t size,
182 std::size_t *length) const {
183 const SECHashObject *ho;
184
185 if (!GetDigestObject(algorithm, &ho))
186 return false;
187
188 if (size < ho->length) // Sanity check for fit
189 return false;
190
191 SECStatus rv = HASH_HashBuf(ho->type, digest,
192 certificate_->derCert.data,
193 certificate_->derCert.len);
194 if (rv != SECSuccess)
195 return false;
196
197 *length = ho->length;
198
199 return true;
200}
201
202bool NSSCertificate::Equals(const NSSCertificate *tocompare) const {
203 if (!certificate_->derCert.len)
204 return false;
205 if (!tocompare->certificate_->derCert.len)
206 return false;
207
208 if (certificate_->derCert.len != tocompare->certificate_->derCert.len)
209 return false;
210
211 return memcmp(certificate_->derCert.data,
212 tocompare->certificate_->derCert.data,
213 certificate_->derCert.len) == 0;
214}
215
216
217bool NSSCertificate::GetDigestObject(const std::string &algorithm,
218 const SECHashObject **hop) {
219 const SECHashObject *ho;
220 HASH_HashType hash_type;
221
222 if (algorithm == DIGEST_SHA_1) {
223 hash_type = HASH_AlgSHA1;
224 // HASH_AlgSHA224 is not supported in the chromium linux build system.
225#if 0
226 } else if (algorithm == DIGEST_SHA_224) {
227 hash_type = HASH_AlgSHA224;
228#endif
229 } else if (algorithm == DIGEST_SHA_256) {
230 hash_type = HASH_AlgSHA256;
231 } else if (algorithm == DIGEST_SHA_384) {
232 hash_type = HASH_AlgSHA384;
233 } else if (algorithm == DIGEST_SHA_512) {
234 hash_type = HASH_AlgSHA512;
235 } else {
236 return false;
237 }
238
239 ho = HASH_GetHashObject(hash_type);
240
241 ASSERT(ho->length >= 20); // Can't happen
242 *hop = ho;
243
244 return true;
245}
246
247
248NSSIdentity *NSSIdentity::Generate(const std::string &common_name) {
249 std::string subject_name_string = "CN=" + common_name;
250 CERTName *subject_name = CERT_AsciiToName(
251 const_cast<char *>(subject_name_string.c_str()));
252 NSSIdentity *identity = NULL;
253 CERTSubjectPublicKeyInfo *spki = NULL;
254 CERTCertificateRequest *certreq = NULL;
255 CERTValidity *validity;
256 CERTCertificate *certificate = NULL;
257 NSSKeyPair *keypair = NSSKeyPair::Generate();
258 SECItem inner_der;
259 SECStatus rv;
260 PLArenaPool* arena;
261 SECItem signed_cert;
262 PRTime not_before, not_after;
263 PRTime now = PR_Now();
264 PRTime one_day;
265
266 inner_der.len = 0;
267 inner_der.data = NULL;
268
269 if (!keypair) {
270 LOG(LS_ERROR) << "Couldn't generate key pair";
271 goto fail;
272 }
273
274 if (!subject_name) {
275 LOG(LS_ERROR) << "Couldn't convert subject name " << subject_name;
276 goto fail;
277 }
278
279 spki = SECKEY_CreateSubjectPublicKeyInfo(keypair->pubkey());
280 if (!spki) {
281 LOG(LS_ERROR) << "Couldn't create SPKI";
282 goto fail;
283 }
284
285 certreq = CERT_CreateCertificateRequest(subject_name, spki, NULL);
286 if (!certreq) {
287 LOG(LS_ERROR) << "Couldn't create certificate signing request";
288 goto fail;
289 }
290
291 one_day = 86400;
292 one_day *= PR_USEC_PER_SEC;
293 not_before = now - one_day;
294 not_after = now + 30 * one_day;
295
296 validity = CERT_CreateValidity(not_before, not_after);
297 if (!validity) {
298 LOG(LS_ERROR) << "Couldn't create validity";
299 goto fail;
300 }
301
302 unsigned long serial;
303 // Note: This serial in principle could collide, but it's unlikely
304 rv = PK11_GenerateRandom(reinterpret_cast<unsigned char *>(&serial),
305 sizeof(serial));
306 if (rv != SECSuccess) {
307 LOG(LS_ERROR) << "Couldn't generate random serial";
308 goto fail;
309 }
310
311 certificate = CERT_CreateCertificate(serial, subject_name, validity, certreq);
312 if (!certificate) {
313 LOG(LS_ERROR) << "Couldn't create certificate";
314 goto fail;
315 }
316
317 arena = certificate->arena;
318
319 rv = SECOID_SetAlgorithmID(arena, &certificate->signature,
320 SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
321 if (rv != SECSuccess)
322 goto fail;
323
324 // Set version to X509v3.
325 *(certificate->version.data) = 2;
326 certificate->version.len = 1;
327
328 if (!SEC_ASN1EncodeItem(arena, &inner_der, certificate,
329 SEC_ASN1_GET(CERT_CertificateTemplate)))
330 goto fail;
331
332 rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len,
333 keypair->privkey(),
334 SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION);
335 if (rv != SECSuccess) {
336 LOG(LS_ERROR) << "Couldn't sign certificate";
337 goto fail;
338 }
339 certificate->derCert = signed_cert;
340
341 identity = new NSSIdentity(keypair, new NSSCertificate(certificate));
342
343 goto done;
344
345 fail:
346 delete keypair;
347 CERT_DestroyCertificate(certificate);
348
349 done:
350 if (subject_name) CERT_DestroyName(subject_name);
351 if (spki) SECKEY_DestroySubjectPublicKeyInfo(spki);
352 if (certreq) CERT_DestroyCertificateRequest(certreq);
353 if (validity) CERT_DestroyValidity(validity);
354 return identity;
355}
356
357SSLIdentity* NSSIdentity::FromPEMStrings(const std::string& private_key,
358 const std::string& certificate) {
359 std::string private_key_der;
360 if (!PemToDer(
361 "RSA PRIVATE KEY", private_key, &private_key_der))
362 return NULL;
363
364 SECItem private_key_item;
365 private_key_item.data =
366 reinterpret_cast<unsigned char *>(
367 const_cast<char *>(private_key_der.c_str()));
368 private_key_item.len = private_key_der.size();
369
370 const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
371 KU_DIGITAL_SIGNATURE;
372
373 SECKEYPrivateKey* privkey = NULL;
374 SECStatus rv =
375 PK11_ImportDERPrivateKeyInfoAndReturnKey(NSSContext::GetSlot(),
376 &private_key_item,
377 NULL, NULL, PR_FALSE, PR_FALSE,
378 key_usage, &privkey, NULL);
379 if (rv != SECSuccess) {
380 LOG(LS_ERROR) << "Couldn't import private key";
381 return NULL;
382 }
383
384 SECKEYPublicKey *pubkey = SECKEY_ConvertToPublicKey(privkey);
385 if (rv != SECSuccess) {
386 SECKEY_DestroyPrivateKey(privkey);
387 LOG(LS_ERROR) << "Couldn't convert private key to public key";
388 return NULL;
389 }
390
391 // Assign to a scoped_ptr so we don't leak on error.
392 scoped_ptr<NSSKeyPair> keypair(new NSSKeyPair(privkey, pubkey));
393
394 scoped_ptr<NSSCertificate> cert(NSSCertificate::FromPEMString(certificate));
395 if (!cert) {
396 LOG(LS_ERROR) << "Couldn't parse certificate";
397 return NULL;
398 }
399
400 // TODO(ekr@rtfm.com): Check the public key against the certificate.
401
402 return new NSSIdentity(keypair.release(), cert.release());
403}
404
405NSSIdentity *NSSIdentity::GetReference() const {
406 NSSKeyPair *keypair = keypair_->GetReference();
407 if (!keypair)
408 return NULL;
409
410 NSSCertificate *certificate = certificate_->GetReference();
411 if (!certificate) {
412 delete keypair;
413 return NULL;
414 }
415
416 return new NSSIdentity(keypair, certificate);
417}
418
419
420NSSCertificate &NSSIdentity::certificate() const {
421 return *certificate_;
422}
423
424
425} // talk_base namespace
426
427#endif // HAVE_NSS_SSL_H
428