Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / 91053e7c5a743f4a92f5079844b0747c927f3bbd / . / talk / base / nssidentity.cc
blob: c660aee0a516a5c7563e5037f11905c8e25d1f3c [file] [log] [blame]
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]1/*
2 * libjingle
3 * Copyright 2012, Google Inc.
4 * Copyright 2012, RTFM, Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
20 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
21 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#if HAVE_CONFIG_H
30#include "config.h"
31#endif // HAVE_CONFIG_H
32
33#if HAVE_NSS_SSL_H
34
35#include "talk/base/nssidentity.h"
36
37#include <string>
38
39#include "cert.h"
40#include "cryptohi.h"
41#include "keyhi.h"
42#include "nss.h"
43#include "pk11pub.h"
44#include "sechash.h"
45
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]46#include "talk/base/logging.h"
47#include "talk/base/helpers.h"
48#include "talk/base/nssstreamadapter.h"
49
50namespace talk_base {
51
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]52NSSKeyPair::~NSSKeyPair() {
53 if (privkey_)
54 SECKEY_DestroyPrivateKey(privkey_);
55 if (pubkey_)
56 SECKEY_DestroyPublicKey(pubkey_);
57}
58
59NSSKeyPair *NSSKeyPair::Generate() {
60 SECKEYPrivateKey *privkey = NULL;
61 SECKEYPublicKey *pubkey = NULL;
62 PK11RSAGenParams rsaparams;
63 rsaparams.keySizeInBits = 1024;
64 rsaparams.pe = 0x010001; // 65537 -- a common RSA public exponent.
65
66 privkey = PK11_GenerateKeyPair(NSSContext::GetSlot(),
67 CKM_RSA_PKCS_KEY_PAIR_GEN,
68 &rsaparams, &pubkey, PR_FALSE /*permanent*/,
69 PR_FALSE /*sensitive*/, NULL);
70 if (!privkey) {
71 LOG(LS_ERROR) << "Couldn't generate key pair";
72 return NULL;
73 }
74
75 return new NSSKeyPair(privkey, pubkey);
76}
77
78// Just make a copy.
79NSSKeyPair *NSSKeyPair::GetReference() {
80 SECKEYPrivateKey *privkey = SECKEY_CopyPrivateKey(privkey_);
81 if (!privkey)
82 return NULL;
83
84 SECKEYPublicKey *pubkey = SECKEY_CopyPublicKey(pubkey_);
85 if (!pubkey) {
86 SECKEY_DestroyPrivateKey(privkey);
87 return NULL;
88 }
89
90 return new NSSKeyPair(privkey, pubkey);
91}
92
93NSSCertificate *NSSCertificate::FromPEMString(const std::string &pem_string) {
94 std::string der;
wu@webrtc.org91053e72013-08-10 07:18:04 +0000[diff] [blame^]95 if (!SSLIdentity::PemToDer(kPemTypeCertificate, pem_string, &der))
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]96 return NULL;
97
98 SECItem der_cert;
99 der_cert.data = reinterpret_cast<unsigned char *>(const_cast<char *>(
100 der.data()));
101 der_cert.len = der.size();
102 CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
103 &der_cert, NULL, PR_FALSE, PR_TRUE);
104
105 if (!cert)
106 return NULL;
107
108 return new NSSCertificate(cert);
109}
110
111NSSCertificate *NSSCertificate::GetReference() const {
112 CERTCertificate *certificate = CERT_DupCertificate(certificate_);
113 if (!certificate)
114 return NULL;
115
116 return new NSSCertificate(certificate);
117}
118
119std::string NSSCertificate::ToPEMString() const {
wu@webrtc.org91053e72013-08-10 07:18:04 +0000[diff] [blame^]120 return SSLIdentity::DerToPem(kPemTypeCertificate,
121 certificate_->derCert.data,
122 certificate_->derCert.len);
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]123}
124
125bool NSSCertificate::GetDigestLength(const std::string &algorithm,
126 std::size_t *length) {
127 const SECHashObject *ho;
128
129 if (!GetDigestObject(algorithm, &ho))
130 return false;
131
132 *length = ho->length;
133
134 return true;
135}
136
137bool NSSCertificate::ComputeDigest(const std::string &algorithm,
138 unsigned char *digest, std::size_t size,
139 std::size_t *length) const {
140 const SECHashObject *ho;
141
142 if (!GetDigestObject(algorithm, &ho))
143 return false;
144
145 if (size < ho->length) // Sanity check for fit
146 return false;
147
148 SECStatus rv = HASH_HashBuf(ho->type, digest,
149 certificate_->derCert.data,
150 certificate_->derCert.len);
151 if (rv != SECSuccess)
152 return false;
153
154 *length = ho->length;
155
156 return true;
157}
158
159bool NSSCertificate::Equals(const NSSCertificate *tocompare) const {
160 if (!certificate_->derCert.len)
161 return false;
162 if (!tocompare->certificate_->derCert.len)
163 return false;
164
165 if (certificate_->derCert.len != tocompare->certificate_->derCert.len)
166 return false;
167
168 return memcmp(certificate_->derCert.data,
169 tocompare->certificate_->derCert.data,
170 certificate_->derCert.len) == 0;
171}
172
173
174bool NSSCertificate::GetDigestObject(const std::string &algorithm,
175 const SECHashObject **hop) {
176 const SECHashObject *ho;
177 HASH_HashType hash_type;
178
179 if (algorithm == DIGEST_SHA_1) {
180 hash_type = HASH_AlgSHA1;
181 // HASH_AlgSHA224 is not supported in the chromium linux build system.
182#if 0
183 } else if (algorithm == DIGEST_SHA_224) {
184 hash_type = HASH_AlgSHA224;
185#endif
186 } else if (algorithm == DIGEST_SHA_256) {
187 hash_type = HASH_AlgSHA256;
188 } else if (algorithm == DIGEST_SHA_384) {
189 hash_type = HASH_AlgSHA384;
190 } else if (algorithm == DIGEST_SHA_512) {
191 hash_type = HASH_AlgSHA512;
192 } else {
193 return false;
194 }
195
196 ho = HASH_GetHashObject(hash_type);
197
198 ASSERT(ho->length >= 20); // Can't happen
199 *hop = ho;
200
201 return true;
202}
203
204
205NSSIdentity *NSSIdentity::Generate(const std::string &common_name) {
206 std::string subject_name_string = "CN=" + common_name;
207 CERTName *subject_name = CERT_AsciiToName(
208 const_cast<char *>(subject_name_string.c_str()));
209 NSSIdentity *identity = NULL;
210 CERTSubjectPublicKeyInfo *spki = NULL;
211 CERTCertificateRequest *certreq = NULL;
212 CERTValidity *validity;
213 CERTCertificate *certificate = NULL;
214 NSSKeyPair *keypair = NSSKeyPair::Generate();
215 SECItem inner_der;
216 SECStatus rv;
217 PLArenaPool* arena;
218 SECItem signed_cert;
219 PRTime not_before, not_after;
220 PRTime now = PR_Now();
221 PRTime one_day;
222
223 inner_der.len = 0;
224 inner_der.data = NULL;
225
226 if (!keypair) {
227 LOG(LS_ERROR) << "Couldn't generate key pair";
228 goto fail;
229 }
230
231 if (!subject_name) {
232 LOG(LS_ERROR) << "Couldn't convert subject name " << subject_name;
233 goto fail;
234 }
235
236 spki = SECKEY_CreateSubjectPublicKeyInfo(keypair->pubkey());
237 if (!spki) {
238 LOG(LS_ERROR) << "Couldn't create SPKI";
239 goto fail;
240 }
241
242 certreq = CERT_CreateCertificateRequest(subject_name, spki, NULL);
243 if (!certreq) {
244 LOG(LS_ERROR) << "Couldn't create certificate signing request";
245 goto fail;
246 }
247
248 one_day = 86400;
249 one_day *= PR_USEC_PER_SEC;
250 not_before = now - one_day;
251 not_after = now + 30 * one_day;
252
253 validity = CERT_CreateValidity(not_before, not_after);
254 if (!validity) {
255 LOG(LS_ERROR) << "Couldn't create validity";
256 goto fail;
257 }
258
259 unsigned long serial;
260 // Note: This serial in principle could collide, but it's unlikely
261 rv = PK11_GenerateRandom(reinterpret_cast<unsigned char *>(&serial),
262 sizeof(serial));
263 if (rv != SECSuccess) {
264 LOG(LS_ERROR) << "Couldn't generate random serial";
265 goto fail;
266 }
267
268 certificate = CERT_CreateCertificate(serial, subject_name, validity, certreq);
269 if (!certificate) {
270 LOG(LS_ERROR) << "Couldn't create certificate";
271 goto fail;
272 }
273
274 arena = certificate->arena;
275
276 rv = SECOID_SetAlgorithmID(arena, &certificate->signature,
277 SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
278 if (rv != SECSuccess)
279 goto fail;
280
281 // Set version to X509v3.
282 *(certificate->version.data) = 2;
283 certificate->version.len = 1;
284
285 if (!SEC_ASN1EncodeItem(arena, &inner_der, certificate,
286 SEC_ASN1_GET(CERT_CertificateTemplate)))
287 goto fail;
288
289 rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len,
290 keypair->privkey(),
291 SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION);
292 if (rv != SECSuccess) {
293 LOG(LS_ERROR) << "Couldn't sign certificate";
294 goto fail;
295 }
296 certificate->derCert = signed_cert;
297
298 identity = new NSSIdentity(keypair, new NSSCertificate(certificate));
299
300 goto done;
301
302 fail:
303 delete keypair;
304 CERT_DestroyCertificate(certificate);
305
306 done:
307 if (subject_name) CERT_DestroyName(subject_name);
308 if (spki) SECKEY_DestroySubjectPublicKeyInfo(spki);
309 if (certreq) CERT_DestroyCertificateRequest(certreq);
310 if (validity) CERT_DestroyValidity(validity);
311 return identity;
312}
313
314SSLIdentity* NSSIdentity::FromPEMStrings(const std::string& private_key,
315 const std::string& certificate) {
316 std::string private_key_der;
wu@webrtc.org91053e72013-08-10 07:18:04 +0000[diff] [blame^]317 if (!SSLIdentity::PemToDer(
318 kPemTypeRsaPrivateKey, private_key, &private_key_der))
henrike@webrtc.org28e20752013-07-10 00:45:36 +0000[diff] [blame]319 return NULL;
320
321 SECItem private_key_item;
322 private_key_item.data =
323 reinterpret_cast<unsigned char *>(
324 const_cast<char *>(private_key_der.c_str()));
325 private_key_item.len = private_key_der.size();
326
327 const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
328 KU_DIGITAL_SIGNATURE;
329
330 SECKEYPrivateKey* privkey = NULL;
331 SECStatus rv =
332 PK11_ImportDERPrivateKeyInfoAndReturnKey(NSSContext::GetSlot(),
333 &private_key_item,
334 NULL, NULL, PR_FALSE, PR_FALSE,
335 key_usage, &privkey, NULL);
336 if (rv != SECSuccess) {
337 LOG(LS_ERROR) << "Couldn't import private key";
338 return NULL;
339 }
340
341 SECKEYPublicKey *pubkey = SECKEY_ConvertToPublicKey(privkey);
342 if (rv != SECSuccess) {
343 SECKEY_DestroyPrivateKey(privkey);
344 LOG(LS_ERROR) << "Couldn't convert private key to public key";
345 return NULL;
346 }
347
348 // Assign to a scoped_ptr so we don't leak on error.
349 scoped_ptr<NSSKeyPair> keypair(new NSSKeyPair(privkey, pubkey));
350
351 scoped_ptr<NSSCertificate> cert(NSSCertificate::FromPEMString(certificate));
352 if (!cert) {
353 LOG(LS_ERROR) << "Couldn't parse certificate";
354 return NULL;
355 }
356
357 // TODO(ekr@rtfm.com): Check the public key against the certificate.
358
359 return new NSSIdentity(keypair.release(), cert.release());
360}
361
362NSSIdentity *NSSIdentity::GetReference() const {
363 NSSKeyPair *keypair = keypair_->GetReference();
364 if (!keypair)
365 return NULL;
366
367 NSSCertificate *certificate = certificate_->GetReference();
368 if (!certificate) {
369 delete keypair;
370 return NULL;
371 }
372
373 return new NSSIdentity(keypair, certificate);
374}
375
376
377NSSCertificate &NSSIdentity::certificate() const {
378 return *certificate_;
379}
380
381
382} // talk_base namespace
383
384#endif // HAVE_NSS_SSL_H
385