Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / aba0633aafaaea7a49f90c7ae6bdcf62c258e11e / . / rtc_base / sslidentity.h
blob: d17d38bacd352c5d0fe57276e0af13a10ff889a5 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11// Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
12
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]13#ifndef RTC_BASE_SSLIDENTITY_H_
14#define RTC_BASE_SSLIDENTITY_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]15
Yves Gerey2e00abc2018-10-05 15:39:24 +0200[diff] [blame]16#include <ctime>
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]17#include <string>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]18
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]19#include "rtc_base/sslcertificate.h"
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]20
21namespace rtc {
22
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]23// KT_LAST is intended for vector declarations and loops over all key types;
24// it does not represent any key type in itself.
25// KT_DEFAULT is used as the default KeyType for KeyParams.
26enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_ECDSA };
27
28static const int kRsaDefaultModSize = 1024;
29static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537
30static const int kRsaMinModSize = 1024;
31static const int kRsaMaxModSize = 8192;
32
33// Certificate default validity lifetime.
34static const int kDefaultCertificateLifetimeInSeconds =
35 60 * 60 * 24 * 30; // 30 days
36// Certificate validity window.
37// This is to compensate for slightly incorrect system clocks.
38static const int kCertificateWindowInSeconds = -60 * 60 * 24;
39
40struct RSAParams {
41 unsigned int mod_size;
42 unsigned int pub_exp;
43};
44
45enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
46
47class KeyParams {
48 public:
49 // Generate a KeyParams object from a simple KeyType, using default params.
50 explicit KeyParams(KeyType key_type = KT_DEFAULT);
51
52 // Generate a a KeyParams for RSA with explicit parameters.
53 static KeyParams RSA(int mod_size = kRsaDefaultModSize,
54 int pub_exp = kRsaDefaultExponent);
55
56 // Generate a a KeyParams for ECDSA specifying the curve.
57 static KeyParams ECDSA(ECCurve curve = EC_NIST_P256);
58
59 // Check validity of a KeyParams object. Since the factory functions have
60 // no way of returning errors, this function can be called after creation
61 // to make sure the parameters are OK.
62 bool IsValid() const;
63
64 RSAParams rsa_params() const;
65
66 ECCurve ec_curve() const;
67
68 KeyType type() const { return type_; }
69
70 private:
71 KeyType type_;
72 union {
73 RSAParams rsa;
74 ECCurve curve;
75 } params_;
76};
77
78// TODO(hbos): Remove once rtc::KeyType (to be modified) and
79// blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
80// appropriately we can change KeyType enum -> class without breaking Chromium.
81KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
82
83// Parameters for generating a certificate. If |common_name| is non-empty, it
84// will be used for the certificate's subject and issuer name, otherwise a
85// random string will be used.
86struct SSLIdentityParams {
87 std::string common_name;
88 time_t not_before; // Absolute time since epoch in seconds.
89 time_t not_after; // Absolute time since epoch in seconds.
90 KeyParams key_params;
91};
92
93// Our identity in an SSL negotiation: a keypair and certificate (both
94// with the same public key).
95// This too is pretty much immutable once created.
96class SSLIdentity {
97 public:
98 // Generates an identity (keypair and self-signed certificate). If
99 // |common_name| is non-empty, it will be used for the certificate's subject
100 // and issuer name, otherwise a random string will be used. The key type and
101 // parameters are defined in |key_param|. The certificate's lifetime in
102 // seconds from the current time is defined in |certificate_lifetime|; it
103 // should be a non-negative number.
104 // Returns null on failure.
105 // Caller is responsible for freeing the returned object.
106 static SSLIdentity* GenerateWithExpiration(const std::string& common_name,
107 const KeyParams& key_param,
108 time_t certificate_lifetime);
109 static SSLIdentity* Generate(const std::string& common_name,
110 const KeyParams& key_param);
111 static SSLIdentity* Generate(const std::string& common_name,
112 KeyType key_type);
113
114 // Generates an identity with the specified validity period.
115 // TODO(torbjorng): Now that Generate() accepts relevant params, make tests
116 // use that instead of this function.
117 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
118
119 // Construct an identity from a private key and a certificate.
120 static SSLIdentity* FromPEMStrings(const std::string& private_key,
121 const std::string& certificate);
122
Jian Cui0a8798b2017-11-16 16:58:02 -0800[diff] [blame]123 // Construct an identity from a private key and a certificate chain.
124 static SSLIdentity* FromPEMChainStrings(const std::string& private_key,
125 const std::string& certificate_chain);
126
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]127 virtual ~SSLIdentity() {}
128
129 // Returns a new SSLIdentity object instance wrapping the same
130 // identity information.
131 // Caller is responsible for freeing the returned object.
132 // TODO(hbos,torbjorng): Rename to a less confusing name.
133 virtual SSLIdentity* GetReference() const = 0;
134
Taylor Brandstetterc3928662018-02-23 13:04:51 -0800[diff] [blame]135 // Returns a temporary reference to the end-entity (leaf) certificate.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]136 virtual const SSLCertificate& certificate() const = 0;
Taylor Brandstetterc3928662018-02-23 13:04:51 -0800[diff] [blame]137 // Returns a temporary reference to the entire certificate chain.
138 virtual const SSLCertChain& cert_chain() const = 0;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]139 virtual std::string PrivateKeyToPEMString() const = 0;
140 virtual std::string PublicKeyToPEMString() const = 0;
141
142 // Helpers for parsing converting between PEM and DER format.
143 static bool PemToDer(const std::string& pem_type,
144 const std::string& pem_string,
145 std::string* der);
146 static std::string DerToPem(const std::string& pem_type,
147 const unsigned char* data,
148 size_t length);
149};
150
151bool operator==(const SSLIdentity& a, const SSLIdentity& b);
152bool operator!=(const SSLIdentity& a, const SSLIdentity& b);
153
154// Convert from ASN1 time as restricted by RFC 5280 to seconds from 1970-01-01
155// 00.00 ("epoch"). If the ASN1 time cannot be read, return -1. The data at
156// |s| is not 0-terminated; its char count is defined by |length|.
157int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format);
158
159extern const char kPemTypeCertificate[];
160extern const char kPemTypeRsaPrivateKey[];
161extern const char kPemTypeEcPrivateKey[];
162
163} // namespace rtc
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]164
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]165#endif // RTC_BASE_SSLIDENTITY_H_