Gitiles
Code Review Sign In
gerrit.openfyde.cn / webrtc.googlesource.com / src / dd21474da5bd180d1692100045f9d6dbb9ee857f / . / rtc_base / sslidentity.h
blob: 1379d733be5f4f1a2f877c64f5d3fba5fe79ffb5 [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11// Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
12
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]13#ifndef RTC_BASE_SSLIDENTITY_H_
14#define RTC_BASE_SSLIDENTITY_H_
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]15
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]16#include <algorithm>
17#include <memory>
18#include <string>
19#include <vector>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]20
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]21#include "rtc_base/buffer.h"
22#include "rtc_base/constructormagic.h"
23#include "rtc_base/messagedigest.h"
Benjamin Wrightd6f86e82018-05-08 13:12:25 -0700[diff] [blame]24#include "rtc_base/sslcertificate.h"
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]25#include "rtc_base/timeutils.h"
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]26
27namespace rtc {
28
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]29// KT_LAST is intended for vector declarations and loops over all key types;
30// it does not represent any key type in itself.
31// KT_DEFAULT is used as the default KeyType for KeyParams.
32enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_ECDSA };
33
34static const int kRsaDefaultModSize = 1024;
35static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537
36static const int kRsaMinModSize = 1024;
37static const int kRsaMaxModSize = 8192;
38
39// Certificate default validity lifetime.
40static const int kDefaultCertificateLifetimeInSeconds =
41 60 * 60 * 24 * 30; // 30 days
42// Certificate validity window.
43// This is to compensate for slightly incorrect system clocks.
44static const int kCertificateWindowInSeconds = -60 * 60 * 24;
45
46struct RSAParams {
47 unsigned int mod_size;
48 unsigned int pub_exp;
49};
50
51enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
52
53class KeyParams {
54 public:
55 // Generate a KeyParams object from a simple KeyType, using default params.
56 explicit KeyParams(KeyType key_type = KT_DEFAULT);
57
58 // Generate a a KeyParams for RSA with explicit parameters.
59 static KeyParams RSA(int mod_size = kRsaDefaultModSize,
60 int pub_exp = kRsaDefaultExponent);
61
62 // Generate a a KeyParams for ECDSA specifying the curve.
63 static KeyParams ECDSA(ECCurve curve = EC_NIST_P256);
64
65 // Check validity of a KeyParams object. Since the factory functions have
66 // no way of returning errors, this function can be called after creation
67 // to make sure the parameters are OK.
68 bool IsValid() const;
69
70 RSAParams rsa_params() const;
71
72 ECCurve ec_curve() const;
73
74 KeyType type() const { return type_; }
75
76 private:
77 KeyType type_;
78 union {
79 RSAParams rsa;
80 ECCurve curve;
81 } params_;
82};
83
84// TODO(hbos): Remove once rtc::KeyType (to be modified) and
85// blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
86// appropriately we can change KeyType enum -> class without breaking Chromium.
87KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
88
89// Parameters for generating a certificate. If |common_name| is non-empty, it
90// will be used for the certificate's subject and issuer name, otherwise a
91// random string will be used.
92struct SSLIdentityParams {
93 std::string common_name;
94 time_t not_before; // Absolute time since epoch in seconds.
95 time_t not_after; // Absolute time since epoch in seconds.
96 KeyParams key_params;
97};
98
99// Our identity in an SSL negotiation: a keypair and certificate (both
100// with the same public key).
101// This too is pretty much immutable once created.
102class SSLIdentity {
103 public:
104 // Generates an identity (keypair and self-signed certificate). If
105 // |common_name| is non-empty, it will be used for the certificate's subject
106 // and issuer name, otherwise a random string will be used. The key type and
107 // parameters are defined in |key_param|. The certificate's lifetime in
108 // seconds from the current time is defined in |certificate_lifetime|; it
109 // should be a non-negative number.
110 // Returns null on failure.
111 // Caller is responsible for freeing the returned object.
112 static SSLIdentity* GenerateWithExpiration(const std::string& common_name,
113 const KeyParams& key_param,
114 time_t certificate_lifetime);
115 static SSLIdentity* Generate(const std::string& common_name,
116 const KeyParams& key_param);
117 static SSLIdentity* Generate(const std::string& common_name,
118 KeyType key_type);
119
120 // Generates an identity with the specified validity period.
121 // TODO(torbjorng): Now that Generate() accepts relevant params, make tests
122 // use that instead of this function.
123 static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
124
125 // Construct an identity from a private key and a certificate.
126 static SSLIdentity* FromPEMStrings(const std::string& private_key,
127 const std::string& certificate);
128
Jian Cui0a8798b2017-11-16 16:58:02 -0800[diff] [blame]129 // Construct an identity from a private key and a certificate chain.
130 static SSLIdentity* FromPEMChainStrings(const std::string& private_key,
131 const std::string& certificate_chain);
132
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]133 virtual ~SSLIdentity() {}
134
135 // Returns a new SSLIdentity object instance wrapping the same
136 // identity information.
137 // Caller is responsible for freeing the returned object.
138 // TODO(hbos,torbjorng): Rename to a less confusing name.
139 virtual SSLIdentity* GetReference() const = 0;
140
Taylor Brandstetterc3928662018-02-23 13:04:51 -0800[diff] [blame]141 // Returns a temporary reference to the end-entity (leaf) certificate.
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]142 virtual const SSLCertificate& certificate() const = 0;
Taylor Brandstetterc3928662018-02-23 13:04:51 -0800[diff] [blame]143 // Returns a temporary reference to the entire certificate chain.
144 virtual const SSLCertChain& cert_chain() const = 0;
Henrik Kjellanderec78f1c2017-06-29 07:52:50 +0200[diff] [blame]145 virtual std::string PrivateKeyToPEMString() const = 0;
146 virtual std::string PublicKeyToPEMString() const = 0;
147
148 // Helpers for parsing converting between PEM and DER format.
149 static bool PemToDer(const std::string& pem_type,
150 const std::string& pem_string,
151 std::string* der);
152 static std::string DerToPem(const std::string& pem_type,
153 const unsigned char* data,
154 size_t length);
155};
156
157bool operator==(const SSLIdentity& a, const SSLIdentity& b);
158bool operator!=(const SSLIdentity& a, const SSLIdentity& b);
159
160// Convert from ASN1 time as restricted by RFC 5280 to seconds from 1970-01-01
161// 00.00 ("epoch"). If the ASN1 time cannot be read, return -1. The data at
162// |s| is not 0-terminated; its char count is defined by |length|.
163int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format);
164
165extern const char kPemTypeCertificate[];
166extern const char kPemTypeRsaPrivateKey[];
167extern const char kPemTypeEcPrivateKey[];
168
169} // namespace rtc
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]170
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]171#endif // RTC_BASE_SSLIDENTITY_H_