ssl_identity.h 6.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
  1. /*
  2. * Copyright 2004 The WebRTC Project Authors. All rights reserved.
  3. *
  4. * Use of this source code is governed by a BSD-style license
  5. * that can be found in the LICENSE file in the root of the source
  6. * tree. An additional intellectual property rights grant can be found
  7. * in the file PATENTS. All contributing project authors may
  8. * be found in the AUTHORS file in the root of the source tree.
  9. */
  10. // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
  11. #ifndef RTC_BASE_SSL_IDENTITY_H_
  12. #define RTC_BASE_SSL_IDENTITY_H_
  13. #include <stdint.h>
  14. #include <ctime>
  15. #include <memory>
  16. #include <string>
  17. #include "rtc_base/deprecation.h"
  18. #include "rtc_base/system/rtc_export.h"
  19. namespace rtc {
  20. class SSLCertChain;
  21. class SSLCertificate;
  22. // KT_LAST is intended for vector declarations and loops over all key types;
  23. // it does not represent any key type in itself.
  24. // KT_DEFAULT is used as the default KeyType for KeyParams.
  25. enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_ECDSA };
  26. static const int kRsaDefaultModSize = 1024;
  27. static const int kRsaDefaultExponent = 0x10001; // = 2^16+1 = 65537
  28. static const int kRsaMinModSize = 1024;
  29. static const int kRsaMaxModSize = 8192;
  30. // Certificate default validity lifetime.
  31. static const int kDefaultCertificateLifetimeInSeconds =
  32. 60 * 60 * 24 * 30; // 30 days
  33. // Certificate validity window.
  34. // This is to compensate for slightly incorrect system clocks.
  35. static const int kCertificateWindowInSeconds = -60 * 60 * 24;
  36. struct RSAParams {
  37. unsigned int mod_size;
  38. unsigned int pub_exp;
  39. };
  40. enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
  41. class RTC_EXPORT KeyParams {
  42. public:
  43. // Generate a KeyParams object from a simple KeyType, using default params.
  44. explicit KeyParams(KeyType key_type = KT_DEFAULT);
  45. // Generate a a KeyParams for RSA with explicit parameters.
  46. static KeyParams RSA(int mod_size = kRsaDefaultModSize,
  47. int pub_exp = kRsaDefaultExponent);
  48. // Generate a a KeyParams for ECDSA specifying the curve.
  49. static KeyParams ECDSA(ECCurve curve = EC_NIST_P256);
  50. // Check validity of a KeyParams object. Since the factory functions have
  51. // no way of returning errors, this function can be called after creation
  52. // to make sure the parameters are OK.
  53. bool IsValid() const;
  54. RSAParams rsa_params() const;
  55. ECCurve ec_curve() const;
  56. KeyType type() const { return type_; }
  57. private:
  58. KeyType type_;
  59. union {
  60. RSAParams rsa;
  61. ECCurve curve;
  62. } params_;
  63. };
  64. // TODO(hbos): Remove once rtc::KeyType (to be modified) and
  65. // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
  66. // appropriately we can change KeyType enum -> class without breaking Chromium.
  67. KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
  68. // Parameters for generating a certificate. If |common_name| is non-empty, it
  69. // will be used for the certificate's subject and issuer name, otherwise a
  70. // random string will be used.
  71. struct SSLIdentityParams {
  72. std::string common_name;
  73. time_t not_before; // Absolute time since epoch in seconds.
  74. time_t not_after; // Absolute time since epoch in seconds.
  75. KeyParams key_params;
  76. };
  77. // Our identity in an SSL negotiation: a keypair and certificate (both
  78. // with the same public key).
  79. // This too is pretty much immutable once created.
  80. class RTC_EXPORT SSLIdentity {
  81. public:
  82. // Generates an identity (keypair and self-signed certificate). If
  83. // |common_name| is non-empty, it will be used for the certificate's subject
  84. // and issuer name, otherwise a random string will be used. The key type and
  85. // parameters are defined in |key_param|. The certificate's lifetime in
  86. // seconds from the current time is defined in |certificate_lifetime|; it
  87. // should be a non-negative number.
  88. // Returns null on failure.
  89. // Caller is responsible for freeing the returned object.
  90. static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
  91. const KeyParams& key_param,
  92. time_t certificate_lifetime);
  93. static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
  94. const KeyParams& key_param);
  95. static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
  96. KeyType key_type);
  97. // Allows fine-grained control over expiration time.
  98. static std::unique_ptr<SSLIdentity> CreateForTest(
  99. const SSLIdentityParams& params);
  100. // Construct an identity from a private key and a certificate.
  101. static std::unique_ptr<SSLIdentity> CreateFromPEMStrings(
  102. const std::string& private_key,
  103. const std::string& certificate);
  104. // Construct an identity from a private key and a certificate chain.
  105. static std::unique_ptr<SSLIdentity> CreateFromPEMChainStrings(
  106. const std::string& private_key,
  107. const std::string& certificate_chain);
  108. virtual ~SSLIdentity() {}
  109. // Returns a new SSLIdentity object instance wrapping the same
  110. // identity information.
  111. std::unique_ptr<SSLIdentity> Clone() const { return CloneInternal(); }
  112. // Returns a temporary reference to the end-entity (leaf) certificate.
  113. virtual const SSLCertificate& certificate() const = 0;
  114. // Returns a temporary reference to the entire certificate chain.
  115. virtual const SSLCertChain& cert_chain() const = 0;
  116. virtual std::string PrivateKeyToPEMString() const = 0;
  117. virtual std::string PublicKeyToPEMString() const = 0;
  118. // Helpers for parsing converting between PEM and DER format.
  119. static bool PemToDer(const std::string& pem_type,
  120. const std::string& pem_string,
  121. std::string* der);
  122. static std::string DerToPem(const std::string& pem_type,
  123. const unsigned char* data,
  124. size_t length);
  125. protected:
  126. virtual std::unique_ptr<SSLIdentity> CloneInternal() const = 0;
  127. };
  128. bool operator==(const SSLIdentity& a, const SSLIdentity& b);
  129. bool operator!=(const SSLIdentity& a, const SSLIdentity& b);
  130. // Convert from ASN1 time as restricted by RFC 5280 to seconds from 1970-01-01
  131. // 00.00 ("epoch"). If the ASN1 time cannot be read, return -1. The data at
  132. // |s| is not 0-terminated; its char count is defined by |length|.
  133. int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format);
  134. extern const char kPemTypeCertificate[];
  135. extern const char kPemTypeRsaPrivateKey[];
  136. extern const char kPemTypeEcPrivateKey[];
  137. } // namespace rtc
  138. #endif // RTC_BASE_SSL_IDENTITY_H_