1 /* 2 * libjingle 3 * Copyright 2004, Google Inc. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 3. The name of the author may not be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED 17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 19 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 20 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 21 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 22 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 24 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 25 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. 29 30 #ifndef TALK_BASE_SSLIDENTITY_H_ 31 #define TALK_BASE_SSLIDENTITY_H_ 32 33 #include <algorithm> 34 #include <string> 35 #include <vector> 36 37 #include "talk/base/buffer.h" 38 #include "talk/base/messagedigest.h" 39 40 namespace talk_base { 41 42 // Forward declaration due to circular dependency with SSLCertificate. 43 class SSLCertChain; 44 45 // Abstract interface overridden by SSL library specific 46 // implementations. 47 48 // A somewhat opaque type used to encapsulate a certificate. 49 // Wraps the SSL library's notion of a certificate, with reference counting. 50 // The SSLCertificate object is pretty much immutable once created. 51 // (The OpenSSL implementation only does reference counting and 52 // possibly caching of intermediate results.) 53 class SSLCertificate { 54 public: 55 // Parses and build a certificate from a PEM encoded string. 56 // Returns NULL on failure. 57 // The length of the string representation of the certificate is 58 // stored in *pem_length if it is non-NULL, and only if 59 // parsing was successful. 60 // Caller is responsible for freeing the returned object. 61 static SSLCertificate* FromPEMString(const std::string& pem_string); 62 virtual ~SSLCertificate() {} 63 64 // Returns a new SSLCertificate object instance wrapping the same 65 // underlying certificate, including its chain if present. 66 // Caller is responsible for freeing the returned object. 67 virtual SSLCertificate* GetReference() const = 0; 68 69 // Provides the cert chain, or returns false. The caller owns the chain. 70 // The chain includes a copy of each certificate, excluding the leaf. 71 virtual bool GetChain(SSLCertChain** chain) const = 0; 72 73 // Returns a PEM encoded string representation of the certificate. 74 virtual std::string ToPEMString() const = 0; 75 76 // Provides a DER encoded binary representation of the certificate. 77 virtual void ToDER(Buffer* der_buffer) const = 0; 78 79 // Gets the name of the digest algorithm that was used to compute this 80 // certificate's signature. 81 virtual bool GetSignatureDigestAlgorithm(std::string* algorithm) const = 0; 82 83 // Compute the digest of the certificate given algorithm 84 virtual bool ComputeDigest(const std::string &algorithm, 85 unsigned char* digest, std::size_t size, 86 std::size_t* length) const = 0; 87 }; 88 89 // SSLCertChain is a simple wrapper for a vector of SSLCertificates. It serves 90 // primarily to ensure proper memory management (especially deletion) of the 91 // SSLCertificate pointers. 92 class SSLCertChain { 93 public: 94 // These constructors copy the provided SSLCertificate(s), so the caller 95 // retains ownership. 96 explicit SSLCertChain(const std::vector<SSLCertificate*>& certs) { 97 ASSERT(!certs.empty()); 98 certs_.resize(certs.size()); 99 std::transform(certs.begin(), certs.end(), certs_.begin(), DupCert); 100 } 101 explicit SSLCertChain(const SSLCertificate* cert) { 102 certs_.push_back(cert->GetReference()); 103 } 104 105 ~SSLCertChain() { 106 std::for_each(certs_.begin(), certs_.end(), DeleteCert); 107 } 108 109 // Vector access methods. 110 size_t GetSize() const { return certs_.size(); } 111 112 // Returns a temporary reference, only valid until the chain is destroyed. 113 const SSLCertificate& Get(size_t pos) const { return *(certs_[pos]); } 114 115 // Returns a new SSLCertChain object instance wrapping the same underlying 116 // certificate chain. Caller is responsible for freeing the returned object. 117 SSLCertChain* Copy() const { 118 return new SSLCertChain(certs_); 119 } 120 121 private: 122 // Helper function for duplicating a vector of certificates. 123 static SSLCertificate* DupCert(const SSLCertificate* cert) { 124 return cert->GetReference(); 125 } 126 127 // Helper function for deleting a vector of certificates. 128 static void DeleteCert(SSLCertificate* cert) { delete cert; } 129 130 std::vector<SSLCertificate*> certs_; 131 132 DISALLOW_COPY_AND_ASSIGN(SSLCertChain); 133 }; 134 135 // Our identity in an SSL negotiation: a keypair and certificate (both 136 // with the same public key). 137 // This too is pretty much immutable once created. 138 class SSLIdentity { 139 public: 140 // Generates an identity (keypair and self-signed certificate). If 141 // common_name is non-empty, it will be used for the certificate's 142 // subject and issuer name, otherwise a random string will be used. 143 // Returns NULL on failure. 144 // Caller is responsible for freeing the returned object. 145 static SSLIdentity* Generate(const std::string& common_name); 146 147 // Construct an identity from a private key and a certificate. 148 static SSLIdentity* FromPEMStrings(const std::string& private_key, 149 const std::string& certificate); 150 151 virtual ~SSLIdentity() {} 152 153 // Returns a new SSLIdentity object instance wrapping the same 154 // identity information. 155 // Caller is responsible for freeing the returned object. 156 virtual SSLIdentity* GetReference() const = 0; 157 158 // Returns a temporary reference to the certificate. 159 virtual const SSLCertificate& certificate() const = 0; 160 161 // Helpers for parsing converting between PEM and DER format. 162 static bool PemToDer(const std::string& pem_type, 163 const std::string& pem_string, 164 std::string* der); 165 static std::string DerToPem(const std::string& pem_type, 166 const unsigned char* data, 167 size_t length); 168 }; 169 170 extern const char kPemTypeCertificate[]; 171 extern const char kPemTypeRsaPrivateKey[]; 172 173 } // namespace talk_base 174 175 #endif // TALK_BASE_SSLIDENTITY_H_ 176
