/*
 * libjingle
 * Copyright 2004--2008, Google Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice,
 *     this list of conditions and the following disclaimer.
 *  2. Redistributions in binary form must reproduce the above copyright notice,
 *     this list of conditions and the following disclaimer in the documentation
 *     and/or other materials provided with the distribution.
 *  3. The name of the author may not be used to endorse or promote products
 *     derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#ifndef TALK_BASE_NSSIDENTITY_H_
#define TALK_BASE_NSSIDENTITY_H_

#include <string>

#include "cert.h"
#include "nspr.h"
#include "hasht.h"
#include "keythi.h"

#include "talk/base/common.h"
#include "talk/base/logging.h"
#include "talk/base/scoped_ptr.h"
#include "talk/base/sslidentity.h"

namespace talk_base {

// Wraps an NSS private/public key pair as raw SECKEY handles.
// ~NSSKeyPair is defined out of line; presumably it releases both handles
// (confirm in the .cc before relying on that). Callers must never free the
// handles themselves.
class NSSKeyPair {
 public:
  // Stores the two handles as given; no copy is made here.
  NSSKeyPair(SECKEYPrivateKey* privkey, SECKEYPublicKey* pubkey) :
      privkey_(privkey), pubkey_(pubkey) {}
  ~NSSKeyPair();

  // Generate a 1024-bit RSA key pair.
  // NOTE(review): 1024-bit RSA is below current minimum recommendations
  // (2048-bit or larger). The size is fixed in the implementation, not
  // here; callers cannot request a stronger key through this interface.
  static NSSKeyPair* Generate();
  // Returns a new NSSKeyPair referring to the same key material. How the
  // underlying NSS handles are shared or duplicated is decided in the .cc.
  NSSKeyPair* GetReference();

  // Non-owning accessors. The returned handles must not be freed by the
  // caller and should not be used past the lifetime of this object.
  SECKEYPrivateKey* privkey() const { return privkey_; }
  SECKEYPublicKey * pubkey() const { return pubkey_; }

 private:
  SECKEYPrivateKey* privkey_;
  SECKEYPublicKey* pubkey_;

  // Copy construction and assignment are disabled: the raw handles above
  // would otherwise be released twice.
  DISALLOW_EVIL_CONSTRUCTORS(NSSKeyPair);
};


// SSLCertificate implementation backed by an NSS CERTCertificate, optionally
// carrying the chain it was loaded with.
class NSSCertificate : public SSLCertificate {
 public:
  // Parses a PEM-encoded certificate. The failure-return convention
  // (presumably NULL) is defined in the .cc.
  static NSSCertificate* FromPEMString(const std::string& pem_string);
  // The caller retains ownership of the argument to all the constructors,
  // and the constructor makes a copy.
  explicit NSSCertificate(CERTCertificate* cert);
  explicit NSSCertificate(CERTCertList* cert_list);
  // Releases the certificate copy made by the constructor; chain_ is
  // released by its scoped_ptr.
  virtual ~NSSCertificate() {
    if (certificate_)
      CERT_DestroyCertificate(certificate_);
  }

  // Returns a new NSSCertificate for the same certificate; see the .cc for
  // whether the chain is carried along.
  virtual NSSCertificate* GetReference() const;

  // Serializes the certificate (not the chain) as PEM.
  virtual std::string ToPEMString() const;

  // Serializes the certificate (not the chain) as DER into der_buffer.
  virtual void ToDER(Buffer* der_buffer) const;

  // Sets *algorithm to the name of the digest used in the certificate's
  // signature. Returns false if it cannot be determined.
  virtual bool GetSignatureDigestAlgorithm(std::string* algorithm) const;

  // Computes the named digest of the certificate into digest, a buffer of
  // `size` bytes, and sets *length to the number of bytes written. The
  // exact false-return conditions (unknown algorithm, buffer too small)
  // are decided in the .cc.
  virtual bool ComputeDigest(const std::string& algorithm,
                             unsigned char* digest,
                             size_t size,
                             size_t* length) const;

  // Hands out the chain this certificate was constructed with, if any.
  // Ownership of *chain is defined by the SSLCertificate contract in
  // talk/base/sslidentity.h.
  virtual bool GetChain(SSLCertChain** chain) const;

  // Non-owning: CERT_DestroyCertificate is called in the destructor, so the
  // caller must neither destroy this handle nor keep it past this object.
  CERTCertificate* certificate() { return certificate_; }

  // Performs minimal checks to determine if the list is a valid chain. This
  // only checks that each certificate certifies the preceding certificate,
  // and ignores many other certificate features such as expiration dates.
  // It is therefore a structural check, not a trust decision: a true result
  // does not mean the chain is valid for any purpose.
  static bool IsValidChain(const CERTCertList* cert_list);

  // Helper function to get the length of a digest
  static bool GetDigestLength(const std::string& algorithm, size_t* length);

  // Comparison. Only the certificate itself is considered, not the chain.
  bool Equals(const NSSCertificate* tocompare) const;

 private:
  // Constructs from a certificate and an already-built chain; the chain is
  // presumably stored in chain_ (see the .cc).
  NSSCertificate(CERTCertificate* cert, SSLCertChain* chain);
  // Maps a digest algorithm name to the NSS hash object that implements it.
  static bool GetDigestObject(const std::string& algorithm,
                              const SECHashObject** hash_object);

  CERTCertificate* certificate_;
  scoped_ptr<SSLCertChain> chain_;

  // Copy construction and assignment are disabled: certificate_ is an
  // owning raw handle.
  DISALLOW_EVIL_CONSTRUCTORS(NSSCertificate);
};

// Represents a SSL key pair and certificate for NSS.
class NSSIdentity : public SSLIdentity {
 public:
  // Generates a new key pair and certificate for the given common name.
  static NSSIdentity* Generate(const std::string& common_name);
  // Like Generate but takes explicit parameters; intended for tests only.
  static NSSIdentity* GenerateForTest(const SSLIdentityParams& params);
  // Reconstructs an identity from a PEM private key and PEM certificate.
  // Note the return type is the base SSLIdentity*, unlike the generators.
  static SSLIdentity* FromPEMStrings(const std::string& private_key,
                                     const std::string& certificate);
  // keypair_ and certificate_ are released by their scoped_ptrs.
  virtual ~NSSIdentity() {
    LOG(LS_INFO) << "Destroying NSS identity";
  }

  virtual NSSIdentity* GetReference() const;
  // Returns the certificate held by certificate_; the reference is valid
  // only for the lifetime of this identity.
  virtual NSSCertificate& certificate() const;

  // Non-owning: the key pair is owned by keypair_ and freed with this
  // object.
  NSSKeyPair* keypair() const { return keypair_.get(); }

 private:
  // Takes ownership of both arguments (they are handed to scoped_ptrs).
  NSSIdentity(NSSKeyPair* keypair, NSSCertificate* cert) :
      keypair_(keypair), certificate_(cert) {}

  // Shared implementation behind Generate and GenerateForTest.
  static NSSIdentity* GenerateInternal(const SSLIdentityParams& params);

  talk_base::scoped_ptr<NSSKeyPair> keypair_;
  talk_base::scoped_ptr<NSSCertificate> certificate_;

  // Copy construction and assignment are disabled: both members are
  // uniquely owned.
  DISALLOW_EVIL_CONSTRUCTORS(NSSIdentity);
};

}  // namespace talk_base

#endif  // TALK_BASE_NSSIDENTITY_H_