Home | History | Annotate | Download | only in base 
      1 /*
      2  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
      3  *
      4  *  Use of this source code is governed by a BSD-style license
      5  *  that can be found in the LICENSE file in the root of the source
      6  *  tree. An additional intellectual property rights grant can be found
      7  *  in the file PATENTS.  All contributing project authors may
      8  *  be found in the AUTHORS file in the root of the source tree.
      9  */
     10 
     11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
     12 
     13 #ifndef WEBRTC_BASE_SSLIDENTITY_H_
     14 #define WEBRTC_BASE_SSLIDENTITY_H_
     15 
     16 #include <algorithm>
     17 #include <string>
     18 #include <vector>
     19 
     20 #include "webrtc/base/buffer.h"
     21 #include "webrtc/base/messagedigest.h"
     22 
     23 namespace rtc {
     24 
     25 // Forward declaration due to circular dependency with SSLCertificate.
     26 class SSLCertChain;
     27 
     28 // Abstract interface overridden by SSL library specific
     29 // implementations.
     30 
     31 // A somewhat opaque type used to encapsulate a certificate.
     32 // Wraps the SSL library's notion of a certificate, with reference counting.
     33 // The SSLCertificate object is pretty much immutable once created.
     34 // (The OpenSSL implementation only does reference counting and
     35 // possibly caching of intermediate results.)
     36 class SSLCertificate {
     37  public:
     38   // Parses and build a certificate from a PEM encoded string.
     39   // Returns NULL on failure.
     40   // The length of the string representation of the certificate is
     41   // stored in *pem_length if it is non-NULL, and only if
     42   // parsing was successful.
     43   // Caller is responsible for freeing the returned object.
     44   static SSLCertificate* FromPEMString(const std::string& pem_string);
     45   virtual ~SSLCertificate() {}
     46 
     47   // Returns a new SSLCertificate object instance wrapping the same
     48   // underlying certificate, including its chain if present.
     49   // Caller is responsible for freeing the returned object.
     50   virtual SSLCertificate* GetReference() const = 0;
     51 
     52   // Provides the cert chain, or returns false.  The caller owns the chain.
     53   // The chain includes a copy of each certificate, excluding the leaf.
     54   virtual bool GetChain(SSLCertChain** chain) const = 0;
     55 
     56   // Returns a PEM encoded string representation of the certificate.
     57   virtual std::string ToPEMString() const = 0;
     58 
     59   // Provides a DER encoded binary representation of the certificate.
     60   virtual void ToDER(Buffer* der_buffer) const = 0;
     61 
     62   // Gets the name of the digest algorithm that was used to compute this
     63   // certificate's signature.
     64   virtual bool GetSignatureDigestAlgorithm(std::string* algorithm) const = 0;
     65 
     66   // Compute the digest of the certificate given algorithm
     67   virtual bool ComputeDigest(const std::string& algorithm,
     68                              unsigned char* digest,
     69                              size_t size,
     70                              size_t* length) const = 0;
     71 };
     72 
     73 // SSLCertChain is a simple wrapper for a vector of SSLCertificates. It serves
     74 // primarily to ensure proper memory management (especially deletion) of the
     75 // SSLCertificate pointers.
     76 class SSLCertChain {
     77  public:
     78   // These constructors copy the provided SSLCertificate(s), so the caller
     79   // retains ownership.
     80   explicit SSLCertChain(const std::vector<SSLCertificate*>& certs) {
     81     ASSERT(!certs.empty());
     82     certs_.resize(certs.size());
     83     std::transform(certs.begin(), certs.end(), certs_.begin(), DupCert);
     84   }
     85   explicit SSLCertChain(const SSLCertificate* cert) {
     86     certs_.push_back(cert->GetReference());
     87   }
     88 
     89   ~SSLCertChain() {
     90     std::for_each(certs_.begin(), certs_.end(), DeleteCert);
     91   }
     92 
     93   // Vector access methods.
     94   size_t GetSize() const { return certs_.size(); }
     95 
     96   // Returns a temporary reference, only valid until the chain is destroyed.
     97   const SSLCertificate& Get(size_t pos) const { return *(certs_[pos]); }
     98 
     99   // Returns a new SSLCertChain object instance wrapping the same underlying
    100   // certificate chain.  Caller is responsible for freeing the returned object.
    101   SSLCertChain* Copy() const {
    102     return new SSLCertChain(certs_);
    103   }
    104 
    105  private:
    106   // Helper function for duplicating a vector of certificates.
    107   static SSLCertificate* DupCert(const SSLCertificate* cert) {
    108     return cert->GetReference();
    109   }
    110 
    111   // Helper function for deleting a vector of certificates.
    112   static void DeleteCert(SSLCertificate* cert) { delete cert; }
    113 
    114   std::vector<SSLCertificate*> certs_;
    115 
    116   DISALLOW_COPY_AND_ASSIGN(SSLCertChain);
    117 };
    118 
    119 // Parameters for generating an identity for testing. If common_name is
    120 // non-empty, it will be used for the certificate's subject and issuer name,
    121 // otherwise a random string will be used. |not_before| and |not_after| are
    122 // offsets to the current time in number of seconds.
    123 struct SSLIdentityParams {
    124   std::string common_name;
    125   int not_before;  // in seconds.
    126   int not_after;  // in seconds.
    127 };
    128 
    129 // Our identity in an SSL negotiation: a keypair and certificate (both
    130 // with the same public key).
    131 // This too is pretty much immutable once created.
    132 class SSLIdentity {
    133  public:
    134   // Generates an identity (keypair and self-signed certificate). If
    135   // common_name is non-empty, it will be used for the certificate's
    136   // subject and issuer name, otherwise a random string will be used.
    137   // Returns NULL on failure.
    138   // Caller is responsible for freeing the returned object.
    139   static SSLIdentity* Generate(const std::string& common_name);
    140 
    141   // Generates an identity with the specified validity period.
    142   static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
    143 
    144   // Construct an identity from a private key and a certificate.
    145   static SSLIdentity* FromPEMStrings(const std::string& private_key,
    146                                      const std::string& certificate);
    147 
    148   virtual ~SSLIdentity() {}
    149 
    150   // Returns a new SSLIdentity object instance wrapping the same
    151   // identity information.
    152   // Caller is responsible for freeing the returned object.
    153   virtual SSLIdentity* GetReference() const = 0;
    154 
    155   // Returns a temporary reference to the certificate.
    156   virtual const SSLCertificate& certificate() const = 0;
    157 
    158   // Helpers for parsing converting between PEM and DER format.
    159   static bool PemToDer(const std::string& pem_type,
    160                        const std::string& pem_string,
    161                        std::string* der);
    162   static std::string DerToPem(const std::string& pem_type,
    163                               const unsigned char* data,
    164                               size_t length);
    165 };
    166 
    167 extern const char kPemTypeCertificate[];
    168 extern const char kPemTypeRsaPrivateKey[];
    169 
    170 }  // namespace rtc
    171 
    172 #endif  // WEBRTC_BASE_SSLIDENTITY_H_
    173