| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. | 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 * | 3 * |
| 4 * Use of this source code is governed by a BSD-style license | 4 * Use of this source code is governed by a BSD-style license |
| 5 * that can be found in the LICENSE file in the root of the source | 5 * that can be found in the LICENSE file in the root of the source |
| 6 * tree. An additional intellectual property rights grant can be found | 6 * tree. An additional intellectual property rights grant can be found |
| 7 * in the file PATENTS. All contributing project authors may | 7 * in the file PATENTS. All contributing project authors may |
| 8 * be found in the AUTHORS file in the root of the source tree. | 8 * be found in the AUTHORS file in the root of the source tree. |
| 9 */ | 9 */ |
| 10 | 10 |
| 11 #include "rtc_base/opensslidentity.h" | 11 #include "rtc_base/opensslidentity.h" |
| 12 | 12 |
| 13 #include <algorithm> |
| 13 #include <memory> | 14 #include <memory> |
| 15 #include <vector> |
| 14 | 16 |
| 15 // Must be included first before openssl headers. | 17 // Must be included first before openssl headers. |
| 16 #include "rtc_base/win32.h" // NOLINT | 18 #include "rtc_base/win32.h" // NOLINT |
| 17 | 19 |
| 18 #include <openssl/bio.h> | 20 #include <openssl/bio.h> |
| 19 #include <openssl/err.h> | 21 #include <openssl/err.h> |
| 20 #include <openssl/pem.h> | 22 #include <openssl/pem.h> |
| 21 #include <openssl/bn.h> | 23 #include <openssl/bn.h> |
| 22 #include <openssl/rsa.h> | 24 #include <openssl/rsa.h> |
| 23 #include <openssl/crypto.h> | 25 #include <openssl/crypto.h> |
| (...skipping 247 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 271 } | 273 } |
| 272 X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0); | 274 X509_print_ex(temp_memory_bio, x509, XN_FLAG_SEP_CPLUS_SPC, 0); |
| 273 BIO_write(temp_memory_bio, "\0", 1); | 275 BIO_write(temp_memory_bio, "\0", 1); |
| 274 char* buffer; | 276 char* buffer; |
| 275 BIO_get_mem_data(temp_memory_bio, &buffer); | 277 BIO_get_mem_data(temp_memory_bio, &buffer); |
| 276 LOG(LS_VERBOSE) << buffer; | 278 LOG(LS_VERBOSE) << buffer; |
| 277 BIO_free(temp_memory_bio); | 279 BIO_free(temp_memory_bio); |
| 278 } | 280 } |
| 279 #endif | 281 #endif |
| 280 | 282 |
| 283 OpenSSLCertificate::OpenSSLCertificate(X509* x509) : x509_(x509) { |
| 284 AddReference(x509_); |
| 285 } |
| 286 |
| 287 OpenSSLCertificate::OpenSSLCertificate(STACK_OF(X509) * chain) { |
| 288 x509_ = sk_X509_value(chain, 0); |
| 289 AddReference(x509_); |
| 290 for (size_t i = 1; i < sk_X509_num(chain); ++i) { |
| 291 X509* x509 = sk_X509_value(chain, i); |
| 292 cert_chain_.push_back(new OpenSSLCertificate(x509)); |
| 293 } |
| 294 } |
| 295 |
| 281 OpenSSLCertificate* OpenSSLCertificate::Generate( | 296 OpenSSLCertificate* OpenSSLCertificate::Generate( |
| 282 OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) { | 297 OpenSSLKeyPair* key_pair, const SSLIdentityParams& params) { |
| 283 SSLIdentityParams actual_params(params); | 298 SSLIdentityParams actual_params(params); |
| 284 if (actual_params.common_name.empty()) { | 299 if (actual_params.common_name.empty()) { |
| 285 // Use a random string, arbitrarily 8chars long. | 300 // Use a random string, arbitrarily 8chars long. |
| 286 actual_params.common_name = CreateRandomString(8); | 301 actual_params.common_name = CreateRandomString(8); |
| 287 } | 302 } |
| 288 X509* x509 = MakeCertificate(key_pair->pkey(), actual_params); | 303 X509* x509 = MakeCertificate(key_pair->pkey(), actual_params); |
| 289 if (!x509) { | 304 if (!x509) { |
| 290 LogSSLErrors("Generating certificate"); | 305 LogSSLErrors("Generating certificate"); |
| 291 return nullptr; | 306 return nullptr; |
| 292 } | 307 } |
| 293 #if !defined(NDEBUG) | 308 #if !defined(NDEBUG) |
| 294 PrintCert(x509); | 309 PrintCert(x509); |
| 295 #endif | 310 #endif |
| 296 OpenSSLCertificate* ret = new OpenSSLCertificate(x509); | 311 OpenSSLCertificate* ret = new OpenSSLCertificate(x509); |
| 297 X509_free(x509); | 312 X509_free(x509); |
| 298 return ret; | 313 return ret; |
| 299 } | 314 } |
| 300 | 315 |
| 301 OpenSSLCertificate* OpenSSLCertificate::FromPEMString( | 316 OpenSSLCertificate* OpenSSLCertificate::FromPEMString( |
| 302 const std::string& pem_string) { | 317 const std::string& pem_string) { |
| 303 BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem_string.c_str()), -1); | 318 BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem_string.c_str()), -1); |
| 304 if (!bio) | 319 if (!bio) |
| 305 return nullptr; | 320 return nullptr; |
| 306 BIO_set_mem_eof_return(bio, 0); | 321 BIO_set_mem_eof_return(bio, 0); |
| 307 X509* x509 = | 322 X509* x509 = |
| 308 PEM_read_bio_X509(bio, nullptr, nullptr, const_cast<char*>("\0")); | 323 PEM_read_bio_X509(bio, nullptr, nullptr, const_cast<char*>("\0")); |
| 324 STACK_OF(X509)* x509s = sk_X509_new_null(); |
| 325 while (x509 != nullptr) { |
| 326 sk_X509_push(x509s, x509); |
| 327 x509 = PEM_read_bio_X509(bio, nullptr, nullptr, const_cast<char*>("\0")); |
| 328 } |
| 309 BIO_free(bio); // Frees the BIO, but not the pointed-to string. | 329 BIO_free(bio); // Frees the BIO, but not the pointed-to string. |
| 310 | 330 |
| 311 if (!x509) | 331 if (sk_X509_num(x509s) == 0) |
| 312 return nullptr; | 332 return nullptr; |
| 313 | 333 |
| 314 OpenSSLCertificate* ret = new OpenSSLCertificate(x509); | 334 OpenSSLCertificate* ret = new OpenSSLCertificate(x509s); |
| 315 X509_free(x509); | 335 sk_X509_pop_free(x509s, X509_free); |
| 316 return ret; | 336 return ret; |
| 317 } | 337 } |
| 318 | 338 |
| 319 // NOTE: This implementation only functions correctly after InitializeSSL | 339 // NOTE: This implementation only functions correctly after InitializeSSL |
| 320 // and before CleanupSSL. | 340 // and before CleanupSSL. |
| 321 bool OpenSSLCertificate::GetSignatureDigestAlgorithm( | 341 bool OpenSSLCertificate::GetSignatureDigestAlgorithm( |
| 322 std::string* algorithm) const { | 342 std::string* algorithm) const { |
| 323 int nid = OBJ_obj2nid(x509_->sig_alg->algorithm); | 343 int nid = OBJ_obj2nid(x509_->sig_alg->algorithm); |
| 324 switch (nid) { | 344 switch (nid) { |
| 325 case NID_md5WithRSA: | 345 case NID_md5WithRSA: |
| (...skipping 29 matching lines...) Expand all Loading... |
| 355 // Unknown algorithm. There are several unhandled options that are less | 375 // Unknown algorithm. There are several unhandled options that are less |
| 356 // common and more complex. | 376 // common and more complex. |
| 357 LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid; | 377 LOG(LS_ERROR) << "Unknown signature algorithm NID: " << nid; |
| 358 algorithm->clear(); | 378 algorithm->clear(); |
| 359 return false; | 379 return false; |
| 360 } | 380 } |
| 361 return true; | 381 return true; |
| 362 } | 382 } |
| 363 | 383 |
| 364 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const { | 384 std::unique_ptr<SSLCertChain> OpenSSLCertificate::GetChain() const { |
| 365 // Chains are not yet supported when using OpenSSL. | 385 if (cert_chain_.empty()) { |
| 366 // OpenSSLStreamAdapter::SSLVerifyCallback currently requires the remote | 386 return nullptr; |
| 367 // certificate to be self-signed. | 387 } |
| 368 return nullptr; | 388 std::unique_ptr<SSLCertChain> chain(new SSLCertChain(cert_chain_)); |
| 389 return chain; |
| 369 } | 390 } |
| 370 | 391 |
| 371 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm, | 392 bool OpenSSLCertificate::ComputeDigest(const std::string& algorithm, |
| 372 unsigned char* digest, | 393 unsigned char* digest, |
| 373 size_t size, | 394 size_t size, |
| 374 size_t* length) const { | 395 size_t* length) const { |
| 375 return ComputeDigest(x509_, algorithm, digest, size, length); | 396 return ComputeDigest(x509_, algorithm, digest, size, length); |
| 376 } | 397 } |
| 377 | 398 |
| 378 bool OpenSSLCertificate::ComputeDigest(const X509* x509, | 399 bool OpenSSLCertificate::ComputeDigest(const X509* x509, |
| (...skipping 12 matching lines...) Expand all Loading... |
| 391 | 412 |
| 392 X509_digest(x509, md, digest, &n); | 413 X509_digest(x509, md, digest, &n); |
| 393 | 414 |
| 394 *length = n; | 415 *length = n; |
| 395 | 416 |
| 396 return true; | 417 return true; |
| 397 } | 418 } |
| 398 | 419 |
| 399 OpenSSLCertificate::~OpenSSLCertificate() { | 420 OpenSSLCertificate::~OpenSSLCertificate() { |
| 400 X509_free(x509_); | 421 X509_free(x509_); |
| 422 for (SSLCertificate* cert : cert_chain_) { |
| 423 delete cert; |
| 424 } |
| 425 } |
| 426 |
| 427 X509* OpenSSLCertificate::GetX509Reference() const { |
| 428 if (x509_ != nullptr) { |
| 429 AddReference(x509_); |
| 430 } |
| 431 return x509_; |
| 401 } | 432 } |
| 402 | 433 |
| 403 OpenSSLCertificate* OpenSSLCertificate::GetReference() const { | 434 OpenSSLCertificate* OpenSSLCertificate::GetReference() const { |
| 404 return new OpenSSLCertificate(x509_); | 435 STACK_OF(X509)* stack_x509 = sk_X509_new_null(); |
| 436 sk_X509_push(stack_x509, x509_); |
| 437 for (auto cert_it = cert_chain_.begin(); cert_it != cert_chain_.end(); |
| 438 ++cert_it) { |
| 439 OpenSSLCertificate* cert = reinterpret_cast<OpenSSLCertificate*>(*cert_it); |
| 440 sk_X509_push(stack_x509, cert->x509()); |
| 441 } |
| 442 return new OpenSSLCertificate(stack_x509); |
| 405 } | 443 } |
| 406 | 444 |
| 407 std::string OpenSSLCertificate::ToPEMString() const { | 445 std::string OpenSSLCertificate::ToPEMString() const { |
| 408 BIO* bio = BIO_new(BIO_s_mem()); | 446 BIO* bio = BIO_new(BIO_s_mem()); |
| 409 if (!bio) { | 447 if (!bio) { |
| 410 FATAL() << "unreachable code"; | 448 FATAL() << "unreachable code"; |
| 411 } | 449 } |
| 412 if (!PEM_write_bio_X509(bio, x509_)) { | 450 if (!PEM_write_bio_X509(bio, x509_)) { |
| 413 BIO_free(bio); | 451 BIO_free(bio); |
| 414 FATAL() << "unreachable code"; | 452 FATAL() << "unreachable code"; |
| 415 } | 453 } |
| 416 BIO_write(bio, "\0", 1); | 454 BIO_write(bio, "\0", 1); |
| 417 char* buffer; | 455 char* buffer; |
| 418 BIO_get_mem_data(bio, &buffer); | 456 BIO_get_mem_data(bio, &buffer); |
| 419 std::string ret(buffer); | 457 std::string ret(buffer); |
| 420 BIO_free(bio); | 458 BIO_free(bio); |
| 459 for (size_t i = 0; i < cert_chain_.size(); ++i) { |
| 460 OpenSSLCertificate* cert = |
| 461 reinterpret_cast<OpenSSLCertificate*>(cert_chain_[i]); |
| 462 ret += cert->ToPEMString(); |
| 463 } |
| 421 return ret; | 464 return ret; |
| 422 } | 465 } |
| 423 | 466 |
| 424 void OpenSSLCertificate::ToDER(Buffer* der_buffer) const { | 467 void OpenSSLCertificate::ToDER(Buffer* der_buffer) const { |
| 425 // In case of failure, make sure to leave the buffer empty. | 468 // In case of failure, make sure to leave the buffer empty. |
| 426 der_buffer->SetSize(0); | 469 der_buffer->SetSize(0); |
| 427 | 470 |
| 428 // Calculates the DER representation of the certificate, from scratch. | 471 // Calculates the DER representation of the certificate, from scratch. |
| 429 BIO* bio = BIO_new(BIO_s_mem()); | 472 BIO* bio = BIO_new(BIO_s_mem()); |
| 430 if (!bio) { | 473 if (!bio) { |
| 431 FATAL() << "unreachable code"; | 474 FATAL() << "unreachable code"; |
| 432 } | 475 } |
| 433 if (!i2d_X509_bio(bio, x509_)) { | 476 if (!i2d_X509_bio(bio, x509_)) { |
| 434 BIO_free(bio); | 477 BIO_free(bio); |
| 435 FATAL() << "unreachable code"; | 478 FATAL() << "unreachable code"; |
| 436 } | 479 } |
| 437 char* data; | 480 char* data; |
| 438 size_t length = BIO_get_mem_data(bio, &data); | 481 size_t length = BIO_get_mem_data(bio, &data); |
| 439 der_buffer->SetData(data, length); | 482 der_buffer->SetData(data, length); |
| 440 BIO_free(bio); | 483 BIO_free(bio); |
| 441 } | 484 } |
| 442 | 485 |
| 443 void OpenSSLCertificate::AddReference() const { | 486 void OpenSSLCertificate::AddReference(X509* x509) const { |
| 444 RTC_DCHECK(x509_ != nullptr); | 487 RTC_DCHECK(x509 != nullptr); |
| 445 #if defined(OPENSSL_IS_BORINGSSL) | 488 #if defined(OPENSSL_IS_BORINGSSL) |
| 446 X509_up_ref(x509_); | 489 X509_up_ref(x509); |
| 447 #else | 490 #else |
| 448 CRYPTO_add(&x509_->references, 1, CRYPTO_LOCK_X509); | 491 CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509); |
| 449 #endif | 492 #endif |
| 450 } | 493 } |
| 451 | 494 |
| 452 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const { | 495 bool OpenSSLCertificate::operator==(const OpenSSLCertificate& other) const { |
| 496 if (this->cert_chain_.size() != other.cert_chain_.size()) { |
| 497 return false; |
| 498 } |
| 499 for (size_t i = 0; i < cert_chain_.size(); ++i) { |
| 500 OpenSSLCertificate* cert = |
| 501 reinterpret_cast<OpenSSLCertificate*>(cert_chain_[i]); |
| 502 OpenSSLCertificate* other_cert = |
| 503 reinterpret_cast<OpenSSLCertificate*>(other.cert_chain_[i]); |
| 504 if (*cert != *other_cert) { |
| 505 return false; |
| 506 } |
| 507 } |
| 453 return X509_cmp(this->x509_, other.x509_) == 0; | 508 return X509_cmp(this->x509_, other.x509_) == 0; |
| 454 } | 509 } |
| 455 | 510 |
| 456 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const { | 511 bool OpenSSLCertificate::operator!=(const OpenSSLCertificate& other) const { |
| 457 return !(*this == other); | 512 return !(*this == other); |
| 458 } | 513 } |
| 459 | 514 |
| 460 // Documented in sslidentity.h. | 515 // Documented in sslidentity.h. |
| 461 int64_t OpenSSLCertificate::CertificateExpirationTime() const { | 516 int64_t OpenSSLCertificate::CertificateExpirationTime() const { |
| 462 ASN1_TIME* expire_time = X509_get_notAfter(x509_); | 517 ASN1_TIME* expire_time = X509_get_notAfter(x509_); |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 546 certificate_->GetReference()); | 601 certificate_->GetReference()); |
| 547 } | 602 } |
| 548 | 603 |
| 549 bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) { | 604 bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) { |
| 550 // 1 is the documented success return code. | 605 // 1 is the documented success return code. |
| 551 if (SSL_CTX_use_certificate(ctx, certificate_->x509()) != 1 || | 606 if (SSL_CTX_use_certificate(ctx, certificate_->x509()) != 1 || |
| 552 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { | 607 SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { |
| 553 LogSSLErrors("Configuring key and certificate"); | 608 LogSSLErrors("Configuring key and certificate"); |
| 554 return false; | 609 return false; |
| 555 } | 610 } |
| 611 // If Chains are available, use it. |
| 612 std::unique_ptr<SSLCertChain> cert_chain = certificate_->GetChain(); |
| 613 for (size_t i = 0; cert_chain != nullptr && i < cert_chain->GetSize(); ++i) { |
| 614 const OpenSSLCertificate* cert = |
| 615 reinterpret_cast<const OpenSSLCertificate*>(&cert_chain->Get(i)); |
| 616 if (!SSL_CTX_add_extra_chain_cert(ctx, cert->GetX509Reference())) { |
| 617 LogSSLErrors("Configuring intermediate certificate"); |
| 618 return false; |
| 619 } |
| 620 } |
| 556 return true; | 621 return true; |
| 557 } | 622 } |
| 558 | 623 |
| 559 std::string OpenSSLIdentity::PrivateKeyToPEMString() const { | 624 std::string OpenSSLIdentity::PrivateKeyToPEMString() const { |
| 560 return key_pair_->PrivateKeyToPEMString(); | 625 return key_pair_->PrivateKeyToPEMString(); |
| 561 } | 626 } |
| 562 | 627 |
| 563 std::string OpenSSLIdentity::PublicKeyToPEMString() const { | 628 std::string OpenSSLIdentity::PublicKeyToPEMString() const { |
| 564 return key_pair_->PublicKeyToPEMString(); | 629 return key_pair_->PublicKeyToPEMString(); |
| 565 } | 630 } |
| 566 | 631 |
| 567 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const { | 632 bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const { |
| 568 return *this->key_pair_ == *other.key_pair_ && | 633 return *this->key_pair_ == *other.key_pair_ && |
| 569 *this->certificate_ == *other.certificate_; | 634 *this->certificate_ == *other.certificate_; |
| 570 } | 635 } |
| 571 | 636 |
| 572 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const { | 637 bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const { |
| 573 return !(*this == other); | 638 return !(*this == other); |
| 574 } | 639 } |
| 575 | 640 |
| 576 } // namespace rtc | 641 } // namespace rtc |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3010363002:
Implement GetChain for OpenSSLCertificate.
