1 /*
2  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
3  *
4  *  Use of this source code is governed by a BSD-style license
5  *  that can be found in the LICENSE file in the root of the source
6  *  tree. An additional intellectual property rights grant can be found
7  *  in the file PATENTS.  All contributing project authors may
8  *  be found in the AUTHORS file in the root of the source tree.
9  */
10 
11 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
12 
13 #ifndef RTC_BASE_SSL_IDENTITY_H_
14 #define RTC_BASE_SSL_IDENTITY_H_
15 
16 #include <stdint.h>
17 #include <ctime>
18 #include <memory>
19 #include <string>
20 
21 #include "rtc_base/deprecation.h"
22 #include "rtc_base/system/rtc_export.h"
23 
24 namespace rtc {
25 
26 class SSLCertChain;
27 class SSLCertificate;
28 
29 // KT_LAST is intended for vector declarations and loops over all key types;
30 // it does not represent any key type in itself.
31 // KT_DEFAULT is used as the default KeyType for KeyParams.
32 enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_ECDSA };
33 
34 static const int kRsaDefaultModSize = 1024;
35 static const int kRsaDefaultExponent = 0x10001;  // = 2^16+1 = 65537
36 static const int kRsaMinModSize = 1024;
37 static const int kRsaMaxModSize = 8192;
38 
39 // Certificate default validity lifetime.
40 static const int kDefaultCertificateLifetimeInSeconds =
41     60 * 60 * 24 * 30;  // 30 days
42 // Certificate validity window.
43 // This is to compensate for slightly incorrect system clocks.
44 static const int kCertificateWindowInSeconds = -60 * 60 * 24;
45 
46 struct RSAParams {
47   unsigned int mod_size;
48   unsigned int pub_exp;
49 };
50 
51 enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };
52 
53 class RTC_EXPORT KeyParams {
54  public:
55   // Generate a KeyParams object from a simple KeyType, using default params.
56   explicit KeyParams(KeyType key_type = KT_DEFAULT);
57 
58   // Generate a a KeyParams for RSA with explicit parameters.
59   static KeyParams RSA(int mod_size = kRsaDefaultModSize,
60                        int pub_exp = kRsaDefaultExponent);
61 
62   // Generate a a KeyParams for ECDSA specifying the curve.
63   static KeyParams ECDSA(ECCurve curve = EC_NIST_P256);
64 
65   // Check validity of a KeyParams object. Since the factory functions have
66   // no way of returning errors, this function can be called after creation
67   // to make sure the parameters are OK.
68   bool IsValid() const;
69 
70   RSAParams rsa_params() const;
71 
72   ECCurve ec_curve() const;
73 
type()74   KeyType type() const { return type_; }
75 
76  private:
77   KeyType type_;
78   union {
79     RSAParams rsa;
80     ECCurve curve;
81   } params_;
82 };
83 
84 // TODO(hbos): Remove once rtc::KeyType (to be modified) and
85 // blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
86 // appropriately we can change KeyType enum -> class without breaking Chromium.
87 KeyType IntKeyTypeFamilyToKeyType(int key_type_family);
88 
89 // Parameters for generating a certificate. If |common_name| is non-empty, it
90 // will be used for the certificate's subject and issuer name, otherwise a
91 // random string will be used.
92 struct SSLIdentityParams {
93   std::string common_name;
94   time_t not_before;  // Absolute time since epoch in seconds.
95   time_t not_after;   // Absolute time since epoch in seconds.
96   KeyParams key_params;
97 };
98 
99 // Our identity in an SSL negotiation: a keypair and certificate (both
100 // with the same public key).
101 // This too is pretty much immutable once created.
102 class RTC_EXPORT SSLIdentity {
103  public:
104   // Generates an identity (keypair and self-signed certificate). If
105   // |common_name| is non-empty, it will be used for the certificate's subject
106   // and issuer name, otherwise a random string will be used. The key type and
107   // parameters are defined in |key_param|. The certificate's lifetime in
108   // seconds from the current time is defined in |certificate_lifetime|; it
109   // should be a non-negative number.
110   // Returns null on failure.
111   // Caller is responsible for freeing the returned object.
112   static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
113                                              const KeyParams& key_param,
114                                              time_t certificate_lifetime);
115   static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
116                                              const KeyParams& key_param);
117   static std::unique_ptr<SSLIdentity> Create(const std::string& common_name,
118                                              KeyType key_type);
119 
120   // Allows fine-grained control over expiration time.
121   static std::unique_ptr<SSLIdentity> CreateForTest(
122       const SSLIdentityParams& params);
123 
124   // Construct an identity from a private key and a certificate.
125   static std::unique_ptr<SSLIdentity> CreateFromPEMStrings(
126       const std::string& private_key,
127       const std::string& certificate);
128 
129   // Construct an identity from a private key and a certificate chain.
130   static std::unique_ptr<SSLIdentity> CreateFromPEMChainStrings(
131       const std::string& private_key,
132       const std::string& certificate_chain);
133 
~SSLIdentity()134   virtual ~SSLIdentity() {}
135 
136   // Returns a new SSLIdentity object instance wrapping the same
137   // identity information.
Clone()138   std::unique_ptr<SSLIdentity> Clone() const { return CloneInternal(); }
139 
140   // Returns a temporary reference to the end-entity (leaf) certificate.
141   virtual const SSLCertificate& certificate() const = 0;
142   // Returns a temporary reference to the entire certificate chain.
143   virtual const SSLCertChain& cert_chain() const = 0;
144   virtual std::string PrivateKeyToPEMString() const = 0;
145   virtual std::string PublicKeyToPEMString() const = 0;
146 
147   // Helpers for parsing converting between PEM and DER format.
148   static bool PemToDer(const std::string& pem_type,
149                        const std::string& pem_string,
150                        std::string* der);
151   static std::string DerToPem(const std::string& pem_type,
152                               const unsigned char* data,
153                               size_t length);
154 
155  protected:
156   virtual std::unique_ptr<SSLIdentity> CloneInternal() const = 0;
157 };
158 
159 bool operator==(const SSLIdentity& a, const SSLIdentity& b);
160 bool operator!=(const SSLIdentity& a, const SSLIdentity& b);
161 
162 // Convert from ASN1 time as restricted by RFC 5280 to seconds from 1970-01-01
163 // 00.00 ("epoch").  If the ASN1 time cannot be read, return -1.  The data at
164 // |s| is not 0-terminated; its char count is defined by |length|.
165 int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format);
166 
167 extern const char kPemTypeCertificate[];
168 extern const char kPemTypeRsaPrivateKey[];
169 extern const char kPemTypeEcPrivateKey[];
170 
171 }  // namespace rtc
172 
173 #endif  // RTC_BASE_SSL_IDENTITY_H_
174