henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2004 The WebRTC Project Authors. All rights reserved. |
| 3 | * |
| 4 | * Use of this source code is governed by a BSD-style license |
| 5 | * that can be found in the LICENSE file in the root of the source |
| 6 | * tree. An additional intellectual property rights grant can be found |
| 7 | * in the file PATENTS. All contributing project authors may |
| 8 | * be found in the AUTHORS file in the root of the source tree. |
| 9 | */ |
| 10 | |
Steve Anton | 10542f2 | 2019-01-11 09:11:00 -0800 | [diff] [blame^] | 11 | #include "rtc_base/openssl_identity.h" |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 12 | |
jbauch | 555604a | 2016-04-26 03:13:22 -0700 | [diff] [blame] | 13 | #include <memory> |
Benjamin Wright | d6f86e8 | 2018-05-08 13:12:25 -0700 | [diff] [blame] | 14 | #include <utility> |
| 15 | #include <vector> |
jbauch | 555604a | 2016-04-26 03:13:22 -0700 | [diff] [blame] | 16 | |
Mirko Bonadei | e062385 | 2018-02-01 11:17:40 +0100 | [diff] [blame] | 17 | #if defined(WEBRTC_WIN) |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 18 | // Must be included first before openssl headers. |
Mirko Bonadei | 92ea95e | 2017-09-15 06:47:31 +0200 | [diff] [blame] | 19 | #include "rtc_base/win32.h" // NOLINT |
Yves Gerey | 665174f | 2018-06-19 15:03:05 +0200 | [diff] [blame] | 20 | #endif // WEBRTC_WIN |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 21 | |
| 22 | #include <openssl/bio.h> |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 23 | #include <openssl/bn.h> |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 24 | #include <openssl/err.h> |
| 25 | #include <openssl/pem.h> |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 26 | #include <openssl/rsa.h> |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 27 | |
Yves Gerey | 988cc08 | 2018-10-23 12:03:01 +0200 | [diff] [blame] | 28 | #include <stdint.h> |
| 29 | |
Karl Wiberg | 918f50c | 2018-07-05 11:40:33 +0200 | [diff] [blame] | 30 | #include "absl/memory/memory.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 06:47:31 +0200 | [diff] [blame] | 31 | #include "rtc_base/checks.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 06:47:31 +0200 | [diff] [blame] | 32 | #include "rtc_base/logging.h" |
Mirko Bonadei | a041f92 | 2018-05-23 10:22:36 +0200 | [diff] [blame] | 33 | #include "rtc_base/numerics/safe_conversions.h" |
Mirko Bonadei | 92ea95e | 2017-09-15 06:47:31 +0200 | [diff] [blame] | 34 | #include "rtc_base/openssl.h" |
Steve Anton | 10542f2 | 2019-01-11 09:11:00 -0800 | [diff] [blame^] | 35 | #include "rtc_base/openssl_utility.h" |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 36 | |
| 37 | namespace rtc { |
| 38 | |
| 39 | // We could have exposed a myriad of parameters for the crypto stuff, |
| 40 | // but keeping it simple seems best. |
| 41 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 42 | // Generate a key pair. Caller is responsible for freeing the returned object. |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 43 | static EVP_PKEY* MakeKey(const KeyParams& key_params) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 44 | RTC_LOG(LS_INFO) << "Making key pair"; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 45 | EVP_PKEY* pkey = EVP_PKEY_new(); |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 46 | if (key_params.type() == KT_RSA) { |
| 47 | int key_length = key_params.rsa_params().mod_size; |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 48 | BIGNUM* exponent = BN_new(); |
| 49 | RSA* rsa = RSA_new(); |
| 50 | if (!pkey || !exponent || !rsa || |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 51 | !BN_set_word(exponent, key_params.rsa_params().pub_exp) || |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 52 | !RSA_generate_key_ex(rsa, key_length, exponent, nullptr) || |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 53 | !EVP_PKEY_assign_RSA(pkey, rsa)) { |
| 54 | EVP_PKEY_free(pkey); |
| 55 | BN_free(exponent); |
| 56 | RSA_free(rsa); |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 57 | RTC_LOG(LS_ERROR) << "Failed to make RSA key pair"; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 58 | return nullptr; |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 59 | } |
| 60 | // ownership of rsa struct was assigned, don't free it. |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 61 | BN_free(exponent); |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 62 | } else if (key_params.type() == KT_ECDSA) { |
| 63 | if (key_params.ec_curve() == EC_NIST_P256) { |
| 64 | EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
ssaroha | bbfed52 | 2016-12-11 18:42:07 -0800 | [diff] [blame] | 65 | |
| 66 | // Ensure curve name is included when EC key is serialized. |
| 67 | // Without this call, OpenSSL versions before 1.1.0 will create |
| 68 | // certificates that don't work for TLS. |
| 69 | // This is a no-op for BoringSSL and OpenSSL 1.1.0+ |
| 70 | EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE); |
| 71 | |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 72 | if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) || |
| 73 | !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) { |
| 74 | EVP_PKEY_free(pkey); |
| 75 | EC_KEY_free(ec_key); |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 76 | RTC_LOG(LS_ERROR) << "Failed to make EC key pair"; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 77 | return nullptr; |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 78 | } |
| 79 | // ownership of ec_key struct was assigned, don't free it. |
| 80 | } else { |
| 81 | // Add generation of any other curves here. |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 82 | EVP_PKEY_free(pkey); |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 83 | RTC_LOG(LS_ERROR) << "ECDSA key requested for unknown curve"; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 84 | return nullptr; |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 85 | } |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 86 | } else { |
| 87 | EVP_PKEY_free(pkey); |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 88 | RTC_LOG(LS_ERROR) << "Key type requested not understood"; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 89 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 90 | } |
Torbjorn Granlund | b6d4ec4 | 2015-08-17 14:08:59 +0200 | [diff] [blame] | 91 | |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 92 | RTC_LOG(LS_INFO) << "Returning key pair"; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 93 | return pkey; |
| 94 | } |
| 95 | |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 96 | OpenSSLKeyPair* OpenSSLKeyPair::Generate(const KeyParams& key_params) { |
| 97 | EVP_PKEY* pkey = MakeKey(key_params); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 98 | if (!pkey) { |
Benjamin Wright | d6f86e8 | 2018-05-08 13:12:25 -0700 | [diff] [blame] | 99 | openssl::LogSSLErrors("Generating key pair"); |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 100 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 101 | } |
| 102 | return new OpenSSLKeyPair(pkey); |
| 103 | } |
| 104 | |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 105 | OpenSSLKeyPair* OpenSSLKeyPair::FromPrivateKeyPEMString( |
| 106 | const std::string& pem_string) { |
| 107 | BIO* bio = BIO_new_mem_buf(const_cast<char*>(pem_string.c_str()), -1); |
| 108 | if (!bio) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 109 | RTC_LOG(LS_ERROR) << "Failed to create a new BIO buffer."; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 110 | return nullptr; |
| 111 | } |
| 112 | BIO_set_mem_eof_return(bio, 0); |
| 113 | EVP_PKEY* pkey = |
| 114 | PEM_read_bio_PrivateKey(bio, nullptr, nullptr, const_cast<char*>("\0")); |
| 115 | BIO_free(bio); // Frees the BIO, but not the pointed-to string. |
| 116 | if (!pkey) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 117 | RTC_LOG(LS_ERROR) << "Failed to create the private key from PEM string."; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 118 | return nullptr; |
| 119 | } |
| 120 | if (EVP_PKEY_missing_parameters(pkey) != 0) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 121 | RTC_LOG(LS_ERROR) |
| 122 | << "The resulting key pair is missing public key parameters."; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 123 | EVP_PKEY_free(pkey); |
| 124 | return nullptr; |
| 125 | } |
| 126 | return new OpenSSLKeyPair(pkey); |
| 127 | } |
| 128 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 129 | OpenSSLKeyPair::~OpenSSLKeyPair() { |
| 130 | EVP_PKEY_free(pkey_); |
| 131 | } |
| 132 | |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 133 | OpenSSLKeyPair* OpenSSLKeyPair::GetReference() { |
| 134 | AddReference(); |
| 135 | return new OpenSSLKeyPair(pkey_); |
| 136 | } |
| 137 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 138 | void OpenSSLKeyPair::AddReference() { |
Jiayang Liu | 770cc38 | 2015-05-28 15:36:29 -0700 | [diff] [blame] | 139 | EVP_PKEY_up_ref(pkey_); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 140 | } |
| 141 | |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 142 | std::string OpenSSLKeyPair::PrivateKeyToPEMString() const { |
| 143 | BIO* temp_memory_bio = BIO_new(BIO_s_mem()); |
| 144 | if (!temp_memory_bio) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 145 | RTC_LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio"; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 146 | RTC_NOTREACHED(); |
| 147 | return ""; |
| 148 | } |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 149 | if (!PEM_write_bio_PrivateKey(temp_memory_bio, pkey_, nullptr, nullptr, 0, |
| 150 | nullptr, nullptr)) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 151 | RTC_LOG_F(LS_ERROR) << "Failed to write private key"; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 152 | BIO_free(temp_memory_bio); |
| 153 | RTC_NOTREACHED(); |
| 154 | return ""; |
| 155 | } |
| 156 | BIO_write(temp_memory_bio, "\0", 1); |
| 157 | char* buffer; |
| 158 | BIO_get_mem_data(temp_memory_bio, &buffer); |
| 159 | std::string priv_key_str = buffer; |
| 160 | BIO_free(temp_memory_bio); |
| 161 | return priv_key_str; |
| 162 | } |
| 163 | |
| 164 | std::string OpenSSLKeyPair::PublicKeyToPEMString() const { |
| 165 | BIO* temp_memory_bio = BIO_new(BIO_s_mem()); |
| 166 | if (!temp_memory_bio) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 167 | RTC_LOG_F(LS_ERROR) << "Failed to allocate temporary memory bio"; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 168 | RTC_NOTREACHED(); |
| 169 | return ""; |
| 170 | } |
| 171 | if (!PEM_write_bio_PUBKEY(temp_memory_bio, pkey_)) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 172 | RTC_LOG_F(LS_ERROR) << "Failed to write public key"; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 173 | BIO_free(temp_memory_bio); |
| 174 | RTC_NOTREACHED(); |
| 175 | return ""; |
| 176 | } |
| 177 | BIO_write(temp_memory_bio, "\0", 1); |
| 178 | char* buffer; |
| 179 | BIO_get_mem_data(temp_memory_bio, &buffer); |
| 180 | std::string pub_key_str = buffer; |
| 181 | BIO_free(temp_memory_bio); |
| 182 | return pub_key_str; |
| 183 | } |
| 184 | |
| 185 | bool OpenSSLKeyPair::operator==(const OpenSSLKeyPair& other) const { |
| 186 | return EVP_PKEY_cmp(this->pkey_, other.pkey_) == 1; |
| 187 | } |
| 188 | |
| 189 | bool OpenSSLKeyPair::operator!=(const OpenSSLKeyPair& other) const { |
| 190 | return !(*this == other); |
| 191 | } |
| 192 | |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 193 | OpenSSLIdentity::OpenSSLIdentity( |
| 194 | std::unique_ptr<OpenSSLKeyPair> key_pair, |
| 195 | std::unique_ptr<OpenSSLCertificate> certificate) |
| 196 | : key_pair_(std::move(key_pair)) { |
| 197 | RTC_DCHECK(key_pair_ != nullptr); |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 198 | RTC_DCHECK(certificate != nullptr); |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 199 | std::vector<std::unique_ptr<SSLCertificate>> certs; |
| 200 | certs.push_back(std::move(certificate)); |
| 201 | cert_chain_.reset(new SSLCertChain(std::move(certs))); |
| 202 | } |
| 203 | |
| 204 | OpenSSLIdentity::OpenSSLIdentity(std::unique_ptr<OpenSSLKeyPair> key_pair, |
| 205 | std::unique_ptr<SSLCertChain> cert_chain) |
| 206 | : key_pair_(std::move(key_pair)), cert_chain_(std::move(cert_chain)) { |
| 207 | RTC_DCHECK(key_pair_ != nullptr); |
| 208 | RTC_DCHECK(cert_chain_ != nullptr); |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 209 | } |
| 210 | |
| 211 | OpenSSLIdentity::~OpenSSLIdentity() = default; |
| 212 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 213 | OpenSSLIdentity* OpenSSLIdentity::GenerateInternal( |
| 214 | const SSLIdentityParams& params) { |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 215 | std::unique_ptr<OpenSSLKeyPair> key_pair( |
| 216 | OpenSSLKeyPair::Generate(params.key_params)); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 217 | if (key_pair) { |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 218 | std::unique_ptr<OpenSSLCertificate> certificate( |
| 219 | OpenSSLCertificate::Generate(key_pair.get(), params)); |
| 220 | if (certificate != nullptr) |
| 221 | return new OpenSSLIdentity(std::move(key_pair), std::move(certificate)); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 222 | } |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 223 | RTC_LOG(LS_INFO) << "Identity generation failed"; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 224 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 225 | } |
| 226 | |
Torbjorn Granlund | 1d846b2 | 2016-03-31 16:21:04 +0200 | [diff] [blame] | 227 | OpenSSLIdentity* OpenSSLIdentity::GenerateWithExpiration( |
| 228 | const std::string& common_name, |
| 229 | const KeyParams& key_params, |
| 230 | time_t certificate_lifetime) { |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 231 | SSLIdentityParams params; |
torbjorng | 4e57247 | 2015-10-08 09:42:49 -0700 | [diff] [blame] | 232 | params.key_params = key_params; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 233 | params.common_name = common_name; |
deadbeef | 37f5ecf | 2017-02-27 14:06:41 -0800 | [diff] [blame] | 234 | time_t now = time(nullptr); |
Torbjorn Granlund | 1d846b2 | 2016-03-31 16:21:04 +0200 | [diff] [blame] | 235 | params.not_before = now + kCertificateWindowInSeconds; |
torbjorng | e8dc081 | 2016-02-15 09:35:54 -0800 | [diff] [blame] | 236 | params.not_after = now + certificate_lifetime; |
Torbjorn Granlund | 1d846b2 | 2016-03-31 16:21:04 +0200 | [diff] [blame] | 237 | if (params.not_before > params.not_after) |
| 238 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 239 | return GenerateInternal(params); |
| 240 | } |
| 241 | |
| 242 | OpenSSLIdentity* OpenSSLIdentity::GenerateForTest( |
| 243 | const SSLIdentityParams& params) { |
| 244 | return GenerateInternal(params); |
| 245 | } |
| 246 | |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 247 | SSLIdentity* OpenSSLIdentity::FromPEMStrings(const std::string& private_key, |
| 248 | const std::string& certificate) { |
jbauch | 555604a | 2016-04-26 03:13:22 -0700 | [diff] [blame] | 249 | std::unique_ptr<OpenSSLCertificate> cert( |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 250 | OpenSSLCertificate::FromPEMString(certificate)); |
| 251 | if (!cert) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 252 | RTC_LOG(LS_ERROR) << "Failed to create OpenSSLCertificate from PEM string."; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 253 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 254 | } |
| 255 | |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 256 | std::unique_ptr<OpenSSLKeyPair> key_pair( |
| 257 | OpenSSLKeyPair::FromPrivateKeyPEMString(private_key)); |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 258 | if (!key_pair) { |
Mirko Bonadei | 675513b | 2017-11-09 11:09:25 +0100 | [diff] [blame] | 259 | RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string."; |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 260 | return nullptr; |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 261 | } |
| 262 | |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 263 | return new OpenSSLIdentity(std::move(key_pair), std::move(cert)); |
| 264 | } |
| 265 | |
| 266 | SSLIdentity* OpenSSLIdentity::FromPEMChainStrings( |
| 267 | const std::string& private_key, |
| 268 | const std::string& certificate_chain) { |
Yves Gerey | 665174f | 2018-06-19 15:03:05 +0200 | [diff] [blame] | 269 | BIO* bio = BIO_new_mem_buf(certificate_chain.data(), |
| 270 | rtc::dchecked_cast<int>(certificate_chain.size())); |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 271 | if (!bio) |
| 272 | return nullptr; |
| 273 | BIO_set_mem_eof_return(bio, 0); |
| 274 | std::vector<std::unique_ptr<SSLCertificate>> certs; |
| 275 | while (true) { |
| 276 | X509* x509 = |
| 277 | PEM_read_bio_X509(bio, nullptr, nullptr, const_cast<char*>("\0")); |
| 278 | if (x509 == nullptr) { |
| 279 | uint32_t err = ERR_peek_error(); |
| 280 | if (ERR_GET_LIB(err) == ERR_LIB_PEM && |
| 281 | ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { |
| 282 | break; |
| 283 | } |
| 284 | RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string."; |
| 285 | BIO_free(bio); |
| 286 | return nullptr; |
| 287 | } |
| 288 | certs.emplace_back(new OpenSSLCertificate(x509)); |
| 289 | X509_free(x509); |
| 290 | } |
| 291 | BIO_free(bio); |
| 292 | if (certs.empty()) { |
| 293 | RTC_LOG(LS_ERROR) << "Found no certificates in PEM string."; |
| 294 | return nullptr; |
| 295 | } |
| 296 | |
| 297 | std::unique_ptr<OpenSSLKeyPair> key_pair( |
| 298 | OpenSSLKeyPair::FromPrivateKeyPEMString(private_key)); |
| 299 | if (!key_pair) { |
| 300 | RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string."; |
| 301 | return nullptr; |
| 302 | } |
| 303 | |
| 304 | return new OpenSSLIdentity(std::move(key_pair), |
Karl Wiberg | 918f50c | 2018-07-05 11:40:33 +0200 | [diff] [blame] | 305 | absl::make_unique<SSLCertChain>(std::move(certs))); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 306 | } |
| 307 | |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 308 | const OpenSSLCertificate& OpenSSLIdentity::certificate() const { |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 309 | return *static_cast<const OpenSSLCertificate*>(&cert_chain_->Get(0)); |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 310 | } |
| 311 | |
Taylor Brandstetter | c392866 | 2018-02-23 13:04:51 -0800 | [diff] [blame] | 312 | const SSLCertChain& OpenSSLIdentity::cert_chain() const { |
| 313 | return *cert_chain_.get(); |
| 314 | } |
| 315 | |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 316 | OpenSSLIdentity* OpenSSLIdentity::GetReference() const { |
Karl Wiberg | 918f50c | 2018-07-05 11:40:33 +0200 | [diff] [blame] | 317 | return new OpenSSLIdentity(absl::WrapUnique(key_pair_->GetReference()), |
Steve Anton | f25303e | 2018-10-16 15:23:31 -0700 | [diff] [blame] | 318 | cert_chain_->Clone()); |
kwiberg@webrtc.org | 67186fe | 2015-03-09 22:21:53 +0000 | [diff] [blame] | 319 | } |
| 320 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 321 | bool OpenSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) { |
| 322 | // 1 is the documented success return code. |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 323 | const OpenSSLCertificate* cert = &certificate(); |
| 324 | if (SSL_CTX_use_certificate(ctx, cert->x509()) != 1 || |
| 325 | SSL_CTX_use_PrivateKey(ctx, key_pair_->pkey()) != 1) { |
Benjamin Wright | d6f86e8 | 2018-05-08 13:12:25 -0700 | [diff] [blame] | 326 | openssl::LogSSLErrors("Configuring key and certificate"); |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 327 | return false; |
| 328 | } |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 329 | // If a chain is available, use it. |
| 330 | for (size_t i = 1; i < cert_chain_->GetSize(); ++i) { |
| 331 | cert = static_cast<const OpenSSLCertificate*>(&cert_chain_->Get(i)); |
| 332 | if (SSL_CTX_add1_chain_cert(ctx, cert->x509()) != 1) { |
Benjamin Wright | d6f86e8 | 2018-05-08 13:12:25 -0700 | [diff] [blame] | 333 | openssl::LogSSLErrors("Configuring intermediate certificate"); |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 334 | return false; |
| 335 | } |
| 336 | } |
| 337 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 338 | return true; |
| 339 | } |
| 340 | |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 341 | std::string OpenSSLIdentity::PrivateKeyToPEMString() const { |
| 342 | return key_pair_->PrivateKeyToPEMString(); |
| 343 | } |
| 344 | |
| 345 | std::string OpenSSLIdentity::PublicKeyToPEMString() const { |
| 346 | return key_pair_->PublicKeyToPEMString(); |
| 347 | } |
| 348 | |
| 349 | bool OpenSSLIdentity::operator==(const OpenSSLIdentity& other) const { |
| 350 | return *this->key_pair_ == *other.key_pair_ && |
Jian Cui | 0a8798b | 2017-11-16 16:58:02 -0800 | [diff] [blame] | 351 | this->certificate() == other.certificate(); |
hbos | 6b470a9 | 2016-04-28 05:14:21 -0700 | [diff] [blame] | 352 | } |
| 353 | |
| 354 | bool OpenSSLIdentity::operator!=(const OpenSSLIdentity& other) const { |
| 355 | return !(*this == other); |
| 356 | } |
| 357 | |
henrike@webrtc.org | f048872 | 2014-05-13 18:00:26 +0000 | [diff] [blame] | 358 | } // namespace rtc |