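/*
 *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */

// Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
//
// This header only declares the interface; key generation, parameter
// validation and PEM/DER handling live in the corresponding .cc file.

#ifndef RTC_BASE_SSL_IDENTITY_H_
#define RTC_BASE_SSL_IDENTITY_H_

#include <stdint.h>

#include <ctime>
#include <memory>
#include <string>

#include "absl/strings/string_view.h"
#include "rtc_base/system/rtc_export.h"

namespace rtc {

class SSLCertChain;
class SSLCertificate;

// KT_LAST is intended for vector declarations and loops over all key types;
// it does not represent any key type in itself.
// KT_DEFAULT is used as the default KeyType for KeyParams.
enum KeyType { KT_RSA, KT_ECDSA, KT_LAST, KT_DEFAULT = KT_ECDSA };

// RSA parameters used when a caller asks for RSA without giving explicit
// values (KeyParams::RSA() defaults, KeyParams(KT_RSA)).
//
// NOTE(review): a 1024-bit modulus is below the 2048-bit floor in current
// guidance (e.g. NIST SP 800-57). It is kept here for compatibility and is
// not the default key type (KT_DEFAULT is ECDSA); callers that need RSA for
// interop should pass a larger mod_size to KeyParams::RSA() explicitly.
static constexpr int kRsaDefaultModSize = 1024;
static constexpr int kRsaDefaultExponent = 0x10001;  // = 2^16+1 = 65537
// Bounds on the RSA modulus size accepted by KeyParams::RSA(). Presumably
// enforced by KeyParams::IsValid() in the .cc — confirm there before relying
// on them.
static constexpr int kRsaMinModSize = 1024;
static constexpr int kRsaMaxModSize = 8192;

// Certificate default validity lifetime, measured from generation time.
static constexpr int kDefaultCertificateLifetimeInSeconds =
    60 * 60 * 24 * 30;  // 30 days
// Certificate validity window.
// This is to compensate for slightly incorrect system clocks: the value is
// negative, i.e. the notBefore time is presumably backdated by one day so a
// peer whose clock runs slightly behind still accepts a fresh certificate.
static constexpr int kCertificateWindowInSeconds = -60 * 60 * 24;

// Explicit RSA key parameters: modulus size in bits and public exponent.
struct RSAParams {
  unsigned int mod_size;
  unsigned int pub_exp;
};

// Supported elliptic curves. EC_LAST is a sentinel for loops/array sizes and
// is not a curve.
enum ECCurve { EC_NIST_P256, /* EC_FANCY, */ EC_LAST };

// Describes which key type to generate and the parameters for it. Only the
// union member matching type() is meaningful.
class RTC_EXPORT KeyParams {
 public:
  // Generate a KeyParams object from a simple KeyType, using default params.
  explicit KeyParams(KeyType key_type = KT_DEFAULT);

  // Generate a KeyParams for RSA with explicit parameters.
  // `mod_size` is the modulus size in bits, `pub_exp` the public exponent.
  static KeyParams RSA(int mod_size = kRsaDefaultModSize,
                       int pub_exp = kRsaDefaultExponent);

  // Generate a KeyParams for ECDSA specifying the curve.
  static KeyParams ECDSA(ECCurve curve = EC_NIST_P256);

  // Check validity of a KeyParams object. Since the factory functions have
  // no way of returning errors, this function can be called after creation
  // to make sure the parameters are OK.
  bool IsValid() const;

  // RSA parameters; only meaningful when type() == KT_RSA.
  RSAParams rsa_params() const;

  // Curve; only meaningful when type() == KT_ECDSA.
  ECCurve ec_curve() const;

  KeyType type() const { return type_; }

 private:
  KeyType type_;
  // Active member is selected by type_.
  union {
    RSAParams rsa;
    ECCurve curve;
  } params_;
};

// TODO(hbos): Remove once rtc::KeyType (to be modified) and
// blink::WebRTCKeyType (to be landed) match. By using this function in Chromium
// appropriately we can change KeyType enum -> class without breaking Chromium.
KeyType IntKeyTypeFamilyToKeyType(int key_type_family);

// Parameters for generating a certificate. If `common_name` is non-empty, it
// will be used for the certificate's subject and issuer name, otherwise a
// random string will be used.
// `not_before` and `not_after` are absolute times since the epoch in seconds
// and are not initialized here — callers (CreateForTest) must set both.
struct SSLIdentityParams {
  std::string common_name;
  time_t not_before;  // Absolute time since epoch in seconds.
  time_t not_after;   // Absolute time since epoch in seconds.
  KeyParams key_params;
};

// Our identity in an SSL negotiation: a keypair and certificate (both
// with the same public key).
// This too is pretty much immutable once created.
class RTC_EXPORT SSLIdentity {
 public:
  // Generates an identity (keypair and self-signed certificate). If
  // `common_name` is non-empty, it will be used for the certificate's subject
  // and issuer name, otherwise a random string will be used. The key type and
  // parameters are defined in `key_param`. The certificate's lifetime in
  // seconds from the current time is defined in `certificate_lifetime`; it
  // should be a non-negative number.
  // Returns null on failure. Ownership is transferred through the returned
  // unique_ptr.
  static std::unique_ptr<SSLIdentity> Create(absl::string_view common_name,
                                             const KeyParams& key_param,
                                             time_t certificate_lifetime);
  // Same as above, using kDefaultCertificateLifetimeInSeconds presumably —
  // the header does not state the lifetime used; confirm in the .cc.
  static std::unique_ptr<SSLIdentity> Create(absl::string_view common_name,
                                             const KeyParams& key_param);
  // Same as above, with default KeyParams for `key_type`.
  static std::unique_ptr<SSLIdentity> Create(absl::string_view common_name,
                                             KeyType key_type);

  // Allows fine-grained control over expiration time.
  // Test-only: `params` supplies explicit not_before/not_after instead of a
  // lifetime relative to now.
  static std::unique_ptr<SSLIdentity> CreateForTest(
      const SSLIdentityParams& params);

  // Construct an identity from a private key and a certificate, both PEM.
  // NOTE(review): this header does not say whether the implementation checks
  // that `private_key` matches the certificate's public key, nor that it
  // returns null on malformed input; verify both in the .cc before feeding
  // it externally supplied material.
  static std::unique_ptr<SSLIdentity> CreateFromPEMStrings(
      absl::string_view private_key,
      absl::string_view certificate);

  // Construct an identity from a private key and a certificate chain, both
  // PEM. The first certificate in `certificate_chain` is presumably the leaf
  // — confirm against the .cc.
  static std::unique_ptr<SSLIdentity> CreateFromPEMChainStrings(
      absl::string_view private_key,
      absl::string_view certificate_chain);

  virtual ~SSLIdentity() = default;

  // Returns a new SSLIdentity object instance wrapping the same
  // identity information.
  std::unique_ptr<SSLIdentity> Clone() const { return CloneInternal(); }

  // Returns a temporary reference to the end-entity (leaf) certificate.
  virtual const SSLCertificate& certificate() const = 0;
  // Returns a temporary reference to the entire certificate chain.
  virtual const SSLCertChain& cert_chain() const = 0;
  // Serializes the private key as PEM. The returned string holds secret key
  // material: do not log it, and avoid persisting it outside a protected
  // store.
  virtual std::string PrivateKeyToPEMString() const = 0;
  // Serializes the public key as PEM.
  virtual std::string PublicKeyToPEMString() const = 0;

  // Helpers for converting between PEM and DER format.
  // `pem_type` is the label inside the PEM armor lines (see the kPemType*
  // constants at the end of this header). PemToDer writes the decoded bytes
  // to `der` and returns false if the input cannot be parsed.
  static bool PemToDer(absl::string_view pem_type,
                       absl::string_view pem_string,
                       std::string* der);
  // Wraps `length` bytes at `data` in a PEM armor labeled `pem_type`.
  static std::string DerToPem(absl::string_view pem_type,
                              const unsigned char* data,
                              size_t length);

 protected:
  // Implements Clone(); overridden by each backend.
  virtual std::unique_ptr<SSLIdentity> CloneInternal() const = 0;
};

// Identity equality; what is compared (key, certificate, chain) is defined in
// the .cc.
bool operator==(const SSLIdentity& a, const SSLIdentity& b);
bool operator!=(const SSLIdentity& a, const SSLIdentity& b);

// Convert from ASN1 time as restricted by RFC 5280 to seconds from 1970-01-01
// 00.00 ("epoch"). If the ASN1 time cannot be read, return -1. The data at
// `s` is not 0-terminated; its char count is defined by `length`.
// `long_format` presumably selects GeneralizedTime (YYYYMMDDHHMMSSZ) over
// UTCTime (YYMMDDHHMMSSZ) — confirm in the .cc.
// NOTE(review): -1 is also a representable instant (one second before the
// epoch); callers that accept pre-1970 times cannot distinguish it from a
// parse failure.
int64_t ASN1TimeToSec(const unsigned char* s, size_t length, bool long_format);

// PEM armor labels ("-----BEGIN <label>-----") used with PemToDer/DerToPem.
extern const char kPemTypeCertificate[];
extern const char kPemTypeRsaPrivateKey[];
extern const char kPemTypeEcPrivateKey[];

}  // namespace rtc

#endif  // RTC_BASE_SSL_IDENTITY_H_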