/* * libjingle * Copyright 2004, Google Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ // Handling of certificates and keypairs for SSLStreamAdapter's peer mode. #ifndef TALK_BASE_SSLIDENTITY_H_ #define TALK_BASE_SSLIDENTITY_H_ #include #include #include #include "talk/base/buffer.h" #include "talk/base/messagedigest.h" namespace talk_base { // Forward declaration due to circular dependency with SSLCertificate. class SSLCertChain; // Abstract interface overridden by SSL library specific // implementations. // A somewhat opaque type used to encapsulate a certificate. // Wraps the SSL library's notion of a certificate, with reference counting. // The SSLCertificate object is pretty much immutable once created. // (The OpenSSL implementation only does reference counting and // possibly caching of intermediate results.) class SSLCertificate { public: // Parses and build a certificate from a PEM encoded string. // Returns NULL on failure. // The length of the string representation of the certificate is // stored in *pem_length if it is non-NULL, and only if // parsing was successful. // Caller is responsible for freeing the returned object. static SSLCertificate* FromPEMString(const std::string& pem_string); virtual ~SSLCertificate() {} // Returns a new SSLCertificate object instance wrapping the same // underlying certificate, including its chain if present. // Caller is responsible for freeing the returned object. virtual SSLCertificate* GetReference() const = 0; // Provides the cert chain, or returns false. The caller owns the chain. // The chain includes a copy of each certificate, excluding the leaf. virtual bool GetChain(SSLCertChain** chain) const = 0; // Returns a PEM encoded string representation of the certificate. virtual std::string ToPEMString() const = 0; // Provides a DER encoded binary representation of the certificate. virtual void ToDER(Buffer* der_buffer) const = 0; // Gets the name of the digest algorithm that was used to compute this // certificate's signature. virtual bool GetSignatureDigestAlgorithm(std::string* algorithm) const = 0; // Compute the digest of the certificate given algorithm virtual bool ComputeDigest(const std::string& algorithm, unsigned char* digest, size_t size, size_t* length) const = 0; }; // SSLCertChain is a simple wrapper for a vector of SSLCertificates. It serves // primarily to ensure proper memory management (especially deletion) of the // SSLCertificate pointers. class SSLCertChain { public: // These constructors copy the provided SSLCertificate(s), so the caller // retains ownership. explicit SSLCertChain(const std::vector& certs) { ASSERT(!certs.empty()); certs_.resize(certs.size()); std::transform(certs.begin(), certs.end(), certs_.begin(), DupCert); } explicit SSLCertChain(const SSLCertificate* cert) { certs_.push_back(cert->GetReference()); } ~SSLCertChain() { std::for_each(certs_.begin(), certs_.end(), DeleteCert); } // Vector access methods. size_t GetSize() const { return certs_.size(); } // Returns a temporary reference, only valid until the chain is destroyed. const SSLCertificate& Get(size_t pos) const { return *(certs_[pos]); } // Returns a new SSLCertChain object instance wrapping the same underlying // certificate chain. Caller is responsible for freeing the returned object. SSLCertChain* Copy() const { return new SSLCertChain(certs_); } private: // Helper function for duplicating a vector of certificates. static SSLCertificate* DupCert(const SSLCertificate* cert) { return cert->GetReference(); } // Helper function for deleting a vector of certificates. static void DeleteCert(SSLCertificate* cert) { delete cert; } std::vector certs_; DISALLOW_COPY_AND_ASSIGN(SSLCertChain); }; // Parameters for generating an identity for testing. If common_name is // non-empty, it will be used for the certificate's subject and issuer name, // otherwise a random string will be used. |not_before| and |not_after| are // offsets to the current time in number of seconds. struct SSLIdentityParams { std::string common_name; int not_before; // in seconds. int not_after; // in seconds. }; // Our identity in an SSL negotiation: a keypair and certificate (both // with the same public key). // This too is pretty much immutable once created. class SSLIdentity { public: // Generates an identity (keypair and self-signed certificate). If // common_name is non-empty, it will be used for the certificate's // subject and issuer name, otherwise a random string will be used. // Returns NULL on failure. // Caller is responsible for freeing the returned object. static SSLIdentity* Generate(const std::string& common_name); // Generates an identity with the specified validity period. static SSLIdentity* GenerateForTest(const SSLIdentityParams& params); // Construct an identity from a private key and a certificate. static SSLIdentity* FromPEMStrings(const std::string& private_key, const std::string& certificate); virtual ~SSLIdentity() {} // Returns a new SSLIdentity object instance wrapping the same // identity information. // Caller is responsible for freeing the returned object. virtual SSLIdentity* GetReference() const = 0; // Returns a temporary reference to the certificate. virtual const SSLCertificate& certificate() const = 0; // Helpers for parsing converting between PEM and DER format. static bool PemToDer(const std::string& pem_type, const std::string& pem_string, std::string* der); static std::string DerToPem(const std::string& pem_type, const unsigned char* data, size_t length); }; extern const char kPemTypeCertificate[]; extern const char kPemTypeRsaPrivateKey[]; } // namespace talk_base #endif // TALK_BASE_SSLIDENTITY_H_