Misc OpenSSL fixes

improving the error message from PEM parsing and adding a few DCHECKs Tested locally with OpenSSL 3.x BUG=webrtc:42225468 Change-Id: Ia2ff1e5826f486060db73bee979e2703fc6c5823 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/358441 Reviewed-by: Harald Alvestrand <hta@webrtc.org> Commit-Queue: Philipp Hancke <phancke@meta.com> Reviewed-by: David Benjamin <davidben@webrtc.org> Cr-Commit-Position: refs/heads/main@{#42776}
2024-08-09 11:56:33 -07:00 · 2024-08-09 11:56:33 -07:00 · cfd83744d9
commit cfd83744d9
parent 3ee2161cc9
4 changed files with 12 additions and 5 deletions
--- a/rtc_base/openssl_certificate.cc
+++ b/rtc_base/openssl_certificate.cc
@ -56,6 +56,7 @@ static void PrintCert(X509* x509) {
 // Generate a self-signed certificate, with the public key from the
 // given key pair. Caller is responsible for freeing the returned object.
 static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) {
+  RTC_DCHECK(pkey != nullptr);
  RTC_LOG(LS_INFO) << "Making certificate for " << params.common_name;

  ASN1_INTEGER* asn1_serial_number = nullptr;
@ -95,8 +96,8 @@ static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) {
  name.reset(X509_NAME_new());
  if (name == nullptr ||
      !X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_UTF8,
-                                  (unsigned char*)params.common_name.c_str(),
-                                  -1, -1, 0) ||
+                                  (unsigned char*)params.common_name.data(), -1,
+                                  -1, 0) ||
      !X509_set_subject_name(x509.get(), name.get()) ||
      !X509_set_issuer_name(x509.get(), name.get())) {
    return nullptr;
--- a/rtc_base/openssl_identity.cc
+++ b/rtc_base/openssl_identity.cc
@ -79,8 +79,11 @@ std::unique_ptr<OpenSSLIdentity> OpenSSLIdentity::CreateWithExpiration(
  time_t now = time(nullptr);
  params.not_before = now + kCertificateWindowInSeconds;
  params.not_after = now + certificate_lifetime;
-  if (params.not_before > params.not_after)
+  if (params.not_before > params.not_after) {
+    RTC_LOG(LS_ERROR)
+        << "Іdentity generated failed, not_before is after not_after.";
    return nullptr;
+  }
  return CreateInternal(params);
 }

@ -127,7 +130,8 @@ std::unique_ptr<SSLIdentity> OpenSSLIdentity::CreateFromPEMChainStrings(
          ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
        break;
      }
-      RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string.";
+      RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string: "
+                        << ERR_reason_error_string(err);
      BIO_free(bio);
      return nullptr;
    }
--- a/rtc_base/rtc_certificate.cc
+++ b/rtc_base/rtc_certificate.cc
@ -21,7 +21,7 @@ namespace rtc {

 scoped_refptr<RTCCertificate> RTCCertificate::Create(
    std::unique_ptr<SSLIdentity> identity) {
-  // Explicit new to access proteced constructor.
+  // Explicit new to access protected constructor.
  return rtc::scoped_refptr<RTCCertificate>(
      new RTCCertificate(identity.release()));
 }
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@ -493,6 +493,8 @@ class SSLStreamAdapterTestBase : public ::testing::Test,
            : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED;

    RTC_LOG(LS_INFO) << "Setting peer identities by digest";
+    RTC_DCHECK(server_identity());
+    RTC_DCHECK(client_identity());

    rv = server_identity()->certificate().ComputeDigest(
        digest_algorithm_, server_digest, digest_length_, &server_digest_len);