Implement certificate lifetime parameter as required by WebRTC RFC.

BUG=chromium:569005 Review URL: https://codereview.webrtc.org/1683193003 Cr-Commit-Position: refs/heads/master@{#11629}
2016-02-15 09:35:54 -08:00 · 2016-02-15 09:35:54 -08:00 · e8dc081c35
commit e8dc081c35
parent b1ae3a45d0
5 changed files with 39 additions and 25 deletions
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@ -36,12 +36,6 @@ namespace rtc {
 // Random bits for certificate serial number
 static const int SERIAL_RAND_BITS = 64;

-// Certificate validity lifetime
-static const int CERTIFICATE_LIFETIME = 60*60*24*30;  // 30 days, arbitrarily
-// Certificate validity window.
-// This is to compensate for slightly incorrect system clocks.
-static const int CERTIFICATE_WINDOW = -60*60*24;
-
 // Generate a key pair. Caller is responsible for freeing the returned object.
 static EVP_PKEY* MakeKey(const KeyParams& key_params) {
  LOG(LS_INFO) << "Making key pair";
@ -414,13 +408,15 @@ OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
 }

 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
-                                           const KeyParams& key_params) {
+                                           const KeyParams& key_params,
+                                           time_t certificate_lifetime) {
  SSLIdentityParams params;
  params.key_params = key_params;
  params.common_name = common_name;
  time_t now = time(NULL);
-  params.not_before = now + CERTIFICATE_WINDOW;
-  params.not_after = now + CERTIFICATE_LIFETIME;
+  params.not_before = now + kCertificateWindow;
+  params.not_after = now + certificate_lifetime;
+  RTC_DCHECK(params.not_before < params.not_after);
  return GenerateInternal(params);
 }

--- a/webrtc/base/opensslidentity.h
+++ b/webrtc/base/opensslidentity.h
@ -102,7 +102,8 @@ class OpenSSLCertificate : public SSLCertificate {
 class OpenSSLIdentity : public SSLIdentity {
 public:
  static OpenSSLIdentity* Generate(const std::string& common_name,
-                                   const KeyParams& key_params);
+                                   const KeyParams& key_params,
+                                   time_t certificate_lifetime);
  static OpenSSLIdentity* GenerateForTest(const SSLIdentityParams& params);
  static SSLIdentity* FromPEMStrings(const std::string& private_key,
                                     const std::string& certificate);
--- a/webrtc/base/sslidentity.cc
+++ b/webrtc/base/sslidentity.cc
@ -159,8 +159,10 @@ SSLCertificate* SSLCertificate::FromPEMString(const std::string& pem_string) {
 }

 SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
-                                   const KeyParams& key_params) {
-  return OpenSSLIdentity::Generate(common_name, key_params);
+                                   const KeyParams& key_params,
+                                   time_t certificate_lifetime) {
+  return OpenSSLIdentity::Generate(common_name, key_params,
+                                   certificate_lifetime);
 }

 SSLIdentity* SSLIdentity::GenerateForTest(const SSLIdentityParams& params) {
--- a/webrtc/base/sslidentity.h
+++ b/webrtc/base/sslidentity.h
@ -36,7 +36,7 @@ class SSLCertChain;
 // possibly caching of intermediate results.)
 class SSLCertificate {
 public:
-  // Parses and build a certificate from a PEM encoded string.
+  // Parses and builds a certificate from a PEM encoded string.
  // Returns NULL on failure.
  // The length of the string representation of the certificate is
  // stored in *pem_length if it is non-NULL, and only if
@ -125,6 +125,12 @@ static const int kRsaDefaultExponent = 0x10001;  // = 2^16+1 = 65537
 static const int kRsaMinModSize = 1024;
 static const int kRsaMaxModSize = 8192;

+// Certificate default validity lifetime.
+static const int kDefaultCertificateLifetime = 60 * 60 * 24 * 30;  // 30 days
+// Certificate validity window.
+// This is to compensate for slightly incorrect system clocks.
+static const int kCertificateWindow = -60 * 60 * 24;
+
 struct RSAParams {
  unsigned int mod_size;
  unsigned int pub_exp;
@ -184,18 +190,28 @@ struct SSLIdentityParams {
 class SSLIdentity {
 public:
  // Generates an identity (keypair and self-signed certificate). If
-  // common_name is non-empty, it will be used for the certificate's
-  // subject and issuer name, otherwise a random string will be used.
+  // |common_name| is non-empty, it will be used for the certificate's subject
+  // and issuer name, otherwise a random string will be used. The key type and
+  // parameters are defined in |key_param|. The certificate's lifetime in
+  // seconds from the current time is defined in |certificate_lifetime|; it
+  // should be a non-negative number.
  // Returns NULL on failure.
  // Caller is responsible for freeing the returned object.
  static SSLIdentity* Generate(const std::string& common_name,
-                               const KeyParams& key_param);
+                               const KeyParams& key_param,
+                               time_t certificate_lifetime);
+  static SSLIdentity* Generate(const std::string& common_name,
+                               const KeyParams& key_param) {
+    return Generate(common_name, key_param, kDefaultCertificateLifetime);
+  }
  static SSLIdentity* Generate(const std::string& common_name,
                               KeyType key_type) {
    return Generate(common_name, KeyParams(key_type));
  }

  // Generates an identity with the specified validity period.
+  // TODO(torbjorng): Now that Generate() accepts relevant params, make tests
+  // use that instead of this function.
  static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);

  // Construct an identity from a private key and a certificate.
--- a/webrtc/base/sslidentity_unittest.cc
+++ b/webrtc/base/sslidentity_unittest.cc
@ -387,18 +387,17 @@ class SSLIdentityExpirationTest : public testing::Test {
  }

  void TestExpireTime(int times) {
+    // We test just ECDSA here since what we're out to exercise is the
+    // interfaces for expiration setting and reading.
    for (int i = 0; i < times; i++) {
-      rtc::SSLIdentityParams params;
-      params.common_name = "";
-      params.not_before = 0;
      // We limit the time to < 2^31 here, i.e., we stay before 2038, since else
      // we hit time offset limitations in OpenSSL on some 32-bit systems.
-      params.not_after = rtc::CreateRandomId() % 0x80000000;
-      // We test just ECDSA here since what we're out to exercise here is the
-      // code for expiration setting and reading.
-      params.key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
-      SSLIdentity* identity = rtc::SSLIdentity::GenerateForTest(params);
-      EXPECT_EQ(params.not_after,
+      time_t now = time(NULL);
+      time_t lifetime = rtc::CreateRandomId() % (0x80000000 - now);
+      rtc::KeyParams key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
+      SSLIdentity* identity =
+          rtc::SSLIdentity::Generate("", key_params, lifetime);
+      EXPECT_EQ(now + lifetime,
                identity->certificate().CertificateExpirationTime());
      delete identity;
    }