Misc OpenSSL fixes

Improves the error message from PEM parsing and adds a few DCHECKs.
Tested locally with OpenSSL 3.x.

BUG=webrtc:42225468

Change-Id: Ia2ff1e5826f486060db73bee979e2703fc6c5823
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/358441
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Commit-Queue: Philipp Hancke <phancke@meta.com>
Reviewed-by: David Benjamin <davidben@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#42776}
diff --git a/rtc_base/openssl_certificate.cc b/rtc_base/openssl_certificate.cc
index 46ff576..fcc2946 100644
--- a/rtc_base/openssl_certificate.cc
+++ b/rtc_base/openssl_certificate.cc
@@ -56,6 +56,7 @@
 // Generate a self-signed certificate, with the public key from the
 // given key pair. Caller is responsible for freeing the returned object.
 static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) {
+  RTC_DCHECK(pkey != nullptr);
   RTC_LOG(LS_INFO) << "Making certificate for " << params.common_name;
 
   ASN1_INTEGER* asn1_serial_number = nullptr;
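Review bot: The new `RTC_DCHECK(pkey != nullptr)` at the top of MakeCertificate only guards builds with DCHECKs enabled; elsewhere a null key would still reach the OpenSSL calls further down. If a null `pkey` can really arrive here (for example from a failed key generation, which is not visible in this hunk), an explicit `if (!pkey) return nullptr;` would fit the `return nullptr` failure path shown in the next hunk of this file. If it is purely a caller invariant, a one-line comment such as `// Callers must pass a valid key; generation failures are handled upstream.` would document that. The function body continues beyond this hunk.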
@@ -95,8 +96,8 @@
   name.reset(X509_NAME_new());
   if (name == nullptr ||
       !X509_NAME_add_entry_by_NID(name.get(), NID_commonName, MBSTRING_UTF8,
-                                  (unsigned char*)params.common_name.c_str(),
-                                  -1, -1, 0) ||
+                                  (unsigned char*)params.common_name.data(), -1,
+                                  -1, 0) ||
       !X509_set_subject_name(x509.get(), name.get()) ||
       !X509_set_issuer_name(x509.get(), name.get())) {
     return nullptr;
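Review bot: Passing `-1` as the length makes X509_NAME_add_entry_by_NID measure the buffer with strlen, so the switch from `c_str()` to `data()` is only safe while `common_name` is a NUL-terminated `std::string`. Its type is not visible in this hunk; if it is (or later becomes) a string view, `data()` carries no terminator guarantee and the call could read past the end of the buffer. Passing the length explicitly removes that dependency: `reinterpret_cast<const unsigned char*>(params.common_name.data()), static_cast<int>(params.common_name.size()), -1, 0`. That also replaces the C-style cast with a named one. The enclosing function starts and ends outside the hunk.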
diff --git a/rtc_base/openssl_identity.cc b/rtc_base/openssl_identity.cc
index 1864978..9ddd178 100644
--- a/rtc_base/openssl_identity.cc
+++ b/rtc_base/openssl_identity.cc
@@ -79,8 +79,11 @@
   time_t now = time(nullptr);
   params.not_before = now + kCertificateWindowInSeconds;
   params.not_after = now + certificate_lifetime;
-  if (params.not_before > params.not_after)
+  if (params.not_before > params.not_after) {
+    RTC_LOG(LS_ERROR)
+        << "Іdentity generated failed, not_before is after not_after.";
     return nullptr;
+  }
   return CreateInternal(params);
 }
 
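Review bot: The string added on the `RTC_LOG(LS_ERROR)` line reads "Іdentity generated failed", and its first character appears to be a non-ASCII look-alike (Cyrillic І) rather than ASCII `I`, so a grep or log alert matching "Identity" would miss this message. The wording is also off; I would retype it in plain ASCII as `<< "Identity generation failed, not_before is after not_after.";`. Logging the two timestamps or the requested `certificate_lifetime` alongside would make the failure easier to diagnose. The enclosing function starts outside the hunk.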
@@ -127,7 +130,8 @@
           ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
         break;
       }
-      RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string.";
+      RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string: "
+                        << ERR_reason_error_string(err);
       BIO_free(bio);
       return nullptr;
     }
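Review bot: `ERR_reason_error_string(err)` returns NULL when no reason string is registered for the error code, and the new log line streams that pointer directly. Whether RTC_LOG tolerates a null `const char*` is not visible here, so I would guard it: `const char* reason = ERR_reason_error_string(err);` followed by `<< (reason ? reason : "unknown error")`. The surrounding loop and the origin of `err` are outside the hunk; if `err` was obtained with a peek call, clearing the error queue before `return nullptr` would keep stale entries from confusing later OpenSSL calls on the same thread.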
diff --git a/rtc_base/rtc_certificate.cc b/rtc_base/rtc_certificate.cc
index e0b6b32..93e5f15 100644
--- a/rtc_base/rtc_certificate.cc
+++ b/rtc_base/rtc_certificate.cc
@@ -21,7 +21,7 @@
 
 scoped_refptr<RTCCertificate> RTCCertificate::Create(
     std::unique_ptr<SSLIdentity> identity) {
-  // Explicit new to access proteced constructor.
+  // Explicit new to access protected constructor.
   return rtc::scoped_refptr<RTCCertificate>(
       new RTCCertificate(identity.release()));
 }
diff --git a/rtc_base/ssl_stream_adapter_unittest.cc b/rtc_base/ssl_stream_adapter_unittest.cc
index 1e45a57b..12780d3 100644
--- a/rtc_base/ssl_stream_adapter_unittest.cc
+++ b/rtc_base/ssl_stream_adapter_unittest.cc
@@ -493,6 +493,8 @@
             : rtc::SSLPeerCertificateDigestError::VERIFICATION_FAILED;
 
     RTC_LOG(LS_INFO) << "Setting peer identities by digest";
+    RTC_DCHECK(server_identity());
+    RTC_DCHECK(client_identity());
 
     rv = server_identity()->certificate().ComputeDigest(
         digest_algorithm_, server_digest, digest_length_, &server_digest_len);
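Review bot: In a unit test the two added `RTC_DCHECK`s only fire in DCHECK-enabled builds; in other configurations a missing identity still falls through to the `server_identity()->certificate()` dereference just below and crashes instead of failing the test. A gtest assertion reports the problem in every configuration, e.g. `ASSERT_TRUE(server_identity());` and `ASSERT_TRUE(client_identity());`, assuming the enclosing helper returns void (its signature is outside the hunk). If it does not, `RTC_CHECK` would at least be unconditional.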