Implement certificate lifetime parameter as required by WebRTC RFC.
BUG=chromium:569005
Review URL: https://codereview.webrtc.org/1683193003
Cr-Commit-Position: refs/heads/master@{#11629}
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 7185571..0260387 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -36,12 +36,6 @@
// Random bits for certificate serial number
static const int SERIAL_RAND_BITS = 64;
-// Certificate validity lifetime
-static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily
-// Certificate validity window.
-// This is to compensate for slightly incorrect system clocks.
-static const int CERTIFICATE_WINDOW = -60*60*24;
-
// Generate a key pair. Caller is responsible for freeing the returned object.
static EVP_PKEY* MakeKey(const KeyParams& key_params) {
LOG(LS_INFO) << "Making key pair";
@@ -414,13 +408,15 @@
}
OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
- const KeyParams& key_params) {
+ const KeyParams& key_params,
+ time_t certificate_lifetime) {
SSLIdentityParams params;
params.key_params = key_params;
params.common_name = common_name;
time_t now = time(NULL);
- params.not_before = now + CERTIFICATE_WINDOW;
- params.not_after = now + CERTIFICATE_LIFETIME;
+ params.not_before = now + kCertificateWindow;
+ params.not_after = now + certificate_lifetime;
+ RTC_DCHECK(params.not_before < params.not_after);
return GenerateInternal(params);
}
diff --git a/webrtc/base/opensslidentity.h b/webrtc/base/opensslidentity.h
index c8aa69a..dda50be 100644
--- a/webrtc/base/opensslidentity.h
+++ b/webrtc/base/opensslidentity.h
@@ -102,7 +102,8 @@
class OpenSSLIdentity : public SSLIdentity {
public:
static OpenSSLIdentity* Generate(const std::string& common_name,
- const KeyParams& key_params);
+ const KeyParams& key_params,
+ time_t certificate_lifetime);
static OpenSSLIdentity* GenerateForTest(const SSLIdentityParams& params);
static SSLIdentity* FromPEMStrings(const std::string& private_key,
const std::string& certificate);
diff --git a/webrtc/base/sslidentity.cc b/webrtc/base/sslidentity.cc
index 5f6b686..536e3aa 100644
--- a/webrtc/base/sslidentity.cc
+++ b/webrtc/base/sslidentity.cc
@@ -159,8 +159,10 @@
}
SSLIdentity* SSLIdentity::Generate(const std::string& common_name,
- const KeyParams& key_params) {
- return OpenSSLIdentity::Generate(common_name, key_params);
+ const KeyParams& key_params,
+ time_t certificate_lifetime) {
+ return OpenSSLIdentity::Generate(common_name, key_params,
+ certificate_lifetime);
}
SSLIdentity* SSLIdentity::GenerateForTest(const SSLIdentityParams& params) {
diff --git a/webrtc/base/sslidentity.h b/webrtc/base/sslidentity.h
index a143ee4..0f81929 100644
--- a/webrtc/base/sslidentity.h
+++ b/webrtc/base/sslidentity.h
@@ -36,7 +36,7 @@
// possibly caching of intermediate results.)
class SSLCertificate {
public:
- // Parses and build a certificate from a PEM encoded string.
+ // Parses and builds a certificate from a PEM encoded string.
// Returns NULL on failure.
// The length of the string representation of the certificate is
// stored in *pem_length if it is non-NULL, and only if
@@ -125,6 +125,12 @@
static const int kRsaMinModSize = 1024;
static const int kRsaMaxModSize = 8192;
+// Certificate default validity lifetime.
+static const int kDefaultCertificateLifetime = 60 * 60 * 24 * 30; // 30 days
+// Certificate validity window.
+// This is to compensate for slightly incorrect system clocks.
+static const int kCertificateWindow = -60 * 60 * 24;
+
struct RSAParams {
unsigned int mod_size;
unsigned int pub_exp;
@@ -184,18 +190,28 @@
class SSLIdentity {
public:
// Generates an identity (keypair and self-signed certificate). If
- // common_name is non-empty, it will be used for the certificate's
- // subject and issuer name, otherwise a random string will be used.
+ // |common_name| is non-empty, it will be used for the certificate's subject
+ // and issuer name, otherwise a random string will be used. The key type and
+ // parameters are defined in |key_param|. The certificate's lifetime in
+ // seconds from the current time is defined in |certificate_lifetime|; it
+ // should be a non-negative number.
// Returns NULL on failure.
// Caller is responsible for freeing the returned object.
static SSLIdentity* Generate(const std::string& common_name,
- const KeyParams& key_param);
+ const KeyParams& key_param,
+ time_t certificate_lifetime);
+ static SSLIdentity* Generate(const std::string& common_name,
+ const KeyParams& key_param) {
+ return Generate(common_name, key_param, kDefaultCertificateLifetime);
+ }
static SSLIdentity* Generate(const std::string& common_name,
KeyType key_type) {
return Generate(common_name, KeyParams(key_type));
}
// Generates an identity with the specified validity period.
+ // TODO(torbjorng): Now that Generate() accepts relevant params, make tests
+ // use that instead of this function.
static SSLIdentity* GenerateForTest(const SSLIdentityParams& params);
// Construct an identity from a private key and a certificate.
diff --git a/webrtc/base/sslidentity_unittest.cc b/webrtc/base/sslidentity_unittest.cc
index 3582edb..8e25fe97 100644
--- a/webrtc/base/sslidentity_unittest.cc
+++ b/webrtc/base/sslidentity_unittest.cc
@@ -387,18 +387,17 @@
}
void TestExpireTime(int times) {
+ // We test just ECDSA here since what we're out to exercise is the
+ // interfaces for expiration setting and reading.
for (int i = 0; i < times; i++) {
- rtc::SSLIdentityParams params;
- params.common_name = "";
- params.not_before = 0;
// We limit the time to < 2^31 here, i.e., we stay before 2038, since else
// we hit time offset limitations in OpenSSL on some 32-bit systems.
- params.not_after = rtc::CreateRandomId() % 0x80000000;
- // We test just ECDSA here since what we're out to exercise here is the
- // code for expiration setting and reading.
- params.key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
- SSLIdentity* identity = rtc::SSLIdentity::GenerateForTest(params);
- EXPECT_EQ(params.not_after,
+ time_t now = time(NULL);
+ time_t lifetime = rtc::CreateRandomId() % (0x80000000 - now);
+ rtc::KeyParams key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
+ SSLIdentity* identity =
+ rtc::SSLIdentity::Generate("", key_params, lifetime);
+ EXPECT_EQ(now + lifetime,
identity->certificate().CertificateExpirationTime());
delete identity;
}
