1 /*
2 * Copyright 2020 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #include "rtc_base/boringssl_identity.h"
12
13 #include <openssl/bio.h>
14 #include <openssl/err.h>
15 #include <openssl/pem.h>
16 #include <openssl/pool.h>
17 #include <stdint.h>
18 #include <string.h>
19
20 #include <memory>
21 #include <utility>
22 #include <vector>
23
24 #include "absl/memory/memory.h"
25 #include "absl/strings/string_view.h"
26 #include "rtc_base/checks.h"
27 #include "rtc_base/logging.h"
28 #include "rtc_base/numerics/safe_conversions.h"
29 #include "rtc_base/openssl.h"
30 #include "rtc_base/openssl_utility.h"
31
32 namespace rtc {
33
BoringSSLIdentity(std::unique_ptr<OpenSSLKeyPair> key_pair,std::unique_ptr<BoringSSLCertificate> certificate)34 BoringSSLIdentity::BoringSSLIdentity(
35 std::unique_ptr<OpenSSLKeyPair> key_pair,
36 std::unique_ptr<BoringSSLCertificate> certificate)
37 : key_pair_(std::move(key_pair)) {
38 RTC_DCHECK(key_pair_ != nullptr);
39 RTC_DCHECK(certificate != nullptr);
40 std::vector<std::unique_ptr<SSLCertificate>> certs;
41 certs.push_back(std::move(certificate));
42 cert_chain_.reset(new SSLCertChain(std::move(certs)));
43 }
44
BoringSSLIdentity(std::unique_ptr<OpenSSLKeyPair> key_pair,std::unique_ptr<SSLCertChain> cert_chain)45 BoringSSLIdentity::BoringSSLIdentity(std::unique_ptr<OpenSSLKeyPair> key_pair,
46 std::unique_ptr<SSLCertChain> cert_chain)
47 : key_pair_(std::move(key_pair)), cert_chain_(std::move(cert_chain)) {
48 RTC_DCHECK(key_pair_ != nullptr);
49 RTC_DCHECK(cert_chain_ != nullptr);
50 }
51
52 BoringSSLIdentity::~BoringSSLIdentity() = default;
53
CreateInternal(const SSLIdentityParams & params)54 std::unique_ptr<BoringSSLIdentity> BoringSSLIdentity::CreateInternal(
55 const SSLIdentityParams& params) {
56 auto key_pair = OpenSSLKeyPair::Generate(params.key_params);
57 if (key_pair) {
58 std::unique_ptr<BoringSSLCertificate> certificate(
59 BoringSSLCertificate::Generate(key_pair.get(), params));
60 if (certificate != nullptr) {
61 return absl::WrapUnique(
62 new BoringSSLIdentity(std::move(key_pair), std::move(certificate)));
63 }
64 }
65 RTC_LOG(LS_ERROR) << "Identity generation failed.";
66 return nullptr;
67 }
68
69 // static
CreateWithExpiration(absl::string_view common_name,const KeyParams & key_params,time_t certificate_lifetime)70 std::unique_ptr<BoringSSLIdentity> BoringSSLIdentity::CreateWithExpiration(
71 absl::string_view common_name,
72 const KeyParams& key_params,
73 time_t certificate_lifetime) {
74 SSLIdentityParams params;
75 params.key_params = key_params;
76 params.common_name = std::string(common_name);
77 time_t now = time(nullptr);
78 params.not_before = now + kCertificateWindowInSeconds;
79 params.not_after = now + certificate_lifetime;
80 if (params.not_before > params.not_after)
81 return nullptr;
82 return CreateInternal(params);
83 }
84
CreateForTest(const SSLIdentityParams & params)85 std::unique_ptr<BoringSSLIdentity> BoringSSLIdentity::CreateForTest(
86 const SSLIdentityParams& params) {
87 return CreateInternal(params);
88 }
89
CreateFromPEMStrings(absl::string_view private_key,absl::string_view certificate)90 std::unique_ptr<SSLIdentity> BoringSSLIdentity::CreateFromPEMStrings(
91 absl::string_view private_key,
92 absl::string_view certificate) {
93 std::unique_ptr<BoringSSLCertificate> cert(
94 BoringSSLCertificate::FromPEMString(certificate));
95 if (!cert) {
96 RTC_LOG(LS_ERROR)
97 << "Failed to create BoringSSLCertificate from PEM string.";
98 return nullptr;
99 }
100
101 auto key_pair = OpenSSLKeyPair::FromPrivateKeyPEMString(private_key);
102 if (!key_pair) {
103 RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string.";
104 return nullptr;
105 }
106
107 return absl::WrapUnique(
108 new BoringSSLIdentity(std::move(key_pair), std::move(cert)));
109 }
110
CreateFromPEMChainStrings(absl::string_view private_key,absl::string_view certificate_chain)111 std::unique_ptr<SSLIdentity> BoringSSLIdentity::CreateFromPEMChainStrings(
112 absl::string_view private_key,
113 absl::string_view certificate_chain) {
114 bssl::UniquePtr<BIO> bio(
115 BIO_new_mem_buf(certificate_chain.data(),
116 rtc::dchecked_cast<int>(certificate_chain.size())));
117 if (!bio) {
118 return nullptr;
119 }
120 BIO_set_mem_eof_return(bio.get(), 0);
121 std::vector<std::unique_ptr<SSLCertificate>> certs;
122 while (true) {
123 char* name;
124 char* header;
125 unsigned char* data;
126 long len; // NOLINT
127 int ret = PEM_read_bio(bio.get(), &name, &header, &data, &len);
128 if (ret == 0) {
129 uint32_t err = ERR_peek_error();
130 if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
131 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
132 break;
133 }
134 RTC_LOG(LS_ERROR) << "Failed to parse certificate from PEM string.";
135 return nullptr;
136 }
137 bssl::UniquePtr<char> owned_name(name);
138 bssl::UniquePtr<char> owned_header(header);
139 bssl::UniquePtr<unsigned char> owned_data(data);
140 if (strcmp(owned_name.get(), PEM_STRING_X509) != 0) {
141 RTC_LOG(LS_ERROR)
142 << "Non-certificate found while parsing certificate chain: "
143 << owned_name.get();
144 return nullptr;
145 }
146 bssl::UniquePtr<CRYPTO_BUFFER> crypto_buffer(
147 CRYPTO_BUFFER_new(data, len, openssl::GetBufferPool()));
148 if (!crypto_buffer) {
149 return nullptr;
150 }
151 certs.emplace_back(new BoringSSLCertificate(std::move(crypto_buffer)));
152 }
153 if (certs.empty()) {
154 RTC_LOG(LS_ERROR) << "Found no certificates in PEM string.";
155 return nullptr;
156 }
157
158 auto key_pair = OpenSSLKeyPair::FromPrivateKeyPEMString(private_key);
159 if (!key_pair) {
160 RTC_LOG(LS_ERROR) << "Failed to create key pair from PEM string.";
161 return nullptr;
162 }
163
164 return absl::WrapUnique(new BoringSSLIdentity(
165 std::move(key_pair), std::make_unique<SSLCertChain>(std::move(certs))));
166 }
167
certificate() const168 const BoringSSLCertificate& BoringSSLIdentity::certificate() const {
169 return *static_cast<const BoringSSLCertificate*>(&cert_chain_->Get(0));
170 }
171
cert_chain() const172 const SSLCertChain& BoringSSLIdentity::cert_chain() const {
173 return *cert_chain_.get();
174 }
175
CloneInternal() const176 std::unique_ptr<SSLIdentity> BoringSSLIdentity::CloneInternal() const {
177 // We cannot use std::make_unique here because the referenced
178 // BoringSSLIdentity constructor is private.
179 return absl::WrapUnique(
180 new BoringSSLIdentity(key_pair_->Clone(), cert_chain_->Clone()));
181 }
182
ConfigureIdentity(SSL_CTX * ctx)183 bool BoringSSLIdentity::ConfigureIdentity(SSL_CTX* ctx) {
184 std::vector<CRYPTO_BUFFER*> cert_buffers;
185 for (size_t i = 0; i < cert_chain_->GetSize(); ++i) {
186 cert_buffers.push_back(
187 static_cast<const BoringSSLCertificate*>(&cert_chain_->Get(i))
188 ->cert_buffer());
189 }
190 // 1 is the documented success return code.
191 if (1 != SSL_CTX_set_chain_and_key(ctx, &cert_buffers[0], cert_buffers.size(),
192 key_pair_->pkey(), nullptr)) {
193 openssl::LogSSLErrors("Configuring key and certificate");
194 return false;
195 }
196 return true;
197 }
198
PrivateKeyToPEMString() const199 std::string BoringSSLIdentity::PrivateKeyToPEMString() const {
200 return key_pair_->PrivateKeyToPEMString();
201 }
202
PublicKeyToPEMString() const203 std::string BoringSSLIdentity::PublicKeyToPEMString() const {
204 return key_pair_->PublicKeyToPEMString();
205 }
206
operator ==(const BoringSSLIdentity & other) const207 bool BoringSSLIdentity::operator==(const BoringSSLIdentity& other) const {
208 return *this->key_pair_ == *other.key_pair_ &&
209 this->certificate() == other.certificate();
210 }
211
operator !=(const BoringSSLIdentity & other) const212 bool BoringSSLIdentity::operator!=(const BoringSSLIdentity& other) const {
213 return !(*this == other);
214 }
215
216 } // namespace rtc
217