3 * Copyright 2004, Google Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 // Handling of certificates and keypairs for SSLStreamAdapter's peer mode.
30 #ifndef TALK_BASE_SSLIDENTITY_H_
31 #define TALK_BASE_SSLIDENTITY_H_
37 #include "talk/base/buffer.h"
38 #include "talk/base/messagedigest.h"
42 // Forward declaration due to circular dependency with SSLCertificate.
45 // Abstract interface overridden by SSL library specific
48 // A somewhat opaque type used to encapsulate a certificate.
49 // Wraps the SSL library's notion of a certificate, with reference counting.
50 // The SSLCertificate object is pretty much immutable once created.
51 // (The OpenSSL implementation only does reference counting and
52 // possibly caching of intermediate results.)
53 class SSLCertificate {
55 // Parses and build a certificate from a PEM encoded string.
56 // Returns NULL on failure.
57 // The length of the string representation of the certificate is
58 // stored in *pem_length if it is non-NULL, and only if
59 // parsing was successful.
60 // Caller is responsible for freeing the returned object.
61 static SSLCertificate* FromPEMString(const std::string& pem_string);
62 virtual ~SSLCertificate() {}
64 // Returns a new SSLCertificate object instance wrapping the same
65 // underlying certificate, including its chain if present.
66 // Caller is responsible for freeing the returned object.
67 virtual SSLCertificate* GetReference() const = 0;
69 // Provides the cert chain, or returns false. The caller owns the chain.
70 // The chain includes a copy of each certificate, excluding the leaf.
71 virtual bool GetChain(SSLCertChain** chain) const = 0;
73 // Returns a PEM encoded string representation of the certificate.
74 virtual std::string ToPEMString() const = 0;
76 // Provides a DER encoded binary representation of the certificate.
77 virtual void ToDER(Buffer* der_buffer) const = 0;
79 // Gets the name of the digest algorithm that was used to compute this
80 // certificate's signature.
81 virtual bool GetSignatureDigestAlgorithm(std::string* algorithm) const = 0;
83 // Compute the digest of the certificate given algorithm
84 virtual bool ComputeDigest(const std::string &algorithm,
85 unsigned char* digest, std::size_t size,
86 std::size_t* length) const = 0;
89 // SSLCertChain is a simple wrapper for a vector of SSLCertificates. It serves
90 // primarily to ensure proper memory management (especially deletion) of the
91 // SSLCertificate pointers.
94 // These constructors copy the provided SSLCertificate(s), so the caller
96 explicit SSLCertChain(const std::vector<SSLCertificate*>& certs) {
97 ASSERT(!certs.empty());
98 certs_.resize(certs.size());
99 std::transform(certs.begin(), certs.end(), certs_.begin(), DupCert);
101 explicit SSLCertChain(const SSLCertificate* cert) {
102 certs_.push_back(cert->GetReference());
106 std::for_each(certs_.begin(), certs_.end(), DeleteCert);
109 // Vector access methods.
110 size_t GetSize() const { return certs_.size(); }
112 // Returns a temporary reference, only valid until the chain is destroyed.
113 const SSLCertificate& Get(size_t pos) const { return *(certs_[pos]); }
115 // Returns a new SSLCertChain object instance wrapping the same underlying
116 // certificate chain. Caller is responsible for freeing the returned object.
117 SSLCertChain* Copy() const {
118 return new SSLCertChain(certs_);
122 // Helper function for duplicating a vector of certificates.
123 static SSLCertificate* DupCert(const SSLCertificate* cert) {
124 return cert->GetReference();
127 // Helper function for deleting a vector of certificates.
128 static void DeleteCert(SSLCertificate* cert) { delete cert; }
130 std::vector<SSLCertificate*> certs_;
132 DISALLOW_COPY_AND_ASSIGN(SSLCertChain);
135 // Our identity in an SSL negotiation: a keypair and certificate (both
136 // with the same public key).
137 // This too is pretty much immutable once created.
140 // Generates an identity (keypair and self-signed certificate). If
141 // common_name is non-empty, it will be used for the certificate's
142 // subject and issuer name, otherwise a random string will be used.
143 // Returns NULL on failure.
144 // Caller is responsible for freeing the returned object.
145 static SSLIdentity* Generate(const std::string& common_name);
147 // Construct an identity from a private key and a certificate.
148 static SSLIdentity* FromPEMStrings(const std::string& private_key,
149 const std::string& certificate);
151 virtual ~SSLIdentity() {}
153 // Returns a new SSLIdentity object instance wrapping the same
154 // identity information.
155 // Caller is responsible for freeing the returned object.
156 virtual SSLIdentity* GetReference() const = 0;
158 // Returns a temporary reference to the certificate.
159 virtual const SSLCertificate& certificate() const = 0;
161 // Helpers for parsing converting between PEM and DER format.
162 static bool PemToDer(const std::string& pem_type,
163 const std::string& pem_string,
165 static std::string DerToPem(const std::string& pem_type,
166 const unsigned char* data,
170 extern const char kPemTypeCertificate[];
171 extern const char kPemTypeRsaPrivateKey[];
173 } // namespace talk_base
175 #endif // TALK_BASE_SSLIDENTITY_H_