RTCCertificateGenerator added.
This is a new way of generating RTCCertificate objects that is meant
to replace DtlsIdentityStoreInterface and all of its implementations
(clean up work).
It is similar to the identity store in that it generates on the worker
thread and does callback on the signaling thread, but:
- It does not generate identities in the background that you did not
ask for (preemptive generation made more sense before certificates
were parameterized, not so much anymore, and ECDSA which will be most
common takes like <=2 ms to generate).
- As such this code is less complicated than the store's code.
- The API is different, it takes Optional<uint64_t> expires and it
returns RTCCertificates, not SSLIdentities.
- It supports a blocking version of GenerateCertificate that can be
called from any thread, necessary for Chrome which can generate
certificates before the signaling/worker threads have been
initialized as WebRTC-threads (Chrome can invoke this version on
the worker thread outside of WebRTC).
This CL does not remove the identity store, only adds the alternative.
Follow-up CLs will start using it, the store will be removed once it
is no longer used anywhere.
BUG=webrtc:5707, webrtc:5708
R=hta@webrtc.org, torbjorng@webrtc.org
Review URL: https://codereview.webrtc.org/1883813002 .
Cr-Commit-Position: refs/heads/master@{#12381}
2016-04-15 17:55:21 +02:00

/*
 *  Copyright 2016 The WebRTC project authors. All Rights Reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */

#include "rtc_base/rtc_certificate_generator.h"

#include <cstdint>
#include <memory>
#include <optional>
#include <utility>

#include "api/scoped_refptr.h"
#include "api/test/rtc_error_matchers.h"
#include "api/units/time_delta.h"
#include "rtc_base/checks.h"
#include "rtc_base/rtc_certificate.h"
#include "rtc_base/ssl_identity.h"
#include "rtc_base/thread.h"
#include "test/gmock.h"
#include "test/gtest.h"
#include "test/wait_until.h"

namespace rtc {

class RTCCertificateGeneratorFixture {
 public:
  RTCCertificateGeneratorFixture()
      : signaling_thread_(Thread::Current()),
        worker_thread_(Thread::Create()),
        generate_async_completed_(false) {
    RTC_CHECK(signaling_thread_);
    RTC_CHECK(worker_thread_->Start());
    generator_.reset(
        new RTCCertificateGenerator(signaling_thread_, worker_thread_.get()));
  }

  RTCCertificateGenerator* generator() const { return generator_.get(); }
  RTCCertificate* certificate() const { return certificate_.get(); }

  // The callback handed to GenerateCertificateAsync. It must be invoked on the
  // signaling thread; the RTC_CHECK enforces that contract in every test.
  RTCCertificateGeneratorInterface::Callback OnGenerated() {
    return [this](scoped_refptr<RTCCertificate> certificate) {
      RTC_CHECK(signaling_thread_->IsCurrent());
      certificate_ = std::move(certificate);
      generate_async_completed_ = true;
    };
  }

  bool GenerateAsyncCompleted() {
    RTC_CHECK(signaling_thread_->IsCurrent());
    if (generate_async_completed_) {
      // Reset flag so that future generation requests are not considered done.
      generate_async_completed_ = false;
      return true;
    }
    return false;
  }

 protected:
  Thread* const signaling_thread_;
  std::unique_ptr<Thread> worker_thread_;
  std::unique_ptr<RTCCertificateGenerator> generator_;
  scoped_refptr<RTCCertificate> certificate_;
  bool generate_async_completed_;
};

class RTCCertificateGeneratorTest : public ::testing::Test {
 protected:
  static constexpr webrtc::TimeDelta kGenerationTimeoutMs =
      webrtc::TimeDelta::Millis(10000);

  rtc::AutoThread main_thread_;
  RTCCertificateGeneratorFixture fixture_;
};

TEST_F(RTCCertificateGeneratorTest, GenerateECDSA) {
  EXPECT_TRUE(RTCCertificateGenerator::GenerateCertificate(KeyParams::ECDSA(),
                                                           std::nullopt));
}

TEST_F(RTCCertificateGeneratorTest, GenerateRSA) {
  EXPECT_TRUE(RTCCertificateGenerator::GenerateCertificate(KeyParams::RSA(),
                                                           std::nullopt));
}

TEST_F(RTCCertificateGeneratorTest, GenerateAsyncECDSA) {
  EXPECT_FALSE(fixture_.certificate());
  fixture_.generator()->GenerateCertificateAsync(
      KeyParams::ECDSA(), std::nullopt, fixture_.OnGenerated());
  // Until generation has completed, the certificate is null. Since this is an
  // async call, generation must not have completed until we process messages
  // posted to this thread (which is done by `webrtc::WaitUntil` below).
  EXPECT_FALSE(fixture_.GenerateAsyncCompleted());
  EXPECT_FALSE(fixture_.certificate());
  EXPECT_THAT(
      webrtc::WaitUntil([&] { return fixture_.GenerateAsyncCompleted(); },
                        ::testing::IsTrue(), {.timeout = kGenerationTimeoutMs}),
      webrtc::IsRtcOk());
  EXPECT_TRUE(fixture_.certificate());
}

TEST_F(RTCCertificateGeneratorTest, GenerateWithExpires) {
  // By generating two certificates with different expiration we can compare the
  // two expiration times relative to each other without knowing the current
  // time relative to epoch, 1970-01-01T00:00:00Z. This verifies that the
  // expiration parameter is correctly used relative to the generator's clock,
  // but does not verify that this clock is relative to epoch.

  // Generate a certificate that expires immediately.
  scoped_refptr<RTCCertificate> cert_a =
      RTCCertificateGenerator::GenerateCertificate(KeyParams::ECDSA(), 0);
  // ASSERT rather than EXPECT: the certificate is dereferenced below.
  ASSERT_TRUE(cert_a);

  // Generate a certificate that expires in one minute.
  const uint64_t kExpiresMs = 60000;
  scoped_refptr<RTCCertificate> cert_b =
      RTCCertificateGenerator::GenerateCertificate(KeyParams::ECDSA(),
                                                   kExpiresMs);
  ASSERT_TRUE(cert_b);

  // Verify that `cert_b` expires approximately `kExpiresMs` after `cert_a`
  // (allowing a +/- 1 second plus maximum generation time difference).
  // The ordering check must come first: Expires() is unsigned, so a negative
  // difference would wrap around instead of failing the range checks.
  EXPECT_GT(cert_b->Expires(), cert_a->Expires());
  uint64_t expires_diff = cert_b->Expires() - cert_a->Expires();
  EXPECT_GE(expires_diff, kExpiresMs);
  EXPECT_LE(expires_diff, kExpiresMs + 2 * kGenerationTimeoutMs.ms() + 1000);
}

TEST_F(RTCCertificateGeneratorTest, GenerateWithInvalidParamsShouldFail) {
  KeyParams invalid_params = KeyParams::RSA(0, 0);
  EXPECT_FALSE(invalid_params.IsValid());

  EXPECT_FALSE(RTCCertificateGenerator::GenerateCertificate(invalid_params,
                                                            std::nullopt));

  // The async path must still invoke the callback, but with a null certificate.
  fixture_.generator()->GenerateCertificateAsync(invalid_params, std::nullopt,
                                                 fixture_.OnGenerated());
  EXPECT_THAT(
      webrtc::WaitUntil([&] { return fixture_.GenerateAsyncCompleted(); },
                        ::testing::IsTrue(), {.timeout = kGenerationTimeoutMs}),
      webrtc::IsRtcOk());
  EXPECT_FALSE(fixture_.certificate());
}

}  // namespace rtc
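The contract these tests pin down (the blocking `GenerateCertificate` callable from any thread, `GenerateCertificateAsync` doing the work on the worker thread and calling back on the signaling thread, an invalid `KeyParams` producing a null certificate on both paths, and `expires` interpreted relative to the generator's clock) can be modelled without WebRTC. The block below is an added, self-contained example written for this page; it is not WebRTC's code and does not call its API. `TaskQueue`, `KeyParams`, `FakeCertificate`, `RunAsync`, the RSA size floor, the 30-day default lifetime and the one-year cap are assumptions made for the demo; WebRTC's real defaults and limits are not shown on this page. Each "thread" is a task queue that is pumped explicitly, so the worker-to-signaling hop is deterministic and can be asserted on.

```cpp
// Added example, not WebRTC code. KeyParams, FakeCertificate, the RSA size
// floor, the default lifetime and the one-year cap are assumptions for the demo.
#include <cstdint>
#include <deque>
#include <functional>
#include <optional>
#include <string>
#include <utility>

namespace demo {

// Stands in for rtc::Thread: posted tasks run only when the owner pumps it.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void RunPending() {  // runs everything queued so far
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop_front();
      TaskQueue* prev = current_;
      current_ = this;  // lets a task check which queue it is running on
      task();
      current_ = prev;
    }
  }
  bool IsCurrent() const { return current_ == this; }

 private:
  static inline TaskQueue* current_ = nullptr;
  std::deque<std::function<void()>> tasks_;
};

struct KeyParams {
  std::string type;      // "ECDSA" or "RSA"
  int rsa_mod_bits = 0;  // RSA only
  bool IsValid() const {
    return type == "ECDSA" || (type == "RSA" && rsa_mod_bits >= 1024);
  }
};

struct FakeCertificate {
  std::string key_type;
  uint64_t not_after_ms;  // absolute, on the same clock as `now_ms`
  uint64_t Expires() const { return not_after_ms; }
};

constexpr uint64_t kYearMs = 365ull * 24 * 60 * 60 * 1000;
constexpr uint64_t kDefaultLifetimeMs = 30ull * 24 * 60 * 60 * 1000;

// Blocking variant, callable from any queue. `expires_ms` is relative to
// `now_ms`; invalid parameters yield nullopt rather than a bogus certificate.
std::optional<FakeCertificate> GenerateCertificate(const KeyParams& params,
    std::optional<uint64_t> expires_ms, uint64_t now_ms) {
  if (!params.IsValid()) return std::nullopt;
  uint64_t lifetime = expires_ms.value_or(kDefaultLifetimeMs);
  if (lifetime > kYearMs) lifetime = kYearMs;  // cap so not_after cannot overflow
  return FakeCertificate{params.type, now_ms + lifetime};
}

// Async variant: generation runs on `worker`, the callback is posted back to
// `signaling` (the RTC_CHECK(signaling_thread_->IsCurrent()) contract above).
void GenerateCertificateAsync(
    TaskQueue* signaling, TaskQueue* worker, KeyParams params,
    std::optional<uint64_t> expires_ms, uint64_t now_ms,
    std::function<void(std::optional<FakeCertificate>)> cb) {
  worker->Post([=]() {
    std::optional<FakeCertificate> cert =
        GenerateCertificate(params, expires_ms, now_ms);
    signaling->Post([cert, cb]() { cb(cert); });
  });
}

// What one async request observes; invalid parameters still deliver the
// callback, with nullopt, so callers must handle that case.
struct AsyncTrace {
  bool delivered_before_signaling_pumped;
  bool callback_on_signaling;
  std::optional<FakeCertificate> result;
};

AsyncTrace RunAsync(const KeyParams& params, std::optional<uint64_t> expires_ms,
                    uint64_t now_ms) {
  TaskQueue signaling, worker;
  AsyncTrace t{false, false, std::nullopt};
  bool delivered = false;
  GenerateCertificateAsync(&signaling, &worker, params, expires_ms, now_ms,
                           [&](std::optional<FakeCertificate> cert) {
                             t.callback_on_signaling = signaling.IsCurrent();
                             t.result = cert;
                             delivered = true;
                           });
  worker.RunPending();  // key generation happens here...
  t.delivered_before_signaling_pumped = delivered;  // ...but nothing is delivered yet
  signaling.RunPending();  // the callback fires only now, on `signaling`
  return t;
}

}  // namespace demo
```

Two points the tests above rely on carry over to any caller of the real API: an async request with invalid parameters still invokes the callback, with an empty result, so a caller that only waits for a non-null certificate will never be satisfied; and expiry values are unsigned, which is why `GenerateWithExpires` checks `EXPECT_GT` before subtracting the two `Expires()` values.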