Generates the DTLS identity in browser process and returns it to render process.

content/browser/media/dtls_identity_store.cc

Index: content/browser/media/dtls_identity_store.cc
diff --git a/content/browser/media/dtls_identity_store.cc b/content/browser/media/dtls_identity_store.cc
new file mode 100644
index 0000000000000000000000000000000000000000..99c743c43f97ccb425a8ab8a32664417c1850bcf
--- /dev/null
+++ b/content/browser/media/dtls_identity_store.cc
@@ -0,0 +1,104 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+#include "content/browser/media/dtls_identity_store.h"
+
+#include <cert.h>

[Ryan Sleevi, 2013/06/04 19:13:52]

BUG: You cannot depend on this header directly in content/. This can ONLY be
used in NSS-only files.

Same with all types used beyond.

That is, it MAY be acceptable to separate the design into dtls_identity_store,
dtls_identity_store_nss, and dtls_identity_store_openssl, but please think
carefully about the design before doing so. We have intentional abstractions
like crypto/ and net/ to give you implementation-agnostic types.

+
+#include "base/bind.h"
+#include "base/location.h"
+#include "base/logging.h"
+#include "base/rand_util.h"
+#include "base/task_runner.h"
+#include "base/threading/worker_pool.h"
+#include "content/public/browser/browser_thread.h"
+#include "crypto/ec_private_key.h"
+#include "googleurl/src/gurl.h"
+#include "net/cert/x509_util_nss.h"

[Ryan Sleevi, 2013/06/04 19:13:52]

BUG: You cannot depend on this header directly in content/. This can ONLY be
used in NSS-only files.

[jiayl, 2013/06/04 20:23:10]

Can I add a new method similar to CreateDomainBoundCertEC to x509_util.h and put
the implementation in x509_util_nss.cc calling the existing
CreateSelfSignedCert?

[Ryan Sleevi, 2013/06/04 21:14:59]

We'll want to tackle that in a separate CL.

+
+namespace {
+
+static void GenerateIdentityWorker(
+    const GURL& url,
+    const std::string& identity_name,
+    const std::string& common_name,
+    const content::DTLSIdentityStore::OnCompleteCallback& callback) {
+  std::string certificate;
+  std::vector<uint8> private_key_info;
+
+  int serial_number = base::RandInt(0, std::numeric_limits<int>::max());
+  base::Time not_valid_before = base::Time::Now();
+  base::Time not_valid_after =
+      not_valid_before + base::TimeDelta::FromDays(30);
+
+  scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create());
+  if (!key.get()) {
+    DLOG(ERROR) << "Unable to create key pair for client";
+    return;
+  }
+
+  CERTCertificate* cert = net::x509_util::CreateSelfSignedCert(
+      key->public_key(), key->key(), "CN=" + identity_name,
+      serial_number, not_valid_before, not_valid_after);
+  if (cert == NULL) {
+    DLOG(ERROR) << "Unable to create x509 cert for client";
+    return;
+  }
+  certificate.append(reinterpret_cast<char*>(cert->derCert.data),
+                     cert->derCert.len);
+  CERT_DestroyCertificate(cert);
+  cert = NULL;
+
+  if (!key->ExportEncryptedPrivateKey("", 1, &private_key_info)) {
+    DLOG(ERROR) << "Unable to export private key";
+    return;
+  }
+
+  std::string priveta_key(private_key_info.begin(), private_key_info.end());
+
+  content::BrowserThread::PostTask(
+      content::BrowserThread::UI,
+      FROM_HERE,
+      base::Bind(callback, certificate, priveta_key));
+}
+
+}  // namespace
+
+namespace content {
+
+DTLSIdentityStore* DTLSIdentityStore::GetInstance() {
+  return Singleton<DTLSIdentityStore>::get();
+}
+
+DTLSIdentityStore::DTLSIdentityStore() :
+    task_runner_(base::WorkerPool::GetTaskRunner(true)) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+}
+
+DTLSIdentityStore::DTLSIdentityStore(
+    const scoped_refptr<base::TaskRunner>& task_runner) :
+    task_runner_(task_runner) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+}
+
+DTLSIdentityStore::~DTLSIdentityStore() {
+}
+
+void DTLSIdentityStore::GetOrGenerateIdentity(
+    const GURL& url,
+    const std::string& identity_name,
+    const std::string& common_name,
+    const OnCompleteCallback& callback) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+
+  // TODO(jiayl): find the cert in the persistent store and generate a new one
+  // only when not found.
+  task_runner_->PostTask(
+      FROM_HERE,
+      base::Bind(&GenerateIdentityWorker,
+                 url, identity_name, common_name, callback));
+}
+
+}  // namespace content