Generates the DTLS identity in browser process and returns it to render process.

content/browser/media/dtls_identity_store.cc

Index: content/browser/media/dtls_identity_store.cc
diff --git a/content/browser/media/dtls_identity_store.cc b/content/browser/media/dtls_identity_store.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2ae0cefee6e16e3d7713fc69844c0dbad1a142ab
--- /dev/null
+++ b/content/browser/media/dtls_identity_store.cc
@@ -0,0 +1,107 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/media/dtls_identity_store.h"
+
+#include <cert.h>
+
+#include "base/bind.h"
+#include "base/location.h"
+#include "base/logging.h"
+#include "base/rand_util.h"
+#include "base/task_runner.h"
+#include "base/threading/worker_pool.h"
+#include "content/public/browser/browser_thread.h"
+#include "crypto/ec_private_key.h"
+#include "googleurl/src/gurl.h"
+#include "net/cert/x509_util_nss.h"
+
+namespace content {
+
+namespace {
+
+static void GenerateIdentityWorker(
+    const GURL& origin,
+    const std::string& identity_name,
+    const std::string& common_name,
+    const DTLSIdentityStore::OnCompleteCallback& callback) {
+  std::string certificate;
+  std::vector<uint8> private_key_info;
+
+  int serial_number = base::RandInt(0, std::numeric_limits<int>::max());
+  base::Time not_valid_before = base::Time::Now();
+  base::Time not_valid_after = not_valid_before + base::TimeDelta::FromDays(30);
+
+  scoped_ptr<crypto::ECPrivateKey> key(crypto::ECPrivateKey::Create());
+  if (!key.get()) {
+    DLOG(ERROR) << "Unable to create key pair for client";
+    return;

[Ryan Sleevi, 2013/06/06 23:57:37]

BUG: As highlighted in the PostTaskAndReply comment below, this actually makes
it impossible for the caller to distinguish when creation fails, because their
callback is never invoked (line 66). This will lead to hung state machines.

[jiayl, 2013/06/13 21:50:45]

Done.

+  }
+
+  CERTCertificate* cert =
+      net::x509_util::CreateSelfSignedCert(key->public_key(),
+                                           key->key(),
+                                           "CN=" + common_name,
+                                           serial_number,
+                                           not_valid_before,
+                                           not_valid_after);
+  if (cert == NULL) {

[Ryan Sleevi, 2013/06/06 23:57:37]

if (!cert) {

[jiayl, 2013/06/13 21:50:45]

Done.

+    DLOG(ERROR) << "Unable to create x509 cert for client";
+    return;
+  }
+  certificate.append(reinterpret_cast<char*>(cert->derCert.data),
+                     cert->derCert.len);
+  CERT_DestroyCertificate(cert);
+  cert = NULL;

[Ryan Sleevi, 2013/06/06 23:57:37]

style: Don't include this = NULL - such assignments are seen as superflous.

[jiayl, 2013/06/13 21:50:45]

Done.

+
+  if (!key->ExportEncryptedPrivateKey("", 1, &private_key_info)) {
+    DLOG(ERROR) << "Unable to export private key";
+    return;
+  }
+
+  std::string private_key(private_key_info.begin(), private_key_info.end());
+
+  DLOG(INFO) << "DTLSIdentityStore: a new identity is gnerated.";

[Ryan Sleevi, 2013/06/06 23:57:37]

typo: s/gnerated/generated
STYLE: Don't log this. It provides no real actionable information. If you
absolutely, positively believe it should be logged (and I think I'll disagree
with you if so), then this should be a DVLOG(3) or something otherwise
"unchatty". 

[jiayl, 2013/06/13 21:50:45]

Done.

+  BrowserThread::PostTask(BrowserThread::IO,
+                          FROM_HERE,
+                          base::Bind(callback, certificate, private_key));

[Ryan Sleevi, 2013/06/06 23:57:37]

DESIGN: Do not structure the PostTask interaction like this.

Instead, use PostTaskAndReply/PostTaskAndReplyWithResult to handle the
marshalling for ensuring that |callback| is invoked on the right thread.

[jiayl, 2013/06/13 21:50:45]

Done.

+}
+
+}  // namespace
+
+DTLSIdentityStore* DTLSIdentityStore::GetInstance() {
+  return Singleton<DTLSIdentityStore>::get();
+}

[Ryan Sleevi, 2013/06/06 23:57:37]

Again, no go for Singletons.

[jiayl, 2013/06/13 21:50:45]

Done.

+
+DTLSIdentityStore::DTLSIdentityStore()
+    : task_runner_(base::WorkerPool::GetTaskRunner(true)) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+}
+
+DTLSIdentityStore::DTLSIdentityStore(
+    const scoped_refptr<base::TaskRunner>& task_runner)
+    : task_runner_(task_runner) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+}
+
+DTLSIdentityStore::~DTLSIdentityStore() {}
+
+void DTLSIdentityStore::RequestIdentity(const GURL& origin,
+                                        const std::string& identity_name,
+                                        const std::string& common_name,
+                                        const OnCompleteCallback& callback) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  DLOG(INFO) << "DTLSIdentityStore: start generating identity.";
+  // TODO(jiayl): find the cert in the persistent store and generate a new one
+  // only when not found.
+  task_runner_->PostTask(FROM_HERE,
+                         base::Bind(&GenerateIdentityWorker,
+                                    origin,
+                                    identity_name,
+                                    common_name,
+                                    callback));

[Ryan Sleevi, 2013/06/06 23:57:37]

std::string* private_key = new std::string;
std::string* cert = new std::string;
PostTaskAndReply(
  task_runner_.get(),
  FROM_HERE,
  base::Bind(&GenerateIdentityWorker, origin, identity_name, common_name,
private_key, cert),
  base::Bind(callback, base::Owned(private_key), base::Owned(cert)));

[jiayl, 2013/06/13 21:50:45]

Done.

+}
+
+}  // namespace content