Chromium Code Reviews

Unified Diff: content/renderer/media/peer_connection_identity_store.cc

Issue 1740993002: RTCPeerConnection.generateCertificate: Optionally specify expiration. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 10 months ago
Index: content/renderer/media/peer_connection_identity_store.cc
diff --git a/content/renderer/media/peer_connection_identity_store.cc b/content/renderer/media/peer_connection_identity_store.cc
index c6f432dc6c465c0553ca3fd97c04beab9657e4fa..e7b9b338a03331540fac5da4e748ec018d9306bd 100644
--- a/content/renderer/media/peer_connection_identity_store.cc
+++ b/content/renderer/media/peer_connection_identity_store.cc
@@ -17,6 +17,7 @@ namespace {
const char kIdentityName[] = "WebRTC";
static unsigned int kRSAChromiumKeyLength = 1024;
static unsigned int kRSAChromiumPubExp = 0x10001;
+static uint64_t kYearInSeconds = 365 * 24 * 60 * 60;
// Bridges identity requests between the main render thread and libjingle's
// signaling thread.
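Review bot: kYearInSeconds on the added line is a mutable static although the patch only uses it as a fixed upper bound; declare it const (or constexpr), for example `const uint64_t kYearInSeconds = 365 * 24 * 60 * 60;`. Inside the anonymous namespace the `static` is redundant as well. A one-line comment saying this is the maximum certificate lifetime accepted by RequestIdentity would tie the constant to its use.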
@@ -116,6 +117,7 @@ PeerConnectionIdentityStore::~PeerConnectionIdentityStore() {
void PeerConnectionIdentityStore::RequestIdentity(
rtc::KeyParams key_params,
+ rtc::Optional<uint64_t> expires_ms,
tommi (sloooow) - chröme 2016/03/04 09:55:40 Is there a reason why the arguments need to be pas
hbos_chromium 2016/03/04 12:24:11 No, will update webrtc interface to use const&, ro
const rtc::scoped_refptr<webrtc::DtlsIdentityRequestObserver>& observer) {
DCHECK(signaling_thread_->BelongsToCurrentThread());
DCHECK(observer);
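Review bot: the new expires_ms parameter in the RequestIdentity signature is undocumented, and its name reads like an absolute expiry timestamp. The later hunk caps it at one year in seconds, which only makes sense for a lifetime relative to the time of generation. Add a comment stating the unit, that it is a duration, and that an unset value means the generator's default expiration applies, or rename it to something like lifetime_ms.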
@@ -127,7 +129,8 @@ void PeerConnectionIdentityStore::RequestIdentity(
// header file(s).
if (key_params.type() == rtc::KT_RSA &&
key_params.rsa_params().mod_size == kRSAChromiumKeyLength &&
- key_params.rsa_params().pub_exp == kRSAChromiumPubExp) {
+ key_params.rsa_params().pub_exp == kRSAChromiumPubExp &&
+ !expires_ms) {
// Use Chromium identity generation code for its hardwired parameters (RSA,
// 1024, 0x10001). This generation code is preferred over WebRTC generation
// code due to the performance benefits of caching.
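Review bot: the added `!expires_ms` term in the condition means any caller that specifies an expiration skips the cached Chromium path, even for RSA 1024/0x10001, but the comment underneath still describes the path purely in terms of key parameters. Update that comment to say the cached path is taken only when no expiration is requested, so the loss of caching for explicit expirations is visible to the next reader.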
@@ -140,8 +143,18 @@ void PeerConnectionIdentityStore::RequestIdentity(
} else {
// Fall back on WebRTC identity generation code for everything else, e.g.
// RSA with any other parameters or ECDSA. These will not be cached.
- scoped_ptr<rtc::SSLIdentity> identity(rtc::SSLIdentity::Generate(
- kIdentityName, key_params));
+ scoped_ptr<rtc::SSLIdentity> identity;
+ if (!expires_ms) {
+ identity.reset(rtc::SSLIdentity::Generate(kIdentityName, key_params));
+ } else {
+ uint64_t expires_s = *expires_ms / 1000;
+ // Limit the expiration time to something reasonable (a year). This also
+ // ensures that the value is not too large for time_t.
hbos_chromium 2016/03/04 09:26:31 Spec: "a user agent may choose to limit the period
tommi (sloooow) - chröme 2016/03/04 09:55:40 Was there a discussion on what is reasonable or is
hbos_chromium 2016/03/04 12:24:11 Rather arbitrarily, could have chosen something el
+ if (expires_s > kYearInSeconds)
+ expires_s = kYearInSeconds;
+ identity.reset(rtc::SSLIdentity::Generate(
+ kIdentityName, key_params, static_cast<time_t>(expires_s)));
+ }
// Invoke |observer| callbacks asynchronously. The callbacks of
// DtlsIdentityStoreInterface implementations have to be async.
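Review bot: only the upper bound is checked in the new else branch. `uint64_t expires_s = *expires_ms / 1000;` truncates, so any expires_ms below 1000 (including 0) yields expires_s == 0 and that zero lifetime is passed straight to rtc::SSLIdentity::Generate. Decide what a zero or sub-second request should do (reject it, or raise it to a minimum lifetime) and handle it next to the `expires_s > kYearInSeconds` clamp, with a test covering both boundaries.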
