Description
Remove PeerConnectionIdentityStore and related messaging/storage code.
Motivation and Background:
This is the Chromium implementation of WebRTC's DtlsIdentityStoreInterface,
which allows generating/requesting identities/certificates to be used for the
DTLS handshake by a peer connection.
Originally, RSA-1024 was the only ciphersuite used and this store was optimized
for this by preemptively generating and caching. After certificate generation
was parameterized[1], RSA-2048 support mandated by spec and ECDSA P-256 being
the default certificate type[2], WebRTC crypto code[3] was updated to be
parameterized.
Due to the parameterization we wanted to move over to use the fully
parameterized WebRTC crypto code and stop maintaining two crypto paths. But
during the transition, when RSA-1024 was still the default, we wanted to take
advantage of the performance benefits of the PeerConnectionIdentityStore. The
compromise was an "if request to generate RSA-1024 use this code, else use
WebRTC crypto code". After having switched the default to ECDSA, performance was
no longer an issue and PeerConnectionIdentityStore was no longer used. (Note
that applications insisting on using RSA-1024 (not recommended, weaker) by
explicitly generating it with RTCPeerConnection.generateCertificate have the
ability to reuse certificates with persistent storage in IndexedDB[4] for
performance instead. For RSA-2048 this is what you'd have to do anyway, or
generate every time.)
After this change we will be able to remove DtlsIdentityStoreInterface in favor
of rtc::RTCCertificateGeneratorInterface, rtc::RTCCertificateGenerator being the
implementation used by default.
Changes:
- Remove PeerConnectionIdentityStore and classes specifically related to its
functionality. Remove related unittests and update gypi files.
- Update code to stop using WebRTCIdentityStore, WebRTCIdentityServiceHost and
WebRTCIdentityService.
- On startup, delete the SQL database files (after a 120s delay) for
WebRTCIdentityStore if present. These files are no longer created or
referenced, but a client upgrading might otherwise still have these files on
disk since earlier versions of Chrome.
[1] https://w3c.github.io/webrtc-pc/archives/20160125/webrtc.html#widl-RTCPeerConnection-generateCertificate-Promise-RTCCertificate--AlgorithmIdentifier-keygenAlgorithm
[2] https://w3c.github.io/webrtc-pc/archives/20160125/webrtc.html#sec.cert-mgmt
[3] By "WebRTC crypto code" I mean SSLIdentity::Generate and new API relying on
it, rtc::RTCCertificateGenerator / rtc::RTCCertificate.
[4] https://w3c.github.io/webrtc-pc/archives/20160125/webrtc.html#dictionary-rtcconfiguration-members
BUG=webrtc:5708, webrtc:5707
Committed: https://crrev.com/faf3baf7db0e031ffaacfa5cf18e0626ab1ed284
Cr-Commit-Position: refs/heads/master@{#403448}
Patch Set 1
Total comments: 2
Patch Set 2 : Rebase with master
Patch Set 3 : Removed webrtc_indetity from browser_protocol.json
Patch Set 4 : Rebase with master
Patch Set 5 : Delete WebRTCIdentityStore files on startup (browser_prefs.cc)
Total comments: 2
Patch Set 6 : Delete WebRTCIdentityStore DB on File thread
Total comments: 2
Patch Set 7 : Rebase with master
Patch Set 8 : Make it compile on WIN too with FILE_PATH_LITERAL
Patch Set 9 : Rebase with master again
Patch Set 10 : Correction: Post to FILE thread (was accidentally posting to IO thread)
Patch Set 11 : Delayed deletion by 120s
Messages
Total messages: 35 (12 generated)