| -rw-r--r-- | libs/binder/RpcTransportTls.cpp | 10 | ||||
| -rw-r--r-- | libs/binder/include/binder/RpcCertificateVerifier.h | 32 | ||||
| -rw-r--r-- | libs/binder/include_tls/binder/RpcTransportTls.h | 8 | ||||
| -rw-r--r-- | libs/binder/tests/Android.bp | 1 | ||||
| -rw-r--r-- | libs/binder/tests/RpcCertificateVerifierSimple.cpp | 28 | ||||
| -rw-r--r-- | libs/binder/tests/RpcCertificateVerifierSimple.h | 29 | ||||
| -rw-r--r-- | libs/binder/tests/binderRpcTest.cpp | 13 |
7 files changed, 114 insertions, 7 deletions
diff --git a/libs/binder/RpcTransportTls.cpp b/libs/binder/RpcTransportTls.cpp
index 834c929ef4..bcf3254781 100644
--- a/libs/binder/RpcTransportTls.cpp
+++ b/libs/binder/RpcTransportTls.cpp
@@ -537,8 +537,14 @@ const char* RpcTransportCtxFactoryTls::toCString() const {
 return "tls";
 }
 
-std::unique_ptr<RpcTransportCtxFactory> RpcTransportCtxFactoryTls::make() {
- return std::unique_ptr<RpcTransportCtxFactoryTls>(new RpcTransportCtxFactoryTls());
+std::unique_ptr<RpcTransportCtxFactory> RpcTransportCtxFactoryTls::make(
+ std::shared_ptr<RpcCertificateVerifier> verifier) {
+ if (verifier == nullptr) {
+ ALOGE("%s: Must provide a certificate verifier", __PRETTY_FUNCTION__);
+ return nullptr;
+ }
+ return std::unique_ptr<RpcTransportCtxFactoryTls>(
+ new RpcTransportCtxFactoryTls(std::move(verifier)));
 }
 
 } // namespace android
diff --git a/libs/binder/include/binder/RpcCertificateVerifier.h b/libs/binder/include/binder/RpcCertificateVerifier.h
new file mode 100644
index 0000000000..97af31cea1
--- /dev/null
+++ b/libs/binder/include/binder/RpcCertificateVerifier.h
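Review bot: The verifier handed to `make()` is stored, but the diffstat lists only 10 changed lines for RpcTransportTls.cpp and this hunk accounts for all of them, so `newServerCtx()`/`newClientCtx()` presumably do not yet consult `mCertVerifier` during the handshake. A caller reading the new signature could reasonably assume peer certificates are now being checked. I would add a comment above `make()` such as `// NOTE: |verifier| is stored but not yet invoked during the TLS handshake; peer certificates are not checked until it is wired into the custom verify callback.` The null-verifier branch failing closed with `nullptr` is the right default, but it means every caller must now check the returned pointer before using it.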
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <openssl/ssl.h>
+#include <utils/Errors.h>
+
+namespace android {
+
+// An interface with a function that verifies a peer certificate. It is a wrapper over the custom
+// verify function (see SSL_CTX_set_custom_verify).
+class RpcCertificateVerifier {
+public:
+ virtual ~RpcCertificateVerifier() = default;
+ virtual status_t verify(const X509* peerCert, uint8_t* outAlert) = 0;
+};
+
+} // namespace android
diff --git a/libs/binder/include_tls/binder/RpcTransportTls.h b/libs/binder/include_tls/binder/RpcTransportTls.h
index 531aaa9b64..f26a3e95f5 100644
--- a/libs/binder/include_tls/binder/RpcTransportTls.h
+++ b/libs/binder/include_tls/binder/RpcTransportTls.h
@@ -18,6 +18,7 @@
 
 #pragma once
 
+#include <binder/RpcCertificateVerifier.h>
 #include <binder/RpcTransport.h>
 
 namespace android {
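Review bot: `RpcCertificateVerifier::verify()` is declared without stating its contract, which for a certificate check is the part an implementer most needs. The class comment should say which return values accept the peer (presumably only `OK`, with every other `status_t` failing the handshake), whether `peerCert` may be null, and that `outAlert` is expected to be set to a TLS alert when the certificate is rejected. Because the factory holds the verifier in a `std::shared_ptr`, it is also worth stating whether `verify()` may be called concurrently from several connections. The header uses `uint8_t` but includes only `<openssl/ssl.h>` and `<utils/Errors.h>`; adding `#include <cstdint>` would avoid relying on a transitive include.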
@@ -25,14 +26,17 @@ namespace android {
 // RpcTransportCtxFactory with TLS enabled with self-signed certificate.
 class RpcTransportCtxFactoryTls : public RpcTransportCtxFactory {
 public:
- static std::unique_ptr<RpcTransportCtxFactory> make();
+ static std::unique_ptr<RpcTransportCtxFactory> make(std::shared_ptr<RpcCertificateVerifier>);
 
 std::unique_ptr<RpcTransportCtx> newServerCtx() const override;
 std::unique_ptr<RpcTransportCtx> newClientCtx() const override;
 const char* toCString() const override;
 
 private:
- RpcTransportCtxFactoryTls() = default;
+ RpcTransportCtxFactoryTls(std::shared_ptr<RpcCertificateVerifier> verifier)
+ : mCertVerifier(std::move(verifier)){};
+
+ std::shared_ptr<RpcCertificateVerifier> mCertVerifier;
 };
 
 } // namespace android
diff --git a/libs/binder/tests/Android.bp b/libs/binder/tests/Android.bp
index 13ea8272e2..a9bc15d5b3 100644
--- a/libs/binder/tests/Android.bp
+++ b/libs/binder/tests/Android.bp
@@ -150,6 +150,7 @@ cc_test {
 
 srcs: [
 "binderRpcTest.cpp",
+ "RpcCertificateVerifierSimple.cpp",
 ],
 shared_libs: [
 "libbinder",
diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.cpp b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
new file mode 100644
index 0000000000..68e7c6567c
--- /dev/null
+++ b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
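Review bot: The new private constructor takes a single argument without being marked `explicit`, and its body ends in a stray semicolon (`{};`). I would write it as `explicit RpcTransportCtxFactoryTls(std::shared_ptr<RpcCertificateVerifier> verifier)` followed by `: mCertVerifier(std::move(verifier)) {}`. The `make()` declaration also leaves its parameter unnamed and does not say that a null verifier yields `nullptr`; a one-line comment such as `// Returns nullptr if |verifier| is null.` would make that failure mode visible to callers. The header names `std::shared_ptr` without including `<memory>`, which presumably arrives through `binder/RpcTransport.h`.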
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define LOG_TAG "RpcCertificateVerifierSimple"
+#include <log/log.h>
+
+#include "RpcCertificateVerifierSimple.h"
+
+namespace android {
+
+status_t RpcCertificateVerifierSimple::verify(const X509*, uint8_t*) {
+ // TODO(b/195166979): implement this
+ return OK;
+}
+
+} // namespace android
diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.h b/libs/binder/tests/RpcCertificateVerifierSimple.h
new file mode 100644
index 0000000000..aff5c7cae5
--- /dev/null
+++ b/libs/binder/tests/RpcCertificateVerifierSimple.h
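Review bot: `RpcCertificateVerifierSimple::verify()` returns `OK` for every certificate and never writes `outAlert`, yet neither the class name nor the comment in RpcCertificateVerifierSimple.h ("A simple certificate verifier for testing.") says that it accepts any peer. I would put `// Accepts every peer certificate without inspecting it. Test-only; must not be used outside tests.` above the definition here and on the class declaration in the header, so the behaviour is obvious if the file is ever copied or linked elsewhere. Until the TODO is resolved, the TLS-parameterised tests exercise the handshake but never a certificate rejection. `LOG_TAG` and `<log/log.h>` are unused in the file as shown.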
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <binder/RpcCertificateVerifier.h>
+
+namespace android {
+
+// A simple certificate verifier for testing.
+class RpcCertificateVerifierSimple : public RpcCertificateVerifier {
+public:
+ status_t verify(const X509*, uint8_t*) override;
+};
+
+} // namespace android
diff --git a/libs/binder/tests/binderRpcTest.cpp b/libs/binder/tests/binderRpcTest.cpp
index 7c405d3541..8a03de22a9 100644
--- a/libs/binder/tests/binderRpcTest.cpp
+++ b/libs/binder/tests/binderRpcTest.cpp
@@ -46,6 +46,7 @@
 #include "../RpcSocketAddress.h" // for testing preconnected clients
 #include "../RpcState.h" // for debugging
 #include "../vm_sockets.h" // for VMADDR_*
+#include "RpcCertificateVerifierSimple.h"
 
 using namespace std::chrono_literals;
 
@@ -61,12 +62,18 @@ static inline std::vector<RpcSecurity> RpcSecurityValues() {
 return {RpcSecurity::RAW, RpcSecurity::TLS};
 }
 
-static inline std::unique_ptr<RpcTransportCtxFactory> newFactory(RpcSecurity rpcSecurity) {
+static inline std::unique_ptr<RpcTransportCtxFactory> newFactory(
+ RpcSecurity rpcSecurity, std::shared_ptr<RpcCertificateVerifier> verifier = nullptr) {
 switch (rpcSecurity) {
 case RpcSecurity::RAW:
 return RpcTransportCtxFactoryRaw::make();
- case RpcSecurity::TLS:
- return RpcTransportCtxFactoryTls::make();
+ case RpcSecurity::TLS: {
+ // TODO(b/198833574): exchange keys and set proper verifier
+ if (verifier == nullptr) {
+ verifier = std::make_shared<RpcCertificateVerifierSimple>();
+ }
+ return RpcTransportCtxFactoryTls::make(std::move(verifier));
+ }
 default:
 LOG_ALWAYS_FATAL("Unknown RpcSecurity %d", rpcSecurity);
 }
|
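Review bot: Because `verifier` defaults to `nullptr` and `newFactory()` then substitutes `RpcCertificateVerifierSimple`, nothing in this hunk ever reaches the new null-verifier branch of `RpcTransportCtxFactoryTls::make()`. A direct assertion such as `EXPECT_EQ(nullptr, RpcTransportCtxFactoryTls::make(nullptr));` would pin that fail-closed behaviour. I would also extend the TODO in the TLS case with `// Falls back to a verifier that accepts every certificate.` so a reader does not mistake the default for real verification. The closing brace of `newFactory()` lies outside the hunk.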