binder: implement simple TLS verification for testing
Implements RpcCertificateVerifierSimple with an algorithm
that treats all certificates as leaf certificates.
Fix existing tests to set certificates properly. Also
add a test that checks that bad certificates are rejected.
Also adds RpcCertificateUtils that includes functions for
(de)serializing certificates. These util functions are useful
for implementing RpcCertificateVerifier.
Test: binderRpcTest
Bug: 195166979
Fixes: 196422181
Fixes: 198833574
Change-Id: I6c1f0f88fe5bc712f3890426d6da26c9ad046d79
diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.cpp b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
index 68e7c65..0cf0e1c 100644
--- a/libs/binder/tests/RpcCertificateVerifierSimple.cpp
+++ b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
@@ -16,12 +16,32 @@
#define LOG_TAG "RpcCertificateVerifierSimple"
#include <log/log.h>
+#include <binder/RpcCertificateUtils.h>
+
#include "RpcCertificateVerifierSimple.h"
namespace android {
-status_t RpcCertificateVerifierSimple::verify(const X509*, uint8_t*) {
- // TODO(b/195166979): implement this
+status_t RpcCertificateVerifierSimple::verify(const X509* peerCert, uint8_t* outAlert) {
+ std::lock_guard<std::mutex> lock(mMutex);
+ for (const auto& trustedCert : mTrustedPeerCertificates) {
+ if (0 == X509_cmp(trustedCert.get(), peerCert)) {
+ return OK;
+ }
+ }
+ *outAlert = SSL_AD_CERTIFICATE_UNKNOWN;
+ return PERMISSION_DENIED;
+}
+
+status_t RpcCertificateVerifierSimple::addTrustedPeerCertificate(CertificateFormat format,
+ const std::vector<uint8_t>& cert) {
+ bssl::UniquePtr<X509> x509 = deserializeCertificate(cert, format);
+ if (x509 == nullptr) {
+ ALOGE("Certificate is not in the proper format %s", PrintToString(format).c_str());
+ return BAD_VALUE;
+ }
+ std::lock_guard<std::mutex> lock(mMutex);
+ mTrustedPeerCertificates.push_back(std::move(x509));
return OK;
}
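Review bot: `verify()` has no comment stating its trust model, and the only check visible in the loop is `X509_cmp` equality against `mTrustedPeerCertificates`, with no chain building, validity-period or revocation check. I would add above the function something like `// Test-only pinning: accepts the peer only if its certificate equals one added via addTrustedPeerCertificate(); no chain, expiry or revocation checks.` so the class is not reused outside tests on the assumption that it validates fully. Separately, `peerCert` is handed to `X509_cmp` and `outAlert` is written without a null check. Whether the caller can pass a null peer certificate is not visible in this hunk; if it can, a guard such as `if (peerCert == nullptr) { *outAlert = SSL_AD_CERTIFICATE_UNKNOWN; return PERMISSION_DENIED; }` before taking the lock keeps the rejection fail-closed instead of crashing.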