binder: RpcCertificateVerifier takes SSL pointer.
This allows the implementation to get the certificate
chain from the SSL connection as well, if necessary.
Test: binderRpcTest
Bug: 195166979
Change-Id: I87ca34d09217f958fe014b963ef41e4821ffe743
diff --git a/libs/binder/Android.bp b/libs/binder/Android.bp
index 91f9615..6cb45ca 100644
--- a/libs/binder/Android.bp
+++ b/libs/binder/Android.bp
@@ -256,6 +256,9 @@
export_header_lib_headers: [
"libbinder_headers",
],
+ export_shared_lib_headers: [
+ "libssl",
+ ],
export_include_dirs: ["include_tls"],
static_libs: [
"libbase",
diff --git a/libs/binder/RpcTransportTls.cpp b/libs/binder/RpcTransportTls.cpp
index e55da77..8c066ee 100644
--- a/libs/binder/RpcTransportTls.cpp
+++ b/libs/binder/RpcTransportTls.cpp
@@ -460,17 +460,13 @@
LOG_ALWAYS_FATAL_IF(outAlert == nullptr);
const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client";
- bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue
- LOG_ALWAYS_FATAL_IF(peerCert == nullptr,
- "%s: libssl should not ask to verify non-existing cert", logPrefix);
-
auto ctx = SSL_get_SSL_CTX(ssl); // Does not set error queue
LOG_ALWAYS_FATAL_IF(ctx == nullptr);
// void* -> RpcTransportCtxTls*
auto rpcTransportCtxTls = reinterpret_cast<RpcTransportCtxTls*>(SSL_CTX_get_app_data(ctx));
LOG_ALWAYS_FATAL_IF(rpcTransportCtxTls == nullptr);
- status_t verifyStatus = rpcTransportCtxTls->mCertVerifier->verify(peerCert.get(), outAlert);
+ status_t verifyStatus = rpcTransportCtxTls->mCertVerifier->verify(ssl, outAlert);
if (verifyStatus == OK) {
return ssl_verify_ok;
}
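Review bot: Removing the LOG_ALWAYS_FATAL_IF on a null peer certificate moves that check into every RpcCertificateVerifier implementation, but nothing at the `verify(ssl, outAlert)` call site says so, and an implementation that dereferences the result of SSL_get_peer_certificate without a null check would now crash inside the handshake path instead of failing cleanly. I would add above the call: `// The verifier owns the missing-peer-cert case and should return NO_INIT for it (see RpcCertificateVerifier.h); do not assume a certificate is present.` Whether libssl can actually reach this callback with no peer certificate depends on the verify mode configured elsewhere, which is not visible in this hunk. The enclosing callback starts before and ends after this hunk.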
diff --git a/libs/binder/include_tls/binder/RpcCertificateVerifier.h b/libs/binder/include_tls/binder/RpcCertificateVerifier.h
index 97af31c..800e375 100644
--- a/libs/binder/include_tls/binder/RpcCertificateVerifier.h
+++ b/libs/binder/include_tls/binder/RpcCertificateVerifier.h
@@ -26,7 +26,18 @@
class RpcCertificateVerifier {
public:
virtual ~RpcCertificateVerifier() = default;
- virtual status_t verify(const X509* peerCert, uint8_t* outAlert) = 0;
+
+ // The implementation may use the following function to get
+ // the peer certificate and chain:
+ // - SSL_get_peer_certificate
+ // - SSL_get_peer_cert_chain
+ // - SSL_get_peer_full_cert_chain
+ //
+ // The implementation should return OK on success or error codes on error. For example:
+ // - PERMISSION_DENIED for rejected certificates
+ // - NO_INIT for not presenting a certificate when requested
+ // - UNKNOWN_ERROR for other errors
+ virtual status_t verify(const SSL* ssl, uint8_t* outAlert) = 0;
};
} // namespace android
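Review bot: The new comment on `verify` lists the accessors an implementation may call but says nothing about ownership, which differs between them: SSL_get_peer_certificate returns a new reference the caller must free (the test implementation in this change wraps it in bssl::UniquePtr<X509>), whereas the chain accessors return pointers owned by the SSL object that must not be freed. It also leaves `outAlert` and the lifetime of `ssl` undocumented. I would extend the comment with `// SSL_get_peer_certificate returns a new reference (free it, e.g. via bssl::UniquePtr<X509>); the *_cert_chain accessors return SSL-owned pointers.` and `// outAlert is non-null; the ssl pointer should not be retained after this call returns.` The alert description is inferred from the non-null check in the RpcTransportTls.cpp callback, whose use of the value lies outside the hunk, so please confirm the intended semantics.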
diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.cpp b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
index da98f59..1f74adc 100644
--- a/libs/binder/tests/RpcCertificateVerifierSimple.cpp
+++ b/libs/binder/tests/RpcCertificateVerifierSimple.cpp
@@ -22,10 +22,15 @@
namespace android {
-status_t RpcCertificateVerifierSimple::verify(const X509* peerCert, uint8_t* outAlert) {
+status_t RpcCertificateVerifierSimple::verify(const SSL* ssl, uint8_t* outAlert) {
+ const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client";
+ bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue
+ LOG_ALWAYS_FATAL_IF(peerCert == nullptr,
+ "%s: libssl should not ask to verify non-existing cert", logPrefix);
+
std::lock_guard<std::mutex> lock(mMutex);
for (const auto& trustedCert : mTrustedPeerCertificates) {
- if (0 == X509_cmp(trustedCert.get(), peerCert)) {
+ if (0 == X509_cmp(trustedCert.get(), peerCert.get())) {
return OK;
}
}
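Review bot: The added lines abort the process via LOG_ALWAYS_FATAL_IF when SSL_get_peer_certificate returns null, while the interface comment added to RpcCertificateVerifier.h in this same change says an implementation should return NO_INIT when the peer presents no certificate; the two disagree, and since the verifier is now the component responsible for that case, this is the place to honour it. I would replace the fatal with `if (peerCert == nullptr) return NO_INIT;` so a peer that omits its certificate fails the handshake rather than terminating the process (with a log line under `logPrefix` if useful). Whether libssl can reach this callback without a peer certificate depends on the verify mode set elsewhere, which I cannot see here. verify's body continues past the end of the hunk.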
diff --git a/libs/binder/tests/RpcCertificateVerifierSimple.h b/libs/binder/tests/RpcCertificateVerifierSimple.h
index 1f2e531..bdb2426 100644
--- a/libs/binder/tests/RpcCertificateVerifierSimple.h
+++ b/libs/binder/tests/RpcCertificateVerifierSimple.h
@@ -35,7 +35,7 @@
// certificate being added.
class RpcCertificateVerifierSimple : public RpcCertificateVerifier {
public:
- status_t verify(const X509*, uint8_t*) override;
+ status_t verify(const SSL*, uint8_t*) override;
// Add a trusted peer certificate. Peers presenting this certificate are accepted.
//