binder: abstract out key/cert config
This change allows certificates and keys to be configured in
a custom way.
Bug: 199344157
Fixes: 200195645
Test: pass
Change-Id: I7b88f21652142fd78e99bc5352f1e78000ca050f
diff --git a/libs/binder/RpcTransportTls.cpp b/libs/binder/RpcTransportTls.cpp
index 8c066ee..f8cd71d 100644
--- a/libs/binder/RpcTransportTls.cpp
+++ b/libs/binder/RpcTransportTls.cpp
@@ -44,8 +44,6 @@
namespace android {
namespace {
-constexpr const int kCertValidDays = 30;
-
// Implement BIO for socket that ignores SIGPIPE.
int socketNew(BIO* bio) {
BIO_set_data(bio, reinterpret_cast<void*>(-1));
@@ -100,49 +98,6 @@
return ret;
}
-bssl::UniquePtr<EVP_PKEY> makeKeyPairForSelfSignedCert() {
- bssl::UniquePtr<EC_KEY> ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
- if (ec_key == nullptr || !EC_KEY_generate_key(ec_key.get())) {
- ALOGE("Failed to generate key pair.");
- return nullptr;
- }
- bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_PKEY_new());
- // Use set1 instead of assign to avoid leaking ec_key when assign fails. set1 increments
- // the refcount of the ec_key, so it is okay to release it at the end of this function.
- if (evp_pkey == nullptr || !EVP_PKEY_set1_EC_KEY(evp_pkey.get(), ec_key.get())) {
- ALOGE("Failed to assign key pair.");
- return nullptr;
- }
- return evp_pkey;
-}
-
-bssl::UniquePtr<X509> makeSelfSignedCert(EVP_PKEY* evp_pkey, const int valid_days) {
- bssl::UniquePtr<X509> x509(X509_new());
- bssl::UniquePtr<BIGNUM> serial(BN_new());
- bssl::UniquePtr<BIGNUM> serialLimit(BN_new());
- TEST_AND_RETURN(nullptr, BN_lshift(serialLimit.get(), BN_value_one(), 128));
- TEST_AND_RETURN(nullptr, BN_rand_range(serial.get(), serialLimit.get()));
- TEST_AND_RETURN(nullptr, BN_to_ASN1_INTEGER(serial.get(), X509_get_serialNumber(x509.get())));
- TEST_AND_RETURN(nullptr, X509_gmtime_adj(X509_getm_notBefore(x509.get()), 0));
- TEST_AND_RETURN(nullptr,
- X509_gmtime_adj(X509_getm_notAfter(x509.get()), 60 * 60 * 24 * valid_days));
-
- X509_NAME* subject = X509_get_subject_name(x509.get());
- TEST_AND_RETURN(nullptr,
- X509_NAME_add_entry_by_txt(subject, "O", MBSTRING_ASC,
- reinterpret_cast<const uint8_t*>("Android"), -1, -1,
- 0));
- TEST_AND_RETURN(nullptr,
- X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC,
- reinterpret_cast<const uint8_t*>("BinderRPC"), -1,
- -1, 0));
- TEST_AND_RETURN(nullptr, X509_set_issuer_name(x509.get(), subject));
-
- TEST_AND_RETURN(nullptr, X509_set_pubkey(x509.get(), evp_pkey));
- TEST_AND_RETURN(nullptr, X509_sign(x509.get(), evp_pkey, EVP_sha256()));
- return x509;
-}
-
[[maybe_unused]] void sslDebugLog(const SSL* ssl, int type, int value) {
switch (type) {
case SSL_CB_HANDSHAKE_START:
@@ -437,7 +392,7 @@
template <typename Impl,
typename = std::enable_if_t<std::is_base_of_v<RpcTransportCtxTls, Impl>>>
static std::unique_ptr<RpcTransportCtxTls> create(
- std::shared_ptr<RpcCertificateVerifier> verifier);
+ std::shared_ptr<RpcCertificateVerifier> verifier, RpcAuth* auth);
std::unique_ptr<RpcTransport> newTransport(android::base::unique_fd fd,
FdTrigger* fdTrigger) const override;
std::vector<uint8_t> getCertificate(RpcCertificateFormat) const override;
@@ -479,16 +434,15 @@
// provided as a template argument so that this function can initialize an |Impl| object.
template <typename Impl, typename>
std::unique_ptr<RpcTransportCtxTls> RpcTransportCtxTls::create(
- std::shared_ptr<RpcCertificateVerifier> verifier) {
+ std::shared_ptr<RpcCertificateVerifier> verifier, RpcAuth* auth) {
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
TEST_AND_RETURN(nullptr, ctx != nullptr);
- auto evp_pkey = makeKeyPairForSelfSignedCert();
- TEST_AND_RETURN(nullptr, evp_pkey != nullptr);
- auto cert = makeSelfSignedCert(evp_pkey.get(), kCertValidDays);
- TEST_AND_RETURN(nullptr, cert != nullptr);
- TEST_AND_RETURN(nullptr, SSL_CTX_use_PrivateKey(ctx.get(), evp_pkey.get()));
- TEST_AND_RETURN(nullptr, SSL_CTX_use_certificate(ctx.get(), cert.get()));
+ if (status_t authStatus = auth->configure(ctx.get()); authStatus != OK) {
+ ALOGE("%s: Failed to configure auth info: %s", __PRETTY_FUNCTION__,
+ statusToString(authStatus).c_str());
+ return nullptr;
+ };
// Enable two-way authentication by setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT on server.
// Client ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag.
@@ -538,11 +492,13 @@
} // namespace
std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newServerCtx() const {
- return android::RpcTransportCtxTls::create<RpcTransportCtxTlsServer>(mCertVerifier);
+ return android::RpcTransportCtxTls::create<RpcTransportCtxTlsServer>(mCertVerifier,
+ mAuth.get());
}
std::unique_ptr<RpcTransportCtx> RpcTransportCtxFactoryTls::newClientCtx() const {
- return android::RpcTransportCtxTls::create<RpcTransportCtxTlsClient>(mCertVerifier);
+ return android::RpcTransportCtxTls::create<RpcTransportCtxTlsClient>(mCertVerifier,
+ mAuth.get());
}
const char* RpcTransportCtxFactoryTls::toCString() const {
@@ -550,13 +506,17 @@
}
std::unique_ptr<RpcTransportCtxFactory> RpcTransportCtxFactoryTls::make(
- std::shared_ptr<RpcCertificateVerifier> verifier) {
+ std::shared_ptr<RpcCertificateVerifier> verifier, std::unique_ptr<RpcAuth> auth) {
if (verifier == nullptr) {
ALOGE("%s: Must provide a certificate verifier", __PRETTY_FUNCTION__);
return nullptr;
}
+ if (auth == nullptr) {
+ ALOGE("%s: Must provide an auth provider", __PRETTY_FUNCTION__);
+ return nullptr;
+ }
return std::unique_ptr<RpcTransportCtxFactoryTls>(
- new RpcTransportCtxFactoryTls(std::move(verifier)));
+ new RpcTransportCtxFactoryTls(std::move(verifier), std::move(auth)));
}
} // namespace android