Merge changes If71af5f7,Ic7861ac9 am: 3ea5fd2e am: b1dc01ec am: 56294e27

    },

}

cc_library_static {

    name: "libbinder_tls_test_utils",

    host_supported: true,

    target: {

        darwin: {

            enabled: false,

        },

    },

    defaults: [

        "binder_test_defaults",

        "libbinder_tls_shared_deps",

    ],

    shared_libs: [

        "libbinder",

        "libbase",

        "liblog",

    ],

    static_libs: [

        "libbinder_tls_static",

    ],

    srcs: [

        "RpcTlsTestUtils.cpp",

    ],

    export_include_dirs: [

        "include_tls_test_utils",

    ],

    visibility: [

        ":__subpackages__",

    ],

}

cc_test {

    name: "binderRpcTest",

    host_supported: true,

    srcs: [

        "binderRpcTest.cpp",

        "RpcAuthTesting.cpp",

        "RpcCertificateVerifierSimple.cpp",

    ],

    shared_libs: [

        "libbinder",

    ],

    static_libs: [

        "libbinder_tls_static",

        "libbinder_tls_test_utils",

        "binderRpcTestIface-cpp",

        "binderRpcTestIface-ndk",

    ],

        "libbinder_tls_shared_deps",

    ],

    srcs: [

        "RpcAuthTesting.cpp",

        "RpcTlsUtilsTest.cpp",

    ],

    shared_libs: [

        "liblog",

    ],

    static_libs: [

        "libbinder_tls_test_utils",

        "libbinder_tls_static",

    ],

    test_suites: ["general-tests", "device-tests"],

    srcs: [

        "binderRpcBenchmark.cpp",

        "IBinderRpcBenchmark.aidl",

        "RpcAuthTesting.cpp",

    ],

    shared_libs: [

        "libbase",

        "libutils",

    ],

    static_libs: [

        "libbinder_tls_test_utils",

        "libbinder_tls_static",

    ],

}

/*

 * Copyright (C) 2021 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#pragma once

#include <binder/RpcAuth.h>

namespace android {

constexpr const uint32_t kCertValidSeconds = 30 * (60 * 60 * 24); // 30 days

bssl::UniquePtr<EVP_PKEY> makeKeyPairForSelfSignedCert();

bssl::UniquePtr<X509> makeSelfSignedCert(EVP_PKEY* pKey, uint32_t validSeconds);

// An implementation of RpcAuth that generates a key pair and a self-signed

// certificate every time configure() is called.

class RpcAuthSelfSigned : public RpcAuth {

public:

    RpcAuthSelfSigned(uint32_t validSeconds = kCertValidSeconds) : mValidSeconds(validSeconds) {}

    status_t configure(SSL_CTX* ctx) override;

private:

    const uint32_t mValidSeconds;

};

class RpcAuthPreSigned : public RpcAuth {

public:

    RpcAuthPreSigned(bssl::UniquePtr<EVP_PKEY> pkey, bssl::UniquePtr<X509> cert)

          : mPkey(std::move(pkey)), mCert(std::move(cert)) {}

    status_t configure(SSL_CTX* ctx) override;

private:

    bssl::UniquePtr<EVP_PKEY> mPkey;

    bssl::UniquePtr<X509> mCert;

};

} // namespace android

/*

 * Copyright (C) 2021 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#define LOG_TAG "RpcCertificateVerifierSimple"

#include <log/log.h>

#include <binder/RpcTlsUtils.h>

#include "RpcCertificateVerifierSimple.h"

namespace android {

status_t RpcCertificateVerifierSimple::verify(const SSL* ssl, uint8_t* outAlert) {

    const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client";

    bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue

    LOG_ALWAYS_FATAL_IF(peerCert == nullptr,

                        "%s: libssl should not ask to verify non-existing cert", logPrefix);

    std::lock_guard<std::mutex> lock(mMutex);

    for (const auto& trustedCert : mTrustedPeerCertificates) {

        if (0 == X509_cmp(trustedCert.get(), peerCert.get())) {

            return OK;

        }

    }

    *outAlert = SSL_AD_CERTIFICATE_UNKNOWN;

    return PERMISSION_DENIED;

}

status_t RpcCertificateVerifierSimple::addTrustedPeerCertificate(RpcCertificateFormat format,

                                                                 const std::vector<uint8_t>& cert) {

    bssl::UniquePtr<X509> x509 = deserializeCertificate(cert, format);

    if (x509 == nullptr) {

        ALOGE("Certificate is not in the proper format %s", PrintToString(format).c_str());

        return BAD_VALUE;

    }

    std::lock_guard<std::mutex> lock(mMutex);

    mTrustedPeerCertificates.push_back(std::move(x509));

    return OK;

}

} // namespace android

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include "RpcAuthTesting.h"

#define LOG_TAG "RpcTlsTestUtils"

#include <log/log.h>

#include <binder/RpcTlsTestUtils.h>

#include <binder/RpcTlsUtils.h>

#include "../Utils.h" // for TEST_AND_RETURN

namespace android {

    return OK;

}

status_t RpcCertificateVerifierSimple::verify(const SSL* ssl, uint8_t* outAlert) {

    const char* logPrefix = SSL_is_server(ssl) ? "Server" : "Client";

    bssl::UniquePtr<X509> peerCert(SSL_get_peer_certificate(ssl)); // Does not set error queue

    LOG_ALWAYS_FATAL_IF(peerCert == nullptr,

                        "%s: libssl should not ask to verify non-existing cert", logPrefix);

    std::lock_guard<std::mutex> lock(mMutex);

    for (const auto& trustedCert : mTrustedPeerCertificates) {

        if (0 == X509_cmp(trustedCert.get(), peerCert.get())) {

            return OK;

        }

    }

    *outAlert = SSL_AD_CERTIFICATE_UNKNOWN;

    return PERMISSION_DENIED;

}

status_t RpcCertificateVerifierSimple::addTrustedPeerCertificate(RpcCertificateFormat format,

                                                                 const std::vector<uint8_t>& cert) {

    bssl::UniquePtr<X509> x509 = deserializeCertificate(cert, format);

    if (x509 == nullptr) {

        ALOGE("Certificate is not in the proper format %s", PrintToString(format).c_str());

        return BAD_VALUE;

    }

    std::lock_guard<std::mutex> lock(mMutex);

    mTrustedPeerCertificates.push_back(std::move(x509));

    return OK;

}

} // namespace android

 * limitations under the License.

 */

#include <binder/RpcTlsTestUtils.h>

#include <binder/RpcTlsUtils.h>

#include <gtest/gtest.h>

#include "RpcAuthTesting.h"

namespace android {

std::string toDebugString(EVP_PKEY* pkey) {