Apple Network Framework SecItem

.github/workflows/ci.yml

@@ -168,6 +168,15 @@ jobs:
         python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
         chmod a+x builder
         ./builder build -p ${{ env.PACKAGE_NAME }} --cmake-extra=${{ matrix.eventloop }}
+
+  macos-secitem:
+    runs-on: macos-14 # latest
+    steps:
+    - name: Build ${{ env.PACKAGE_NAME }} + consumers
+      run: |
+        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+        chmod a+x builder
+        ./builder build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-DAWS_USE_APPLE_NETWORK_FRAMEWORK=ON --cmake-extra=-DAWS_USE_SECITEM=ON
 
   macos-x64:
     runs-on: macos-14-large # latest

CMakeLists.txt

@@ -124,8 +124,8 @@ elseif (APPLE)
         list(APPEND EVENT_LOOP_DEFINES "DISPATCH_QUEUE")
     endif ()
 
-    # Enable KQUEUE on MacOS 
-    if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+    # Enable KQUEUE on MacOS only if AWS_USE_SECITEM is not declared. SecItem requires Dispatch Queue.
+    if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin" AND NOT DEFINED AWS_USE_SECITEM)
         list(APPEND EVENT_LOOP_DEFINES "KQUEUE")
     endif()
 
@@ -198,6 +198,10 @@ foreach(EVENT_LOOP_DEFINE IN LISTS EVENT_LOOP_DEFINES)
     target_compile_definitions(${PROJECT_NAME} PUBLIC "-DAWS_ENABLE_${EVENT_LOOP_DEFINE}")
 endforeach()
 
+if (AWS_USE_SECITEM)
+    target_compile_definitions(${PROJECT_NAME} PUBLIC "-DAWS_USE_SECITEM")
+endif()
+
 if (BYO_CRYPTO)
     target_compile_definitions(${PROJECT_NAME} PUBLIC "-DBYO_CRYPTO")
 endif()

include/aws/io/channel_bootstrap.h

@@ -214,6 +214,7 @@ struct aws_server_socket_channel_bootstrap_options {
     aws_server_bootstrap_on_accept_channel_shutdown_fn *shutdown_callback;
     aws_server_bootstrap_on_server_listener_destroy_fn *destroy_callback;
     bool enable_read_back_pressure;
+    struct aws_event_loop *requested_event_loop;
     void *user_data;
 };
 

include/aws/io/io.h

@@ -102,13 +102,6 @@ enum aws_io_errors {
     AWS_IO_CHANNEL_READ_WOULD_EXCEED_WINDOW,
     AWS_IO_EVENT_LOOP_ALREADY_ASSIGNED,
     AWS_IO_EVENT_LOOP_SHUTDOWN,
-    AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE,
-    AWS_IO_TLS_ERROR_NOT_NEGOTIATED,
-    AWS_IO_TLS_ERROR_WRITE_FAILURE,
-    AWS_IO_TLS_ERROR_ALERT_RECEIVED,
-    AWS_IO_TLS_CTX_ERROR,
-    AWS_IO_TLS_VERSION_UNSUPPORTED,
-    AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED,
     AWS_IO_MISSING_ALPN_MESSAGE,
     AWS_IO_UNHANDLED_ALPN_PROTOCOL_MESSAGE,
     AWS_IO_FILE_VALIDATION_FAILURE,
@@ -140,12 +133,35 @@ enum aws_io_errors {
     DEPRECATED_AWS_IO_INVALID_FILE_HANDLE,
     AWS_IO_SHARED_LIBRARY_LOAD_FAILURE,
     AWS_IO_SHARED_LIBRARY_FIND_SYMBOL_FAILURE,
-    AWS_IO_TLS_NEGOTIATION_TIMEOUT,
-    AWS_IO_TLS_ALERT_NOT_GRACEFUL,
     AWS_IO_MAX_RETRIES_EXCEEDED,
     AWS_IO_RETRY_PERMISSION_DENIED,
+
+    AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE,
+    AWS_IO_TLS_ERROR_NOT_NEGOTIATED,
+    AWS_IO_TLS_ERROR_WRITE_FAILURE,
+    AWS_IO_TLS_ERROR_ALERT_RECEIVED,
+    AWS_IO_TLS_CTX_ERROR,
+    AWS_IO_TLS_VERSION_UNSUPPORTED,
+    AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED,
+    AWS_IO_TLS_NEGOTIATION_TIMEOUT,
+    AWS_IO_TLS_ALERT_NOT_GRACEFUL,
     AWS_IO_TLS_DIGEST_ALGORITHM_UNSUPPORTED,
     AWS_IO_TLS_SIGNATURE_ALGORITHM_UNSUPPORTED,
+    AWS_IO_TLS_ERROR_READ_FAILURE,
+    AWS_IO_TLS_UNKNOWN_ROOT_CERTIFICATE,
+    AWS_IO_TLS_NO_ROOT_CERTIFICATE_FOUND,
+    AWS_IO_TLS_CERTIFICATE_EXPIRED,
+    AWS_IO_TLS_CERTIFICATE_NOT_YET_VALID,
+    AWS_IO_TLS_BAD_CERTIFICATE,
+    AWS_IO_TLS_PEER_CERTIFICATE_EXPIRED,
+    AWS_IO_TLS_BAD_PEER_CERTIFICATE,
+    AWS_IO_TLS_PEER_CERTIFICATE_REVOKED,
+    AWS_IO_TLS_PEER_CERTIFICATE_UNKNOWN,
+    AWS_IO_TLS_INTERNAL_ERROR,
+    AWS_IO_TLS_CLOSED_GRACEFUL,
+    AWS_IO_TLS_CLOSED_ABORT,
+    AWS_IO_TLS_INVALID_CERTIFICATE_CHAIN,
+    AWS_IO_TLS_HOST_NAME_MISSMATCH,
 
     AWS_ERROR_PKCS11_VERSION_UNSUPPORTED,
     AWS_ERROR_PKCS11_TOKEN_NOT_FOUND,
@@ -258,8 +274,6 @@ enum aws_io_errors {
     AWS_IO_STREAM_SEEK_UNSUPPORTED,
     AWS_IO_STREAM_GET_LENGTH_UNSUPPORTED,
 
-    AWS_IO_TLS_ERROR_READ_FAILURE,
-
     AWS_ERROR_PEM_MALFORMED,
 
     AWS_IO_ERROR_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_IO_PACKAGE_ID),

include/aws/io/private/pki_utils.h

@@ -15,8 +15,10 @@
 #ifdef AWS_OS_APPLE
 /* It's ok to include external headers because this is a PRIVATE header file */
 #    include <CoreFoundation/CFArray.h>
+#    include <Security/Security.h>
 #endif /* AWS_OS_APPLE */
 
+struct aws_secitem_options;
 struct aws_string;
 
 AWS_EXTERN_C_BEGIN
@@ -29,7 +31,6 @@ AWS_IO_API const char *aws_determine_default_pki_dir(void);
 AWS_IO_API const char *aws_determine_default_pki_ca_file(void);
 
 #ifdef AWS_OS_APPLE
-#    if !defined(AWS_OS_IOS)
 /**
  * Imports a PEM armored PKCS#7 public/private key pair
  * into identity for use with SecurityFramework.
@@ -41,7 +42,6 @@ int aws_import_public_and_private_keys_to_identity(
     const struct aws_byte_cursor *private_key,
     CFArrayRef *identity,
     const struct aws_string *keychain_path);
-#    endif /* AWS_OS_IOS */
 
 /**
  * Imports a PKCS#12 file into identity for use with
@@ -54,24 +54,38 @@ int aws_import_pkcs12_to_identity(
     CFArrayRef *identity);
 
 /**
- * Loads PRM armored PKCS#7 certificates into certs
- * for use with custom CA.
+ * Imports a PEM armored PKCS#7 public/private key pair
+ * into protected data keychain for use with Apple Network Framework.
+ * Currently only implemented for iOS.
  */
-int aws_import_trusted_certificates(
+int aws_secitem_import_cert_and_key(
     struct aws_allocator *alloc,
     CFAllocatorRef cf_alloc,
-    const struct aws_byte_cursor *certificates_blob,
-    CFArrayRef *certs);
+    const struct aws_byte_cursor *public_cert_chain,
+    const struct aws_byte_cursor *private_key,
+    sec_identity_t *secitem_identity,
+    const struct aws_secitem_options *secitem_options);
 
 /**
- * Releases identity (the output of the aws_import_* functions).
+ * Imports a PKCS#12 file into protected data keychain for use with
+ * Apple Network Framework.
+ * Currently only implemented for iOS.
  */
-void aws_release_identity(CFArrayRef identity);
+int aws_secitem_import_pkcs12(
+    CFAllocatorRef cf_alloc,
+    const struct aws_byte_cursor *pkcs12_cursor,
+    const struct aws_byte_cursor *password,
+    sec_identity_t *out_identity);
 
 /**
- * releases the output of aws_import_trusted_certificates.
+ * Loads PRM armored PKCS#7 certificates into certs
+ * for use with custom CA.
  */
-void aws_release_certificates(CFArrayRef certs);
+int aws_import_trusted_certificates(
+    struct aws_allocator *alloc,
+    CFAllocatorRef cf_alloc,
+    const struct aws_byte_cursor *certificates_blob,
+    CFArrayRef *certs);
 
 #endif /* AWS_OS_APPLE */
 

include/aws/io/private/socket_impl.h

@@ -35,15 +35,23 @@ int aws_socket_init_apple_nw_socket(
     struct aws_allocator *alloc,
     const struct aws_socket_options *options);
 
+struct aws_byte_cursor;
+struct aws_string;
+
 struct aws_socket_vtable {
     void (*socket_cleanup_fn)(struct aws_socket *socket);
     int (*socket_connect_fn)(
         struct aws_socket *socket,
         const struct aws_socket_endpoint *remote_endpoint,
         struct aws_event_loop *event_loop,
         aws_socket_on_connection_result_fn *on_connection_result,
+        aws_socket_retrieve_tls_options_fn *retrieve_tls_options,
+        void *user_data);
+    int (*socket_bind_fn)(
+        struct aws_socket *socket,
+        const struct aws_socket_endpoint *local_endpoint,
+        aws_socket_retrieve_tls_options_fn *retrieve_tls_options,
         void *user_data);
-    int (*socket_bind_fn)(struct aws_socket *socket, const struct aws_socket_endpoint *local_endpoint);
     int (*socket_listen_fn)(struct aws_socket *socket, int backlog_size);
     int (*socket_start_accept_fn)(
         struct aws_socket *socket,
@@ -67,6 +75,8 @@ struct aws_socket_vtable {
         void *user_data);
     int (*socket_get_error_fn)(struct aws_socket *socket);
     bool (*socket_is_open_fn)(struct aws_socket *socket);
+    struct aws_byte_buf (*socket_get_protocol_fn)(const struct aws_socket *socket);
+    struct aws_string *(*socket_get_server_name_fn)(const struct aws_socket *socket);
 };
 
 #endif // AWS_IO_SOCKET_IMPL_H

include/aws/io/private/tls_channel_handler_shared.h

@@ -25,6 +25,19 @@ enum aws_tls_handler_read_state {
     AWS_TLS_HANDLER_READ_SHUT_DOWN_COMPLETE,
 };
 
+/* Apple Network socket connections when using secitem handles both the TCP and TLS
+ * handshakes with a singular completion state change/callback.
+ * Various TLS related elements must be accessible during the socket creation
+ * and listener binding to fit within the framework around TCP, TLS, and ALPN.
+ * This struct is used as a container that can retrieve the necessary elements when
+ * they are needed. */
+struct tls_connection_context {
+    struct aws_string *host_name;
+    struct aws_string *alpn_list;
+    struct aws_tls_ctx *tls_ctx;
+    struct aws_event_loop *event_loop;
+};
+
 AWS_EXTERN_C_BEGIN
 
 AWS_IO_API void aws_tls_channel_handler_shared_init(

include/aws/io/socket.h

@@ -81,6 +81,7 @@ struct aws_socket_options {
 
 struct aws_socket;
 struct aws_event_loop;
+struct tls_connection_context;
 
 /**
  * Called in client mode when an outgoing connection has succeeded or an error has occurred.
@@ -91,6 +92,16 @@ struct aws_event_loop;
  */
 typedef void(aws_socket_on_connection_result_fn)(struct aws_socket *socket, int error_code, void *user_data);
 
+struct aws_tls_connection_options;
+
+/**
+ * Called to retrieve TLS related options during socket creation/initialization and socket listener binding.
+ * Typically the TLS handshake occurs after a socket connection is established but Apple Network Framework requires
+ * the setup of TLS related parameters at creation of the connection as its internal framework
+ * handles both the socket connection and the TLS handshake.
+ */
+typedef void(aws_socket_retrieve_tls_options_fn)(struct tls_connection_context *context, void *user_data);
+
 /**
  * Called by a listening socket when either an incoming connection has been received or an error occurred.
  *
@@ -158,8 +169,8 @@ struct aws_socket {
     void *impl;
 };
 
-struct aws_byte_buf;
-struct aws_byte_cursor;
+// struct aws_byte_buf;
+// struct aws_byte_cursor;
 
 AWS_EXTERN_C_BEGIN
 
@@ -203,14 +214,19 @@ AWS_IO_API int aws_socket_connect(
     const struct aws_socket_endpoint *remote_endpoint,
     struct aws_event_loop *event_loop,
     aws_socket_on_connection_result_fn *on_connection_result,
+    aws_socket_retrieve_tls_options_fn *retrieve_tls_options,
     void *user_data);
 
 /**
  * Binds the socket to a local address. In UDP mode, the socket is ready for `aws_socket_read()` operations. In
  * connection oriented modes, you still must call `aws_socket_listen()` and `aws_socket_start_accept()` before using the
  * socket. local_endpoint is copied.
  */
-AWS_IO_API int aws_socket_bind(struct aws_socket *socket, const struct aws_socket_endpoint *local_endpoint);
+AWS_IO_API int aws_socket_bind(
+    struct aws_socket *socket,
+    const struct aws_socket_endpoint *local_endpoint,
+    aws_socket_retrieve_tls_options_fn *retrieve_tls_options,
+    void *user_data);
 
 /**
  * Get the local address which the socket is bound to.