Skip to content

Commit

Permalink
WIP checkpoint
Browse files Browse the repository at this point in the history
  • Loading branch information
sbSteveK committed Oct 28, 2024
1 parent 187b704 commit 2b9a972
Show file tree
Hide file tree
Showing 3 changed files with 75 additions and 8 deletions.
23 changes: 23 additions & 0 deletions source/darwin/darwin_pki_utils.c
Original file line number Diff line number Diff line change
Expand Up @@ -675,6 +675,13 @@ int aws_secitem_import_cert_and_key(
key_type = kSecAttrKeyTypeEC;
break;

// DEBUG WIP
case AWS_PEM_TYPE_PRIVATE_PKCS8:
// DEBUG not working with SecItem
key_type = kSecAttrKeyTypeRSA;
break;

case AWS_PEM_TYPE_UNKNOWN:
default:
AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Unsupported private key format.");
result = aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
Expand Down Expand Up @@ -726,13 +733,29 @@ int aws_secitem_import_cert_and_key(
CFDictionaryAddValue(key_attributes, kSecAttrKeyType, key_type);
key_ref = SecKeyCreateWithData(key_data, key_attributes, &error);

// DEBUG WIP
if (!key_ref) {
CFStringRef error_desc = CFErrorCopyDescription(error);
char error_c_string[256];
if (CFStringGetCString(error_desc, error_c_string, sizeof(error_c_string), kCFStringEncodingUTF8)) {
AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key with error: %s", error_c_string);
} else {
AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key");
}

CFRelease(error_desc);
result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
goto done;
}

// Get the hash of the public key stored within the private key
key_copied_attributes = SecKeyCopyAttributes(key_ref);
// application_label_ref gets released when key_copied_attributes is released.
application_label_ref = (CFDataRef)CFDictionaryGetValue(key_copied_attributes, kSecAttrApplicationLabel);
if (!application_label_ref) {
AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key application label.");
result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
goto done;
}

key_label_ref = CFStringCreateWithBytes(
Expand Down
50 changes: 44 additions & 6 deletions source/darwin/nw_socket.c
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,16 @@ static void s_setup_tcp_options(nw_protocol_options_t tcp_options, const struct
}
}

// DEBUG WIP
static void s_setup_tcp_options_local(nw_protocol_options_t tcp_options, const struct aws_socket_options *options) {
(void)tcp_options;
(void)options;
}
// DEBUG WIP
static void s_setup_tls_options_local(nw_protocol_options_t tls_options) {
(void)tls_options;
}

static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_socket_options *options) {

/* If we already have parameters set, release them before re-establishing new parameters */
Expand All @@ -246,8 +256,8 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s

if (options->type == AWS_SOCKET_STREAM) {
if (options->domain == AWS_SOCKET_IPV4 || options->domain == AWS_SOCKET_IPV6) {
# ifdef AWS_USE_SECITEM

# ifdef AWS_USE_SECITEM
/* options->user_data will contain the tls_ctx if tls_ctx was initialized */
if (nw_socket->tls_ctx) {
struct secure_transport_ctx *transport_ctx = nw_socket->tls_ctx->impl;
Expand Down Expand Up @@ -449,8 +459,15 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s
s_setup_tcp_options(tcp_options, options);
});
}
# else // !AWS_USE_SECITEM
# else // Above block is AWS_USE_SECITEM. Below bloc is !AWS_USE_SECITEM
// TLS options are not set and the TLS options block should be disabled.
// nw_socket->nw_parameters = nw_parameters_create_secure_tcp(
// // TLS options Block disabled
// NW_PARAMETERS_DISABLE_PROTOCOL,
// // TCP options Block
// ^(nw_protocol_options_t tcp_options) {
// s_setup_tcp_options(tcp_options, options);
// });
nw_socket->nw_parameters = nw_parameters_create_secure_tcp(
// TLS options Block disabled
NW_PARAMETERS_DISABLE_PROTOCOL,
Expand All @@ -459,21 +476,42 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s
s_setup_tcp_options(tcp_options, options);
});
# endif // AWS_USE_SECITEM

} else if (options->domain == AWS_SOCKET_LOCAL) {
// DEBUG WIP issues with local sockets and potential permissions
/*
nw_socket->nw_parameters = nw_parameters_create_secure_tcp(
// TLS options Block disabled
^(nw_protocol_options_t tls_options) {
s_setup_tls_options_local(tls_options);
},
// TCP options Block
^(nw_protocol_options_t tcp_options) {
s_setup_tcp_options_local(tcp_options, options);
});
*/

nw_socket->nw_parameters = nw_parameters_create_secure_tcp(
NW_PARAMETERS_DISABLE_PROTOCOL,
// TCP options Block
^(nw_protocol_options_t tcp_options) {
s_setup_tcp_options(tcp_options, options);
^(nw_protocol_options_t tcp_options) { // try setup with nothing inside.
s_setup_tcp_options_local(tcp_options, options);
});
}
} else if (options->type == AWS_SOCKET_DGRAM) {
nw_socket->nw_parameters = nw_parameters_create_secure_udp(
NW_PARAMETERS_DISABLE_PROTOCOL,
// TCP options Block
^(nw_protocol_options_t tcp_options) {
s_setup_tcp_options(tcp_options, options);
^(nw_protocol_options_t tcp_options) { // try setup with nothing inside. DEBUG WIP
s_setup_tcp_options_local(tcp_options, options);
});

// DEBUG WIP
// NW_PARAMETERS_DEFAULT_CONFIGURATION); // DEBUG WIP local should not have tcp options set for Apple

// ^(nw_protocol_options_t tcp_options) {
// s_setup_tcp_options(tcp_options, options);
// });
}

if (!nw_socket->nw_parameters) {
Expand Down
10 changes: 8 additions & 2 deletions tests/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -225,8 +225,8 @@ if(NOT BYO_CRYPTO)
# to be a way to disable it
if(NOT(WIN32 AND NOT CMAKE_SYSTEM_VERSION MATCHES "10\.0\.1.*"))
# Skip TLS 1.0 and TLS 1.1 test for windows later than windows server 2022, as they droped old TLS
add_net_test_case(tls_client_channel_negotiation_error_legacy_crypto_tls10)
if(NOT AWS_USE_SECITEM)
add_net_test_case(tls_client_channel_negotiation_error_legacy_crypto_tls10)
# SecItem does not allow use of depricated TLS versions
add_net_test_case(tls_client_channel_negotiation_override_legacy_crypto_tls10)
add_net_test_case(tls_client_channel_negotiation_success_legacy_crypto_tls11)
Expand Down Expand Up @@ -266,7 +266,6 @@ if(NOT BYO_CRYPTO)
add_net_test_case(tls_channel_echo_and_backpressure_test)
add_net_test_case(tls_channel_shutdown_with_cache_test)
add_net_test_case(tls_channel_shutdown_with_cache_window_update_after_shutdown_test)
add_net_test_case(tls_client_channel_negotiation_error_socket_closed)
add_net_test_case(tls_client_channel_negotiation_success)
add_net_test_case(tls_server_multiple_connections)
add_net_test_case(tls_server_hangup_during_negotiation)
Expand All @@ -276,6 +275,13 @@ if(NOT BYO_CRYPTO)
add_net_test_case(alpn_no_protocol_message)
add_net_test_case(test_ecc_cert_import)
add_net_test_case(test_pkcs8_import)
if(NOT AWS_USE_SECITEM)
# This test shuts down the channel after a socket is established but while the TLS handshake is taking place
# further up the channel. Apple Network Framework's connection handles both the socket connection as well
# as the TLS handshake within the same create connection call without external notification that the socket
# has succeeded prior to the TLS negotiation. As such, this test will not work for Secitem.
add_net_test_case(tls_client_channel_negotiation_error_socket_closed)
endif()

add_test_case(alpn_error_creating_handler)
add_test_case(tls_destroy_null_context)
Expand Down

0 comments on commit 2b9a972

Please sign in to comment.