diff --git a/source/darwin/darwin_pki_utils.c b/source/darwin/darwin_pki_utils.c index 9b4e9f5ae..ac31b4c7f 100644 --- a/source/darwin/darwin_pki_utils.c +++ b/source/darwin/darwin_pki_utils.c @@ -675,6 +675,13 @@ int aws_secitem_import_cert_and_key( key_type = kSecAttrKeyTypeEC; break; + // DEBUG WIP + case AWS_PEM_TYPE_PRIVATE_PKCS8: + // DEBUG not working with SecItem + key_type = kSecAttrKeyTypeRSA; + break; + + case AWS_PEM_TYPE_UNKNOWN: default: AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Unsupported private key format."); result = aws_raise_error(AWS_ERROR_INVALID_ARGUMENT); @@ -726,6 +733,21 @@ int aws_secitem_import_cert_and_key( CFDictionaryAddValue(key_attributes, kSecAttrKeyType, key_type); key_ref = SecKeyCreateWithData(key_data, key_attributes, &error); + // DEBUG WIP + if (!key_ref) { + CFStringRef error_desc = CFErrorCopyDescription(error); + char error_c_string[256]; + if (CFStringGetCString(error_desc, error_c_string, sizeof(error_c_string), kCFStringEncodingUTF8)) { + AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key with error: %s", error_c_string); + } else { + AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key"); + } + + CFRelease(error_desc); + result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE); + goto done; + } + // Get the hash of the public key stored within the private key key_copied_attributes = SecKeyCopyAttributes(key_ref); // application_label_ref gets released when key_copied_attributes is released. @@ -733,6 +755,7 @@ int aws_secitem_import_cert_and_key( if (!application_label_ref) { AWS_LOGF_ERROR(AWS_LS_IO_PKI, "Failed creating private key application label."); result = aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE); + goto done; } key_label_ref = CFStringCreateWithBytes( diff --git a/source/darwin/nw_socket.c b/source/darwin/nw_socket.c index f85d18c58..b4c0b0198 100644 --- a/source/darwin/nw_socket.c +++ b/source/darwin/nw_socket.c @@ -236,6 +236,16 @@ static void s_setup_tcp_options(nw_protocol_options_t tcp_options, const struct } } +// DEBUG WIP +static void s_setup_tcp_options_local(nw_protocol_options_t tcp_options, const struct aws_socket_options *options) { + (void)tcp_options; + (void)options; +} +// DEBUG WIP +static void s_setup_tls_options_local(nw_protocol_options_t tls_options) { + (void)tls_options; +} + static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_socket_options *options) { /* If we already have parameters set, release them before re-establishing new parameters */ @@ -246,8 +256,8 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s if (options->type == AWS_SOCKET_STREAM) { if (options->domain == AWS_SOCKET_IPV4 || options->domain == AWS_SOCKET_IPV6) { -# ifdef AWS_USE_SECITEM +# ifdef AWS_USE_SECITEM /* options->user_data will contain the tls_ctx if tls_ctx was initialized */ if (nw_socket->tls_ctx) { struct secure_transport_ctx *transport_ctx = nw_socket->tls_ctx->impl; @@ -449,8 +459,15 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s s_setup_tcp_options(tcp_options, options); }); } -# else // !AWS_USE_SECITEM +# else // Above block is AWS_USE_SECITEM. Below bloc is !AWS_USE_SECITEM // TLS options are not set and the TLS options block should be disabled. + // nw_socket->nw_parameters = nw_parameters_create_secure_tcp( + // // TLS options Block disabled + // NW_PARAMETERS_DISABLE_PROTOCOL, + // // TCP options Block + // ^(nw_protocol_options_t tcp_options) { + // s_setup_tcp_options(tcp_options, options); + // }); nw_socket->nw_parameters = nw_parameters_create_secure_tcp( // TLS options Block disabled NW_PARAMETERS_DISABLE_PROTOCOL, @@ -459,21 +476,42 @@ static int s_setup_socket_params(struct nw_socket *nw_socket, const struct aws_s s_setup_tcp_options(tcp_options, options); }); # endif // AWS_USE_SECITEM + } else if (options->domain == AWS_SOCKET_LOCAL) { + // DEBUG WIP issues with local sockets and potential permissions + /* + nw_socket->nw_parameters = nw_parameters_create_secure_tcp( + // TLS options Block disabled + ^(nw_protocol_options_t tls_options) { + s_setup_tls_options_local(tls_options); + }, + // TCP options Block + ^(nw_protocol_options_t tcp_options) { + s_setup_tcp_options_local(tcp_options, options); + }); + */ + nw_socket->nw_parameters = nw_parameters_create_secure_tcp( NW_PARAMETERS_DISABLE_PROTOCOL, // TCP options Block - ^(nw_protocol_options_t tcp_options) { - s_setup_tcp_options(tcp_options, options); + ^(nw_protocol_options_t tcp_options) { // try setup with nothing inside. + s_setup_tcp_options_local(tcp_options, options); }); } } else if (options->type == AWS_SOCKET_DGRAM) { nw_socket->nw_parameters = nw_parameters_create_secure_udp( NW_PARAMETERS_DISABLE_PROTOCOL, // TCP options Block - ^(nw_protocol_options_t tcp_options) { - s_setup_tcp_options(tcp_options, options); + ^(nw_protocol_options_t tcp_options) { // try setup with nothing inside. DEBUG WIP + s_setup_tcp_options_local(tcp_options, options); }); + + // DEBUG WIP + // NW_PARAMETERS_DEFAULT_CONFIGURATION); // DEBUG WIP local should not have tcp options set for Apple + + // ^(nw_protocol_options_t tcp_options) { + // s_setup_tcp_options(tcp_options, options); + // }); } if (!nw_socket->nw_parameters) { diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 0adc1d378..1da4ab68d 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -225,8 +225,8 @@ if(NOT BYO_CRYPTO) # to be a way to disable it if(NOT(WIN32 AND NOT CMAKE_SYSTEM_VERSION MATCHES "10\.0\.1.*")) # Skip TLS 1.0 and TLS 1.1 test for windows later than windows server 2022, as they droped old TLS - add_net_test_case(tls_client_channel_negotiation_error_legacy_crypto_tls10) if(NOT AWS_USE_SECITEM) + add_net_test_case(tls_client_channel_negotiation_error_legacy_crypto_tls10) # SecItem does not allow use of depricated TLS versions add_net_test_case(tls_client_channel_negotiation_override_legacy_crypto_tls10) add_net_test_case(tls_client_channel_negotiation_success_legacy_crypto_tls11) @@ -266,7 +266,6 @@ if(NOT BYO_CRYPTO) add_net_test_case(tls_channel_echo_and_backpressure_test) add_net_test_case(tls_channel_shutdown_with_cache_test) add_net_test_case(tls_channel_shutdown_with_cache_window_update_after_shutdown_test) - add_net_test_case(tls_client_channel_negotiation_error_socket_closed) add_net_test_case(tls_client_channel_negotiation_success) add_net_test_case(tls_server_multiple_connections) add_net_test_case(tls_server_hangup_during_negotiation) @@ -276,6 +275,13 @@ if(NOT BYO_CRYPTO) add_net_test_case(alpn_no_protocol_message) add_net_test_case(test_ecc_cert_import) add_net_test_case(test_pkcs8_import) +if(NOT AWS_USE_SECITEM) + # This test shuts down the channel after a socket is established but while the TLS handshake is taking place + # further up the channel. Apple Network Framework's connection handles both the socket connection as well + # as the TLS handshake within the same create connection call without external notification that the socket + # has succeeded prior to the TLS negotiation. As such, this test will not work for Secitem. + add_net_test_case(tls_client_channel_negotiation_error_socket_closed) +endif() add_test_case(alpn_error_creating_handler) add_test_case(tls_destroy_null_context)