Add TLS support

.github/workflows/ci.yml

@@ -70,7 +70,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # This matrix runs tests on iOS, tvOS & watchOS, on oldest & newest supported Xcodes
+        # This matrix runs tests on iOS and tvOS on oldest & newest supported Xcodes
         runner:
           - macos-12 # x64
           - macos-13 # x64
@@ -81,9 +81,7 @@ jobs:
           [{ os: ios, destination: 'iOS Simulator,OS=16.1,name=iPhone 14'},
            { os: ios, destination: 'iOS Simulator,OS=17.2,name=iPhone 15'},
            { os: tvos, destination: 'tvOS Simulator,OS=16.1,name=Apple TV 4K (3rd generation) (at 1080p)'},
-           { os: tvos, destination: 'tvOS Simulator,OS=17.2,name=Apple TV 4K (3rd generation) (at 1080p)'},
-           { os: watchos, destination: 'watchOS Simulator,OS=10.2,name=Apple Watch SE (40mm) (2nd generation)'},
-           { os: watchos, destination: 'watchOS Simulator,OS=9.1,name=Apple Watch Series 5 (40mm)'}]
+           { os: tvos, destination: 'tvOS Simulator,OS=17.2,name=Apple TV 4K (3rd generation) (at 1080p)'}]
         xcode:
           - Xcode_14.1
           - Xcode_15.2
@@ -110,10 +108,6 @@ jobs:
             xcode: Xcode_14.1
           - target: { os: ios, destination: 'iOS Simulator,OS=17.2,name=iPhone 15'}
             xcode: Xcode_14.1
-          - target: { os: watchos, destination: 'watchOS Simulator,OS=10.2,name=Apple Watch SE (40mm) (2nd generation)'}
-            xcode: Xcode_14.1
-          - target: { os: watchos, destination: 'watchOS Simulator,OS=9.1,name=Apple Watch Series 5 (40mm)'}
-            xcode: Xcode_15.2
     steps:
       - name: Build ${{ env.PACKAGE_NAME }} + consumers
         run: |

Package.swift

@@ -22,6 +22,9 @@ let cSettings: [CSetting] = [
     .define("AWS_APPSTORE_SAFE"),
 ]
 
+/// Store any defines that will be used by Swift Tests in swiftTestSettings
+var swiftTestSettings: [SwiftSetting] = []
+
 //////////////////////////////////////////////////////////////////////
 /// Configure C targets.
 /// Note: We can not use unsafe flags because SwiftPM makes the target ineligible for use by other packages.
@@ -124,14 +127,26 @@ awsCIoPlatformExcludes.append("source/posix")
 awsCIoPlatformExcludes.append("source/linux")
 awsCIoPlatformExcludes.append("source/s2n")
 awsCIoPlatformExcludes.append("source/darwin")
+cSettingsIO.append(.define("AWS_USE_IO_COMPLETION_PORTS"))
+swiftTestSettings.append(.define("AWS_USE_IO_COMPLETION_PORTS"))
 #elseif os(Linux)
 awsCIoPlatformExcludes.append("source/windows")
 awsCIoPlatformExcludes.append("source/bsd")
 awsCIoPlatformExcludes.append("source/darwin")
+cSettingsIO.append(.define("AWS_USE_EPOLL"))
+swiftTestSettings.append(.define("AWS_USE_EPOLL"))
 #else  // macOS, iOS, watchOS, tvOS
 awsCIoPlatformExcludes.append("source/windows")
 awsCIoPlatformExcludes.append("source/linux")
 awsCIoPlatformExcludes.append("source/s2n")
+cSettingsIO.append(.define("__APPLE__"))
+cSettingsIO.append(.define("AWS_USE_DISPATCH_QUEUE", .when(platforms: [.iOS, .tvOS])))
+cSettingsIO.append(.define("AWS_USE_SECITEM", .when(platforms: [.iOS, .tvOS])))
+cSettingsIO.append(.define("AWS_USE_KQUEUE", .when(platforms: [.macOS])))
+swiftTestSettings.append(.define("__APPLE__"))
+swiftTestSettings.append(.define("AWS_USE_DISPATCH_QUEUE", .when(platforms: [.iOS, .tvOS])))
+swiftTestSettings.append(.define("AWS_USE_SECITEM", .when(platforms: [.iOS, .tvOS])))
+swiftTestSettings.append(.define("AWS_USE_KQUEUE", .when(platforms: [.macOS])))
 #endif
 
 //////////////////////////////////////////////////////////////////////
@@ -304,7 +319,8 @@ packageTargets.append(contentsOf: [
         path: "Test/AwsCommonRuntimeKitTests",
         resources: [
             .process("Resources")
-        ]
+        ],
+        swiftSettings: swiftTestSettings
     ),
     .executableTarget(
         name: "Elasticurl",

Source/AwsCommonRuntimeKit/io/TLSContextOptions.swift

@@ -37,7 +37,7 @@ public class TLSContextOptions: CStruct {
     public static func makeMTLS(
         certificateData: Data,
         privateKeyData: Data) throws -> TLSContextOptions {
-        #if os(tvOS) || os(iOS) || os(watchOS)
+        #if os(watchOS)
         throw CommonRunTimeError.crtError(CRTError(code: AWS_ERROR_PLATFORM_NOT_SUPPORTED.rawValue))
         #endif
         return try TLSContextOptions(certificateData: certificateData, privateKeyData: privateKeyData)
@@ -55,7 +55,7 @@ public class TLSContextOptions: CStruct {
     public static func makeMTLS(
         certificatePath: String,
         privateKeyPath: String) throws -> TLSContextOptions {
-        #if os(tvOS) || os(iOS) || os(watchOS)
+        #if os(watchOS)
         throw CommonRunTimeError.crtError(CRTError(code: AWS_ERROR_PLATFORM_NOT_SUPPORTED.rawValue))
         #endif
         return try TLSContextOptions(certificatePath: certificatePath, privateKeyPath: privateKeyPath)
@@ -126,6 +126,22 @@ public class TLSContextOptions: CStruct {
     public func setMinimumTLSVersion(_ tlsVersion: TLSVersion) {
         aws_tls_ctx_options_set_minimum_tls_version(rawValue, aws_tls_versions(rawValue: tlsVersion.rawValue))
     }
+
+    /// Updates TLSContextOptions to use specified options when importing certificate and key into keychain.
+    ///
+    /// NOTE: This only works on Apple devices using Apple keychain via Secitem.. The library is currently only tested on iOS.
+    ///
+    /// - Parameters:
+    ///     - certLabel: Human readable label to apply to certificate being imported into keychain.
+    ///     - keyLabel: Human readable label to apply to key being imported into keychain.
+    /// - Throws: CommonRuntimeError.crtError
+    public func setSecitemLabels(certLabel: String? = nil, keyLabel: String? = nil) throws {
+        let secitemOptions = TLSSecitemOptions(certLabel: certLabel, keyLabel: keyLabel)
+
+        if aws_tls_ctx_options_set_secitem_options(rawValue, secitemOptions.rawValue) != AWS_OP_SUCCESS {
+            throw CommonRunTimeError.crtError(CRTError.makeFromLastError())
+        }
+    }
 
     typealias RawType = aws_tls_ctx_options
     func withCStruct<Result>(_ body: (aws_tls_ctx_options) -> Result) -> Result {

Source/AwsCommonRuntimeKit/io/TLSSecitemOptions.swift

@@ -0,0 +1,37 @@
+//  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//  SPDX-License-Identifier: Apache-2.0.
+
+import AwsCIo
+
+public class TLSSecitemOptions: CStruct {
+    var rawValue: UnsafeMutablePointer<aws_secitem_options>
+
+    public init(
+        certLabel: String? = nil,
+        keyLabel: String? = nil) {
+
+            self.rawValue = allocator.allocate(capacity: 1)
+
+            self.rawValue.pointee.cert_label = certLabel?.withByteCursorPointer { certLabelCursorPointer in
+                aws_string_new_from_cursor(
+                    allocator.rawValue,
+                    certLabelCursorPointer)
+            }
+
+            self.rawValue.pointee.key_label = keyLabel?.withByteCursorPointer { keyLabelCursorPointer in
+                aws_string_new_from_cursor(
+                    allocator.rawValue,
+                    keyLabelCursorPointer)
+            }
+    }
+
+    typealias RawType = aws_secitem_options
+    func withCStruct<Result>(_ body: (aws_secitem_options) -> Result) -> Result {
+        return body(rawValue.pointee)
+    }
+
+    deinit {
+        aws_tls_secitem_options_clean_up(rawValue)
+        allocator.release(rawValue)
+    }
+}

Test/AwsCommonRuntimeKitTests/io/TLSContextTests.swift

@@ -39,4 +39,20 @@ class TLSContextTests: XCBaseTestCase {
         _ = TLSConnectionOptions(context: context)
     }
 #endif
+
+#if AWS_USE_SECITEM
+    func testCreateTlsContextWithSecitemOptions() throws {
+        let certPath = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT311_IOT_CORE_X509_CERT")
+        let privateKeyPath = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT311_IOT_CORE_X509_KEY")
+
+        let certificateData = try Data(contentsOf: URL(fileURLWithPath: certPath))
+        let privateKeyData = try Data(contentsOf: URL(fileURLWithPath: privateKeyPath))
+
+        let options = try TLSContextOptions.makeMTLS(certificateData: certificateData, privateKeyData: privateKeyData)
+        try options.setSecitemLabels(certLabel: "TEST_CERT_LABEL", keyLabel: "TEST_KEY_LABEL")
+
+        let context = try TLSContext(options:options, mode: .client)
+        _ = TLSConnectionOptions(context: context)
+    }
+#endif
 }