awslabs · sbSteveK · Mar 28, 2025 · Nov 4, 2024 · Nov 5, 2024 · Nov 5, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -276,6 +276,23 @@ jobs:
         chmod a+x builder
         ./builder build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-DAWS_USE_APPLE_NETWORK_FRAMEWORK=${{ matrix.eventloop == 'dispatch_queue' && 'ON' || 'OFF' }} --cmake-extra=-DENABLE_SANITIZERS=ON --cmake-extra=-DSANITIZERS="${{ matrix.sanitizers }}" --config Debug
 
+  macos-secitem:
+    runs-on: macos-14 # latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizers: [",thread", ",address,undefined"]
+    steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+    - name: Build ${{ env.PACKAGE_NAME }} + consumers
+      run: |
+        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+        chmod a+x builder
+        ./builder build -p ${{ env.PACKAGE_NAME }} --cmake-extra=-DAWS_USE_SECITEM=ON --cmake-extra=-DAWS_USE_APPLE_NETWORK_FRAMEWORK=ON --cmake-extra=-DENABLE_SANITIZERS=ON --cmake-extra=-DSANITIZERS="${{ matrix.sanitizers }}"
+
   freebsd:
     runs-on: ubuntu-24.04  # latest
     steps:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -110,8 +110,8 @@ elseif (APPLE)
         list(APPEND EVENT_LOOP_DEFINES "DISPATCH_QUEUE")
     endif ()
 
-    # Enable KQUEUE on MacOS
-    if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+    # Enable KQUEUE on MacOS only if AWS_USE_SECITEM is not declared. SecItem requires Dispatch Queue.
+    if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin" AND NOT DEFINED AWS_USE_SECITEM)
         list(APPEND EVENT_LOOP_DEFINES "KQUEUE")
     endif()
 
@@ -184,6 +184,10 @@ foreach(EVENT_LOOP_DEFINE IN LISTS EVENT_LOOP_DEFINES)
     target_compile_definitions(${PROJECT_NAME} PUBLIC "-DAWS_ENABLE_${EVENT_LOOP_DEFINE}")
 endforeach()
 
+if (AWS_USE_SECITEM)
+    target_compile_definitions(${PROJECT_NAME} PUBLIC "-DAWS_USE_SECITEM")
+endif()
+
 if (BYO_CRYPTO)
     target_compile_definitions(${PROJECT_NAME} PUBLIC "-DBYO_CRYPTO")
 endif()

diff --git a/include/aws/io/io.h b/include/aws/io/io.h
@@ -99,13 +99,6 @@ enum aws_io_errors {
     AWS_IO_CHANNEL_READ_WOULD_EXCEED_WINDOW,
     AWS_IO_EVENT_LOOP_ALREADY_ASSIGNED,
     AWS_IO_EVENT_LOOP_SHUTDOWN,
-    AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE,
-    AWS_IO_TLS_ERROR_NOT_NEGOTIATED,
-    AWS_IO_TLS_ERROR_WRITE_FAILURE,
-    AWS_IO_TLS_ERROR_ALERT_RECEIVED,
-    AWS_IO_TLS_CTX_ERROR,
-    AWS_IO_TLS_VERSION_UNSUPPORTED,
-    AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED,
     AWS_IO_MISSING_ALPN_MESSAGE,
     AWS_IO_UNHANDLED_ALPN_PROTOCOL_MESSAGE,
     AWS_IO_FILE_VALIDATION_FAILURE,
@@ -128,6 +121,7 @@ enum aws_io_errors {
     AWS_IO_SOCKET_INVALID_ADDRESS,
     AWS_IO_SOCKET_ILLEGAL_OPERATION_FOR_STATE,
     AWS_IO_SOCKET_CONNECT_ABORTED,
+    AWS_IO_SOCKET_MISSING_EVENT_LOOP,
     AWS_IO_DNS_QUERY_FAILED,
     AWS_IO_DNS_INVALID_NAME,
     AWS_IO_DNS_NO_ADDRESS_FOR_HOST,
@@ -137,12 +131,35 @@ enum aws_io_errors {
     DEPRECATED_AWS_IO_INVALID_FILE_HANDLE,
     AWS_IO_SHARED_LIBRARY_LOAD_FAILURE,
     AWS_IO_SHARED_LIBRARY_FIND_SYMBOL_FAILURE,
-    AWS_IO_TLS_NEGOTIATION_TIMEOUT,
-    AWS_IO_TLS_ALERT_NOT_GRACEFUL,
     AWS_IO_MAX_RETRIES_EXCEEDED,
     AWS_IO_RETRY_PERMISSION_DENIED,
+
+    AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE,
+    AWS_IO_TLS_ERROR_NOT_NEGOTIATED,
+    AWS_IO_TLS_ERROR_WRITE_FAILURE,
+    AWS_IO_TLS_ERROR_ALERT_RECEIVED,
+    AWS_IO_TLS_CTX_ERROR,
+    AWS_IO_TLS_VERSION_UNSUPPORTED,
+    AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED,
+    AWS_IO_TLS_NEGOTIATION_TIMEOUT,
+    AWS_IO_TLS_ALERT_NOT_GRACEFUL,
     AWS_IO_TLS_DIGEST_ALGORITHM_UNSUPPORTED,
     AWS_IO_TLS_SIGNATURE_ALGORITHM_UNSUPPORTED,
+    AWS_IO_TLS_ERROR_READ_FAILURE,
+    AWS_IO_TLS_UNKNOWN_ROOT_CERTIFICATE,
+    AWS_IO_TLS_NO_ROOT_CERTIFICATE_FOUND,
+    AWS_IO_TLS_CERTIFICATE_EXPIRED,
+    AWS_IO_TLS_CERTIFICATE_NOT_YET_VALID,
+    AWS_IO_TLS_BAD_CERTIFICATE,
+    AWS_IO_TLS_PEER_CERTIFICATE_EXPIRED,
+    AWS_IO_TLS_BAD_PEER_CERTIFICATE,
+    AWS_IO_TLS_PEER_CERTIFICATE_REVOKED,
+    AWS_IO_TLS_PEER_CERTIFICATE_UNKNOWN,
+    AWS_IO_TLS_INTERNAL_ERROR,
+    AWS_IO_TLS_CLOSED_GRACEFUL,
+    AWS_IO_TLS_CLOSED_ABORT,
+    AWS_IO_TLS_INVALID_CERTIFICATE_CHAIN,
+    AWS_IO_TLS_HOST_NAME_MISSMATCH,
 
     AWS_ERROR_PKCS11_VERSION_UNSUPPORTED,
     AWS_ERROR_PKCS11_TOKEN_NOT_FOUND,
@@ -255,8 +272,6 @@ enum aws_io_errors {
     AWS_IO_STREAM_SEEK_UNSUPPORTED,
     AWS_IO_STREAM_GET_LENGTH_UNSUPPORTED,
 
-    AWS_IO_TLS_ERROR_READ_FAILURE,
-
     AWS_ERROR_PEM_MALFORMED,
 
     AWS_IO_ERROR_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_IO_PACKAGE_ID),

diff --git a/include/aws/io/private/pki_utils.h b/include/aws/io/private/pki_utils.h
@@ -15,8 +15,10 @@
 #ifdef AWS_OS_APPLE
 /* It's ok to include external headers because this is a PRIVATE header file */
 #    include <CoreFoundation/CFArray.h>
+#    include <Security/Security.h>
 #endif /* AWS_OS_APPLE */
 
+struct aws_secitem_options;
 struct aws_string;
 
 AWS_EXTERN_C_BEGIN
@@ -29,7 +31,6 @@ AWS_IO_API const char *aws_determine_default_pki_dir(void);
 AWS_IO_API const char *aws_determine_default_pki_ca_file(void);
 
 #ifdef AWS_OS_APPLE
-#    if !defined(AWS_OS_IOS)
 /**
  * Imports a PEM armored PKCS#7 public/private key pair
  * into identity for use with SecurityFramework.
@@ -41,7 +42,6 @@ int aws_import_public_and_private_keys_to_identity(
     const struct aws_byte_cursor *private_key,
     CFArrayRef *identity,
     const struct aws_string *keychain_path);
-#    endif /* AWS_OS_IOS */
 
 /**
  * Imports a PKCS#12 file into identity for use with
@@ -64,14 +64,28 @@ int aws_import_trusted_certificates(
     CFArrayRef *certs);
 
 /**
- * Releases identity (the output of the aws_import_* functions).
+ * Imports a PEM armored PKCS#7 public/private key pair
+ * into protected data keychain for use with Apple Network Framework.
+ * Currently only implemented for iOS.
  */
-void aws_release_identity(CFArrayRef identity);
+int aws_secitem_import_cert_and_key(
+    struct aws_allocator *alloc,
+    CFAllocatorRef cf_alloc,
+    const struct aws_byte_cursor *public_cert_chain,
+    const struct aws_byte_cursor *private_key,
+    sec_identity_t *secitem_identity,
+    const struct aws_secitem_options *secitem_options);
 
 /**
- * releases the output of aws_import_trusted_certificates.
+ * Imports a PKCS#12 file into protected data keychain for use with
+ * Apple Network Framework.
+ * Currently only implemented for iOS.
  */
-void aws_release_certificates(CFArrayRef certs);
+int aws_secitem_import_pkcs12(
+    CFAllocatorRef cf_alloc,
+    const struct aws_byte_cursor *pkcs12_cursor,
+    const struct aws_byte_cursor *password,
+    sec_identity_t *out_identity);
 
 #endif /* AWS_OS_APPLE */
 

diff --git a/include/aws/io/private/socket_impl.h b/include/aws/io/private/socket_impl.h
@@ -51,13 +51,8 @@ int aws_socket_init_apple_nw_socket(
 
 struct aws_socket_vtable {
     void (*socket_cleanup_fn)(struct aws_socket *socket);
-    int (*socket_connect_fn)(
-        struct aws_socket *socket,
-        const struct aws_socket_endpoint *remote_endpoint,
-        struct aws_event_loop *event_loop,
-        aws_socket_on_connection_result_fn *on_connection_result,
-        void *user_data);
-    int (*socket_bind_fn)(struct aws_socket *socket, const struct aws_socket_endpoint *local_endpoint);
+    int (*socket_connect_fn)(struct aws_socket *socket, struct aws_socket_connect_options *socket_connect_options);
+    int (*socket_bind_fn)(struct aws_socket *socket, struct aws_socket_bind_options *socket_bind_options);
     int (*socket_listen_fn)(struct aws_socket *socket, int backlog_size);
     int (*socket_start_accept_fn)(
         struct aws_socket *socket,
@@ -85,6 +80,8 @@ struct aws_socket_vtable {
         struct aws_socket *socket,
         aws_socket_on_shutdown_complete_fn fn,
         void *user_data);
+    struct aws_byte_buf (*socket_get_protocol_fn)(const struct aws_socket *socket);
+    struct aws_string *(*socket_get_server_name_fn)(const struct aws_socket *socket);
 };
 
 struct on_start_accept_result_args {

diff --git a/include/aws/io/private/tls_channel_handler_shared.h b/include/aws/io/private/tls_channel_handler_shared.h
@@ -27,6 +27,8 @@ enum aws_tls_handler_read_state {
 
 AWS_EXTERN_C_BEGIN
 
+AWS_IO_API bool aws_is_using_secitem(void);
+
 AWS_IO_API void aws_tls_channel_handler_shared_init(
     struct aws_tls_channel_handler_shared *tls_handler_shared,
     struct aws_channel_handler *handler,

diff --git a/include/aws/io/socket.h b/include/aws/io/socket.h
@@ -81,7 +81,6 @@ struct aws_socket_options {
 };
 
 struct aws_socket;
-struct aws_event_loop;
 
 /**
  * Called in client mode when an outgoing connection has succeeded or an error has occurred.
@@ -168,6 +167,21 @@ struct aws_socket {
     void *impl;
 };
 
+struct aws_socket_connect_options {
+    const struct aws_socket_endpoint *remote_endpoint;
+    struct aws_event_loop *event_loop;
+    aws_socket_on_connection_result_fn *on_connection_result;
+    void *user_data;
+
+    /*
+     * This is only set when using Apple SecItem for TLS negotiation.
+     * Apple Network Connections using SecItem require all TLS configuration options at the point of
+     * creating the socket slot as it handles both the TCP and TLS negotiation before returning a
+     * valid socket for use.
+     */
+    struct aws_tls_connection_options *tls_connection_options;
+};
+
 struct aws_socket_listener_options {
     aws_socket_on_accept_result_fn *on_accept_result;
     void *on_accept_result_user_data;
@@ -178,6 +192,21 @@ struct aws_socket_listener_options {
     void *on_accept_start_user_data;
 };
 
+struct aws_socket_bind_options {
+    const struct aws_socket_endpoint *local_endpoint;
+    void *user_data;
+
+    /*
+     * This is only set when using Apple SecItem for TLS negotiation.
+     * Apple Network Connections using SecItem require all TLS configuration options at the point of
+     * creating the socket slot as it handles both the TCP and TLS negotiation before returning a
+     * valid socket for use.
+     * Socket bind also needs an event loop to run its verification block.
+     */
+    struct aws_event_loop *event_loop;
+    struct aws_tls_connection_options *tls_connection_options;
+};
+
 struct aws_byte_buf;
 struct aws_byte_cursor;
 
@@ -212,21 +241,15 @@ AWS_IO_API void aws_socket_clean_up(struct aws_socket *socket);
  * on_connection_result in the event-loop's thread. Upon completion, the socket will already be assigned
  * an event loop. If NULL is passed for UDP, it will immediately return upon success, but you must call
  * aws_socket_assign_to_event_loop before use.
- *
  */
-AWS_IO_API int aws_socket_connect(
-    struct aws_socket *socket,
-    const struct aws_socket_endpoint *remote_endpoint,
-    struct aws_event_loop *event_loop,
-    aws_socket_on_connection_result_fn *on_connection_result,
-    void *user_data);
+AWS_IO_API int aws_socket_connect(struct aws_socket *socket, struct aws_socket_connect_options *socket_connect_options);
 
 /**
  * Binds the socket to a local address. In UDP mode, the socket is ready for `aws_socket_read()` operations. In
  * connection oriented modes, you still must call `aws_socket_listen()` and `aws_socket_start_accept()` before using the
  * socket. local_endpoint is copied.
  */
-AWS_IO_API int aws_socket_bind(struct aws_socket *socket, const struct aws_socket_endpoint *local_endpoint);
+AWS_IO_API int aws_socket_bind(struct aws_socket *socket, struct aws_socket_bind_options *socket_bind_options);
 
 /**
  * Get the local address which the socket is bound to.