feat: add support to CRT HTTP Client for providing custom trust and key store

[dayaffe]

Issue #

#1110

Description of changes

Example Usage with STSClient on Apple devices:

let urlSessionTLSOptions = URLSessionTLSOptions(
    certificateFile: "localhost", // .cer
    keyStoreName: "certificate", // .p12
    keyStorePassword: "test"
)

let client = try await STSClient(
    config: .init(
        httpClientConfiguration: .init(
            tlsOptions: .init(urlSessionTLSOptions: urlSessionTLSOptions)
        )
    )
)

Example Usage with STSClient on Linux:

let crtTLSOptions = CRTClientTLSOptions(
    certificatePath: "/path/",
    certificateFilename: "trustStoreFile",
    keyStoreFilepath: "/path/file",
    keyStorePassword: "password"
)

let client = try await STSClient(
    config: .init(
        httpClientConfiguration: .init(
            tlsOptions: .init(crtTLSOptions: crtTLSOptions)
        )
    )
)

Directions for testing URLSession changes:

Step 1: Downgrade Openssl on mac from 3.x to 1.1. Mac's Keychain Access and XCode are not compatible with the latest openssl encryption algorithms

Step 2. Generate a key (.pem) and a certificate (.cer) and then include both in a keystore (.p12)

Step 3. Include both the certificate file (.cer) and keystore (.p12) in the project's bundle

Step 4. Create a local test server. You can use mine as an exmaple and run it using node server.js:

const express = require('express');
const https = require('https');
const fs = require('fs');

const app = express();

app.get('/', (req, res) => {
  res.send('Hello, Secure World!');
});

https.createServer({
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('certificate.pem'),
  passphrase: "test"
}, app)
.listen(3000, () => {
  console.log('Listening on https://localhost:3000');
});

Step 5. Run XCode proj that hits the server. Here is my example code:

let urlSessionTLSOptions = URLSessionTLSOptions(
    certificateFile: "localhost", // .cer
    keyStoreName: "certificate", // .p12
    keyStorePassword: "test"
)

// Create an instance of our URLSessionHTTPClient
let urlSessionClient = URLSessionHTTPClient(httpClientConfiguration: .init(urlSessionTLSOptions: urlSessionTLSOptions))

// Create an SdkHttpRequest
let sdkHttpRequest = SdkHttpRequest(
    method: .get,
    endpoint: Endpoint(host: "localhost", path: "/", port: 3000, protocolType: .https),
    body: .noStream
)
// Send the request
do {
    let response = try await urlSessionClient.send(request: sdkHttpRequest)
    print("Response received: \(response)")
} catch {
    print("Failed to make request: \(error)")
}

Scope

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[sichanyoo]

Minor suggestions

[waahm7]

If this is the public API, Is it possible to have one TLSContext class and create either a URLSessionTLSOptions or a TLSContext internally from it?

[waahm7]

It might be better to just expose a wrapper to TLSContextOptions and create a TLSContext from that. No one should be passing server mode to this TLSContext.init function.

[waahm7]

These are derived variables, but someone can modify them after the init function. Is that intended?

[dayaffe]

Will change so they cant modify

[jbelkins]

Should any of these properties be modifiable? Generally configuration objects are immutable once created.

[xiazhvera]

SecPKCS12Import: The latest aws-crt-swift disabled the API for iOS, tvOS, and watchOS, as we dont really have a way to test the API on those platforms. Would you have a test plan to the feature with pkcs12 key on the platforms? Maybe I could add the tests to CRT as well and enable the API there.

awslabs/aws-crt-swift#246 <= PR that disabled SecPKCS12Import

[dayaffe]

I agree there's no easy way to test on those platforms natively (would work via simulator for dev testing), I manually generated the p12 file using a combination of keychain access and openssl 1.1

[jbelkins]

See individual comments. Also it seems that we have some HTTP client config that is specific to only one client. Short of clearly documenting what affects what, is there a way that we can unify settings so that one setting affects both clients?

[jbelkins]

Should this be error log level?

[jbelkins]

Should any of these properties be modifiable? Generally configuration objects are immutable once created.

[jbelkins]

Eliminate the print statement, or change it to a log statement

[jbelkins]

Also, should error be unwrapped here? Seems odd to log & throw an error you're not sure is there

[dayaffe]

Eliminating print statement, the error has to be there as part of description of SecTrustEvaluateWithError. If result is false, error will be populated with reason, if true error will be null

[jbelkins]

The actual error here is that setting anchor certificates failed? Should the error we throw say that more explicitly?

[jbelkins]

Let's move these extensions to a separate source file

[jbelkins]

The URLSessionHTTPClient is getting big

[jbelkins]

Why unwrap to a local var with an underscore?

if let crtTLSOptions {

will unwrap the optional then "shadow" it inside the if.

[jbelkins]

Is TLSContext a CRT type? If so, let's not expose it directly to customers. CRT is an "implementation detail" of the AWS SDK for Swift that should remain concealed from customers.

[dayaffe]

Will change this to CRTClientTLSOptions type that I created and provide a resolveContext() method on it

[dayaffe]

Can also rename that if we want to get rid of CRT from it

[jbelkins]

Eventually Swift Foundation will eliminate these differences, but for now we're stuck with swift-corelibs-foundation on Linux which is not always faithful to the original.

[jbelkins]

nit: can this be a computed property instead of stored?

[jbelkins]

same with the property above

[jbelkins]

Fix the swiftlint issue before merging