iOS Data Protection Keychain

include/aws/io/private/pki_utils.h

@@ -15,6 +15,8 @@
 #ifdef AWS_OS_APPLE
 /* It's ok to include external headers because this is a PRIVATE header file */
 #    include <CoreFoundation/CFArray.h>
+#include <Security/Security.h>
+struct aws_secitem_options;
 #endif /* AWS_OS_APPLE */
 
 struct aws_string;
@@ -41,7 +43,21 @@ int aws_import_public_and_private_keys_to_identity(
     const struct aws_byte_cursor *private_key,
     CFArrayRef *identity,
     const struct aws_string *keychain_path);
-#    endif /* AWS_OS_IOS */
+#   endif /* !AWS_OS_IOS */
+
+/**
+ * Imports a PEM armored PKCS#7 public/private key pair
+ * into protected data keychain for use with Apple Network Framework.
+ * Currently only implemented for iOS.
+ */
+int aws_secitem_import_cert_and_key(
+    struct aws_allocator *alloc,
+    CFAllocatorRef cf_alloc,
+    const struct aws_byte_cursor *public_cert_chain,
+    const struct aws_byte_cursor *private_key,
+    SecCertificateRef *secitem_certificate,
+    SecKeyRef *secitem_private_key,
+    const struct aws_secitem_options *secitem_options);
 
 /**
  * Imports a PKCS#12 file into identity for use with

include/aws/io/tls_channel_handler.h

@@ -146,6 +146,37 @@ struct aws_tls_connection_options {
  */
 struct aws_tls_key_operation;
 
+#ifdef __APPLE__
+
+/**
+ * A struct containing parameters used during import of Certificate and Private Key into a
+ * data protection keychain using Apple's SecItem API.
+ */
+struct aws_secitem_options {
+    /**
+     * Human-Readable identifier tag for certificate being used in keychain.
+     * Value will be used with kSecAttrLabel Key in SecItem functions.
+     * If one is not provided, we generate it ourselves.
+     */
+    struct aws_string *cert_label;
+
+    /**
+     * Human-Readable identifier tag for private key being used in keychain.
+     * Value will be used with kSecAttrLabel Key in SecItem functions.
+     * If one is not provided, we generate it ourselves.
+     */
+    struct aws_string *key_label;
+
+    /**
+     * Human-Readable unique identifier tag for private key being used in keychain.
+     * Value will be used with kSecAttrLabel Key in SecItem functions.
+     * If one is not provided, we generate it ourselves.
+     */
+    struct aws_string *application_label;
+};
+
+#endif /* __APPLE__ */
+
 struct aws_tls_ctx_options {
     struct aws_allocator *allocator;
 
@@ -214,15 +245,24 @@ struct aws_tls_ctx_options {
      */
     struct aws_byte_buf pkcs12_password;
 
-#    if !defined(AWS_OS_IOS)
+    /**
+     * When adding items to the keychain, SecItem allows the setting of attributes
+     * that control various options and settings related to access of the items. This
+     * struct contains the various attributes we currently support.
+     */
+    struct aws_secitem_options *secitem_options;
+
+#   if !defined(AWS_OS_IOS)
     /**
      * On Apple OS you can also use a custom keychain instead of
      * the default keychain of the account.
      */
     struct aws_string *keychain_path;
-#    endif
 
-#endif
+#   endif /* !AWS_OS_IOS */
+
+
+#endif /* __APPLE__ */
 
     /** max tls fragment size. Default is the value of g_aws_channel_max_fragment_size. */
     size_t max_fragment_size;