xref: /aosp_15_r20/external/aws-crt-java/src/native/tls_context_options.c (revision 3c7ae9de214676c52d19f01067dc1a404272dc11)

/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */

#include <jni.h>

#include <aws/common/string.h>
#include <aws/io/tls_channel_handler.h>

#include "crt.h"
#include "java_class_ids.h"
#include "tls_context_pkcs11_options.h"

#include "custom_key_op_handler.h"

/* Have to wrap the native struct so we can manage string lifetime */
struct jni_tls_ctx_options {
    /* Must be first thing in the structure so casts to aws_tls_ctx_options work */
    struct aws_tls_ctx_options options;
    /* these strings get copied from java, so we don't have to pin and track references */
    struct aws_string *ca_file;
    struct aws_string *ca_path;
    struct aws_string *alpn_list;
    struct aws_string *certificate_path;
    struct aws_string *private_key_path;
    struct aws_string *pkcs12_path;
    struct aws_string *pkcs12_password;
    struct aws_string *certificate;
    struct aws_string *private_key;
    struct aws_string *windows_cert_store_path;
    struct aws_string *ca_root;

    struct aws_tls_ctx_pkcs11_options *pkcs11_options;

    struct aws_custom_key_op_handler *custom_key_op_handler;
};

/* on 32-bit platforms, casting pointers to longs throws a warning we don't need */
#if UINTPTR_MAX == 0xffffffff
#    if defined(_MSC_VER)
#        pragma warning(push)
#        pragma warning(disable : 4305) /* 'type cast': truncation from 'jlong' to 'jni_tls_ctx_options *' */
#    else
#        pragma GCC diagnostic push
#        pragma GCC diagnostic ignored "-Wpointer-to-int-cast"
#        pragma GCC diagnostic ignored "-Wint-to-pointer-cast"
#    endif
#endif

static void s_jni_tls_ctx_options_destroy(struct jni_tls_ctx_options *tls) {
    if (tls == NULL) {
        return;
    }

    aws_string_destroy(tls->ca_file);
    aws_string_destroy(tls->ca_path);
    aws_string_destroy(tls->alpn_list);
    aws_string_destroy(tls->certificate_path);
    aws_string_destroy(tls->private_key_path);
    aws_string_destroy(tls->pkcs12_path);
    aws_string_destroy_secure(tls->pkcs12_password);
    aws_string_destroy(tls->certificate);
    aws_string_destroy_secure(tls->private_key);
    aws_string_destroy(tls->windows_cert_store_path);
    aws_string_destroy(tls->ca_root);

    aws_tls_ctx_pkcs11_options_from_java_destroy(tls->pkcs11_options);
    aws_custom_key_op_handler_java_release(tls->custom_key_op_handler);
    aws_tls_ctx_options_clean_up(&tls->options);

    struct aws_allocator *allocator = aws_jni_get_allocator();
    aws_mem_release(allocator, tls);
}

JNIEXPORT
jlong JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOptionsNew(
    JNIEnv *env,
    jclass jni_class,
    jint jni_min_tls_version,
    jint jni_cipher_pref,
    jstring jni_alpn,
    jstring jni_certificate,
    jstring jni_private_key,
    jstring jni_cert_path,
    jstring jni_key_path,
    jstring jni_ca,
    jstring jni_ca_filepath,
    jstring jni_ca_dirpath,
    jboolean jni_verify_peer,
    jstring jni_pkcs12_path,
    jstring jni_pkcs12_password,
    jobject jni_pkcs11_options,
    jobject jni_custom_key_op,
    jstring jni_windows_cert_store_path) {
    (void)jni_class;
    aws_cache_jni_ids(env);

    struct aws_allocator *allocator = aws_jni_get_allocator();
    struct jni_tls_ctx_options *tls = aws_mem_calloc(allocator, 1, sizeof(struct jni_tls_ctx_options));
    AWS_FATAL_ASSERT(tls);
    aws_tls_ctx_options_init_default_client(&tls->options, allocator);

    /* Certs or paths will cause an init, which overwrites other fields, so do those first */
    if (jni_certificate && jni_private_key) {
        tls->certificate = aws_jni_new_string_from_jstring(env, jni_certificate);
        if (!tls->certificate) {
            aws_jni_throw_runtime_exception(env, "failed to get certificate string");
            goto on_error;
        }
        tls->private_key = aws_jni_new_string_from_jstring(env, jni_private_key);
        if (!tls->private_key) {
            aws_jni_throw_runtime_exception(env, "failed to get privateKey string");
            goto on_error;
        }

        struct aws_byte_cursor cert_cursor = aws_byte_cursor_from_string(tls->certificate);
        struct aws_byte_cursor key_cursor = aws_byte_cursor_from_string(tls->private_key);

        if (aws_tls_ctx_options_init_client_mtls(&tls->options, allocator, &cert_cursor, &key_cursor)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls failed");
            goto on_error;
        }
    } else if (jni_cert_path && jni_key_path) {
        tls->certificate_path = aws_jni_new_string_from_jstring(env, jni_cert_path);
        if (!tls->certificate_path) {
            aws_jni_throw_runtime_exception(env, "failed to get certificatePath string");
            goto on_error;
        }
        tls->private_key_path = aws_jni_new_string_from_jstring(env, jni_key_path);
        if (!tls->private_key_path) {
            aws_jni_throw_runtime_exception(env, "failed to get privateKeyPath string");
            goto on_error;
        }

        if (aws_tls_ctx_options_init_client_mtls_from_path(
                &tls->options,
                allocator,
                aws_string_c_str(tls->certificate_path),
                aws_string_c_str(tls->private_key_path))) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_from_path failed");
            goto on_error;
        }
    } else if (jni_pkcs11_options) {
        tls->pkcs11_options = aws_tls_ctx_pkcs11_options_from_java_new(env, jni_pkcs11_options);
        if (tls->pkcs11_options == NULL) {
            /* exception already thrown */
            goto on_error;
        }

        if (aws_tls_ctx_options_init_client_mtls_with_pkcs11(&tls->options, allocator, tls->pkcs11_options)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_with_pkcs11 failed");
            goto on_error;
        }
    } else if (jni_custom_key_op) {

        jobject jni_custom_key_op_handle = (*env)->GetObjectField(
            env, jni_custom_key_op, tls_context_custom_key_operation_options_properties.operation_handler_field_id);
        if (!jni_custom_key_op_handle) {
            aws_jni_throw_runtime_exception(
                env, "could not get custom operation handler from jni_custom_key_op_handle!");
            goto on_error;
        }

        tls->custom_key_op_handler = aws_custom_key_op_handler_java_new(env, jni_custom_key_op_handle);

        /* Certificate needs to be set, but there are multiple ways to get it */
        jstring jni_custom_key_op_cert_path = (*env)->GetObjectField(
            env, jni_custom_key_op, tls_context_custom_key_operation_options_properties.certificate_file_path_field_id);
        jstring jni_custom_key_op_cert_contents = (*env)->GetObjectField(
            env,
            jni_custom_key_op,
            tls_context_custom_key_operation_options_properties.certificate_file_contents_field_id);

        if (jni_custom_key_op_cert_path && jni_custom_key_op_cert_contents) {
            /* Cannot have both a certificate path and data - use one or the other */
            aws_jni_throw_runtime_exception(
                env, "Custom key operation handler: cannot have both certificate file path and certificate contents!");
            goto on_error;
        } else if (jni_custom_key_op_cert_contents) {
            /* If we have the certificate contents, then use it directly */
            tls->certificate = aws_jni_new_string_from_jstring(env, jni_custom_key_op_cert_contents);
            if (!tls->certificate) {
                aws_jni_throw_runtime_exception(
                    env, "Custom key operation handler: failed to get certificate contents string");
                goto on_error;
            }
            struct aws_byte_cursor certificate_byte_cursor = aws_byte_cursor_from_string(tls->certificate);

            /* Initialize the client with a custom key operation */
            if (aws_tls_ctx_options_init_client_mtls_with_custom_key_operations(
                    &tls->options, allocator, tls->custom_key_op_handler, &certificate_byte_cursor) != AWS_OP_SUCCESS) {
                aws_jni_throw_runtime_exception(
                    env, "aws_tls_ctx_options_init_client_mtls_with_custom_key_operations failed");
                goto on_error;
            }
        } else if (jni_custom_key_op_cert_path) {
            /* If we have a certificate path, we need to get the certificate data from it and use that */
            tls->certificate_path = aws_jni_new_string_from_jstring(env, jni_custom_key_op_cert_path);
            if (!tls->certificate_path) {
                aws_jni_throw_runtime_exception(
                    env, "Custom key operation handler: failed to get certificate path string");
                goto on_error;
            }
            struct aws_byte_buf tmp_byte_buf;
            int op = aws_byte_buf_init_from_file(&tmp_byte_buf, allocator, aws_string_c_str(tls->certificate_path));
            if (op != AWS_OP_SUCCESS) {
                aws_jni_throw_runtime_exception(
                    env, "Custom key operation handler: failed to get certificate path string");
                aws_byte_buf_clean_up(&tmp_byte_buf);
                goto on_error;
            }
            struct aws_byte_cursor certificate_byte_cursor = aws_byte_cursor_from_buf(&tmp_byte_buf);

            /* Initialize the client with a custom key operation */
            if (aws_tls_ctx_options_init_client_mtls_with_custom_key_operations(
                    &tls->options, allocator, tls->custom_key_op_handler, &certificate_byte_cursor) != AWS_OP_SUCCESS) {
                aws_jni_throw_runtime_exception(
                    env, "aws_tls_ctx_options_init_client_mtls_with_custom_key_operations failed");
                aws_byte_buf_clean_up(&tmp_byte_buf);
                goto on_error;
            }
            aws_byte_buf_clean_up(&tmp_byte_buf);
        } else {
            aws_jni_throw_runtime_exception(env, "Custom key operation handler: No certificate set!");
            goto on_error;
        }

    } else if (jni_pkcs12_path && jni_pkcs12_password) {
        tls->pkcs12_path = aws_jni_new_string_from_jstring(env, jni_pkcs12_path);
        if (!tls->pkcs12_path) {
            aws_jni_throw_runtime_exception(env, "failed to get pkcs12Path string");
            goto on_error;
        }
        tls->pkcs12_password = aws_jni_new_string_from_jstring(env, jni_pkcs12_password);
        if (!tls->pkcs12_password) {
            aws_jni_throw_runtime_exception(env, "failed to get pkcs12Password string");
            goto on_error;
        }

        struct aws_byte_cursor password = aws_byte_cursor_from_string(tls->pkcs12_password);
        if (aws_tls_ctx_options_init_client_mtls_pkcs12_from_path(
                &tls->options, allocator, aws_string_c_str(tls->pkcs12_path), &password)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_pkcs12_from_path failed");
            goto on_error;
        }
    } else if (jni_windows_cert_store_path) {
        tls->windows_cert_store_path = aws_jni_new_string_from_jstring(env, jni_windows_cert_store_path);
        if (!tls->windows_cert_store_path) {
            aws_jni_throw_runtime_exception(env, "failed to get windowsCertStorePath string");
            goto on_error;
        }

        if (aws_tls_ctx_options_init_client_mtls_from_system_path(
                &tls->options, allocator, aws_string_c_str(tls->windows_cert_store_path))) {

            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_from_system_path failed");
            goto on_error;
        }
    }

    if (jni_ca) {
        tls->ca_root = aws_jni_new_string_from_jstring(env, jni_ca);
        if (!tls->ca_root) {
            aws_jni_throw_runtime_exception(env, "failed to get caRoot string");
            goto on_error;
        }
        struct aws_byte_cursor ca_cursor = aws_byte_cursor_from_string(tls->ca_root);
        if (aws_tls_ctx_options_override_default_trust_store(&tls->options, &ca_cursor)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_override_default_trust_store failed");
            goto on_error;
        }
    } else if (jni_ca_filepath || jni_ca_dirpath) {
        const char *ca_file = NULL;
        const char *ca_path = NULL;
        if (jni_ca_filepath) {
            tls->ca_file = aws_jni_new_string_from_jstring(env, jni_ca_filepath);
            if (!tls->ca_file) {
                aws_jni_throw_runtime_exception(env, "failed to get caFile string");
                goto on_error;
            }

            ca_file = aws_string_c_str(tls->ca_file);
        }
        if (jni_ca_dirpath) {
            tls->ca_path = aws_jni_new_string_from_jstring(env, jni_ca_dirpath);
            if (!tls->ca_path) {
                aws_jni_throw_runtime_exception(env, "failed to get caPath string");
                goto on_error;
            }

            ca_path = aws_string_c_str(tls->ca_path);
        }

        if (aws_tls_ctx_options_override_default_trust_store_from_path(&tls->options, ca_path, ca_file)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_override_default_trust_store_from_path failed");
            goto on_error;
        }
    }

    /* apply the rest of the non-init settings */
    tls->options.minimum_tls_version = (enum aws_tls_versions)jni_min_tls_version;
    tls->options.cipher_pref = (enum aws_tls_cipher_pref)jni_cipher_pref;
    tls->options.verify_peer = jni_verify_peer != 0;

    if (jni_alpn) {
        tls->alpn_list = aws_jni_new_string_from_jstring(env, jni_alpn);
        if (!tls->alpn_list) {
            aws_jni_throw_runtime_exception(env, "failed to get alpnList string");
            goto on_error;
        }

        if (aws_tls_ctx_options_set_alpn_list(&tls->options, aws_string_c_str(tls->alpn_list))) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_set_alpn_list failed");
            goto on_error;
        }
    }

    return (jlong)tls;

on_error:

    s_jni_tls_ctx_options_destroy(tls);

    return (jlong)0;
}

JNIEXPORT
void JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOptionsDestroy(
    JNIEnv *env,
    jclass jni_class,
    jlong jni_tls) {
    (void)jni_class;
    aws_cache_jni_ids(env);

    s_jni_tls_ctx_options_destroy((struct jni_tls_ctx_options *)jni_tls);
}

JNIEXPORT
jboolean JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOptionsIsAlpnAvailable(
    JNIEnv *env,
    jclass jni_class) {
    (void)jni_class;
    aws_cache_jni_ids(env);

    return aws_tls_is_alpn_available();
}

JNIEXPORT
jboolean JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOptionsIsCipherPreferenceSupported(
    JNIEnv *env,
    jclass jni_class,
    jint jni_cipher_pref) {

    (void)jni_class;
    aws_cache_jni_ids(env);

    if (jni_cipher_pref < 0 || AWS_IO_TLS_CIPHER_PREF_END_RANGE <= jni_cipher_pref) {
        aws_jni_throw_runtime_exception(
            env,
            "TlsContextOptions.tlsContextOptionsSetCipherPreference: TlsCipherPreference is out of range: %d",
            (int)jni_cipher_pref);
        return false;
    }

    return aws_tls_is_cipher_pref_supported((enum aws_tls_cipher_pref)jni_cipher_pref);
}

#if UINTPTR_MAX == 0xffffffff
#    if defined(_MSC_VER)
#        pragma warning(pop)
#    else
#        pragma GCC diagnostic pop
#    endif
#endif