-
-
Notifications
You must be signed in to change notification settings - Fork 32
/
Copy pathTSTLSConfiguration.swift
327 lines (292 loc) · 12.6 KB
/
TSTLSConfiguration.swift
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
//===----------------------------------------------------------------------===//
//
// This source file is part of the MQTTNIO project
//
// Copyright (c) 2020-2022 Adam Fowler
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
#if canImport(Network)
import Foundation
import Network
#if os(macOS) || os(Linux)
import NIOSSL
#endif
/// TLS Version enumeration
public enum TSTLSVersion {
case tlsV10
case tlsV11
case tlsV12
case tlsV13
/// return `SSLProtocol` for iOS12 api
var sslProtocol: SSLProtocol {
switch self {
case .tlsV10:
return .tlsProtocol1
case .tlsV11:
return .tlsProtocol11
case .tlsV12:
return .tlsProtocol12
case .tlsV13:
return .tlsProtocol13
}
}
/// return `tls_protocol_version_t` for iOS13 and later apis
@available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *)
var tlsProtocolVersion: tls_protocol_version_t {
switch self {
case .tlsV10:
return .TLSv10
case .tlsV11:
return .TLSv11
case .tlsV12:
return .TLSv12
case .tlsV13:
return .TLSv13
}
}
}
@available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *)
extension tls_protocol_version_t {
var tsTLSVersion: TSTLSVersion {
switch self {
case .TLSv10:
return .tlsV10
case .TLSv11:
return .tlsV11
case .TLSv12:
return .tlsV12
case .TLSv13:
return .tlsV13
default:
preconditionFailure("Invalid TLS version")
}
}
}
/// Certificate verification modes.
public enum TSCertificateVerification {
/// All certificate verification disabled.
case none
/// Certificates will be validated against the trust store and checked
/// against the hostname of the service we are contacting.
case fullVerification
}
/// TLS configuration for NIO Transport Services
public struct TSTLSConfiguration {
/// Error loading TLS files
public enum Error: Swift.Error {
case invalidData
}
/// Struct defining an array of certificates
public struct Certificates {
let certificates: [SecCertificate]
/// Create certificate array from already loaded SecCertificate array
public static func certificates(_ secCertificates: [SecCertificate]) -> Self { .init(certificates: secCertificates) }
#if os(macOS) || os(Linux)
/// Create certificate array from PEM file
public static func pem(_ filename: String) throws -> Self {
let certificates = try NIOSSLCertificate.fromPEMFile(filename)
let secCertificates = try certificates.map { certificate -> SecCertificate in
guard let certificate = try SecCertificateCreateWithData(nil, Data(certificate.toDERBytes()) as CFData) else {
throw TSTLSConfiguration.Error.invalidData
}
return certificate
}
return .init(certificates: secCertificates)
}
#endif
/// Create certificate array from DER file
public static func der(_ filename: String) throws -> Self {
let certificateData = try Data(contentsOf: URL(fileURLWithPath: filename))
guard let secCertificate = SecCertificateCreateWithData(nil, certificateData as CFData) else {
throw TSTLSConfiguration.Error.invalidData
}
return .init(certificates: [secCertificate])
}
}
/// Struct defining identity
public struct Identity {
let identity: SecIdentity
/// Create Identity from already loaded SecIdentity
public static func secIdentity(_ secIdentity: SecIdentity) -> Self { .init(identity: secIdentity) }
/// Create Identity from p12 file
public static func p12(filename: String, password: String) throws -> Self {
let data = try Data(contentsOf: URL(fileURLWithPath: filename))
let options: [String: String] = [kSecImportExportPassphrase as String: password]
var rawItems: CFArray?
guard SecPKCS12Import(data as CFData, options as CFDictionary, &rawItems) == errSecSuccess else {
throw TSTLSConfiguration.Error.invalidData
}
let items = rawItems! as! [[String: Any]]
guard let firstItem = items.first,
let secIdentity = firstItem[kSecImportItemIdentity as String] as! SecIdentity?
else {
throw TSTLSConfiguration.Error.invalidData
}
return .init(identity: secIdentity)
}
}
/// The minimum TLS version to allow in negotiation. Defaults to tlsv1.
public var minimumTLSVersion: TSTLSVersion
/// The maximum TLS version to allow in negotiation. If nil, there is no upper limit. Defaults to nil.
public var maximumTLSVersion: TSTLSVersion?
/// The trust roots to use to validate certificates. This only needs to be provided if you intend to validate
/// certificates.
public var trustRoots: [SecCertificate]?
/// The identity associated with the leaf certificate.
public var clientIdentity: SecIdentity?
/// The application protocols to use in the connection.
public var applicationProtocols: [String]
/// Whether to verify remote certificates.
public var certificateVerification: TSCertificateVerification
/// Initialize TSTLSConfiguration
/// - Parameters:
/// - minimumTLSVersion: minimum version of TLS supported
/// - maximumTLSVersion: maximum version of TLS supported
/// - trustRoots: The trust roots to use to validate certificates
/// - clientIdentity: Client identity
/// - applicationProtocols: The application protocols to use in the connection
/// - certificateVerification: Should certificates be verified
public init(
minimumTLSVersion: TSTLSVersion = .tlsV10,
maximumTLSVersion: TSTLSVersion? = nil,
trustRoots: [SecCertificate]? = nil,
clientIdentity: SecIdentity? = nil,
applicationProtocols: [String] = [],
certificateVerification: TSCertificateVerification = .fullVerification
) {
self.minimumTLSVersion = minimumTLSVersion
self.maximumTLSVersion = maximumTLSVersion
self.trustRoots = trustRoots
self.clientIdentity = clientIdentity
self.applicationProtocols = applicationProtocols
self.certificateVerification = certificateVerification
}
/// Initialize TSTLSConfiguration
/// - Parameters:
/// - minimumTLSVersion: minimum version of TLS supported
/// - maximumTLSVersion: maximum version of TLS supported
/// - trustRoots: The trust roots to use to validate certificates
/// - clientIdentity: Client identity
/// - applicationProtocols: The application protocols to use in the connection
/// - certificateVerification: Should certificates be verified
public init(
minimumTLSVersion: TSTLSVersion = .tlsV10,
maximumTLSVersion: TSTLSVersion? = nil,
trustRoots: Certificates,
clientIdentity: Identity,
applicationProtocols: [String] = [],
certificateVerification: TSCertificateVerification = .fullVerification
) {
self.minimumTLSVersion = minimumTLSVersion
self.maximumTLSVersion = maximumTLSVersion
self.trustRoots = trustRoots.certificates
self.clientIdentity = clientIdentity.identity
self.applicationProtocols = applicationProtocols
self.certificateVerification = certificateVerification
}
}
extension TSTLSConfiguration {
func getNWProtocolTLSOptions() throws -> NWProtocolTLS.Options {
let options = NWProtocolTLS.Options()
// minimum TLS protocol
if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, self.minimumTLSVersion.tlsProtocolVersion)
} else {
sec_protocol_options_set_tls_min_version(options.securityProtocolOptions, self.minimumTLSVersion.sslProtocol)
}
// maximum TLS protocol
if let maximumTLSVersion = self.maximumTLSVersion {
if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, maximumTLSVersion.tlsProtocolVersion)
} else {
sec_protocol_options_set_tls_max_version(options.securityProtocolOptions, maximumTLSVersion.sslProtocol)
}
}
if let clientIdentity = self.clientIdentity, let secClientIdentity = sec_identity_create(clientIdentity) {
sec_protocol_options_set_local_identity(options.securityProtocolOptions, secClientIdentity)
}
for applicationProtocol in self.applicationProtocols {
sec_protocol_options_add_tls_application_protocol(options.securityProtocolOptions, applicationProtocol)
}
if self.certificateVerification != .fullVerification || self.trustRoots != nil {
// add verify block to control certificate verification
sec_protocol_options_set_verify_block(
options.securityProtocolOptions,
{ _, sec_trust, sec_protocol_verify_complete in
guard self.certificateVerification != .none else {
sec_protocol_verify_complete(true)
return
}
let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()
if let trustRootCertificates = trustRoots {
SecTrustSetAnchorCertificates(trust, trustRootCertificates as CFArray)
}
if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
SecTrustEvaluateAsyncWithError(trust, Self.tlsDispatchQueue) { _, result, error in
if let error {
print("Trust failed: \(error.localizedDescription)")
}
sec_protocol_verify_complete(result)
}
} else {
SecTrustEvaluateAsync(trust, Self.tlsDispatchQueue) { _, result in
switch result {
case .proceed, .unspecified:
sec_protocol_verify_complete(true)
default:
sec_protocol_verify_complete(false)
}
}
}
},
Self.tlsDispatchQueue
)
}
return options
}
/// Dispatch queue used by Network framework TLS to control certificate verification
static var tlsDispatchQueue = DispatchQueue(label: "TSTLSConfiguration")
}
/// Deprecated TSTLSConfiguration
@available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *)
@available(*, deprecated, message: "Use the init using TSTLSVersion")
extension TSTLSConfiguration {
/// Initialize TSTLSConfiguration
public init(
minimumTLSVersion: tls_protocol_version_t,
maximumTLSVersion: tls_protocol_version_t? = nil,
trustRoots: Certificates,
clientIdentity: Identity,
applicationProtocols: [String] = [],
certificateVerification: TSCertificateVerification = .fullVerification
) {
self.minimumTLSVersion = minimumTLSVersion.tsTLSVersion
self.maximumTLSVersion = maximumTLSVersion?.tsTLSVersion
self.trustRoots = trustRoots.certificates
self.clientIdentity = clientIdentity.identity
self.applicationProtocols = applicationProtocols
self.certificateVerification = certificateVerification
}
/// Initialize TSTLSConfiguration
public init(
minimumTLSVersion: tls_protocol_version_t,
maximumTLSVersion: tls_protocol_version_t? = nil,
trustRoots: [SecCertificate]? = nil,
clientIdentity: SecIdentity? = nil,
applicationProtocols: [String] = [],
certificateVerification: TSCertificateVerification = .fullVerification
) {
self.minimumTLSVersion = minimumTLSVersion.tsTLSVersion
self.maximumTLSVersion = maximumTLSVersion?.tsTLSVersion
self.trustRoots = trustRoots
self.clientIdentity = clientIdentity
self.applicationProtocols = applicationProtocols
self.certificateVerification = certificateVerification
}
}
#endif