in src/native/tls_context_options.c [70:234]
/*
 * Loads a PEM certificate / private key pair from two Java strings into `tls`
 * and re-initialises `tls->options` as an mTLS client from them.
 *
 * Returns 0 on success. On failure a RuntimeException has already been thrown
 * on `env` and -1 is returned; any fields already populated on `tls` are left
 * for the caller's destroy path to release.
 */
static int s_init_mtls_from_strings(
    JNIEnv *env,
    struct jni_tls_ctx_options *tls,
    struct aws_allocator *allocator,
    jstring jni_certificate,
    jstring jni_private_key) {

    tls->certificate = aws_jni_new_string_from_jstring(env, jni_certificate);
    if (!tls->certificate) {
        aws_jni_throw_runtime_exception(env, "failed to get certificate string");
        return -1;
    }

    /* The private key now lives on the native heap in `tls`; it is released by
     * s_jni_tls_ctx_options_destroy (not visible here). NOTE(review): confirm
     * that destroy path zeroises key material rather than plainly freeing it. */
    tls->private_key = aws_jni_new_string_from_jstring(env, jni_private_key);
    if (!tls->private_key) {
        aws_jni_throw_runtime_exception(env, "failed to get privateKey string");
        return -1;
    }

    struct aws_byte_cursor cert_cursor = aws_byte_cursor_from_string(tls->certificate);
    struct aws_byte_cursor key_cursor = aws_byte_cursor_from_string(tls->private_key);
    if (aws_tls_ctx_options_init_client_mtls(&tls->options, allocator, &cert_cursor, &key_cursor)) {
        aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls failed");
        return -1;
    }

    return 0;
}

/*
 * Records the certificate and private key file paths on `tls` and
 * re-initialises `tls->options` as an mTLS client that reads them from disk.
 *
 * Returns 0 on success, -1 after a RuntimeException has been thrown on `env`.
 */
static int s_init_mtls_from_paths(
    JNIEnv *env,
    struct jni_tls_ctx_options *tls,
    struct aws_allocator *allocator,
    jstring jni_cert_path,
    jstring jni_key_path) {

    tls->certificate_path = aws_jni_new_string_from_jstring(env, jni_cert_path);
    if (!tls->certificate_path) {
        aws_jni_throw_runtime_exception(env, "failed to get certificatePath string");
        return -1;
    }

    tls->private_key_path = aws_jni_new_string_from_jstring(env, jni_key_path);
    if (!tls->private_key_path) {
        aws_jni_throw_runtime_exception(env, "failed to get privateKeyPath string");
        return -1;
    }

    /* The paths are handed to the native library as-is; any existence or
     * permission checks on the key file happen inside this call. */
    if (aws_tls_ctx_options_init_client_mtls_from_path(
            &tls->options,
            allocator,
            aws_string_c_str(tls->certificate_path),
            aws_string_c_str(tls->private_key_path))) {
        aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_from_path failed");
        return -1;
    }

    return 0;
}

/*
 * Converts the Java PKCS#11 options object into native options owned by `tls`
 * and re-initialises `tls->options` as an mTLS client backed by PKCS#11.
 *
 * Returns 0 on success, -1 after a RuntimeException has been thrown on `env`.
 */
static int s_init_mtls_with_pkcs11(
    JNIEnv *env,
    struct jni_tls_ctx_options *tls,
    struct aws_allocator *allocator,
    jobject jni_pkcs11_options) {

    tls->pkcs11_options = aws_tls_ctx_pkcs11_options_from_java_new(env, jni_pkcs11_options);
    if (tls->pkcs11_options == NULL) {
        /* the converter throws its own exception before returning NULL */
        return -1;
    }

    if (aws_tls_ctx_options_init_client_mtls_with_pkcs11(&tls->options, allocator, tls->pkcs11_options)) {
        aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_with_pkcs11 failed");
        return -1;
    }

    return 0;
}

#if defined(__APPLE__)
/*
 * Records the PKCS#12 bundle path and its password on `tls` and re-initialises
 * `tls->options` as an mTLS client from that bundle. Apple platforms only.
 *
 * Returns 0 on success, -1 after a RuntimeException has been thrown on `env`.
 */
static int s_init_mtls_with_pkcs12(
    JNIEnv *env,
    struct jni_tls_ctx_options *tls,
    struct aws_allocator *allocator,
    jstring jni_pkcs12_path,
    jstring jni_pkcs12_password) {

    tls->pkcs12_path = aws_jni_new_string_from_jstring(env, jni_pkcs12_path);
    if (!tls->pkcs12_path) {
        aws_jni_throw_runtime_exception(env, "failed to get pkcs12Path string");
        return -1;
    }

    /* The password is a secret kept on the native heap for the lifetime of
     * `tls`. NOTE(review): confirm s_jni_tls_ctx_options_destroy wipes it. */
    tls->pkcs12_password = aws_jni_new_string_from_jstring(env, jni_pkcs12_password);
    if (!tls->pkcs12_password) {
        aws_jni_throw_runtime_exception(env, "failed to get pkcs12Password string");
        return -1;
    }

    struct aws_byte_cursor password = aws_byte_cursor_from_string(tls->pkcs12_password);
    if (aws_tls_ctx_options_init_client_mtls_pkcs12_from_path(
            &tls->options, allocator, aws_string_c_str(tls->pkcs12_path), &password)) {
        aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_init_client_mtls_pkcs12_from_path failed");
        return -1;
    }

    return 0;
}
#endif

/*
 * Replaces the default trust store on `tls->options` when the caller supplied
 * one. An in-memory CA bundle (`jni_ca`) wins over file/directory paths; when
 * neither is given the platform default trust store is kept untouched.
 *
 * Returns 0 on success (including the nothing-to-do case), -1 after a
 * RuntimeException has been thrown on `env`.
 */
static int s_apply_trust_store(
    JNIEnv *env,
    struct jni_tls_ctx_options *tls,
    jstring jni_ca,
    jstring jni_ca_filepath,
    jstring jni_ca_dirpath) {

    if (jni_ca) {
        tls->ca_root = aws_jni_new_string_from_jstring(env, jni_ca);
        if (!tls->ca_root) {
            aws_jni_throw_runtime_exception(env, "failed to get caRoot string");
            return -1;
        }
        struct aws_byte_cursor ca_cursor = aws_byte_cursor_from_string(tls->ca_root);
        if (aws_tls_ctx_options_override_default_trust_store(&tls->options, &ca_cursor)) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_override_default_trust_store failed");
            return -1;
        }
        return 0;
    }

    if (!jni_ca_filepath && !jni_ca_dirpath) {
        return 0;
    }

    /* Either of the two may be absent; the native API accepts NULL for the one
     * that was not supplied. */
    const char *ca_file = NULL;
    const char *ca_dir = NULL;

    if (jni_ca_filepath) {
        tls->ca_file = aws_jni_new_string_from_jstring(env, jni_ca_filepath);
        if (!tls->ca_file) {
            aws_jni_throw_runtime_exception(env, "failed to get caFile string");
            return -1;
        }
        ca_file = aws_string_c_str(tls->ca_file);
    }

    if (jni_ca_dirpath) {
        tls->ca_path = aws_jni_new_string_from_jstring(env, jni_ca_dirpath);
        if (!tls->ca_path) {
            aws_jni_throw_runtime_exception(env, "failed to get caPath string");
            return -1;
        }
        ca_dir = aws_string_c_str(tls->ca_path);
    }

    /* Argument order is (directory, file). */
    if (aws_tls_ctx_options_override_default_trust_store_from_path(&tls->options, ca_dir, ca_file)) {
        aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_override_default_trust_store_from_path failed");
        return -1;
    }

    return 0;
}

/*
 * JNI entry point: builds a native jni_tls_ctx_options from the values held by
 * the Java TlsContextOptions object.
 *
 * Exactly one client-credential source is honoured, chosen in this order:
 * in-memory certificate + key, certificate + key file paths, PKCS#11 options,
 * and (Apple only) a PKCS#12 bundle + password. Trust-store overrides, the
 * TLS version floor, cipher preference, peer verification and the ALPN list
 * are applied afterwards.
 *
 * Returns the native pointer as a jlong, or 0 after a RuntimeException has
 * been thrown; on that path everything allocated so far has been destroyed.
 * Ownership of the returned object passes to the Java caller.
 */
jlong JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOptionsNew(
    JNIEnv *env,
    jclass jni_class,
    jint jni_min_tls_version,
    jint jni_cipher_pref,
    jstring jni_alpn,
    jstring jni_certificate,
    jstring jni_private_key,
    jstring jni_cert_path,
    jstring jni_key_path,
    jstring jni_ca,
    jstring jni_ca_filepath,
    jstring jni_ca_dirpath,
    jboolean jni_verify_peer,
    jstring jni_pkcs12_path,
    jstring jni_pkcs12_password,
    jobject jni_pkcs11_options) {

    (void)jni_class;
    /* Only consumed on Apple platforms; keep the compiler quiet elsewhere. */
    (void)jni_pkcs12_path;
    (void)jni_pkcs12_password;

    struct aws_allocator *allocator = aws_jni_get_allocator();
    struct jni_tls_ctx_options *tls = aws_mem_calloc(allocator, 1, sizeof(struct jni_tls_ctx_options));
    AWS_FATAL_ASSERT(tls);

    aws_tls_ctx_options_init_default_client(&tls->options, allocator);

    /* Each credential source re-initialises tls->options wholesale, which
     * resets the scalar fields, so credentials are selected before anything
     * else is set. NOTE(review): a half-configured pair (a certificate without
     * its key, or a cert path without a key path) matches none of these
     * branches and silently yields a client with no credentials at all;
     * confirm the Java layer rejects that combination. */
    int credentials_rc = 0;
    if (jni_certificate && jni_private_key) {
        credentials_rc = s_init_mtls_from_strings(env, tls, allocator, jni_certificate, jni_private_key);
    } else if (jni_cert_path && jni_key_path) {
        credentials_rc = s_init_mtls_from_paths(env, tls, allocator, jni_cert_path, jni_key_path);
    } else if (jni_pkcs11_options) {
        credentials_rc = s_init_mtls_with_pkcs11(env, tls, allocator, jni_pkcs11_options);
    }
#if defined(__APPLE__)
    else if (jni_pkcs12_path && jni_pkcs12_password) {
        credentials_rc = s_init_mtls_with_pkcs12(env, tls, allocator, jni_pkcs12_path, jni_pkcs12_password);
    }
#endif
    if (credentials_rc) {
        goto on_error;
    }

    if (s_apply_trust_store(env, tls, jni_ca, jni_ca_filepath, jni_ca_dirpath)) {
        goto on_error;
    }

    /* Scalar settings last, so none of the inits above can clobber them.
     * The two enum casts are not range-checked here; presumably the Java
     * enums constrain the values -- TODO confirm. A false verify_peer turns
     * off server certificate verification entirely and is whatever the Java
     * caller asked for. */
    tls->options.minimum_tls_version = (enum aws_tls_versions)jni_min_tls_version;
    tls->options.cipher_pref = (enum aws_tls_cipher_pref)jni_cipher_pref;
    tls->options.verify_peer = jni_verify_peer != 0;

    if (jni_alpn) {
        tls->alpn_list = aws_jni_new_string_from_jstring(env, jni_alpn);
        if (!tls->alpn_list) {
            aws_jni_throw_runtime_exception(env, "failed to get alpnList string");
            goto on_error;
        }
        if (aws_tls_ctx_options_set_alpn_list(&tls->options, aws_string_c_str(tls->alpn_list))) {
            aws_jni_throw_runtime_exception(env, "aws_tls_ctx_options_set_alpn_list failed");
            goto on_error;
        }
    }

    return (jlong)tls;

on_error:
    /* Releases every field populated above, whichever branch failed. */
    s_jni_tls_ctx_options_destroy(tls);
    return (jlong)0;
}