[Android] SSL certificate error when run the AWS gem sample levels (#2060)

[Android] Add AWS CA Cert handling to fix SSL errors.
4 years ago · 177f532ffa
parent 9b6d207163
commit 177f532ffa
21 changed files with 4309 additions and 1 deletions
--- a/Code/Tools/AWSNativeSDKInit/source/AWSNativeSDKInit.cpp
+++ b/Code/Tools/AWSNativeSDKInit/source/AWSNativeSDKInit.cpp
@ -25,6 +25,8 @@ namespace AWSNativeSDKInit
 #if defined(PLATFORM_SUPPORTS_AWS_NATIVE_SDK)
        void CustomizeSDKOptions(Aws::SDKOptions& options);
        void CustomizeShutdown();
+
+        void CopyCaCertBundle();
 #endif
    }

@ -44,6 +46,8 @@ namespace AWSNativeSDKInit
    void InitializationManager::InitAwsApi()
    {
        s_initManager = AZ::Environment::CreateVariable<InitializationManager>(initializationManagerTag);
+
+        Platform::CopyCaCertBundle();
    }

    void InitializationManager::Shutdown()
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Android/InitializeCerts_Android.cpp
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Android/InitializeCerts_Android.cpp
@ -0,0 +1,89 @@
+/*
+ * Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+ * 
+ * SPDX-License-Identifier: Apache-2.0 OR MIT
+ *
+ */
+
+#include <AzCore/PlatformDef.h>
+// The AWS Native SDK AWSAllocator triggers a warning due to accessing members of std::allocator directly.
+// AWSAllocator.h(70): warning C4996: 'std::allocator<T>::pointer': warning STL4010: Various members of std::allocator are deprecated in
+// C++17. Use std::allocator_traits instead of accessing these members directly. You can define
+// _SILENCE_CXX17_OLD_ALLOCATOR_MEMBERS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received
+// this warning.
+AZ_PUSH_DISABLE_WARNING(4251 4996, "-Wunknown-warning-option")
+#include <aws/core/utils/memory/stl/AWSString.h>
+AZ_POP_DISABLE_WARNING
+#include <AzCore/Android/Utils.h>
+#include <AzCore/IO/FileIO.h>
+#include <AzCore/IO/SystemFile.h>
+#include <AzCore/std/containers/vector.h>
+
+namespace AWSNativeSDKInit
+{
+    namespace Platform
+    {
+        void CopyCaCertBundle()
+        {
+            AZStd::vector<char> contents;
+            AZStd::string certificatePath = "@assets@/certificates/aws/cacert.pem";
+            AZStd::string publicStoragePath = AZ::Android::Utils::GetAppPublicStoragePath();
+            publicStoragePath.append("/certificates/aws/cacert.pem");
+
+            AZ::IO::FileIOBase* fileBase = AZ::IO::FileIOBase::GetInstance();
+
+            if (!fileBase->Exists(certificatePath.c_str()))
+            {
+                AZ_Error("AWSNativeSDKInit", false, "Certificate File(%s) does not exist.\n", certificatePath.c_str());
+            }
+
+            AZ::IO::HandleType fileHandle;
+            AZ::IO::Result fileResult = fileBase->Open(certificatePath.c_str(), AZ::IO::OpenMode::ModeRead, fileHandle);
+
+            if (!fileResult)
+            {
+                AZ_Error("AWSNativeSDKInit", false, "Failed to open certificate file with result %i\n", fileResult.GetResultCode());
+            }
+
+            AZ::u64 fileSize = 0;
+            fileBase->Size(fileHandle, fileSize);
+
+            if (fileSize == 0)
+            {
+                AZ_Error("AWSNativeSDKInit", false, "Given empty file(%s) as the certificate bundle.\n", certificatePath.c_str());
+            }
+
+            contents.resize(fileSize + 1);
+            fileResult = fileBase->Read(fileHandle, contents.data(), fileSize);
+
+            if (!fileResult)
+            {
+                AZ_Error(
+                    "AWSNativeSDKInit", false, "Failed to read from the certificate bundle(%s) with result code(%i).\n", certificatePath.c_str(),
+                    fileResult.GetResultCode());
+            }
+
+            AZ_Printf("AWSNativeSDKInit", "Certificate bundle is read successfully from %s", certificatePath.c_str());
+
+            AZ::IO::HandleType outFileHandle;
+
+            AZ::IO::Result outFileResult = fileBase->Open(publicStoragePath.c_str(), AZ::IO::OpenMode::ModeWrite, outFileHandle);
+
+            if (!outFileResult)
+            {
+                AZ_Error("AWSNativeSDKInit", false, "Failed to open the certificate bundle with result %i\n", fileResult.GetResultCode());
+            }
+
+            AZ::IO::Result writeFileResult = fileBase->Write(outFileHandle, contents.data(), fileSize);
+            if (!writeFileResult)
+            {
+                AZ_Error("AWSNativeSDKInit", false, "Failed to write the certificate bundle with result %i\n", writeFileResult.GetResultCode());
+            }
+
+            fileBase->Close(fileHandle);
+            fileBase->Close(outFileHandle);
+
+            AZ_Printf("AWSNativeSDKInit", "Certificate bundle successfully copied to %s", publicStoragePath.c_str());
+        }
+    } // namespace Platform
+}
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Android/platform_android_files.cmake
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Android/platform_android_files.cmake
@ -7,4 +7,5 @@

 set(FILES
    ../Common/Default/AWSNativeSDKInit_Default.cpp
+    InitializeCerts_Android.cpp
 )
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Common/Default/InitializeCerts_Null.cpp
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Common/Default/InitializeCerts_Null.cpp
@ -0,0 +1,16 @@
+/*
+ * Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+ * 
+ * SPDX-License-Identifier: Apache-2.0 OR MIT
+ *
+ */
+
+namespace AWSNativeSDKInit
+{
+    namespace Platform
+    {
+        void CopyCaCertBundle()
+        {
+        }
+    } // namespace Platform
+} // namespace AWSCore
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Linux/platform_linux_files.cmake
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Linux/platform_linux_files.cmake
@ -7,4 +7,5 @@

 set(FILES
    ../Common/Default/AWSNativeSDKInit_Default.cpp
+    ../Common/Default/InitializeCerts_Null.cpp
 )
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Mac/platform_mac_files.cmake
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Mac/platform_mac_files.cmake
@ -7,4 +7,5 @@

 set(FILES
    ../Common/Default/AWSNativeSDKInit_Default.cpp
+    ../Common/Default/InitializeCerts_Null.cpp
 )
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/Windows/platform_windows_files.cmake
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/Windows/platform_windows_files.cmake
@ -7,4 +7,5 @@

 set(FILES
    ../Common/Default/AWSNativeSDKInit_Default.cpp
+    ../Common/Default/InitializeCerts_Null.cpp
 )
--- a/Code/Tools/AWSNativeSDKInit/source/Platform/iOS/platform_ios_files.cmake
+++ b/Code/Tools/AWSNativeSDKInit/source/Platform/iOS/platform_ios_files.cmake
@ -7,4 +7,5 @@

 set(FILES
    ../Common/Default/AWSNativeSDKInit_Default.cpp
+    ../Common/Default/InitializeCerts_Null.cpp
 )
--- a/Gems/AWSClientAuth/Code/Source/AWSClientAuthSystemComponent.cpp
+++ b/Gems/AWSClientAuth/Code/Source/AWSClientAuthSystemComponent.cpp
@ -13,6 +13,7 @@
 #include <Authorization/AWSCognitoAuthorizationController.h>
 #include <AzCore/std/smart_ptr/make_shared.h>
 #include <ResourceMapping/AWSResourceMappingBus.h>
+#include <Framework/AWSApiJobConfig.h>

 #include <aws/cognito-identity/CognitoIdentityClient.h>
 #include <aws/cognito-idp/CognitoIdentityProviderClient.h>
@ -163,7 +164,11 @@ namespace AWSClientAuth

    void AWSClientAuthSystemComponent::OnSDKInitialized()
    {
-        Aws::Client::ClientConfiguration clientConfiguration;
+        AWSCore::AwsApiJobConfig* defaultConfig;
+        AWSCore::AWSCoreRequestBus::BroadcastResult(defaultConfig, &AWSCore::AWSCoreRequests::GetDefaultConfig);
+        Aws::Client::ClientConfiguration clientConfiguration =
+            defaultConfig ? defaultConfig->GetClientConfiguration() : Aws::Client::ClientConfiguration();
+
        AZStd::string region;
        AWSCore::AWSResourceMappingRequestBus::BroadcastResult(region, &AWSCore::AWSResourceMappingRequests::GetDefaultRegion);

--- a/Gems/AWSClientAuth/Code/Tests/AWSClientAuthGemMock.h
+++ b/Gems/AWSClientAuth/Code/Tests/AWSClientAuthGemMock.h
@ -113,6 +113,27 @@ namespace AWSClientAuthUnitTest
        MOCK_METHOD1(ReloadConfigFile, void(bool isReloadingConfigFileName));
    };

+    class AWSCoreRequestBusMock
+        : public AWSCore::AWSCoreRequestBus::Handler
+    {
+    public:
+        AWSCoreRequestBusMock()
+        {
+            AWSCore::AWSCoreRequestBus::Handler::BusConnect();
+
+            ON_CALL(*this, GetDefaultJobContext).WillByDefault(testing::Return(nullptr));
+            ON_CALL(*this, GetDefaultConfig).WillByDefault(testing::Return(nullptr));
+        }
+
+        ~AWSCoreRequestBusMock()
+        {
+            AWSCore::AWSCoreRequestBus::Handler::BusDisconnect();
+        }
+
+        MOCK_METHOD0(GetDefaultJobContext, AZ::JobContext*());
+        MOCK_METHOD0(GetDefaultConfig, AWSCore::AwsApiJobConfig*());
+    };
+
    class HttpRequestorRequestBusMock
        : public HttpRequestor::HttpRequestorRequestBus::Handler
    {
--- a/Gems/AWSClientAuth/Code/Tests/AWSClientAuthSystemComponentTest.cpp
+++ b/Gems/AWSClientAuth/Code/Tests/AWSClientAuthSystemComponentTest.cpp
@ -161,6 +161,7 @@ public:
    testing::NiceMock<AWSClientAuthUnitTest::AWSClientAuthSystemComponentMock> *m_awsClientAuthSystemsComponent;
    testing::NiceMock<AWSClientAuthUnitTest::AWSCoreSystemComponentMock> *m_awsCoreSystemsComponent;
    testing::NiceMock<AWSClientAuthUnitTest::AWSResourceMappingRequestBusMock> m_awsResourceMappingRequestBusMock;
+    testing::NiceMock<AWSClientAuthUnitTest::AWSCoreRequestBusMock> m_awsCoreRequestBusMock;
    AZ::Entity* m_entity = nullptr;
 };

@ -176,6 +177,7 @@ TEST_F(AWSClientAuthSystemComponentTest, ActivateDeactivate_Success)
    EXPECT_CALL(*m_awsCoreSystemsComponent, Init()).Times(1).InSequence(s1);
    EXPECT_CALL(*m_awsClientAuthSystemsComponent, Init()).Times(1).InSequence(s1);
    EXPECT_CALL(*m_awsCoreSystemsComponent, Activate()).Times(1).InSequence(s1);
+    EXPECT_CALL(m_awsCoreRequestBusMock, GetDefaultConfig()).Times(1).InSequence(s1);
    EXPECT_CALL(m_awsResourceMappingRequestBusMock, GetDefaultRegion()).Times(1).InSequence(s1);
    EXPECT_CALL(*m_awsClientAuthSystemsComponent, Activate()).Times(1).InSequence(s1);

--- a/Gems/AWSCore/Assets/Certificates/AWS/cacert.pem
+++ b/Gems/AWSCore/Assets/Certificates/AWS/cacert.pem
--- a/Gems/AWSCore/Code/CMakeLists.txt
+++ b/Gems/AWSCore/Code/CMakeLists.txt
@ -6,12 +6,14 @@
 #

 ly_get_list_relative_pal_filename(pal_editor_include_dir ${CMAKE_CURRENT_LIST_DIR}/Include/Private/Editor/Platform/${PAL_PLATFORM_NAME})
+ly_get_list_relative_pal_filename(pal_cafile_include_dir ${CMAKE_CURRENT_LIST_DIR}/Source/Framework/Platform/${PAL_PLATFORM_NAME})

 ly_add_target(
    NAME AWSCore.Static STATIC
    NAMESPACE Gem
    FILES_CMAKE
        awscore_files.cmake
+         ${pal_cafile_include_dir}/platform_${PAL_PLATFORM_NAME_LOWERCASE}_files.cmake
    INCLUDE_DIRECTORIES
        PUBLIC
            Include/Public
--- a/Gems/AWSCore/Code/Source/Framework/AWSApiJob.cpp
+++ b/Gems/AWSCore/Code/Source/Framework/AWSApiJob.cpp
@ -9,6 +9,10 @@

 namespace AWSCore
 {
+    namespace Platform
+    {
+        Aws::String GetCaCertBundlePath();
+    }

    const char* AwsApiJob::COMPONENT_DISPLAY_NAME = "AWSCoreFramework";

@ -29,6 +33,14 @@ namespace AWSCore
                config.userAgent = "/O3DE_AwsApiJob";
                config.requestTimeoutMs = 30000;
                config.connectTimeoutMs = 30000;
+
+                // Instructs the HTTP client where to find the SSL certificate trust store.
+                // It is required to copy the cacert.pem to the expected file path for running the Android client.
+                Aws::String caFilePath = Platform::GetCaCertBundlePath();
+                if (!caFilePath.empty())
+                {
+                    config.caFile = caFilePath;
+                }
            }
        );
    };
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Android/GetCertsPath_Android.cpp
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Android/GetCertsPath_Android.cpp
@ -0,0 +1,32 @@
+/*
+ * Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+ * 
+ * SPDX-License-Identifier: Apache-2.0 OR MIT
+ *
+ */
+
+#include <AzCore/PlatformDef.h>
+// The AWS Native SDK AWSAllocator triggers a warning due to accessing members of std::allocator directly.
+// AWSAllocator.h(70): warning C4996: 'std::allocator<T>::pointer': warning STL4010: Various members of std::allocator are deprecated in
+// C++17. Use std::allocator_traits instead of accessing these members directly. You can define
+// _SILENCE_CXX17_OLD_ALLOCATOR_MEMBERS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received
+// this warning.
+AZ_PUSH_DISABLE_WARNING(4251 4996, "-Wunknown-warning-option")
+#include <aws/core/utils/memory/stl/AWSString.h>
+AZ_POP_DISABLE_WARNING
+#include <AzCore/Android/Utils.h>
+#include <AzCore/std/string/string.h>
+
+namespace AWSCore
+{
+    namespace Platform
+    {
+        Aws::String GetCaCertBundlePath()
+        {
+            AZStd::string publicStoragePath = AZ::Android::Utils::GetAppPublicStoragePath();
+            publicStoragePath.append("/certificates/aws/cacert.pem");
+
+            return publicStoragePath.c_str();
+        }
+    } // namespace Platform
+}
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Android/platform_android_files.cmake
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Android/platform_android_files.cmake
@ -0,0 +1,10 @@
+#
+# Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+# 
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+#
+#
+
+set(FILES
+    GetCertsPath_Android.cpp
+)
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Common/GetCertsPath_Null.cpp
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Common/GetCertsPath_Null.cpp
@ -0,0 +1,27 @@
+/*
+ * Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+ * 
+ * SPDX-License-Identifier: Apache-2.0 OR MIT
+ *
+ */
+
+#include <AzCore/PlatformDef.h>
+// The AWS Native SDK AWSAllocator triggers a warning due to accessing members of std::allocator directly.
+// AWSAllocator.h(70): warning C4996: 'std::allocator<T>::pointer': warning STL4010: Various members of std::allocator are deprecated in
+// C++17. Use std::allocator_traits instead of accessing these members directly. You can define
+// _SILENCE_CXX17_OLD_ALLOCATOR_MEMBERS_DEPRECATION_WARNING or _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS to acknowledge that you have received
+// this warning.
+AZ_PUSH_DISABLE_WARNING(4251 4996, "-Wunknown-warning-option")
+#include <aws/core/utils/memory/stl/AWSString.h>
+AZ_POP_DISABLE_WARNING
+
+namespace AWSCore
+{
+    namespace Platform
+    {
+        Aws::String GetCaCertBundlePath()
+        {
+            return ""; // no-op
+        }
+    } // namespace Platform
+} // namespace GridMate
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Linux/platform_linux_files.cmake
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Linux/platform_linux_files.cmake
@ -0,0 +1,10 @@
+#
+# Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+# 
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+#
+#
+
+set(FILES
+    ../Common/GetCertsPath_Null.cpp
+)
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Mac/platform_mac_files.cmake
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Mac/platform_mac_files.cmake
@ -0,0 +1,10 @@
+#
+# Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+# 
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+#
+#
+
+set(FILES
+    ../Common/GetCertsPath_Null.cpp
+)
--- a/Gems/AWSCore/Code/Source/Framework/Platform/Windows/platform_windows_files.cmake
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/Windows/platform_windows_files.cmake
@ -0,0 +1,10 @@
+#
+# Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+# 
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+#
+#
+
+set(FILES
+    ../Common/GetCertsPath_Null.cpp
+)
--- a/Gems/AWSCore/Code/Source/Framework/Platform/iOS/platform_ios_files.cmake
+++ b/Gems/AWSCore/Code/Source/Framework/Platform/iOS/platform_ios_files.cmake
@ -0,0 +1,10 @@
+#
+# Copyright (c) Contributors to the Open 3D Engine Project. For complete copyright and license terms please see the LICENSE at the root of this distribution.
+# 
+# SPDX-License-Identifier: Apache-2.0 OR MIT
+#
+#
+
+set(FILES
+    ../Common/GetCertsPath_Null.cpp
+)