Add MacOS specific compilation options

[hongkongkiwi]

• Adds additional compilation options for MacOS
• Add dylib building for MacOS

Here's how I got it compiling for MacOS:

Install depeencies

brew install json-c p11-kit openssl@3 libp11 zlib

Install AWS SDK

git clone --recurse-submodules "https://github.com/aws/aws-sdk-cpp" "aws-sdk-cpp"
cd "aws-sdk-cpp"
./prefetch_crt_dependency.sh
mkdir -p ./build
cd ./build
cmake \
  -DCMAKE_PREFIX_PATH="/opt/homebrew/opt/curl/" \
  -DBUILD_ONLY="kms;acm-pca" \
  -DCMAKE_BUILD_TYPE=Release  \
  -DENABLE_TESTING=OFF \
  -DAUTORUN_UNIT_TESTS=OFF \
  -DBUILD_SHARED_LIBS=OFF \
  -DCMAKE_INSTALL_PREFIX="$HOME/aws-sdk-cpp"
  ..
cmake --build build -j $(nproc)
make install

We need to fix up the SDK so it builds s2n which is doesn't seem to do by default in latest versoins.

cd ../crt/aws-crt-cpp/crt/s2n
mkdir -p build
cd build
cmake .. -Bbuild \
    -DCMAKE_BUILD_TYPE=Release \
    -DCMAKE_INSTALL_PREFIX="$HOME/aws-sdk-cpp"
cmake --build build -j $(nproc)
cmake --install build

Compile AWS PKCS11

AWS_SDK_PATH="$HOME/aws-sdk-cpp" make

Using on MacOS

mkdir -p ~/.config/aws-kms-pkcs11
touch ~/.config/aws-kms-pkcs11/config

Setup OpenSSL Config

cat >openssl_config.conf <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/homebrew/opt/libp11/lib/engines-3/libpkcs11.dylib
MODULE_PATH = /Users/andy/.config/aws-kms-pkcs11/aws_kms_pkcs11.dylib
init = 0

[req]
distinguished_name=dn
[ dn ]
EOF

OPENSSL_CONF=openssl_config.conf openssl req -config <(echo "$CONFIG") -x509 -key pkcs11:token=my-signing-key -keyform engine -engine pkcs11 -out mycert.pem -subj '/CN=mycert' -days 366 -addext basicConstraints=critical,CA:FALSE

[hongkongkiwi]

This has been working well for me, but it looks like it might be out of date now. Be great to get it into main.

[JackOfMostTrades]

pkg-config --cflags openssl will actually be empty on an Ubuntu system (this is why CI is failing) because header files are in the standard include path. If the make will fail if pkg-config has non-zero exit code then you can probably skip this check? A stack overflow post leads me to think ifneq ($(.SHELLSTATUS),0) might be the right alternative here.

[JackOfMostTrades]

I'm not sure if it makes sense to target the dylib on Linux systems (and vice-versa)? Can/should all: be defined based on UNAME_S?

[JackOfMostTrades]

Sorry, apparently my review comments were saved as a draft rather than posted. Please check the above comments; the PR as it was was causing the CI build to fail, so it needs some tweaks.