add enhanced tls configs

Author: xinsong-cui

runtime/protocol/http-client-engines/http-client-engine-crt/api/http-client-engine-crt.api

@@ -15,21 +15,41 @@ public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngine$Compa
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl {
 	public static final field Companion Laws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Companion;
 	public synthetic fun <init> (Laws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Builder;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun getCaDir ()Ljava/lang/String;
+	public final fun getCaFile ()Ljava/lang/String;
+	public final fun getCaRoot ()Ljava/lang/String;
+	public final fun getCipherPreference ()Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public final fun getClientBootstrap ()Laws/sdk/kotlin/crt/io/ClientBootstrap;
 	public final fun getInitialWindowSizeBytes ()I
 	public final fun getMaxConnections-pVg5ArA ()I
+	public final fun getVerifyPeer ()Z
+	public final fun setCaDir (Ljava/lang/String;)V
+	public final fun setCaFile (Ljava/lang/String;)V
+	public final fun setCaRoot (Ljava/lang/String;)V
+	public final fun setCipherPreference (Laws/sdk/kotlin/crt/io/TlsCipherPreference;)V
 	public final fun setClientBootstrap (Laws/sdk/kotlin/crt/io/ClientBootstrap;)V
+	public final fun setVerifyPeer (Z)V
 	public fun toBuilderApplicator ()Lkotlin/jvm/functions/Function1;
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Builder : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl$BuilderImpl {
 	public fun <init> ()V
+	public final fun getCaDir ()Ljava/lang/String;
+	public final fun getCaFile ()Ljava/lang/String;
+	public final fun getCaRoot ()Ljava/lang/String;
+	public final fun getCipherPreference ()Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public final fun getClientBootstrap ()Laws/sdk/kotlin/crt/io/ClientBootstrap;
 	public final fun getInitialWindowSizeBytes ()I
 	public final fun getMaxConnections-pVg5ArA ()I
+	public final fun getVerifyPeer ()Z
+	public final fun setCaDir (Ljava/lang/String;)V
+	public final fun setCaFile (Ljava/lang/String;)V
+	public final fun setCaRoot (Ljava/lang/String;)V
+	public final fun setCipherPreference (Laws/sdk/kotlin/crt/io/TlsCipherPreference;)V
 	public final fun setClientBootstrap (Laws/sdk/kotlin/crt/io/ClientBootstrap;)V
 	public final fun setInitialWindowSizeBytes (I)V
 	public final fun setMaxConnections-WZ4Q5Ns (I)V
+	public final fun setVerifyPeer (Z)V
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Companion {

runtime/protocol/http-client-engines/http-client-engine-crt/jvm/src/aws/smithy/kotlin/runtime/http/engine/crt/ConnectionManager.kt

@@ -32,9 +32,13 @@ internal class ConnectionManager(
 
     private val crtTlsContext: TlsContext = TlsContextOptionsBuilder()
         .apply {
-            verifyPeer = true
             alpn = config.tlsContext.alpn.joinToString(separator = ";") { it.protocolId }
             minTlsVersion = toCrtTlsVersion(config.tlsContext.minVersion)
+            caRoot = config.caRoot
+            caFile = config.caFile
+            caDir = config.caDir
+            tlsCipherPreference = config.cipherPreference
+            verifyPeer = config.verifyPeer
         }
         .build()
         .let(::CrtTlsContext)

runtime/protocol/http-client-engines/http-client-engine-crt/jvm/src/aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig.kt

@@ -6,6 +6,7 @@
 package aws.smithy.kotlin.runtime.http.engine.crt
 
 import aws.sdk.kotlin.crt.io.ClientBootstrap
+import aws.sdk.kotlin.crt.io.TlsCipherPreference
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfig
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfigImpl
 
@@ -44,13 +45,44 @@ public class CrtHttpEngineConfig private constructor(builder: Builder) : HttpCli
      */
     public var clientBootstrap: ClientBootstrap? = builder.clientBootstrap
 
+    /**
+     * Certificate Authority content in PEM format
+     */
+    public var caRoot: String? = builder.caRoot
+
+    /**
+     * Path to the root certificate. Must be in PEM format.
+     */
+    public var caFile: String? = builder.caFile
+
+    /**
+     * Path to the local trust store. Can be null.
+     */
+    public var caDir: String? = builder.caDir
+
+    /**
+     * TLS cipher suite preference for connections.
+     * Controls which cipher suites are available during TLS negotiation.
+     */
+    public var cipherPreference: TlsCipherPreference = builder.cipherPreference
+
+    /**
+     * Whether to verify the peer's certificate during TLS handshake.
+     * When false, accepts any certificate (insecure, for testing only).
+     */
+    public var verifyPeer: Boolean = builder.verifyPeer
+
     override fun toBuilderApplicator(): HttpClientEngineConfig.Builder.() -> Unit = {
         super.toBuilderApplicator()()
 
         if (this is Builder) {
             maxConnections = this@CrtHttpEngineConfig.maxConnections
             initialWindowSizeBytes = this@CrtHttpEngineConfig.initialWindowSizeBytes
             clientBootstrap = this@CrtHttpEngineConfig.clientBootstrap
+            caRoot = this@CrtHttpEngineConfig.caRoot
+            caFile = this@CrtHttpEngineConfig.caFile
+            cipherPreference = this@CrtHttpEngineConfig.cipherPreference
+            verifyPeer = this@CrtHttpEngineConfig.verifyPeer
         }
     }
 
@@ -73,5 +105,32 @@ public class CrtHttpEngineConfig private constructor(builder: Builder) : HttpCli
          * Set the [ClientBootstrap] to use for the engine. By default it is a shared instance.
          */
         public var clientBootstrap: ClientBootstrap? = null
+
+        /**
+         * Certificate Authority content in PEM format
+         */
+        public var caRoot: String? = null
+
+        /**
+         * Path to the root certificate. Must be in PEM format.
+         */
+        public var caFile: String? = null
+
+        /**
+         * Path to the local trust store. Can be null.
+         */
+        public var caDir: String? = null
+
+        /**
+         * TLS cipher suite preference for connections.
+         * Controls which cipher suites are available during TLS negotiation.
+         */
+        public var cipherPreference: TlsCipherPreference = TlsCipherPreference.SYSTEM_DEFAULT
+
+        /**
+         * Whether to verify the peer's certificate during TLS handshake.
+         * When false, accepts any certificate (insecure, for testing only).
+         */
+        public var verifyPeer: Boolean = true
     }
 }

runtime/protocol/http-client-engines/http-client-engine-okhttp/api/http-client-engine-okhttp.api

@@ -66,19 +66,36 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine$Com
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl {
 	public static final field Companion Laws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Companion;
 	public synthetic fun <init> (Laws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Builder;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun getCertificatePinner ()Lokhttp3/CertificatePinner;
+	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
+	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
+	public final fun getKeyManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;
 	public final fun getMaxConcurrencyPerHost-pVg5ArA ()I
+	public final fun getTrustManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;
+	public final fun setKeyManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;)V
+	public final fun setTrustManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;)V
 	public fun toBuilderApplicator ()Lkotlin/jvm/functions/Function1;
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Builder : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl$BuilderImpl {
 	public fun <init> ()V
+	public final fun getCertificatePinner ()Lokhttp3/CertificatePinner;
+	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
+	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
+	public final fun getKeyManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;
 	public final fun getMaxConcurrencyPerHost-0hXNFcg ()Lkotlin/UInt;
 	public fun getTelemetryProvider ()Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;
+	public final fun getTrustManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;
+	public final fun setCertificatePinner (Lokhttp3/CertificatePinner;)V
+	public final fun setCipherSuites (Ljava/util/List;)V
 	public final fun setConnectionIdlePollingInterval-BwNAW2A (Lkotlin/time/Duration;)V
+	public final fun setHostnameVerifier (Ljavax/net/ssl/HostnameVerifier;)V
+	public final fun setKeyManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;)V
 	public final fun setMaxConcurrencyPerHost-ExVfyTY (Lkotlin/UInt;)V
 	public fun setTelemetryProvider (Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;)V
+	public final fun setTrustManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;)V
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Companion {
@@ -134,3 +151,11 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/StreamingRequest
 	public fun writeTo (Lokio/BufferedSink;)V
 }
 
+public abstract interface class aws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider {
+	public abstract fun keyManagers ()[Ljavax/net/ssl/KeyManager;
+}
+
+public abstract interface class aws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider {
+	public abstract fun trustManagers ()[Ljavax/net/ssl/TrustManager;
+}
+

runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine.kt

@@ -24,6 +24,8 @@ import kotlinx.coroutines.job
 import okhttp3.*
 import okhttp3.coroutines.executeAsync
 import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLContext
+import javax.net.ssl.X509TrustManager
 import kotlin.time.toJavaDuration
 import aws.smithy.kotlin.runtime.net.TlsVersion as SdkTlsVersion
 import okhttp3.TlsVersion as OkHttpTlsVersion
@@ -103,7 +105,20 @@ public fun OkHttpEngineConfig.buildClient(
         followRedirects(false)
         followSslRedirects(false)
 
-        connectionSpecs(listOf(minTlsConnectionSpec(config.tlsContext), ConnectionSpec.CLEARTEXT))
+        connectionSpecs(listOf(tlsConnectionSpec(config.tlsContext, config.cipherSuites), ConnectionSpec.CLEARTEXT))
+
+        if (config.trustManagerProvider != null) {
+            val (sslContext, trustManager) = createSslContext(config.trustManagerProvider, config.keyManagerProvider)
+            sslSocketFactory(sslContext.socketFactory, trustManager)
+        }
+
+        if (config.certificatePinner != null) {
+            certificatePinner(config.certificatePinner)
+        }
+
+        if (config.hostnameVerifier != null) {
+            hostnameVerifier(config.hostnameVerifier)
+        }
 
         // Transient connection errors are handled by retry strategy (exceptions are wrapped and marked retryable
         // appropriately internally). We don't want inner retry logic that inflates the number of retries.
@@ -159,7 +174,7 @@ public fun OkHttpEngineConfig.buildClient(
     }.build()
 }
 
-private fun minTlsConnectionSpec(tlsContext: TlsContext): ConnectionSpec {
+private fun tlsConnectionSpec(tlsContext: TlsContext, cipherSuites: List<String>?): ConnectionSpec {
     val minVersion = tlsContext.minVersion ?: TlsVersion.TLS_1_2
     val okHttpTlsVersions = SdkTlsVersion
         .values()
@@ -170,6 +185,11 @@ private fun minTlsConnectionSpec(tlsContext: TlsContext): ConnectionSpec {
     return ConnectionSpec
         .Builder(ConnectionSpec.MODERN_TLS)
         .tlsVersions(*okHttpTlsVersions)
+        .apply {
+            if (cipherSuites != null) {
+                cipherSuites(*cipherSuites.toTypedArray())
+            }
+        }
         .build()
 }
 
@@ -179,3 +199,22 @@ private fun toOkHttpTlsVersion(sdkTlsVersion: SdkTlsVersion): OkHttpTlsVersion =
     SdkTlsVersion.TLS_1_2 -> OkHttpTlsVersion.TLS_1_2
     SdkTlsVersion.TLS_1_3 -> OkHttpTlsVersion.TLS_1_3
 }
+
+/**
+ * Creates an SSL context with custom trust and key managers
+ */
+private fun createSslContext(trustManagerProvider: TlsTrustManagersProvider?, keyManagerProvider: TlsKeyManagersProvider?): Pair<SSLContext, X509TrustManager> {
+    val trustManagers = trustManagerProvider?.trustManagers()
+    val keyManagers = keyManagerProvider?.keyManagers()
+
+    if (trustManagerProvider != null && (trustManagers.isNullOrEmpty() || trustManagers[0] !is X509TrustManager)) {
+        throw IllegalStateException("Unexpected trust managers")
+    }
+
+    val sslContext = SSLContext.getInstance("TLS")
+    sslContext.init(keyManagers, trustManagers, null)
+
+    val trustManager = trustManagers!![0] as X509TrustManager
+
+    return sslContext to trustManager
+}

runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig.kt

@@ -9,6 +9,8 @@ import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfig
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfigImpl
 import aws.smithy.kotlin.runtime.telemetry.Global
 import aws.smithy.kotlin.runtime.telemetry.TelemetryProvider
+import okhttp3.CertificatePinner
+import javax.net.ssl.HostnameVerifier
 import kotlin.time.Duration
 
 /**
@@ -50,12 +52,50 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
      */
     public val maxConcurrencyPerHost: UInt = builder.maxConcurrencyPerHost ?: builder.maxConcurrency
 
+    /**
+     * Provider for TLS trust managers used to validate server certificates during TLS handshake.
+     * Trust managers determine whether to trust the certificate chain presented by a remote server.
+     * When provided, these trust managers will be used instead of the default system trust store.
+     */
+    public var trustManagerProvider: TlsTrustManagersProvider? = builder.trustManagerProvider
+
+    /**
+     * Provider for KeyManagers that supply client certificates for mutual TLS (mTLS) authentication.
+     * When provided, the client will present certificates from these KeyManagers when the server
+     * requests client authentication. Used for scenarios requiring client certificate authentication.
+     */
+    public var keyManagerProvider: TlsKeyManagersProvider? = builder.keyManagerProvider
+
+    /**
+     * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
+     * When specified, only the listed cipher suites will be enabled.
+     */
+    public val cipherSuites: List<String>? = builder.cipherSuites
+
+    /**
+     * Certificate pinner that validates server certificates against known public key pins.
+     * Used to prevent man-in-the-middle attacks by ensuring the server presents expected certificates.
+     */
+    public val certificatePinner: CertificatePinner? = builder.certificatePinner
+
+    /**
+     * Custom hostname verifier for validating server hostnames during TLS handshake.
+     * By default, OkHttp verifies that the certificate's hostname matches the request hostname.
+     * Use this to implement custom hostname verification logic.
+     */
+    public val hostnameVerifier: HostnameVerifier? = builder.hostnameVerifier
+
     override fun toBuilderApplicator(): HttpClientEngineConfig.Builder.() -> Unit = {
         super.toBuilderApplicator()()
 
         if (this is Builder) {
             connectionIdlePollingInterval = this@OkHttpEngineConfig.connectionIdlePollingInterval
             maxConcurrencyPerHost = this@OkHttpEngineConfig.maxConcurrencyPerHost
+            trustManagerProvider = this@OkHttpEngineConfig.trustManagerProvider
+            keyManagerProvider = this@OkHttpEngineConfig.keyManagerProvider
+            cipherSuites = this@OkHttpEngineConfig.cipherSuites
+            certificatePinner = this@OkHttpEngineConfig.certificatePinner
+            hostnameVerifier = this@OkHttpEngineConfig.hostnameVerifier
         }
     }
 
@@ -84,6 +124,39 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
          */
         public var maxConcurrencyPerHost: UInt? = null
 
+        /**
+         * Provider for TLS trust managers used to validate server certificates during TLS handshake.
+         * Trust managers determine whether to trust the certificate chain presented by a remote server.
+         * When provided, these trust managers will be used instead of the default system trust store.
+         */
+        public var trustManagerProvider: TlsTrustManagersProvider? = null
+
+        /**
+         * Provider for KeyManagers that supply client certificates for mutual TLS (mTLS) authentication.
+         * When provided, the client will present certificates from these KeyManagers when the server
+         * requests client authentication. Used for scenarios requiring client certificate authentication.
+         */
+        public var keyManagerProvider: TlsKeyManagersProvider? = null
+
+        /**
+         * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
+         * When specified, only the listed cipher suites will be enabled.
+         */
+        public var cipherSuites: List<String>? = null
+
+        /**
+         * Certificate pinner that validates server certificates against known public key pins.
+         * Used to prevent man-in-the-middle attacks by ensuring the server presents expected certificates.
+         */
+        public var certificatePinner: CertificatePinner? = null
+
+        /**
+         * Custom hostname verifier for validating server hostnames during TLS handshake.
+         * By default, OkHttp verifies that the certificate's hostname matches the request hostname.
+         * Use this to implement custom hostname verification logic.
+         */
+        public var hostnameVerifier: HostnameVerifier? = null
+
         override var telemetryProvider: TelemetryProvider = TelemetryProvider.Global
     }
 }

runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider.kt

@@ -0,0 +1,20 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.http.engine.okhttp
+
+import javax.net.ssl.KeyManager
+
+/**
+ * Provider for TLS key managers used for client certificate authentication.
+ *
+ * Key managers provide the client's private key and certificate chain when
+ * the server requests client authentication during TLS handshake.
+ */
+public interface TlsKeyManagersProvider {
+    /**
+     * @return The [KeyManager]s used for client authentication.
+     */
+    public fun keyManagers(): Array<KeyManager>
+}