feat: add enhanced tls configs (#1396)

Author: xinsong-cui

.changes/39ca59b7-65d6-44da-85a6-84c26ad481e7.json

@@ -0,0 +1,8 @@
+{
+    "id": "39ca59b7-65d6-44da-85a6-84c26ad481e7",
+    "type": "feature",
+    "description": "Add additional TLS configuration options to HTTP engines.",
+    "issues": [
+        "awslabs/smithy-kotlin#820"
+    ]
+}

runtime/protocol/http-client-engines/http-client-engine-crt/api/http-client-engine-crt.api

@@ -15,21 +15,41 @@ public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngine$Compa
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl {
 	public static final field Companion Laws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Companion;
 	public synthetic fun <init> (Laws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Builder;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun getCertificateFile ()Ljava/lang/String;
+	public final fun getCertificatePem ()Ljava/lang/String;
+	public final fun getCertificatesDirectory ()Ljava/lang/String;
 	public final fun getClientBootstrap ()Laws/sdk/kotlin/crt/io/ClientBootstrap;
 	public final fun getInitialWindowSizeBytes ()I
 	public final fun getMaxConnections-pVg5ArA ()I
+	public final fun getTlsCipherPreference ()Laws/sdk/kotlin/crt/io/TlsCipherPreference;
+	public final fun getVerifyPeer ()Z
+	public final fun setCertificateFile (Ljava/lang/String;)V
+	public final fun setCertificatePem (Ljava/lang/String;)V
+	public final fun setCertificatesDirectory (Ljava/lang/String;)V
 	public final fun setClientBootstrap (Laws/sdk/kotlin/crt/io/ClientBootstrap;)V
+	public final fun setTlsCipherPreference (Laws/sdk/kotlin/crt/io/TlsCipherPreference;)V
+	public final fun setVerifyPeer (Z)V
 	public fun toBuilderApplicator ()Lkotlin/jvm/functions/Function1;
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Builder : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl$BuilderImpl {
 	public fun <init> ()V
+	public final fun getCertificateFile ()Ljava/lang/String;
+	public final fun getCertificatePem ()Ljava/lang/String;
+	public final fun getCertificatesDirectory ()Ljava/lang/String;
 	public final fun getClientBootstrap ()Laws/sdk/kotlin/crt/io/ClientBootstrap;
 	public final fun getInitialWindowSizeBytes ()I
 	public final fun getMaxConnections-pVg5ArA ()I
+	public final fun getTlsCipherPreference ()Laws/sdk/kotlin/crt/io/TlsCipherPreference;
+	public final fun getVerifyPeer ()Z
+	public final fun setCertificateFile (Ljava/lang/String;)V
+	public final fun setCertificatePem (Ljava/lang/String;)V
+	public final fun setCertificatesDirectory (Ljava/lang/String;)V
 	public final fun setClientBootstrap (Laws/sdk/kotlin/crt/io/ClientBootstrap;)V
 	public final fun setInitialWindowSizeBytes (I)V
 	public final fun setMaxConnections-WZ4Q5Ns (I)V
+	public final fun setTlsCipherPreference (Laws/sdk/kotlin/crt/io/TlsCipherPreference;)V
+	public final fun setVerifyPeer (Z)V
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig$Companion {

runtime/protocol/http-client-engines/http-client-engine-crt/jvm/src/aws/smithy/kotlin/runtime/http/engine/crt/ConnectionManager.kt

@@ -32,9 +32,13 @@ internal class ConnectionManager(
 
     private val crtTlsContext: TlsContext = TlsContextOptionsBuilder()
         .apply {
-            verifyPeer = true
             alpn = config.tlsContext.alpn.joinToString(separator = ";") { it.protocolId }
             minTlsVersion = toCrtTlsVersion(config.tlsContext.minVersion)
+            caRoot = config.certificatePem
+            caFile = config.certificateFile
+            caDir = config.certificatesDirectory
+            tlsCipherPreference = config.tlsCipherPreference
+            verifyPeer = config.verifyPeer
         }
         .build()
         .let(::CrtTlsContext)

runtime/protocol/http-client-engines/http-client-engine-crt/jvm/src/aws/smithy/kotlin/runtime/http/engine/crt/CrtHttpEngineConfig.kt

@@ -6,6 +6,7 @@
 package aws.smithy.kotlin.runtime.http.engine.crt
 
 import aws.sdk.kotlin.crt.io.ClientBootstrap
+import aws.sdk.kotlin.crt.io.TlsCipherPreference
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfig
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfigImpl
 
@@ -44,13 +45,48 @@ public class CrtHttpEngineConfig private constructor(builder: Builder) : HttpCli
      */
     public var clientBootstrap: ClientBootstrap? = builder.clientBootstrap
 
+    /**
+     * Certificate authority content in PEM format
+     * Mutually exclusive with [certificateFile] and [certificatesDirectory].
+     */
+    public var certificatePem: String? = builder.certificatePem
+
+    /**
+     * Path to the certificate file in PEM format.
+     * Mutually exclusive with [certificatePem]. Can be used independently or together with [certificatesDirectory].
+     */
+    public var certificateFile: String? = builder.certificateFile
+
+    /**
+     * Path to the certificates directory containing PEM files.
+     * Mutually exclusive with [certificatePem]. Can be used independently or together with [certificateFile].
+     */
+    public var certificatesDirectory: String? = builder.certificatesDirectory
+
+    /**
+     * TLS cipher suite preference for connections.
+     * Controls which cipher suites are available during TLS negotiation.
+     */
+    public var tlsCipherPreference: TlsCipherPreference = builder.tlsCipherPreference
+
+    /**
+     * Whether to verify the peer's certificate during TLS handshake.
+     * When false, accepts any certificate.
+     */
+    public var verifyPeer: Boolean = builder.verifyPeer
+
     override fun toBuilderApplicator(): HttpClientEngineConfig.Builder.() -> Unit = {
         super.toBuilderApplicator()()
 
         if (this is Builder) {
             maxConnections = this@CrtHttpEngineConfig.maxConnections
             initialWindowSizeBytes = this@CrtHttpEngineConfig.initialWindowSizeBytes
             clientBootstrap = this@CrtHttpEngineConfig.clientBootstrap
+            certificatePem = this@CrtHttpEngineConfig.certificatePem
+            certificateFile = this@CrtHttpEngineConfig.certificateFile
+            certificatesDirectory = this@CrtHttpEngineConfig.certificatesDirectory
+            tlsCipherPreference = this@CrtHttpEngineConfig.tlsCipherPreference
+            verifyPeer = this@CrtHttpEngineConfig.verifyPeer
         }
     }
 
@@ -73,5 +109,35 @@ public class CrtHttpEngineConfig private constructor(builder: Builder) : HttpCli
          * Set the [ClientBootstrap] to use for the engine. By default it is a shared instance.
          */
         public var clientBootstrap: ClientBootstrap? = null
+
+        /**
+         * Certificate Authority content in PEM format.
+         * Mutually exclusive with caFile and caDir.
+         */
+        public var certificatePem: String? = null
+
+        /**
+         * Path to the certificate file in PEM format.
+         * Mutually exclusive with [certificatePem]. Can be used independently or together with [certificatesDirectory].
+         */
+        public var certificateFile: String? = null
+
+        /**
+         * Path to the certificates directory containing PEM files.
+         * Mutually exclusive with [certificatePem]. Can be used independently or together with [certificateFile].
+         */
+        public var certificatesDirectory: String? = null
+
+        /**
+         * TLS cipher suite preference for connections.
+         * Controls which cipher suites are available during TLS negotiation.
+         */
+        public var tlsCipherPreference: TlsCipherPreference = TlsCipherPreference.SYSTEM_DEFAULT
+
+        /**
+         * Whether to verify the peer's certificate during TLS handshake.
+         * When false, accepts any certificate (insecure, for testing only).
+         */
+        public var verifyPeer: Boolean = true
     }
 }

runtime/protocol/http-client-engines/http-client-engine-okhttp/api/http-client-engine-okhttp.api

@@ -66,19 +66,36 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine$Com
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl {
 	public static final field Companion Laws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Companion;
 	public synthetic fun <init> (Laws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Builder;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun getCertificatePinner ()Lokhttp3/CertificatePinner;
+	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
+	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
+	public final fun getKeyManager ()Ljavax/net/ssl/KeyManager;
 	public final fun getMaxConcurrencyPerHost-pVg5ArA ()I
+	public final fun getTrustManager ()Ljavax/net/ssl/X509TrustManager;
+	public final fun setKeyManager (Ljavax/net/ssl/KeyManager;)V
+	public final fun setTrustManager (Ljavax/net/ssl/X509TrustManager;)V
 	public fun toBuilderApplicator ()Lkotlin/jvm/functions/Function1;
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Builder : aws/smithy/kotlin/runtime/http/engine/HttpClientEngineConfigImpl$BuilderImpl {
 	public fun <init> ()V
+	public final fun getCertificatePinner ()Lokhttp3/CertificatePinner;
+	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
+	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
+	public final fun getKeyManager ()Ljavax/net/ssl/KeyManager;
 	public final fun getMaxConcurrencyPerHost-0hXNFcg ()Lkotlin/UInt;
 	public fun getTelemetryProvider ()Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;
+	public final fun getTrustManager ()Ljavax/net/ssl/X509TrustManager;
+	public final fun setCertificatePinner (Lokhttp3/CertificatePinner;)V
+	public final fun setCipherSuites (Ljava/util/List;)V
 	public final fun setConnectionIdlePollingInterval-BwNAW2A (Lkotlin/time/Duration;)V
+	public final fun setHostnameVerifier (Ljavax/net/ssl/HostnameVerifier;)V
+	public final fun setKeyManager (Ljavax/net/ssl/KeyManager;)V
 	public final fun setMaxConcurrencyPerHost-ExVfyTY (Lkotlin/UInt;)V
 	public fun setTelemetryProvider (Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;)V
+	public final fun setTrustManager (Ljavax/net/ssl/X509TrustManager;)V
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Companion {

runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine.kt

@@ -24,6 +24,9 @@ import kotlinx.coroutines.job
 import okhttp3.*
 import okhttp3.coroutines.executeAsync
 import java.util.concurrent.TimeUnit
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.X509TrustManager
 import kotlin.time.toJavaDuration
 import aws.smithy.kotlin.runtime.net.TlsVersion as SdkTlsVersion
 import okhttp3.TlsVersion as OkHttpTlsVersion
@@ -103,7 +106,15 @@ public fun OkHttpEngineConfig.buildClient(
         followRedirects(false)
         followSslRedirects(false)
 
-        connectionSpecs(listOf(minTlsConnectionSpec(config.tlsContext), ConnectionSpec.CLEARTEXT))
+        connectionSpecs(listOf(tlsConnectionSpec(config.tlsContext, config.cipherSuites), ConnectionSpec.CLEARTEXT))
+
+        config.trustManager?.let {
+            val sslContext = createSslContext(it, config.keyManager)
+            sslSocketFactory(sslContext.socketFactory, trustManager!!)
+        }
+
+        config.certificatePinner?.let(::certificatePinner)
+        config.hostnameVerifier?.let(::hostnameVerifier)
 
         // Transient connection errors are handled by retry strategy (exceptions are wrapped and marked retryable
         // appropriately internally). We don't want inner retry logic that inflates the number of retries.
@@ -159,7 +170,7 @@ public fun OkHttpEngineConfig.buildClient(
     }.build()
 }
 
-private fun minTlsConnectionSpec(tlsContext: TlsContext): ConnectionSpec {
+private fun tlsConnectionSpec(tlsContext: TlsContext, cipherSuites: List<String>?): ConnectionSpec {
     val minVersion = tlsContext.minVersion ?: TlsVersion.TLS_1_2
     val okHttpTlsVersions = SdkTlsVersion
         .values()
@@ -170,6 +181,9 @@ private fun minTlsConnectionSpec(tlsContext: TlsContext): ConnectionSpec {
     return ConnectionSpec
         .Builder(ConnectionSpec.MODERN_TLS)
         .tlsVersions(*okHttpTlsVersions)
+        .apply {
+            cipherSuites?.toTypedArray()?.let(::cipherSuites)
+        }
         .build()
 }
 
@@ -179,3 +193,16 @@ private fun toOkHttpTlsVersion(sdkTlsVersion: SdkTlsVersion): OkHttpTlsVersion =
     SdkTlsVersion.TLS_1_2 -> OkHttpTlsVersion.TLS_1_2
     SdkTlsVersion.TLS_1_3 -> OkHttpTlsVersion.TLS_1_3
 }
+
+/**
+ * Creates an SSL context with custom trust and key managers
+ */
+private fun createSslContext(trustManager: X509TrustManager, keyManager: KeyManager?): SSLContext {
+    val keyManagers = keyManager?.let { arrayOf(it) }
+    val trustManagers = arrayOf(trustManager)
+
+    val sslContext = SSLContext.getInstance("TLS")
+    sslContext.init(keyManagers, trustManagers, null)
+
+    return sslContext
+}

runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig.kt

@@ -9,6 +9,10 @@ import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfig
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineConfigImpl
 import aws.smithy.kotlin.runtime.telemetry.Global
 import aws.smithy.kotlin.runtime.telemetry.TelemetryProvider
+import okhttp3.CertificatePinner
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.KeyManager
+import javax.net.ssl.X509TrustManager
 import kotlin.time.Duration
 
 /**
@@ -50,12 +54,50 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
      */
     public val maxConcurrencyPerHost: UInt = builder.maxConcurrencyPerHost ?: builder.maxConcurrency
 
+    /**
+     * Trust manager used to validate server certificates during TLS handshake.
+     * Determines whether to trust the certificate chain presented by a remote server.
+     * When provided, this trust manager will be used instead of the default system trust store.
+     */
+    public var trustManager: X509TrustManager? = builder.trustManager
+
+    /**
+     * Key manager that supplies client certificates for mutual TLS (mTLS) authentication.
+     * When provided, the client will present certificates from this key manager when the server
+     * requests client authentication. Used for scenarios requiring client certificate authentication.
+     */
+    public var keyManager: KeyManager? = builder.keyManager
+
+    /**
+     * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
+     * When specified, only the listed cipher suites will be enabled.
+     */
+    public val cipherSuites: List<String>? = builder.cipherSuites
+
+    /**
+     * Certificate pinner that validates server certificates against known public key pins.
+     * Used to prevent man-in-the-middle attacks by ensuring the server presents expected certificates.
+     */
+    public val certificatePinner: CertificatePinner? = builder.certificatePinner
+
+    /**
+     * Custom hostname verifier for validating server hostnames during TLS handshake.
+     * By default, OkHttp verifies that the certificate's hostname matches the request hostname.
+     * Use this to implement custom hostname verification logic.
+     */
+    public val hostnameVerifier: HostnameVerifier? = builder.hostnameVerifier
+
     override fun toBuilderApplicator(): HttpClientEngineConfig.Builder.() -> Unit = {
         super.toBuilderApplicator()()
 
         if (this is Builder) {
             connectionIdlePollingInterval = this@OkHttpEngineConfig.connectionIdlePollingInterval
             maxConcurrencyPerHost = this@OkHttpEngineConfig.maxConcurrencyPerHost
+            trustManager = this@OkHttpEngineConfig.trustManager
+            keyManager = this@OkHttpEngineConfig.keyManager
+            cipherSuites = this@OkHttpEngineConfig.cipherSuites
+            certificatePinner = this@OkHttpEngineConfig.certificatePinner
+            hostnameVerifier = this@OkHttpEngineConfig.hostnameVerifier
         }
     }
 
@@ -84,6 +126,39 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
          */
         public var maxConcurrencyPerHost: UInt? = null
 
+        /**
+         * Trust manager used to validate server certificates during TLS handshake.
+         * Determines whether to trust the certificate chain presented by a remote server.
+         * When provided, this trust manager will be used instead of the default system trust store.
+         */
+        public var trustManager: X509TrustManager? = null
+
+        /**
+         * Key manager that supplies client certificates for mutual TLS (mTLS) authentication.
+         * When provided, the client will present certificates from this key manager when the server
+         * requests client authentication. Used for scenarios requiring client certificate authentication.
+         */
+        public var keyManager: KeyManager? = null
+
+        /**
+         * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
+         * When specified, only the listed cipher suites will be enabled.
+         */
+        public var cipherSuites: List<String>? = null
+
+        /**
+         * Certificate pinner that validates server certificates against known public key pins.
+         * Used to prevent man-in-the-middle attacks by ensuring the server presents expected certificates.
+         */
+        public var certificatePinner: CertificatePinner? = null
+
+        /**
+         * Custom hostname verifier for validating server hostnames during TLS handshake.
+         * By default, OkHttp verifies that the certificate's hostname matches the request hostname.
+         * Use this to implement custom hostname verification logic.
+         */
+        public var hostnameVerifier: HostnameVerifier? = null
+
         override var telemetryProvider: TelemetryProvider = TelemetryProvider.Global
     }
 }

runtime/protocol/http-client-engines/test-suite/build.gradle.kts

@@ -26,6 +26,7 @@ kotlin {
             dependencies {
                 implementation(libs.ktor.server.jetty.jakarta)
                 implementation(libs.ktor.network.tls.certificates)
+                implementation(libs.okhttp)
 
                 implementation(project(":runtime:protocol:http-client-engines:http-client-engine-default"))
                 implementation(project(":runtime:protocol:http-client-engines:http-client-engine-crt"))