[ok_http] Add support for client certificates using Java PrivateKeys (#1444)

Author: brianquinlan

.github/workflows/okhttp.yaml

@@ -32,7 +32,7 @@ jobs:
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
         with:
           distribution: 'zulu'
-          java-version: '17'
+          java-version: '21'
       - uses: subosito/flutter-action@44ac965b96f18d999802d4b807e3256d5a3f9fa1
         with:
           channel: 'stable'
@@ -50,7 +50,7 @@ jobs:
         if: always() && steps.install.outcome == 'success'
         with:
           # api-level/minSdkVersion should be help in sync in:
-          # - .github/workflows/ok.yml
+          # - .github/workflows/okhttp.yml
           # - pkgs/ok_http/android/build.gradle
           # - pkgs/ok_http/example/android/app/build.gradle
           api-level: 21

pkgs/cronet_http/android/build.gradle

@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:8.1.0'
+        classpath 'com.android.tools.build:gradle:8.9.0'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
     }
 }

pkgs/flutter_http_example/android/gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-all.zip

pkgs/http_client_conformance_tests/lib/src/response_headers_tests.dart

@@ -163,8 +163,8 @@ void testResponseHeaders(Client client,
               response.headers['foo'],
               anyOf(
                   '1 2', // RFC-specified behavior
-                  '1' // Common client behavior.
-                  ));
+                  // Common client behavior (Cronet, Apple URL Loading System).
+                  '1'));
         } on ClientException {
           // The client rejected the response, which is allowed per RFC-9110.
         }
@@ -178,9 +178,11 @@ void testResponseHeaders(Client client,
           expect(
               response.headers['foo'],
               anyOf(
-                  '1 2', // RFC-specified behavior
-                  '1' // Common client behavior.
-                  ));
+                '1 2', // RFC-specified behavior
+                // Common client behavior (Cronet, Apple URL Loading System).
+                '1',
+                '1\r2', // Common client behavior (Java).
+              ));
         } on ClientException {
           // The client rejected the response, which is allowed per RFC-9110.
         }

pkgs/ok_http/CHANGELOG.md

@@ -2,7 +2,9 @@
 
 - `OkHttpClient` now receives an `OkHttpClientConfiguration` to configure the client on a per-call basis.
 - `OkHttpClient` supports setting four types of timeouts: [`connectTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/connect-timeout.html), [`readTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/read-timeout.html), [`writeTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/write-timeout.html), and [`callTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/call-timeout.html), using the `OkHttpClientConfiguration`.
-- Update to `jnigen` 0.12.2
+- Upgrade to `jni` 0.13.0
+- Upgrade to `jnigen` 0.13.1
+- `OKHttpClient` supports client certificates.
 
 ## 0.1.0
 

pkgs/ok_http/android/build.gradle

@@ -4,16 +4,15 @@ group = "com.example.ok_http"
 version = "1.0"
 
 buildscript {
-    // Required to support `okhttp:4.12.0`.
-    ext.kotlin_version = '1.9.23'
+    ext.kotlin_version = '2.1.10'
     repositories {
         google()
         mavenCentral()
     }
 
     dependencies {
         // The Android Gradle Plugin knows how to build native code with the NDK.
-        classpath("com.android.tools.build:gradle:7.3.0")
+        classpath("com.android.tools.build:gradle:8.1.2")
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
     }
 }
@@ -34,7 +33,7 @@ android {
     }
 
     kotlinOptions {
-        jvmTarget = '1.8'
+        jvmTarget = JavaVersion.VERSION_21
     }
 
     sourceSets {
@@ -52,8 +51,8 @@ android {
     ndkVersion = android.ndkVersion
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_1_8
-        targetCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 
     defaultConfig {

pkgs/ok_http/android/src/main/kotlin/com/example/ok_http/FixedResponseX509ExtendedKeyManager.kt

@@ -0,0 +1,55 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+package com.example.ok_http
+
+import java.net.Socket
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.X509ExtendedKeyManager
+
+/**
+ * A `X509ExtendedKeyManager` that always responds with the configured
+ * private key, certificate chain, and alias.
+ */
+class FixedResponseX509ExtendedKeyManager(
+        private val certificateChain: Array<X509Certificate>,
+        private val privateKey: PrivateKey,
+        private val alias: String,
+) : X509ExtendedKeyManager() {
+
+    override fun getClientAliases(keyType: String, issuers: Array<Principal>?) = arrayOf(alias)
+
+    override fun chooseClientAlias(
+            keyType: Array<String>,
+            issuers: Array<Principal>?,
+            socket: Socket?,
+    ) = alias
+
+    override fun getServerAliases(keyType: String, issuers: Array<Principal>?) = arrayOf(alias)
+
+    override fun chooseServerAlias(
+            keyType: String,
+            issuers: Array<Principal>?,
+            socket: Socket?,
+    ) = alias
+
+    override fun getCertificateChain(alias: String) = certificateChain
+
+    override fun getPrivateKey(alias: String) = privateKey
+
+    override fun chooseEngineClientAlias(
+            keyType: Array<String?>?,
+            issuers: Array<Principal?>?,
+            engine: SSLEngine?,
+    ) = alias
+
+    override fun chooseEngineServerAlias(
+            keyType: String?,
+            issuers: Array<Principal?>?,
+            engine: SSLEngine?
+    ) = alias
+}

pkgs/ok_http/example/android/app/build.gradle

@@ -29,8 +29,8 @@ android {
     ndkVersion = flutter.ndkVersion
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_1_8
-        targetCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 
     defaultConfig {

pkgs/ok_http/example/android/gradle/wrapper/gradle-wrapper.properties

@@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.3-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip

pkgs/ok_http/example/android/settings.gradle

@@ -18,7 +18,7 @@ pluginManagement {
 
 plugins {
     id "dev.flutter.flutter-plugin-loader" version "1.0.0"
-    id "com.android.application" version "7.3.0" apply false
+    id "com.android.application" version "8.2.1" apply false
     id "org.jetbrains.kotlin.android" version "1.9.23" apply false
 }
 

pkgs/ok_http/example/integration_test/certificate_test.dart

@@ -0,0 +1,187 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:async';
+import 'dart:io' as io;
+import 'dart:typed_data';
+
+import 'package:flutter/services.dart' show rootBundle;
+import 'package:http/http.dart';
+import 'package:integration_test/integration_test.dart';
+import 'package:ok_http/ok_http.dart';
+import 'package:ok_http/src/jni/bindings.dart' as bindings;
+
+import 'package:test/test.dart';
+
+Future<Uint8List> loadCertificateBytes(String path) async {
+  return (await rootBundle.load(path)).buffer.asUint8List();
+}
+
+void main() async {
+  IntegrationTestWidgetsFlutterBinding.ensureInitialized();
+
+  group('TLS', () {
+    group('loadPrivateKeyAndCertificateChainFromPKCS12', () {
+      test('success', () async {
+        final certBytes =
+            await loadCertificateBytes('test_certs/test-combined.p12');
+        final (key, chain) =
+            loadPrivateKeyAndCertificateChainFromPKCS12(certBytes, '1234');
+        expect(
+            key
+                .as(bindings.Key.type)
+                .getFormat()!
+                .toDartString(releaseOriginal: true),
+            'PKCS#8');
+        expect(chain.length, 1);
+        expect(chain[0].getType()!.toDartString(), 'X.509');
+      });
+
+      test('bad password', () async {
+        final certBytes =
+            await loadCertificateBytes('test_certs/test-combined.p12');
+        expect(
+            () => loadPrivateKeyAndCertificateChainFromPKCS12(
+                certBytes, 'incorrectpassword'),
+            throwsA(isA<io.IOException>().having(
+                (e) => e.toString(), 'toString', contains('password'))));
+      });
+
+      test('bad PKCS12 data', () async {
+        final certBytes = Uint8List.fromList([1, 2, 3, 4]);
+        expect(
+            () =>
+                loadPrivateKeyAndCertificateChainFromPKCS12(certBytes, '1234'),
+            throwsA(isA<io.IOException>().having(
+                (e) => e.toString(),
+                'toString',
+                contains('does not represent a PKCS12 key store'))));
+      });
+    });
+
+    test('unknown server cert', () async {
+      final serverContext = io.SecurityContext()
+        ..useCertificateChainBytes(
+            await loadCertificateBytes('test_certs/server_chain.p12'),
+            password: 'dartdart')
+        ..usePrivateKeyBytes(
+            await loadCertificateBytes('test_certs/server_key.p12'),
+            password: 'dartdart');
+      final server =
+          await io.SecureServerSocket.bind('localhost', 0, serverContext);
+      final serverException = Completer<void>();
+      server.listen((socket) async {
+        serverException.complete();
+        await socket.close();
+      }, onError: (Object e) {
+        serverException.completeError(e);
+      });
+      addTearDown(server.close);
+
+      final config =
+          const OkHttpClientConfiguration(validateServerCertificates: true);
+      final httpClient = OkHttpClient(configuration: config);
+      addTearDown(httpClient.close);
+
+      expect(
+          () async =>
+              await httpClient.get(Uri.https('localhost:${server.port}', '/')),
+          throwsA(isA<ClientException>()
+              .having((e) => e.message, 'message', contains('Handshake'))));
+      expect(
+          () async => await serverException.future,
+          throwsA(isA<io.HandshakeException>()
+              .having((e) => e.message, 'message', contains('Handshake'))));
+    });
+
+    test('ignore unknown server cert', () async {
+      final serverContext = io.SecurityContext()
+        ..useCertificateChainBytes(
+            await loadCertificateBytes('test_certs/server_chain.p12'),
+            password: 'dartdart')
+        ..usePrivateKeyBytes(
+            await loadCertificateBytes('test_certs/server_key.p12'),
+            password: 'dartdart');
+      final server =
+          await io.SecureServerSocket.bind('localhost', 0, serverContext);
+      server.listen((socket) async {
+        socket
+            .writeAll(['HTTP/1.1 200 OK', 'Content-Length: 0', '\r\n'], '\r\n');
+        await socket.close();
+      });
+      addTearDown(server.close);
+
+      final config =
+          const OkHttpClientConfiguration(validateServerCertificates: false);
+      final httpClient = OkHttpClient(configuration: config);
+      addTearDown(httpClient.close);
+
+      expect(
+          (await httpClient.get(Uri.https('localhost:${server.port}', '/')))
+              .statusCode,
+          200);
+    });
+
+    test('client cert', () async {
+      final certBytes =
+          await loadCertificateBytes('test_certs/test-combined.p12');
+      final serverContext = io.SecurityContext()
+        ..useCertificateChainBytes(
+            await loadCertificateBytes('test_certs/server_chain.p12'),
+            password: 'dartdart')
+        ..usePrivateKeyBytes(
+            await loadCertificateBytes('test_certs/server_key.p12'),
+            password: 'dartdart')
+        ..setTrustedCertificatesBytes(certBytes, password: '1234');
+
+      final clientCertificate = Completer<io.X509Certificate?>();
+      final server = await io.SecureServerSocket.bind(
+          'localhost', 0, serverContext,
+          requireClientCertificate: true);
+      server.listen((socket) async {
+        clientCertificate.complete(socket.peerCertificate);
+        socket
+            .writeAll(['HTTP/1.1 200 OK', 'Content-Length: 0', '\r\n'], '\r\n');
+        await socket.close();
+      });
+      addTearDown(server.close);
+
+      final (key, chain) =
+          loadPrivateKeyAndCertificateChainFromPKCS12(certBytes, '1234');
+      final config = OkHttpClientConfiguration(
+          clientPrivateKey: key,
+          clientCertificateChain: chain,
+          validateServerCertificates: false);
+      final httpClient = OkHttpClient(configuration: config);
+      addTearDown(httpClient.close);
+
+      expect(
+          (await httpClient.get(Uri.https('localhost:${server.port}', '/')))
+              .statusCode,
+          200);
+      expect((await clientCertificate.future)!.issuer,
+          contains('Internet Widgits Pty Ltd'));
+    });
+
+    test('private key without cert chain', () async {
+      final certBytes =
+          await loadCertificateBytes('test_certs/test-combined.p12');
+
+      final (key, chain) =
+          loadPrivateKeyAndCertificateChainFromPKCS12(certBytes, '1234');
+      final config = OkHttpClientConfiguration(clientPrivateKey: key);
+      expect(() => OkHttpClient(configuration: config), throwsArgumentError);
+    });
+
+    test('private key without cert chain', () async {
+      final certBytes =
+          await loadCertificateBytes('test_certs/test-combined.p12');
+
+      final (key, chain) =
+          loadPrivateKeyAndCertificateChainFromPKCS12(certBytes, '1234');
+      final config = OkHttpClientConfiguration(clientCertificateChain: chain);
+      expect(() => OkHttpClient(configuration: config), throwsArgumentError);
+    });
+  });
+}

pkgs/ok_http/example/integration_test/client_test.dart

@@ -28,6 +28,7 @@ Future<void> testConformance() async {
           supportsFoldedHeaders: false,
           canSendCookieHeaders: true,
           canReceiveSetCookieHeaders: true,
+          correctlyHandlesNullHeaderValues: false,
         );
       } finally {
         HttpClientRequestProfile.profilingEnabled = profile;
@@ -46,6 +47,7 @@ Future<void> testConformance() async {
           supportsFoldedHeaders: false,
           canSendCookieHeaders: true,
           canReceiveSetCookieHeaders: true,
+          correctlyHandlesNullHeaderValues: false,
         );
       } finally {
         HttpClientRequestProfile.profilingEnabled = profile;