Enable client TLS auth for Netty

This commit enables customers to configure a TlsKeyManagersProvider on the Netty
client which will be used to authenticate the client during client TLS
authentication.

Author: dagnir

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/NettyNioAsyncHttpClient.java

@@ -48,6 +48,8 @@
 import software.amazon.awssdk.http.Protocol;
 import software.amazon.awssdk.http.SdkHttpConfigurationOption;
 import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.SystemPropertyTlsKeyManagersProvider;
+import software.amazon.awssdk.http.TlsKeyManagersProvider;
 import software.amazon.awssdk.http.async.AsyncExecuteRequest;
 import software.amazon.awssdk.http.async.SdkAsyncHttpClient;
 import software.amazon.awssdk.http.nio.netty.internal.AwaitCloseChannelPoolMap;
@@ -92,6 +94,7 @@ private NettyNioAsyncHttpClient(DefaultBuilder builder, AttributeMap serviceDefa
                                              .sdkEventLoopGroup(sdkEventLoopGroup)
                                              .sslProvider(resolveSslProvider(builder))
                                              .proxyConfiguration(builder.proxyConfiguration)
+                                             .tlsKeyManagersProvider(builder.tlsKeyManagersProvider)
                                              .build();
     }
 
@@ -354,6 +357,17 @@ public interface Builder extends SdkAsyncHttpClient.Builder<NettyNioAsyncHttpCli
          * @see ProxyConfiguration#nonProxyHosts()
          */
         Builder proxyConfiguration(ProxyConfiguration proxyConfiguration);
+
+        /**
+         * Set the {@link TlsKeyManagersProvider} for this client. The {@code KeyManager}s will be used by the client to
+         * authenticate itself with the remote server if necessary when establishing the TLS connection.
+         * <p>
+         * By default the configured provider is {@link SystemPropertyTlsKeyManagersProvider}.
+         *
+         * @param keyManagersProvider The {@code TlsKeyManagersProvider}.
+         * @return The builder for method chaining.
+         */
+        Builder tlsKeyManagersProvider(TlsKeyManagersProvider keyManagersProvider);
     }
 
     /**
@@ -371,6 +385,7 @@ private static final class DefaultBuilder implements Builder {
         private Integer maxHttp2Streams;
         private SslProvider sslProvider;
         private ProxyConfiguration proxyConfiguration;
+        private TlsKeyManagersProvider tlsKeyManagersProvider = SystemPropertyTlsKeyManagersProvider.create();
 
         private DefaultBuilder() {
         }
@@ -537,6 +552,12 @@ public void setProxyConfiguration(ProxyConfiguration proxyConfiguration) {
             proxyConfiguration(proxyConfiguration);
         }
 
+        @Override
+        public Builder tlsKeyManagersProvider(TlsKeyManagersProvider tlsKeyManagersProvider) {
+            this.tlsKeyManagersProvider = tlsKeyManagersProvider;
+            return this;
+        }
+
         @Override
         public SdkAsyncHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
             return new NettyNioAsyncHttpClient(this, standardOptions.build()

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/AwaitCloseChannelPoolMap.java

@@ -40,11 +40,14 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicReference;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManagerFactory;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.annotations.SdkTestInternalApi;
 import software.amazon.awssdk.http.Protocol;
+import software.amazon.awssdk.http.TlsKeyManagersProvider;
 import software.amazon.awssdk.http.nio.netty.ProxyConfiguration;
 import software.amazon.awssdk.http.nio.netty.SdkEventLoopGroup;
 import software.amazon.awssdk.http.nio.netty.internal.http2.HttpOrHttp2ChannelPool;
@@ -82,6 +85,7 @@ public void channelCreated(Channel ch) throws Exception {
     private final long maxStreams;
     private final SslProvider sslProvider;
     private final ProxyConfiguration proxyConfiguration;
+    private final TlsKeyManagersProvider tlsKeyManagersProvider;
 
     private AwaitCloseChannelPoolMap(Builder builder) {
         this.sdkChannelOptions = builder.sdkChannelOptions;
@@ -91,6 +95,7 @@ private AwaitCloseChannelPoolMap(Builder builder) {
         this.maxStreams = builder.maxStreams;
         this.sslProvider = builder.sslProvider;
         this.proxyConfiguration = builder.proxyConfiguration;
+        this.tlsKeyManagersProvider = builder.tlsKeyManagersProvider;
     }
 
     @SdkTestInternalApi
@@ -260,6 +265,7 @@ private SslContext sslContext(URI targetAddress) {
                                     .sslProvider(sslProvider)
                                     .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                                     .trustManager(getTrustManager())
+                                    .keyManager(getKeyManager())
                                     .build();
         } catch (SSLException e) {
             throw new RuntimeException(e);
@@ -270,6 +276,16 @@ private TrustManagerFactory getTrustManager() {
         return configuration.trustAllCertificates() ? InsecureTrustManagerFactory.INSTANCE : null;
     }
 
+    private KeyManagerFactory getKeyManager() {
+        if (tlsKeyManagersProvider != null) {
+            KeyManager[] keyManagers = tlsKeyManagersProvider.keyManagers();
+            if (keyManagers != null) {
+                return StaticKeyManagerFactory.create(keyManagers);
+            }
+        }
+        return null;
+    }
+
     public static class Builder {
 
         private SdkChannelOptions sdkChannelOptions;
@@ -279,6 +295,7 @@ public static class Builder {
         private long maxStreams;
         private SslProvider sslProvider;
         private ProxyConfiguration proxyConfiguration;
+        private TlsKeyManagersProvider tlsKeyManagersProvider;
 
         private Builder() {
         }
@@ -318,6 +335,11 @@ public Builder proxyConfiguration(ProxyConfiguration proxyConfiguration) {
             return this;
         }
 
+        public Builder tlsKeyManagersProvider(TlsKeyManagersProvider tlsKeyManagersProvider) {
+            this.tlsKeyManagersProvider = tlsKeyManagersProvider;
+            return this;
+        }
+
         public AwaitCloseChannelPoolMap build() {
             return new AwaitCloseChannelPoolMap(this);
         }

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/StaticKeyManagerFactory.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.nio.netty.internal;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+
+/**
+ * Factory that simply returns a statically provided set of {@link KeyManager}s.
+ */
+@SdkInternalApi
+public final class StaticKeyManagerFactory extends KeyManagerFactory {
+    private StaticKeyManagerFactory(KeyManager[] keyManagers) {
+        super(new StaticKeyManagerFactorySpi(keyManagers), null, null);
+    }
+
+    public static StaticKeyManagerFactory create(KeyManager[] keyManagers) {
+        return new StaticKeyManagerFactory(keyManagers);
+    }
+}

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/StaticKeyManagerFactorySpi.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.nio.netty.internal;
+
+import java.security.KeyStore;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactorySpi;
+import javax.net.ssl.ManagerFactoryParameters;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.utils.Validate;
+
+
+/**
+* Factory SPI that simply returns a statically provided set of {@link KeyManager}s.
+*/
+@SdkInternalApi
+public final class StaticKeyManagerFactorySpi extends KeyManagerFactorySpi {
+    private final KeyManager[] keyManagers;
+
+    public StaticKeyManagerFactorySpi(KeyManager[] keyManagers) {
+        Validate.paramNotNull(keyManagers, "keyManagers");
+        this.keyManagers = new KeyManager[keyManagers.length];
+        System.arraycopy(keyManagers, 0, this.keyManagers, 0, keyManagers.length);
+    }
+
+    @Override
+    protected void engineInit(KeyStore ks, char[] password) {
+    }
+
+    @Override
+    protected void engineInit(ManagerFactoryParameters spec) {
+    }
+
+    @Override
+    protected KeyManager[] engineGetKeyManagers() {
+        return keyManagers;
+    }
+}

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/ClientTlsAuthTestBase.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.nio.netty;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+abstract class ClientTlsAuthTestBase {
+    protected static final String STORE_PASSWORD = "password";
+    protected static final String CLIENT_STORE_TYPE = "pkcs12";
+    protected static final String TEST_KEY_STORE = "/software/amazon/awssdk/http/netty/server-keystore";
+    protected static final String CLIENT_KEY_STORE = "/software/amazon/awssdk/http/netty/client1.p12";
+
+    protected static Path tempDir;
+    protected static Path serverKeyStore;
+    protected static Path clientKeyStore;
+
+    @BeforeClass
+    public static void setUp() throws IOException {
+        tempDir = Files.createTempDirectory(ClientTlsAuthTestBase.class.getSimpleName());
+        copyCertsToTmpDir();
+    }
+
+    @AfterClass
+    public static void teardown() throws IOException {
+        Files.deleteIfExists(serverKeyStore);
+        Files.deleteIfExists(clientKeyStore);
+        Files.deleteIfExists(tempDir);
+    }
+
+    private static void copyCertsToTmpDir() throws IOException {
+        InputStream sksStream = ClientTlsAuthTestBase.class.getResourceAsStream(TEST_KEY_STORE);
+        Path sks = copyToTmpDir(sksStream, "server-keystore");
+
+        InputStream cksStream = ClientTlsAuthTestBase.class.getResourceAsStream(CLIENT_KEY_STORE);
+        Path cks = copyToTmpDir(cksStream, "client1.p12");
+
+        serverKeyStore = sks;
+        clientKeyStore = cks;
+    }
+
+    private static Path copyToTmpDir(InputStream srcStream, String name) throws IOException {
+        Path dst = tempDir.resolve(name);
+        Files.copy(srcStream, dst);
+        return dst;
+    }
+}