Description
Subsystem
Client, CIO module
Is your feature request related to a problem? Please describe.
I am currently configuring the client to communicate over mutual TLS (mutual authentication). The server will require the client to identify itself. To enable this feature, a client needs an SSLContext with a preconfigured KeyManager initialized. With the Apache or OkHttp module this is already possible with Ktor, because it accepts a custom SSLContext or SSLSocketFactory, see below:
For Apache HttpClient
```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.apache.Apache
import javax.net.ssl.SSLContext

// The custom SSLContext was left as a placeholder comment in the original snippet;
// it is taken as a constructor parameter here so the class compiles.
class ApacheExampleClient(customSslContext: SSLContext) {
    val client = HttpClient(Apache) {
        engine {
            // The Apache engine accepts a fully configured SSLContext (KeyManager + TrustManager)
            sslContext = customSslContext
        }
    }
}
```
For OkHttp
```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.okhttp.OkHttp
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.X509TrustManager

// socketFactory, trustManager and hostnameVerifier were free variables in the original
// snippet; they are constructor parameters here so the class compiles.
class OkHttpExampleClient(
    socketFactory: SSLSocketFactory,
    trustManager: X509TrustManager,
    hostnameVerifier: HostnameVerifier
) {
    val client = HttpClient(OkHttp) {
        engine {
            config {
                // OkHttp requires the X509TrustManager the socket factory was built with
                sslSocketFactory(socketFactory, trustManager)
                hostnameVerifier(hostnameVerifier)
            }
        }
    }
}
```
The CIO module accepts a couple of HTTPS parameters, such as a TrustManager and a SecureRandom. I am assuming that the CIO module will use these values to create a custom SSLContext. With the current options available in the TLSConfigBuilder, which is used by the CIOEngineConfig, it is not possible to provide the key material.
Describe the solution you'd like
I would like to have the possibility to also provide a KeyManager within the TLSConfigBuilder. In that way the client can identify itself when the server requests a client certificate during the handshake process.
With KeyManager and TrustManager
```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.cio.CIO

// Proposed API: the `keyManager` property does not exist in TLSConfigBuilder yet.
class CioExampleClient {
    val client = HttpClient(CIO) {
        engine {
            https {
                keyManager = //keymanager
                trustManager = //trustmanager
            }
        }
    }
}
```
Motivation to include in Ktor
This option will enable the end user to get the same behaviour as other clients like Apache and OkHttp for mutual authentication. I am not quite sure if it is easy to implement or even possible, but it would be a cool feature to have.
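As an added example (not part of the original issue and not Ktor's own code), the following shows the workaround the post describes: building a mutual-TLS SSLContext from a client key store and a trust store with the standard JSSE factories, then handing it to the Apache engine. The PKCS12 store type, the file paths, the password handling and the `mutualTlsContext` / `MutualTlsApacheClient` names are assumptions for this example.

```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.apache.Apache
import java.io.FileInputStream
import java.security.KeyStore
import java.security.SecureRandom
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory

/**
 * Builds an SSLContext for mutual TLS: the KeyManager presents the client certificate
 * and private key from [clientKeyStorePath]; the TrustManager accepts only server
 * certificates that chain to the CAs in [trustStorePath].
 * Paths, passwords and the PKCS12 store type are assumptions for this example.
 */
fun mutualTlsContext(
    clientKeyStorePath: String,
    clientKeyStorePassword: CharArray,
    trustStorePath: String,
    trustStorePassword: CharArray
): SSLContext {
    val clientKeyStore = KeyStore.getInstance("PKCS12").apply {
        FileInputStream(clientKeyStorePath).use { load(it, clientKeyStorePassword) }
    }
    // A store that holds only a certificate (no private key) yields a KeyManager that
    // silently sends no client certificate; fail here instead of at the handshake.
    val hasPrivateKey = clientKeyStore.aliases().toList().any { clientKeyStore.isKeyEntry(it) }
    require(hasPrivateKey) { "$clientKeyStorePath contains no private key entry" }

    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
        init(clientKeyStore, clientKeyStorePassword)
    }

    val trustStore = KeyStore.getInstance("PKCS12").apply {
        FileInputStream(trustStorePath).use { load(it, trustStorePassword) }
    }
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
        init(trustStore)
    }

    return SSLContext.getInstance("TLS").apply {
        init(keyManagerFactory.keyManagers, trustManagerFactory.trustManagers, SecureRandom())
    }
}

// Hands the mutual-TLS context to the Apache engine, which accepts a custom SSLContext;
// CIO's TLSConfigBuilder has no equivalent slot for the key material.
class MutualTlsApacheClient(context: SSLContext) {
    val client = HttpClient(Apache) {
        engine {
            sslContext = context
        }
    }
}

fun main(args: Array<String>) {
    // Passwords on the command line are for this example only; load them from a
    // secret store or the console in real deployments.
    require(args.size == 4) { "usage: <client.p12> <client-password> <truststore.p12> <trust-password>" }
    val context = mutualTlsContext(args[0], args[1].toCharArray(), args[2], args[3].toCharArray())
    val client = MutualTlsApacheClient(context).client
    client.close()
}
```

Only the SSLContext is replaced here; no custom hostname verifier is installed, so the engine's default hostname verification of the server certificate stays in force. The private-key check matters in practice because a PKCS12 file exported with the certificate alone loads without error and the handshake then fails on the server side with an opaque "bad certificate" or "certificate required" alert.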