[ok_http] Add support for client certificates using Java PrivateKeys (#1444)

Author: brianquinlan

.github/workflows/okhttp.yaml

@@ -32,7 +32,7 @@ jobs:
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
         with:
           distribution: 'zulu'
-          java-version: '17'
+          java-version: '21'
       - uses: subosito/flutter-action@44ac965b96f18d999802d4b807e3256d5a3f9fa1
         with:
           channel: 'stable'
@@ -50,7 +50,7 @@ jobs:
         if: always() && steps.install.outcome == 'success'
         with:
           # api-level/minSdkVersion should be help in sync in:
-          # - .github/workflows/ok.yml
+          # - .github/workflows/okhttp.yml
           # - pkgs/ok_http/android/build.gradle
           # - pkgs/ok_http/example/android/app/build.gradle
           api-level: 21

pkgs/cronet_http/android/build.gradle

@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:8.1.0'
+        classpath 'com.android.tools.build:gradle:8.9.0'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
     }
 }

pkgs/flutter_http_example/android/gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-all.zip

pkgs/http_client_conformance_tests/lib/src/response_headers_tests.dart

@@ -163,8 +163,8 @@ void testResponseHeaders(Client client,
               response.headers['foo'],
               anyOf(
                   '1 2', // RFC-specified behavior
-                  '1' // Common client behavior.
-                  ));
+                  // Common client behavior (Cronet, Apple URL Loading System).
+                  '1'));
         } on ClientException {
           // The client rejected the response, which is allowed per RFC-9110.
         }
@@ -178,9 +178,11 @@ void testResponseHeaders(Client client,
           expect(
               response.headers['foo'],
               anyOf(
-                  '1 2', // RFC-specified behavior
-                  '1' // Common client behavior.
-                  ));
+                '1 2', // RFC-specified behavior
+                // Common client behavior (Cronet, Apple URL Loading System).
+                '1',
+                '1\r2', // Common client behavior (Java).
+              ));
         } on ClientException {
           // The client rejected the response, which is allowed per RFC-9110.
         }

pkgs/ok_http/CHANGELOG.md

@@ -2,7 +2,9 @@
 
 - `OkHttpClient` now receives an `OkHttpClientConfiguration` to configure the client on a per-call basis.
 - `OkHttpClient` supports setting four types of timeouts: [`connectTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/connect-timeout.html), [`readTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/read-timeout.html), [`writeTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/write-timeout.html), and [`callTimeout`](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/call-timeout.html), using the `OkHttpClientConfiguration`.
-- Update to `jnigen` 0.12.2
+- Upgrade to `jni` 0.13.0
+- Upgrade to `jnigen` 0.13.1
+- `OKHttpClient` supports client certificates.
 
 ## 0.1.0
 

pkgs/ok_http/android/build.gradle

@@ -4,16 +4,15 @@ group = "com.example.ok_http"
 version = "1.0"
 
 buildscript {
-    // Required to support `okhttp:4.12.0`.
-    ext.kotlin_version = '1.9.23'
+    ext.kotlin_version = '2.1.10'
     repositories {
         google()
         mavenCentral()
     }
 
     dependencies {
         // The Android Gradle Plugin knows how to build native code with the NDK.
-        classpath("com.android.tools.build:gradle:7.3.0")
+        classpath("com.android.tools.build:gradle:8.1.2")
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
     }
 }
@@ -34,7 +33,7 @@ android {
     }
 
     kotlinOptions {
-        jvmTarget = '1.8'
+        jvmTarget = JavaVersion.VERSION_21
     }
 
     sourceSets {
@@ -52,8 +51,8 @@ android {
     ndkVersion = android.ndkVersion
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_1_8
-        targetCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 
     defaultConfig {

pkgs/ok_http/android/src/main/kotlin/com/example/ok_http/FixedResponseX509ExtendedKeyManager.kt

@@ -0,0 +1,55 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+package com.example.ok_http
+
+import java.net.Socket
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.X509ExtendedKeyManager
+
+/**
+ * A `X509ExtendedKeyManager` that always responds with the configured
+ * private key, certificate chain, and alias.
+ */
+class FixedResponseX509ExtendedKeyManager(
+        private val certificateChain: Array<X509Certificate>,
+        private val privateKey: PrivateKey,
+        private val alias: String,
+) : X509ExtendedKeyManager() {
+
+    override fun getClientAliases(keyType: String, issuers: Array<Principal>?) = arrayOf(alias)
+
+    override fun chooseClientAlias(
+            keyType: Array<String>,
+            issuers: Array<Principal>?,
+            socket: Socket?,
+    ) = alias
+
+    override fun getServerAliases(keyType: String, issuers: Array<Principal>?) = arrayOf(alias)
+
+    override fun chooseServerAlias(
+            keyType: String,
+            issuers: Array<Principal>?,
+            socket: Socket?,
+    ) = alias
+
+    override fun getCertificateChain(alias: String) = certificateChain
+
+    override fun getPrivateKey(alias: String) = privateKey
+
+    override fun chooseEngineClientAlias(
+            keyType: Array<String?>?,
+            issuers: Array<Principal?>?,
+            engine: SSLEngine?,
+    ) = alias
+
+    override fun chooseEngineServerAlias(
+            keyType: String?,
+            issuers: Array<Principal?>?,
+            engine: SSLEngine?
+    ) = alias
+}

pkgs/ok_http/example/android/app/build.gradle

@@ -29,8 +29,8 @@ android {
     ndkVersion = flutter.ndkVersion
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_1_8
-        targetCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_21
+        targetCompatibility = JavaVersion.VERSION_21
     }
 
     defaultConfig {

pkgs/ok_http/example/android/gradle/wrapper/gradle-wrapper.properties

@@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.3-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip

pkgs/ok_http/example/android/settings.gradle

@@ -18,7 +18,7 @@ pluginManagement {
 
 plugins {
     id "dev.flutter.flutter-plugin-loader" version "1.0.0"
-    id "com.android.application" version "7.3.0" apply false
+    id "com.android.application" version "8.2.1" apply false
     id "org.jetbrains.kotlin.android" version "1.9.23" apply false
 }