transport-api: add ability to use a javax SSLContext with TLS (#3438)

 #### Motivation
The javax SSLContext is sometimes used as a way to pass through
credentials and trust stores.

 #### Modifications
Add a `.sslContext(SSLContext)` method to our SslConfig types
and thread it through the netty API in to the JdkSslContext type
which will then use the provided SSLContext as the engine for the
SslHandler.

Author: bryce-anderson

servicetalk-http-netty/src/test/java/io/servicetalk/http/netty/SslContextTest.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright © 2026 Apple Inc. and the ServiceTalk project authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.servicetalk.http.netty;
+
+import io.servicetalk.http.api.BlockingHttpClient;
+import io.servicetalk.http.api.HttpResponseStatus;
+import io.servicetalk.test.resources.DefaultTestCerts;
+import io.servicetalk.transport.api.ClientSslConfigBuilder;
+import io.servicetalk.transport.api.ServerContext;
+import io.servicetalk.transport.api.ServerSslConfigBuilder;
+
+import org.junit.jupiter.api.Test;
+
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+
+import static io.servicetalk.test.resources.DefaultTestCerts.serverPemHostname;
+import static io.servicetalk.transport.api.SslClientAuthMode.REQUIRE;
+import static io.servicetalk.transport.netty.internal.AddressUtils.localAddress;
+import static io.servicetalk.transport.netty.internal.AddressUtils.serverHostAndPort;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class SslContextTest {
+
+    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
+
+    @Test
+    void mutualSslWithSSLContext() throws Exception {
+        SSLContext serverSslContext = createServerSSLContextWithClientAuth();
+        try (ServerContext serverContext = HttpServers.forAddress(localAddress(0))
+                .sslConfig(new ServerSslConfigBuilder(serverSslContext)
+                        .clientAuthMode(REQUIRE)
+                        .build())
+                .listenBlockingAndAwait((ctx, request, responseFactory) -> responseFactory.ok())) {
+            SSLContext clientSslContext = createClientSSLContextWithKeyMaterial();
+            try (BlockingHttpClient client = HttpClients.forSingleAddress(serverHostAndPort(serverContext))
+                    .sslConfig(new ClientSslConfigBuilder(clientSslContext)
+                            .peerHost(serverPemHostname())
+                            .build())
+                    .buildBlocking()) {
+                assertEquals(HttpResponseStatus.OK, client.request(client.get("/")).status());
+            }
+        }
+    }
+
+    private static SSLContext createClientSSLContextWithKeyMaterial() throws Exception {
+        KeyManagerFactory kmf = createKeyManagerFactory(DefaultTestCerts::loadClientP12);
+        TrustManagerFactory tmf = createTrustManagerFactory(DefaultTestCerts::loadServerCAPem);
+        return createSSLContext(kmf, tmf);
+    }
+
+    private static SSLContext createServerSSLContextWithClientAuth() throws Exception {
+        KeyManagerFactory kmf = createKeyManagerFactory(DefaultTestCerts::loadServerP12);
+        TrustManagerFactory tmf = createTrustManagerFactory(DefaultTestCerts::loadClientCAPem);
+        return createSSLContext(kmf, tmf);
+    }
+
+    private static KeyManagerFactory createKeyManagerFactory(java.util.function.Supplier<InputStream> p12Supplier)
+            throws Exception {
+        KeyStore keyStore = KeyStore.getInstance("PKCS12");
+        try (InputStream is = p12Supplier.get()) {
+            keyStore.load(is, KEYSTORE_PASSWORD);
+        }
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(keyStore, KEYSTORE_PASSWORD);
+        return kmf;
+    }
+
+    private static TrustManagerFactory createTrustManagerFactory(java.util.function.Supplier<InputStream> caPemSupplier)
+            throws Exception {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        Certificate caCert;
+        try (InputStream is = caPemSupplier.get()) {
+            caCert = cf.generateCertificate(is);
+        }
+        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        trustStore.load(null, null);
+        trustStore.setCertificateEntry("ca", caCert);
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(trustStore);
+        return tmf;
+    }
+
+    private static SSLContext createSSLContext(KeyManagerFactory kmf, TrustManagerFactory tmf) throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+        return sslContext;
+    }
+}

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/AbstractSslConfig.java

@@ -21,9 +21,12 @@
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
 abstract class AbstractSslConfig implements SslConfig {
+    @Nullable
+    private final SSLContext sslContext;
     @Nullable
     private final TrustManagerFactory trustManagerFactory;
     @Nullable
@@ -52,7 +55,8 @@ abstract class AbstractSslConfig implements SslConfig {
     private final List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms;
     private final Duration handshakeTimeout;
 
-    AbstractSslConfig(@Nullable final TrustManagerFactory trustManagerFactory,
+    AbstractSslConfig(@Nullable final SSLContext sslContext,
+                      @Nullable final TrustManagerFactory trustManagerFactory,
                       @Nullable final Supplier<InputStream> trustCertChainSupplier,
                       @Nullable final KeyManagerFactory keyManagerFactory,
                       @Nullable final Supplier<InputStream> keyCertChainSupplier,
@@ -64,6 +68,7 @@ abstract class AbstractSslConfig implements SslConfig {
                       final int maxCertificateListBytes, @Nullable final SslProvider provider,
                       @Nullable final List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms,
                       final Duration handshakeTimeout) {
+        this.sslContext = sslContext;
         this.trustManagerFactory = trustManagerFactory;
         this.trustCertChainSupplier = trustCertChainSupplier;
         this.keyManagerFactory = keyManagerFactory;
@@ -82,6 +87,12 @@ abstract class AbstractSslConfig implements SslConfig {
         this.handshakeTimeout = handshakeTimeout;
     }
 
+    @Nullable
+    @Override
+    public final SSLContext sslContext() {
+        return sslContext;
+    }
+
     @Nullable
     @Override
     public final TrustManagerFactory trustManagerFactory() {

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/AbstractSslConfigBuilder.java

@@ -24,6 +24,7 @@
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManagerFactory;
@@ -44,6 +45,8 @@ abstract class AbstractSslConfigBuilder<T extends AbstractSslConfigBuilder<T>> {
     static final Duration DEFAULT_HANDSHAKE_TIMEOUT = ofSeconds(5);
     private static final int DEFAULT_MAX_CERTIFICATE_LIST_BYTES = 32 * 1024;    // 32Kb
 
+    @Nullable
+    private SSLContext sslContext;
     @Nullable
     private TrustManagerFactory trustManagerFactory;
     @Nullable
@@ -72,6 +75,42 @@ abstract class AbstractSslConfigBuilder<T extends AbstractSslConfigBuilder<T>> {
     private List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms;
     private Duration handshakeTimeout = DEFAULT_HANDSHAKE_TIMEOUT;
 
+    /**
+     * Set a pre-configured {@link SSLContext} to use for SSL/TLS.
+     * <p>
+     * When an {@link SSLContext} is provided, it takes precedence over individual trust and key manager
+     * configurations and forces the {@link SslProvider} to JDK.
+     * <p>
+     * This method is mutually exclusive with:
+     * <ul>
+     *   <li>{@link #trustManager(TrustManagerFactory)}</li>
+     *   <li>{@link #trustManager(Supplier)}</li>
+     *   <li>{@link #keyManager(KeyManagerFactory)}</li>
+     *   <li>{@link #keyManager(Supplier, Supplier)}</li>
+     *   <li>{@link #keyManager(Supplier, Supplier, String)}</li>
+     * </ul>
+     *
+     * @param sslContext the SSLContext to use
+     * @return {@code this}
+     * @see SslConfig#sslContext()
+     */
+    public final T sslContext(final SSLContext sslContext) {
+        this.sslContext = requireNonNull(sslContext);
+        // Clear individual manager configurations as they conflict with SSLContext
+        trustManagerFactory = null;
+        trustCertChainSupplier = null;
+        keyManagerFactory = null;
+        keyCertChainSupplier = null;
+        keySupplier = null;
+        keyPassword = null;
+        return thisT();
+    }
+
+    @Nullable
+    final SSLContext sslContext() {
+        return sslContext;
+    }
+
     /**
      * Set the {@link TrustManagerFactory} used for verifying the remote endpoint's certificate.
      *
@@ -82,6 +121,7 @@ abstract class AbstractSslConfigBuilder<T extends AbstractSslConfigBuilder<T>> {
     public final T trustManager(TrustManagerFactory tmf) {
         this.trustManagerFactory = requireNonNull(tmf);
         trustCertChainSupplier = null;
+        sslContext = null;
         return thisT();
     }
 
@@ -105,6 +145,7 @@ final TrustManagerFactory trustManager() {
     public final T trustManager(Supplier<InputStream> trustCertChainSupplier) {
         this.trustCertChainSupplier = requireNonNull(trustCertChainSupplier);
         trustManagerFactory = null;
+        sslContext = null;
         return thisT();
     }
 
@@ -125,6 +166,7 @@ public final T keyManager(KeyManagerFactory kmf) {
         keyCertChainSupplier = null;
         keySupplier = null;
         keyPassword = null;
+        sslContext = null;
         return thisT();
     }
 
@@ -155,6 +197,7 @@ public final T keyManager(Supplier<InputStream> keyCertChainSupplier, Supplier<I
         this.keySupplier = requireNonNull(keySupplier);
         keyPassword = null;
         keyManagerFactory = null;
+        sslContext = null;
         return thisT();
     }
 
@@ -183,6 +226,7 @@ public final T keyManager(Supplier<InputStream> keyCertChainSupplier, Supplier<I
         this.keySupplier = requireNonNull(keySupplier);
         this.keyPassword = keyPassword;
         keyManagerFactory = null;
+        sslContext = null;
         return thisT();
     }
 

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/ClientSslConfigBuilder.java

@@ -21,6 +21,7 @@
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
@@ -50,6 +51,16 @@ public final class ClientSslConfigBuilder extends AbstractSslConfigBuilder<Clien
     public ClientSslConfigBuilder() {
     }
 
+    /**
+     * Create a new instance using a {@link SSLContext} for key and trust configuration.
+     *
+     * @param sslContext the {@link SSLContext} to use for SSL/TLS.
+     * @see ClientSslConfig#sslContext()
+     */
+    public ClientSslConfigBuilder(SSLContext sslContext) {
+        sslContext(sslContext);
+    }
+
     /**
      * Create a new instance using {@code tmf} to verify trusted servers.
      *
@@ -142,7 +153,7 @@ public ClientSslConfigBuilder sniHostname(String sniHostname) {
      * @return a new {@link ClientSslConfig}.
      */
     public ClientSslConfig build() {
-        return new DefaultClientSslConfig(hostnameVerificationAlgorithm, peerHost, peerPort, sniHostname,
+        return new DefaultClientSslConfig(sslContext(), hostnameVerificationAlgorithm, peerHost, peerPort, sniHostname,
                 trustManager(), trustCertChainSupplier(), keyManager(), keyCertChainSupplier(), keySupplier(),
                 keyPassword(), sslProtocols(), alpnProtocols(), ciphers(), cipherSuiteFilter(), sessionCacheSize(),
                 sessionTimeout(), maxCertificateListBytes(), provider(), certificateCompressionAlgorithms(),
@@ -163,7 +174,8 @@ private static final class DefaultClientSslConfig extends AbstractSslConfig impl
         @Nullable
         private final String sniHostname;
 
-        DefaultClientSslConfig(@Nullable final String hostnameVerificationAlgorithm,
+        DefaultClientSslConfig(@Nullable final SSLContext sslContext,
+                               @Nullable final String hostnameVerificationAlgorithm,
                                @Nullable final String peerHost,
                                final int peerPort,
                                @Nullable final String sniHostname,
@@ -178,8 +190,8 @@ private static final class DefaultClientSslConfig extends AbstractSslConfig impl
                                final int maxCertificateListBytes, @Nullable final SslProvider provider,
                                @Nullable final List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms,
                                final Duration handshakeTimeout) {
-            super(trustManagerFactory, trustCertChainSupplier, keyManagerFactory, keyCertChainSupplier, keySupplier,
-                    keyPassword, sslProtocols, alpnProtocols, ciphers, cipherSuiteFilter, sessionCacheSize,
+            super(sslContext, trustManagerFactory, trustCertChainSupplier, keyManagerFactory, keyCertChainSupplier,
+                    keySupplier, keyPassword, sslProtocols, alpnProtocols, ciphers, cipherSuiteFilter, sessionCacheSize,
                     sessionTimeout, maxCertificateListBytes, provider, certificateCompressionAlgorithms,
                     handshakeTimeout);
             this.hostnameVerificationAlgorithm = hostnameVerificationAlgorithm;

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/DelegatingSslConfig.java

@@ -21,6 +21,7 @@
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
 import static java.util.Objects.requireNonNull;
@@ -138,4 +139,10 @@ public Duration handshakeTimeout() {
     public int maxCertificateListBytes() {
         return delegate.maxCertificateListBytes();
     }
+
+    @Nullable
+    @Override
+    public SSLContext sslContext() {
+        return delegate.sslContext();
+    }
 }

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/ServerSslConfigBuilder.java

@@ -21,6 +21,7 @@
 import java.util.function.Supplier;
 import javax.annotation.Nullable;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 
@@ -33,6 +34,16 @@
 public final class ServerSslConfigBuilder extends AbstractSslConfigBuilder<ServerSslConfigBuilder> {
     private SslClientAuthMode clientAuthMode = NONE;
 
+    /**
+     * Create a new instance using a {@link SSLContext} for key and trust configuration.
+     *
+     * @param sslContext the {@link SSLContext} to use for SSL/TLS.
+     * @see ServerSslConfig#sslContext()
+     */
+    public ServerSslConfigBuilder(SSLContext sslContext) {
+        sslContext(sslContext);
+    }
+
     /**
      * Create a new instance using the {@link KeyManagerFactory} for SSL/TLS handshakes.
      *
@@ -106,10 +117,10 @@ public ServerSslConfigBuilder clientAuthMode(SslClientAuthMode clientAuthMode) {
      * @return a new {@link ServerSslConfig}.
      */
     public ServerSslConfig build() {
-        return new DefaultServerSslConfig(clientAuthMode, trustManager(), trustCertChainSupplier(), keyManager(),
-                keyCertChainSupplier(), keySupplier(), keyPassword(), sslProtocols(), alpnProtocols(), ciphers(),
-                cipherSuiteFilter(), sessionCacheSize(), sessionTimeout(), maxCertificateListBytes(), provider(),
-                certificateCompressionAlgorithms(), handshakeTimeout());
+        return new DefaultServerSslConfig(sslContext(), clientAuthMode, trustManager(), trustCertChainSupplier(),
+                keyManager(), keyCertChainSupplier(), keySupplier(), keyPassword(), sslProtocols(), alpnProtocols(),
+                ciphers(), cipherSuiteFilter(), sessionCacheSize(), sessionTimeout(), maxCertificateListBytes(),
+                provider(), certificateCompressionAlgorithms(), handshakeTimeout());
     }
 
     @Override
@@ -120,7 +131,8 @@ protected ServerSslConfigBuilder thisT() {
     private static final class DefaultServerSslConfig extends AbstractSslConfig implements ServerSslConfig {
         private final SslClientAuthMode clientAuthMode;
 
-        DefaultServerSslConfig(SslClientAuthMode clientAuthMode,
+        DefaultServerSslConfig(@Nullable final SSLContext sslContext,
+                               SslClientAuthMode clientAuthMode,
                                @Nullable final TrustManagerFactory trustManagerFactory,
                                @Nullable final Supplier<InputStream> trustCertChainSupplier,
                                @Nullable final KeyManagerFactory keyManagerFactory,
@@ -132,8 +144,8 @@ private static final class DefaultServerSslConfig extends AbstractSslConfig impl
                                final int maxCertificateListBytes, @Nullable final SslProvider provider,
                                @Nullable final List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms,
                                final Duration handshakeTimeout) {
-            super(trustManagerFactory, trustCertChainSupplier, keyManagerFactory, keyCertChainSupplier, keySupplier,
-                    keyPassword, sslProtocols, alpnProtocols, ciphers, cipherSuiteFilter, sessionCacheSize,
+            super(sslContext, trustManagerFactory, trustCertChainSupplier, keyManagerFactory, keyCertChainSupplier,
+                    keySupplier, keyPassword, sslProtocols, alpnProtocols, ciphers, cipherSuiteFilter, sessionCacheSize,
                     sessionTimeout, maxCertificateListBytes, provider, certificateCompressionAlgorithms,
                     handshakeTimeout);
             this.clientAuthMode = clientAuthMode;