Skip to content

feat(sdk): Add mTLS client certificate support#6024

Open
lazard36 wants to merge 7 commits intomatrix-org:mainfrom
lazard36:claude/add-mtls-certificates-UNFrB
Open

feat(sdk): Add mTLS client certificate support#6024
lazard36 wants to merge 7 commits intomatrix-org:mainfrom
lazard36:claude/add-mtls-certificates-UNFrB

Conversation

@lazard36
Copy link

@lazard36 lazard36 commented Jan 14, 2026

Summary

This PR adds mutual TLS (mTLS) authentication support to the matrix-rust-sdk, enabling clients to provide client certificates during TLS handshakes.

  • Add client_identity field to HttpSettings for storing client certificates
  • Implement client_certificate() method on ClientBuilder
  • Expose functionality via FFI for Swift/Kotlin bindings (PKCS#12 format)
  • Support both native-tls and rustls-tls backends with proper conditional compilation

Note: This PR supersedes #5988 and includes fixes for the TLS conditional compilation issues raised during review.

Key changes:

  • reqwest::Identity import and usage is now conditional on TLS features being enabled
  • FFI's PKCS#12 client certificate support is restricted to native-tls only (since from_pkcs12_der() is not available with rustls)
  • The SDK's client_certificate() method works with both TLS backends (users can use Identity::from_pem() with rustls)

Test plan

  • Verified compilation with native-tls feature
  • Verified compilation with rustls-tls feature
  • Verified FFI compilation with both TLS backends

@claude
feat(sdk): Add mTLS client certificate support
c49b23d 
Add support for mutual TLS (mTLS) authentication by allowing clients
to provide a client certificate (identity) that will be presented to
the server during the TLS handshake.

Changes:
- Add `client_identity` field to `HttpSettings` in `native.rs`
- Add `client_certificate()` method to `ClientBuilder`
- Expose `client_certificate()` via FFI for Swift bindings

The feature accepts PKCS#12/PFX certificate data that can be used
with reqwest::Identity for mutual TLS authentication.
@claude
fix(sdk): Fix TLS feature conditional compilation for mTLS
ea56560 
The `reqwest::Identity` type and related methods have different
availability depending on the TLS backend:

- `Identity` is available with both `native-tls` and `rustls-tls`
- `Identity::from_pkcs12_der()` is only available with `native-tls`
- `Identity::from_pem()` is available with both backends

This commit fixes compilation errors when building with different
TLS feature combinations by:

1. Making the `Identity` import conditional on TLS features
2. Making the `client_identity` field in `HttpSettings` conditional
3. Making the `client_certificate()` method conditional on TLS features
4. In FFI, restricting PKCS#12 client certificate support to `native-tls`
   only, since `from_pkcs12_der()` is not available with rustls
@lazard36 lazard36 requested a review from a team as a code owner January 14, 2026 14:57
@lazard36 lazard36 requested review from Hywan and removed request for a team January 14, 2026 14:57
claude added 3 commits January 14, 2026 15:01
@claude
style: Fix rustfmt formatting issues in mTLS code
020701b
@claude
fix(sdk): Use from_pem() in client_certificate doctest for cross-TLS …
3bf1793 
…compatibility

The doctest was using Identity::from_pkcs12_der() which only exists
with the native-tls feature. Changed to Identity::from_pem() which
works with both native-tls and rustls-tls backends.

Also updated the documentation to clarify that PKCS#12 format requires
the native-tls feature.
@claude
fix(sdk): Mark client_certificate doctest as ignore
ffa5318 
The reqwest::Identity API varies between TLS backends, so the doctest
is marked as ignore since it's demonstrating the concept rather than
providing runnable code.
@codspeed-hq
Copy link

codspeed-hq bot commented Jan 14, 2026
edited
Loading

CodSpeed Performance Report

Merging this PR will not alter performance

Comparing lazard36:claude/add-mtls-certificates-UNFrB (8cb3d53) with main (d64c990)

Summary

✅ 50 untouched benchmarks

claude added 2 commits January 14, 2026 15:20
@claude
fix(sdk): Use correct reqwest::Identity API in doctest
c244f6a 
Updated the client_certificate doctest to use the correct reqwest
Identity constructors:
- from_pkcs8_pem(cert_pem, key_pem) for rustls-tls
- from_pkcs12_der(p12_data, password) for native-tls

The doctest is marked as ignore since API availability varies by
TLS backend.
@claude
style: Wrap long comment line in FFI client_builder
8cb3d53
@codecov
Copy link

codecov bot commented Jan 14, 2026

Codecov Report

❌ Patch coverage is 30.00000% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.95%. Comparing base (cd9f433) to head (8cb3d53).
⚠️ Report is 63 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
crates/matrix-sdk/src/client/builder/mod.rs 0.00% 4 Missing ⚠️
crates/matrix-sdk/src/http_client/native.rs 50.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6024      +/-   ##
==========================================
+ Coverage   88.59%   88.95%   +0.36%     
==========================================
  Files         364      359       -5     
  Lines      104341    99290    -5051     
  Branches   104341    99290    -5051     
==========================================
- Hits        92438    88324    -4114     
+ Misses       7537     6976     -561     
+ Partials     4366     3990     -376

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@poljar poljar requested review from poljar and removed request for Hywan January 19, 2026 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@poljar poljar Awaiting requested review from poljar

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lazard36 @claude