[ok_http] Support Android Keystore PrivateKeys #1237

Open
Anikate-De opened this issue Jun 19, 2024 · 3 comments
@Anikate-De (Contributor)

Please see dart-lang/sdk#50669, it serves as a starting point for this feature implementation.

The Android KeyStore System prohibits the application from extracting key material.

This essentially prevents HTTP client users from supplying the ByteArray of Key Material into the SecurityContext using setTrustedCertificatesBytes

However, since OkHttp can interact with native APIs, we can let the OkHttpClient use an SSLSocketFactory and pass the Key Material using javax.net.ssl.X509TrustManager


Proposal

Expose a new API in OkHttpClient:

class OkHttpClient ... {
    void setClientCertificateFromKeyStore(String keyStoreAlias) {...}
}

See dart-lang/sdk#50669 (comment)

If this is what we're going for, do you think that it would be better to write native code and then generate bindings of that (much like what we have for RedirectInterceptor and AsyncInputStreamReader), rather than generating bindings for too many classes and then implementing it in Dart using JNI?


Tests

What tests would be required to check if this is working correctly?

Set up a mock HTTPS server with a CertificateChain and PrivateKey.
Then set up valid and invalid certificates in the KeyStore and make requests from OkHttpClient?

cc @brianquinlan @camsim99
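The two pieces proposed above (a client that takes its identity from a KeyStore alias, and a test with a mock HTTPS server plus valid and invalid KeyStore entries) as one added example. This is not ok_http or OkHttp project code; it is written against the okhttp 4.x API and assumes the okhttp-tls and mockwebserver artifacts are on the classpath. The class and method names (KeyStoreClientAuth, AliasKeyManager, clientFor), the aliases "valid" and "invalid", and the test PKI are all constructed for the example. It runs on a plain JVM with a PKCS12 store standing in for AndroidKeyStore; the same AliasKeyManager works over AndroidKeyStore because the key manager only hands the PrivateKey object to the TLS stack and never reads its bytes. Note that the client-side hook is javax.net.ssl.X509KeyManager (supplies the client's key and chain); an X509TrustManager only verifies the peer.

```java
// Added example, not ok_http/OkHttp code. Assumes okhttp 4.x + okhttp-tls + mockwebserver.
import java.io.IOException;
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
import okhttp3.*;
import okhttp3.mockwebserver.*;
import okhttp3.tls.*;

public final class KeyStoreClientAuth {

  // Hypothetical key manager pinned to one alias. It never copies key material: the TLS
  // stack signs through the PrivateKey object's own provider. With AndroidKeyStore that
  // object is opaque (getEncoded() returns null) and signing happens inside Keystore, which
  // is why an alias-based API can work where usePrivateKeyBytes cannot.
  static final class AliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore keyStore;
    private final String alias;
    private final char[] keyPassword; // null for AndroidKeyStore, which ignores passwords

    AliasKeyManager(KeyStore keyStore, String alias, char[] keyPassword) {
      this.keyStore = keyStore;
      this.alias = alias;
      this.keyPassword = keyPassword;
    }
    // Ignore the server's CA hints: the caller chose this alias deliberately.
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return alias; }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return alias; }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return new String[] {alias}; }
    @Override public X509Certificate[] getCertificateChain(String a) {
      if (!alias.equals(a)) return null;
      try {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        return chain == null ? null : Arrays.copyOf(chain, chain.length, X509Certificate[].class);
      } catch (GeneralSecurityException e) { return null; }
    }
    @Override public PrivateKey getPrivateKey(String a) {
      if (!alias.equals(a)) return null;
      try { return (PrivateKey) keyStore.getKey(alias, keyPassword); }
      catch (GeneralSecurityException e) { return null; }
    }
    // Client-only manager: never offer a server identity.
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return null; }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return null; }
  }

  // Client that authenticates with the key under `alias` and verifies servers with `trust`.
  // OkHttp still negotiates HTTP/2 by ALPN on sockets from this factory; it has no QUIC transport.
  static OkHttpClient clientFor(KeyStore ks, String alias, char[] pw, X509TrustManager trust)
      throws GeneralSecurityException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(new KeyManager[] {new AliasKeyManager(ks, alias, pw)}, new TrustManager[] {trust}, null);
    return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), trust).build();
  }

  public static void main(String[] args) throws Exception {
    // Constructed test PKI (self-signed via okhttp-tls), not real credentials.
    HeldCertificate server = new HeldCertificate.Builder()
        .commonName("localhost").addSubjectAlternativeName("localhost").build();
    HeldCertificate enrolled = new HeldCertificate.Builder().commonName("device-1234").build();
    HeldCertificate rogue = new HeldCertificate.Builder().commonName("rogue-device").build();

    // Mock HTTPS server: presents `server`, trusts only `enrolled`, refuses handshakes without a client cert.
    HandshakeCertificates serverSide = new HandshakeCertificates.Builder()
        .heldCertificate(server).addTrustedCertificate(enrolled.certificate()).build();
    MockWebServer mws = new MockWebServer();
    mws.useHttps(serverSide.sslSocketFactory(), false);
    mws.requireClientAuth();
    mws.enqueue(new MockResponse().setBody("hello"));
    mws.start();

    // Stand-in for AndroidKeyStore. On Android: KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
    // entries are created by KeyPairGenerator/KeyChain and the key password is null.
    char[] pw = "test-only".toCharArray();
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null);
    ks.setKeyEntry("valid", enrolled.keyPair().getPrivate(), pw, new Certificate[] {enrolled.certificate()});
    ks.setKeyEntry("invalid", rogue.keyPair().getPrivate(), pw, new Certificate[] {rogue.certificate()});

    X509TrustManager trustServer = new HandshakeCertificates.Builder()
        .addTrustedCertificate(server.certificate()).build().trustManager();
    Request req = new Request.Builder().url(mws.url("/")).build();

    try (Response r = clientFor(ks, "valid", pw, trustServer).newCall(req).execute()) {
      System.out.println("alias 'valid': HTTP " + r.code() + " " + r.body().string());
    }
    try (Response r = clientFor(ks, "invalid", pw, trustServer).newCall(req).execute()) {
      System.out.println("alias 'invalid' unexpectedly accepted: HTTP " + r.code());
    } catch (IOException e) {
      System.out.println("alias 'invalid' rejected during TLS handshake: " + e);
    }
    mws.shutdown();
  }
}
```

The "valid" alias completes the handshake and gets the enqueued response; the "invalid" alias presents a certificate the server does not trust, so the server aborts the handshake and the client sees an IOException (typically SSLHandshakeException). Keep both cases in any test for this feature: the first proves the opaque key can sign, the second proves the server's trust decision, not just the presence of a key, is what gates the request.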

@brianquinlan (Collaborator)

I would assume that the implementation requires that you use sslSocketFactory? Does that limit the connection to not be HTTP/QUIC?

It might make sense to think of this in terms of what functionality from OkHttpClient.Build we want to make available in the client?

@brianquinlan (Collaborator)

@brianquinlan (Collaborator)
