Add cipher preference option in builder (#659)

* add cipher suite option in mqtt builder

* fix positional argument

* fix parameter & change parameter naming

* move cipher suite to builder option

* fix format

* add cipher_pref in builder doc

* update awscrt to 0.28.3

* validate TlsCipherPref

Author: xiazhvera

awsiot/mqtt5_client_builder.py

@@ -168,6 +168,8 @@
 
     **ca_bytes** (`bytes`): Override default trust store with CA certificates from these PEM formatted bytes.
 
+    **cipher_pref** (:class:`awscrt.io.TlsCipherPref`): Cipher preference to use for TLS connection. Default is `TlsCipherPref.DEFAULT`.
+
     **enable_metrics_collection** (`bool`): Whether to send the SDK version number in the CONNECT packet.
         Default is True.
 
@@ -243,8 +245,11 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
+    assert isinstance(cipher_pref, awscrt.io.TlsCipherPref)
+
     username = _get(kwargs, 'username', '')
     if _get(kwargs, 'enable_metrics_collection', True):
         username += _get_metrics_str(username)
@@ -345,6 +350,8 @@ def _builder(
     elif ca_filepath or ca_dirpath:
         tls_ctx_options.override_default_trust_store_from_path(ca_dirpath, ca_filepath)
 
+    tls_ctx_options.cipher_pref = cipher_pref
+
     if client_options.port is None:
         # prefer 443, even for direct MQTT connections, since it's less likely to be blocked by firewalls
         if use_websockets or awscrt.io.is_alpn_available():
@@ -453,6 +460,7 @@ def mtls_with_pkcs11(*,
         cert_file_contents=cert_bytes)
     return _builder(tls_ctx_options, **kwargs)
 
+
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
@@ -543,7 +551,10 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
         except Exception as e:
             transform_args.set_done(e)
 
-    return websockets_with_custom_handshake(_sign_websocket_handshake_request, websocket_proxy_options, **kwargs)
+    return websockets_with_custom_handshake(
+        _sign_websocket_handshake_request,
+        websocket_proxy_options,
+        **kwargs)
 
 
 def websockets_with_custom_handshake(

awsiot/mqtt_connection_builder.py

@@ -111,6 +111,8 @@
 
     **ca_bytes** (`bytes`): Override default trust store with CA certificates from these PEM formatted bytes.
 
+    **cipher_pref** (:class:`awscrt.io.TlsCipherPref`): Cipher preference to use for TLS connection. Default is `TlsCipherPref.DEFAULT`.
+
     **enable_metrics_collection** (`bool`): Whether to send the SDK version number in the CONNECT packet.
         Default is True.
 
@@ -181,8 +183,11 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
+    assert isinstance(cipher_pref, awscrt.io.TlsCipherPref)
+
     ca_bytes = _get(kwargs, 'ca_bytes')
     ca_filepath = _get(kwargs, 'ca_filepath')
     ca_dirpath = _get(kwargs, 'ca_dirpath')
@@ -202,6 +207,8 @@ def _builder(
     if port == 443 and awscrt.io.is_alpn_available() and use_custom_authorizer is False:
         tls_ctx_options.alpn_list = ['http/1.1'] if use_websockets else ['x-amzn-mqtt-ca']
 
+    tls_ctx_options.cipher_pref = cipher_pref
+
     socket_options = awscrt.io.SocketOptions()
     socket_options.connect_timeout_ms = _get(kwargs, 'tcp_connect_timeout_ms', 5000)
     # These have been inconsistent between keepalive/keep_alive. Resolve both for now to ease transition.
@@ -350,6 +357,7 @@ def mtls_with_pkcs11(*,
 
     return _builder(tls_ctx_options, **kwargs)
 
+
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
@@ -552,6 +560,7 @@ def direct_with_custom_authorizer(
         use_websockets=False,
         **kwargs)
 
+
 def websockets_with_custom_authorizer(
         region=None,
         credentials_provider=None,
@@ -590,7 +599,7 @@ def websockets_with_custom_authorizer(
         auth_authorizer_signature (`str`):  The digital signature of the token value in the `auth_token_value`
             parameter. The signature must be based on the private key associated with the custom authorizer.  The
             signature must be base64 encoded.
-            Required if the custom authorizer has signing enabled.  
+            Required if the custom authorizer has signing enabled.
 
         auth_token_key_name (`str`): Key used to extract the custom authorizer token from MQTT username query-string
             properties.
@@ -616,15 +625,15 @@ def websockets_with_custom_authorizer(
 
 
 def _with_custom_authorizer(auth_username=None,
-        auth_authorizer_name=None,
-        auth_authorizer_signature=None,
-        auth_password=None,
-        auth_token_key_name=None,
-        auth_token_value=None,
-        use_websockets=False,
-        websockets_credentials_provider=None,
-        websockets_region=None,
-        **kwargs) -> awscrt.mqtt.Connection:
+                            auth_authorizer_name=None,
+                            auth_authorizer_signature=None,
+                            auth_password=None,
+                            auth_token_key_name=None,
+                            auth_token_value=None,
+                            use_websockets=False,
+                            websockets_credentials_provider=None,
+                            websockets_region=None,
+                            **kwargs) -> awscrt.mqtt.Connection:
     """
     Helper function that contains the setup needed for custom authorizers
     """
@@ -657,7 +666,7 @@ def _with_custom_authorizer(auth_username=None,
     kwargs["password"] = auth_password
 
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    if use_websockets == False:
+    if not use_websockets:
         kwargs["port"] = 443
         tls_ctx_options.alpn_list = ["mqtt"]