34 changes: 30 additions & 4 deletions awsiot/mqtt5_client_builder.py
Expand Up @@ -362,7 +362,8 @@ def _builder(
return client


def mtls_from_path(cert_filepath, pri_key_filepath, **kwargs) -> awscrt.mqtt5.Client:
def mtls_from_path(cert_filepath, pri_key_filepath, cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT.
TLS arguments are passed as filepaths.
Expand All @@ -377,10 +378,15 @@ def mtls_from_path(cert_filepath, pri_key_filepath, **kwargs) -> awscrt.mqtt5.Cl
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_from_path(cert_filepath, pri_key_filepath)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def mtls_from_bytes(cert_bytes, pri_key_bytes, **kwargs) -> awscrt.mqtt5.Client:
def mtls_from_bytes(
cert_bytes,
pri_key_bytes,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT.
TLS arguments are passed as in-memory bytes.
Expand All @@ -395,6 +401,7 @@ def mtls_from_bytes(cert_bytes, pri_key_bytes, **kwargs) -> awscrt.mqtt5.Client:
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls(cert_bytes, pri_key_bytes)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


Expand All @@ -406,6 +413,7 @@ def mtls_with_pkcs11(*,
private_key_label: str = None,
cert_filepath: str = None,
cert_bytes=None,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT connection to AWS IoT,
Expand Down Expand Up @@ -451,11 +459,14 @@ def mtls_with_pkcs11(*,
private_key_label=private_key_label,
cert_file_path=cert_filepath,
cert_file_contents=cert_bytes)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def mtls_with_pkcs12(*,
pkcs12_filepath: str,
pkcs12_password: str,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
Expand All @@ -476,11 +487,13 @@ def mtls_with_pkcs12(*,
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_pkcs12(
pkcs12_filepath=pkcs12_filepath,
pkcs12_password=pkcs12_password)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def mtls_with_windows_cert_store_path(*,
cert_store_path: str,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT,
Expand All @@ -499,13 +512,15 @@ def mtls_with_windows_cert_store_path(*,
_check_required_kwargs(**kwargs)

tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_windows_cert_store_path(cert_store_path)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def websockets_with_default_aws_signing(
region,
credentials_provider,
websocket_proxy_options=None,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client over websockets to AWS IoT.
Expand Down Expand Up @@ -543,12 +558,17 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
except Exception as e:
transform_args.set_done(e)

return websockets_with_custom_handshake(_sign_websocket_handshake_request, websocket_proxy_options, **kwargs)
return websockets_with_custom_handshake(
_sign_websocket_handshake_request,
websocket_proxy_options,
cipher_suite,
**kwargs)


def websockets_with_custom_handshake(
websocket_handshake_transform,
websocket_proxy_options=None,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client over websockets,
Expand Down Expand Up @@ -576,6 +596,7 @@ def websockets_with_custom_handshake(
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions()
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options=tls_ctx_options,
use_websockets=True,
websocket_handshake_transform=websocket_handshake_transform,
Expand Down Expand Up @@ -607,6 +628,7 @@ def direct_with_custom_authorizer(
auth_password=None,
auth_token_key_name=None,
auth_token_value=None,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client using a custom
Expand Down Expand Up @@ -673,6 +695,7 @@ def direct_with_custom_authorizer(

tls_ctx_options = awscrt.io.TlsContextOptions()
tls_ctx_options.alpn_list = ["mqtt"]
tls_ctx_options.cipher_pref = cipher_suite

return _builder(tls_ctx_options=tls_ctx_options,
use_websockets=False,
Expand All @@ -688,6 +711,7 @@ def websockets_with_custom_authorizer(
websocket_proxy_options=None,
auth_token_key_name=None,
auth_token_value=None,
cipher_suite=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client using a custom
Expand Down Expand Up @@ -757,6 +781,7 @@ def websockets_with_custom_authorizer(
kwargs["password"] = auth_password

tls_ctx_options = awscrt.io.TlsContextOptions()
tls_ctx_options.cipher_pref = cipher_suite

def _sign_websocket_handshake_request(transform_args, **kwargs):
# transform_args need to know when transform is done
Expand All @@ -773,7 +798,7 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
**kwargs)


def new_default_builder(**kwargs) -> awscrt.mqtt5.Client:
def new_default_builder(cipher_suite=awscrt.io.TlsCipherPref.DEFAULT, **kwargs) -> awscrt.mqtt5.Client:
"""
This builder creates an :class:`awscrt.mqtt5.Client`, without any configuration besides the default TLS context options.

Expand All @@ -782,6 +807,7 @@ def new_default_builder(**kwargs) -> awscrt.mqtt5.Client:
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions()
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options=tls_ctx_options,
use_websockets=False,
**kwargs)
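Review bot: The new `cipher_suite` parameter is added to every builder signature in this file, but no hunk touches the Keyword Args section of any docstring (each hunk resumes at the closing `"""`), so the parameter is undocumented; each builder should gain an entry along the lines of `cipher_suite (awscrt.io.TlsCipherPref): TLS cipher preference applied to the TLS context as cipher_pref; defaults to TlsCipherPref.DEFAULT.` The parameter is also unannotated here while the sibling mqtt_connection_builder.py declares it as `cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT`; the two modules should agree. In the builders whose parameters are not keyword-only (`mtls_from_path`, `mtls_from_bytes`, `websockets_with_custom_handshake`, `new_default_builder`) the new parameter is positional, so a stray extra positional argument that previously raised TypeError is now silently taken as the cipher preference; placing it after `*` as the pkcs11/pkcs12/cert-store builders already do would avoid that. Since the name suggests a single suite but the value is a `TlsCipherPref` ordering, the docstring entry should make clear it is a preference list, not a cipher pin.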
59 changes: 45 additions & 14 deletions awsiot/mqtt_connection_builder.py
Expand Up @@ -258,7 +258,11 @@ def _builder(
)


def mtls_from_path(cert_filepath, pri_key_filepath, **kwargs) -> awscrt.mqtt.Connection:
def mtls_from_path(
cert_filepath,
pri_key_filepath,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT.
TLS arguments are passed as filepaths.
Expand All @@ -273,10 +277,15 @@ def mtls_from_path(cert_filepath, pri_key_filepath, **kwargs) -> awscrt.mqtt.Con
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_from_path(cert_filepath, pri_key_filepath)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def mtls_from_bytes(cert_bytes, pri_key_bytes, **kwargs) -> awscrt.mqtt.Connection:
def mtls_from_bytes(
cert_bytes,
pri_key_bytes,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT.
TLS arguments are passed as in-memory bytes.
Expand All @@ -291,6 +300,7 @@ def mtls_from_bytes(cert_bytes, pri_key_bytes, **kwargs) -> awscrt.mqtt.Connecti
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls(cert_bytes, pri_key_bytes)
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options, **kwargs)


Expand All @@ -302,6 +312,7 @@ def mtls_with_pkcs11(*,
private_key_label: str = None,
cert_filepath: str = None,
cert_bytes=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
Expand Down Expand Up @@ -347,12 +358,15 @@ def mtls_with_pkcs11(*,
private_key_label=private_key_label,
cert_file_path=cert_filepath,
cert_file_contents=cert_bytes)
tls_ctx_options.cipher_pref = cipher_suite

return _builder(tls_ctx_options, **kwargs)


def mtls_with_pkcs12(*,
pkcs12_filepath: str,
pkcs12_password: str,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
Expand All @@ -373,11 +387,13 @@ def mtls_with_pkcs12(*,
tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_pkcs12(
pkcs12_filepath=pkcs12_filepath,
pkcs12_password=pkcs12_password)
tls_ctx_options.cipher_suite = cipher_suite
return _builder(tls_ctx_options, **kwargs)


def mtls_with_windows_cert_store_path(*,
cert_store_path: str,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
Expand All @@ -396,6 +412,7 @@ def mtls_with_windows_cert_store_path(*,
_check_required_kwargs(**kwargs)

tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_windows_cert_store_path(cert_store_path)
tls_ctx_options.cipher_pref = cipher_suite

return _builder(tls_ctx_options, **kwargs)

Expand All @@ -404,6 +421,7 @@ def websockets_with_default_aws_signing(
region,
credentials_provider,
websocket_proxy_options=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection over websockets to AWS IoT.
Expand Down Expand Up @@ -441,12 +459,17 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
except Exception as e:
transform_args.set_done(e)

return websockets_with_custom_handshake(_sign_websocket_handshake_request, websocket_proxy_options, **kwargs)
return websockets_with_custom_handshake(
_sign_websocket_handshake_request,
cipher_suite,
websocket_proxy_options,
**kwargs)


def websockets_with_custom_handshake(
websocket_handshake_transform,
websocket_proxy_options=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection over websockets,
Expand Down Expand Up @@ -474,6 +497,7 @@ def websockets_with_custom_handshake(
"""
_check_required_kwargs(**kwargs)
tls_ctx_options = awscrt.io.TlsContextOptions()
tls_ctx_options.cipher_pref = cipher_suite
return _builder(tls_ctx_options=tls_ctx_options,
use_websockets=True,
websocket_handshake_transform=websocket_handshake_transform,
Expand Down Expand Up @@ -505,6 +529,7 @@ def direct_with_custom_authorizer(
auth_password=None,
auth_token_key_name=None,
auth_token_value=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection using a custom
Expand Down Expand Up @@ -550,8 +575,10 @@ def direct_with_custom_authorizer(
auth_token_key_name=auth_token_key_name,
auth_token_value=auth_token_value,
use_websockets=False,
cipher_suite: awscrt.io.TlsCipherPref=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs)


def websockets_with_custom_authorizer(
region=None,
credentials_provider=None,
Expand All @@ -561,6 +588,7 @@ def websockets_with_custom_authorizer(
auth_password=None,
auth_token_key_name=None,
auth_token_value=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection using a custom
Expand Down Expand Up @@ -590,7 +618,7 @@ def websockets_with_custom_authorizer(
auth_authorizer_signature (`str`): The digital signature of the token value in the `auth_token_value`
parameter. The signature must be based on the private key associated with the custom authorizer. The
signature must be base64 encoded.
Required if the custom authorizer has signing enabled.
Required if the custom authorizer has signing enabled.

auth_token_key_name (`str`): Key used to extract the custom authorizer token from MQTT username query-string
properties.
Expand All @@ -612,19 +640,21 @@ def websockets_with_custom_authorizer(
use_websockets=True,
websockets_region=region,
websockets_credentials_provider=credentials_provider,
cipher_suite: awscrt.io.TlsCipherPref=awscrt.io.TlsCipherPref.DEFAULT,
**kwargs)


def _with_custom_authorizer(auth_username=None,
auth_authorizer_name=None,
auth_authorizer_signature=None,
auth_password=None,
auth_token_key_name=None,
auth_token_value=None,
use_websockets=False,
websockets_credentials_provider=None,
websockets_region=None,
**kwargs) -> awscrt.mqtt.Connection:
auth_authorizer_name=None,
auth_authorizer_signature=None,
auth_password=None,
auth_token_key_name=None,
auth_token_value=None,
use_websockets=False,
websockets_credentials_provider=None,
websockets_region=None,
cipher_suite: awscrt.io.TlsCipherPref = awscrt.io.TlsCipherPref.DEFAULT,
**kwargs) -> awscrt.mqtt.Connection:
"""
Helper function that contains the setup needed for custom authorizers
"""
Expand Down Expand Up @@ -657,7 +687,8 @@ def _with_custom_authorizer(auth_username=None,
kwargs["password"] = auth_password

tls_ctx_options = awscrt.io.TlsContextOptions()
if use_websockets == False:
tls_ctx_options.cipher_pref = cipher_suite
if not use_websockets:
kwargs["port"] = 443
tls_ctx_options.alpn_list = ["mqtt"]

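Review bot: In `direct_with_custom_authorizer` and `websockets_with_custom_authorizer` the `_with_custom_authorizer(...)` calls now carry the argument `cipher_suite: awscrt.io.TlsCipherPref=awscrt.io.TlsCipherPref.DEFAULT,` — as rendered here that is parameter syntax inside a call and will not parse, and even as a plain keyword it would pass the constant rather than the caller's value; both calls should read `cipher_suite=cipher_suite,`. The caller's preference is also dropped in two other hunks of this file: `mtls_with_pkcs12` assigns `tls_ctx_options.cipher_suite = cipher_suite` where every other builder sets `tls_ctx_options.cipher_pref = cipher_suite`, so the value presumably never reaches the TLS context there, and `websockets_with_default_aws_signing` forwards `websockets_with_custom_handshake(_sign_websocket_handshake_request, cipher_suite, websocket_proxy_options, **kwargs)`, which binds `cipher_suite` to the callee's second positional parameter `websocket_proxy_options` and the proxy options to `cipher_suite` (the mqtt5 module passes them in the correct order). In each of these paths a caller that asks for a stricter cipher preference silently keeps the default or fails to connect, so a unit test asserting `tls_ctx_options.cipher_pref` for every builder would catch all three.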