aliyun · huiguangjun · Jul 1, 2025 · May 15, 2025
diff --git a/src/main/java/com/aliyun/oss/ClientConfiguration.java b/src/main/java/com/aliyun/oss/ClientConfiguration.java
@@ -19,6 +19,7 @@
 
 package com.aliyun.oss;
 
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedHashMap;
@@ -129,6 +130,8 @@ public class ClientConfiguration {
 
     private boolean enableAutoCorrectClockSkew = false;
 
+    private KeyStore keyStore = null;
+
     public ClientConfiguration() {
         super();
         AppendDefaultExcludeList(this.cnameExcludeList);
@@ -1017,4 +1020,35 @@ public boolean isEnableAutoCorrectClockSkew() {
     public void setEnableAutoCorrectClockSkew(boolean enableAutoCorrectClockSkew) {
         this.enableAutoCorrectClockSkew = enableAutoCorrectClockSkew;
     }
+
+    /**
+     * Gets the KeyStore currently configured for SSL/TLS operations.
+     * <p>
+     * This KeyStore typically contains trusted certificates (for server verification)
+     * or client certificates (for mutual authentication). The returned KeyStore is
+     * the same instance that was set via {@link #setKeyStore(KeyStore)}.
+     * <p>
+     * Note: If no KeyStore has been explicitly set, this method may return `null`.
+     * Applications should ensure the KeyStore is properly initialized and configured
+     * before use in SSL/TLS contexts.
+     *
+     * @return the KeyStore instance (e.g., JKS or PKCS12 format), or `null` if not set.
+     */
+    public KeyStore getKeyStore() {
+        return keyStore;
+    }
+
+    /**
+     * Sets the KeyStore to be used for SSL/TLS operations.
+     * <p>
+     * This KeyStore typically contains trusted certificates (for server verification)
+     * or client certificates (for mutual authentication). The KeyStore must be
+     * pre-initialized and populated with the necessary certificates/keys before being set.
+     *
+     * @param keyStore the KeyStore instance (e.g., JKS or PKCS12 format) to be used.
+     *                 Must not be null.
+     */
+    public void setKeyStore(KeyStore keyStore) {
+        this.keyStore = keyStore;
+    }
 }
diff --git a/src/main/java/com/aliyun/oss/common/comm/DefaultServiceClient.java b/src/main/java/com/aliyun/oss/common/comm/DefaultServiceClient.java
@@ -248,7 +248,11 @@ protected HttpClientConnectionManager createHttpClientConnectionManager() {
 
             // get trustManager using default certification from jdk
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init((KeyStore) null);
+            if (config.getKeyStore() != null){
+                tmf.init(config.getKeyStore());
+            } else {
+                tmf.init((KeyStore) null);
+            }
             trustManagerList.addAll(Arrays.asList(tmf.getTrustManagers()));
 
             final List<X509TrustManager> finalTrustManagerList = new ArrayList<X509TrustManager>();