diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategy.java
new file mode 100644
index 0000000000..99c91a1311
--- /dev/null
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategy.java
@@ -0,0 +1,340 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * SPKI pinning decorator for client-side TLS.
+ *
+ * This strategy enforces one or more {@code sha256/} pins for a given
+ * host or single-label wildcard (e.g. {@code *.example.com}) after the standard
+ * trust manager and hostname verification succeed. Pins are matched against the
+ * {@code SubjectPublicKeyInfo} (SPKI) of any certificate in the peer chain.
+ *
+ * Host matching is performed on the IDNA ASCII (Punycode) lowercase form.
+ * Wildcards are single-label only (e.g. {@code *.example.com} matches
+ * {@code a.example.com} but not {@code a.b.example.com}).
+ *
+ * Warning: Certificate pinning increases operational risk.
+ * Always ship at least two pins (active + backup) and keep
+ * normal PKI + hostname verification enabled.
+ *
+ * Thread-safety: immutable and thread-safe.
+ *
+ * @since 5.6
+ */
+@Contract(threading = ThreadingBehavior.IMMUTABLE)
+public final class SpkiPinningClientTlsStrategy extends DefaultClientTlsStrategy {
+
+ private static final String PIN_PREFIX = "sha256/";
+ private static final int SHA256_LEN = 32;
+
+ /**
+ * Byte-array key with constant-time equality for use in sets/maps.
+ */
+ private static final class ByteArrayKey {
+ final byte[] v;
+ private final int hash;
+
+ ByteArrayKey(final byte[] v) {
+ this.v = Objects.requireNonNull(v, "bytes");
+ int h = 1;
+ for (int i = 0; i < v.length; i++) {
+ h = 31 * h + (v[i] & 0xff);
+ }
+ this.hash = h;
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (!(o instanceof ByteArrayKey)) {
+ return false;
+ }
+ return MessageDigest.isEqual(v, ((ByteArrayKey) o).v);
+ }
+
+ @Override
+ public int hashCode() {
+ return hash;
+ }
+ }
+
+ /**
+ * Match rule for a host or single-label wildcard.
+ */
+ private static final class Rule {
+ final String pattern; // normalized: IDNA ASCII + lowercase
+ final boolean wildcard; // true if pattern starts with "*."
+ final String tail; // for wildcard, ".example.com"; otherwise null
+ final Set pins; // unmodifiable set of 32-byte SHA-256 hashes
+
+ Rule(final String pattern, final Set pins) {
+ if (pattern == null) {
+ throw new IllegalArgumentException("Host pattern must not be null");
+ }
+ final String norm;
+ try {
+ norm = IDN.toASCII(pattern).toLowerCase(Locale.ROOT);
+ } catch (final IllegalArgumentException e) {
+ throw new IllegalArgumentException("Invalid IDN host pattern: " + pattern, e);
+ }
+ if (norm.isEmpty()) {
+ throw new IllegalArgumentException("Empty host pattern");
+ }
+ final boolean wc = norm.startsWith("*.");
+ if (wc && norm.indexOf('.', 2) < 0) { // require "*."
+ throw new IllegalArgumentException("Wildcard must be single-label: *.example.com");
+ }
+ if (pins == null || pins.isEmpty()) {
+ throw new IllegalArgumentException("At least one SPKI pin is required for " + pattern);
+ }
+ this.pattern = norm;
+ this.wildcard = wc;
+ this.tail = wc ? norm.substring(1) : null; // ".example.com"
+ this.pins = Collections.unmodifiableSet(new HashSet<>(pins));
+ }
+
+ // In Rule
+ boolean matches(final String host) {
+ if (host == null || host.isEmpty()) {
+ return false;
+ }
+ if (wildcard) {
+ if (!host.endsWith(tail)) {
+ return false;
+ }
+ final int boundary = host.length() - tail.length();
+ if (boundary < 1) {
+ return false;
+ }
+ if (host.charAt(boundary) != '.') {
+ return false;
+ }
+ return host.indexOf('.', 0) == boundary;
+ }
+ return host.equals(pattern);
+ }
+
+ }
+
+ private final List rules;
+
+ private SpkiPinningClientTlsStrategy(final SSLContext sslContext, final List rules) {
+ super(sslContext);
+ this.rules = Collections.unmodifiableList(new ArrayList<>(rules));
+ }
+
+ /**
+ * Invoked after the default trust and hostname checks. If one or more rules match the
+ * {@code hostname}, at least one pin must match any SPKI in the peer chain.
+ */
+ @Override
+ protected void verifySession(final String hostname, final SSLSession sslSession) throws SSLException {
+ final String host;
+ try {
+ // Canonicalize host: IDNA (Punycode) + lowercase for consistent matching.
+ host = IDN.toASCII(hostname == null ? "" : hostname).toLowerCase(Locale.ROOT);
+ } catch (final IllegalArgumentException e) {
+ throw new SSLException("Invalid IDN host: " + hostname, e);
+ }
+ super.verifySession(host, sslSession);
+ enforcePins(host, sslSession);
+ }
+
+ /**
+ * Enforce SPKI pins for the given hostname and session.
+ * Package-private for testing.
+ */
+ void enforcePins(final String hostname, final SSLSession sslSession) throws SSLException {
+ final List matched = matchedRules(hostname);
+ if (matched.isEmpty()) {
+ return; // No pins configured for this host.
+ }
+
+ final byte[][] peerSpkiHashes = chainSpkiSha256(sslSession);
+ for (int i = 0; i < peerSpkiHashes.length; i++) {
+ final ByteArrayKey key = new ByteArrayKey(peerSpkiHashes[i]);
+ for (int r = 0; r < matched.size(); r++) {
+ if (matched.get(r).pins.contains(key)) {
+ return; // match found
+ }
+ }
+ }
+
+ throw new SSLException("SPKI pinning failure for " + hostname
+ + "; peer pins: " + peerPinsForLog(peerSpkiHashes)
+ + "; configured pins: " + configuredPinsFor(matched));
+ }
+
+
+ /**
+ * Create a new builder.
+ *
+ * @param sslContext SSL context used for handshakes (trust + keys).
+ * @return builder
+ */
+ public static Builder newBuilder(final SSLContext sslContext) {
+ return new Builder(sslContext);
+ }
+
+ /**
+ * Builder for {@link SpkiPinningClientTlsStrategy}.
+ */
+ public static final class Builder {
+ private final SSLContext sslContext;
+ private final List rules = new ArrayList<>();
+
+ private Builder(final SSLContext sslContext) {
+ this.sslContext = Objects.requireNonNull(sslContext, "sslContext");
+ }
+
+ /**
+ * Add pins for a host pattern.
+ *
+ * @param hostPattern exact host (e.g. {@code api.example.com}) or single-label wildcard
+ * (e.g. {@code *.example.com}).
+ * @param pins one or more pins in the form {@code sha256/BASE64}.
+ * @return this
+ * @throws IllegalArgumentException if a pin is not {@code sha256/...}, has invalid Base64, or wrong length.
+ */
+ public Builder add(final String hostPattern, final String... pins) {
+ if (pins == null || pins.length == 0) {
+ throw new IllegalArgumentException("No pins supplied for " + hostPattern);
+ }
+ final Set set = new HashSet<>(pins.length);
+ for (int i = 0; i < pins.length; i++) {
+ set.add(parsePin(pins[i]));
+ }
+ rules.add(new Rule(hostPattern, set));
+ return this;
+ }
+
+ /**
+ * Build an immutable {@link SpkiPinningClientTlsStrategy}.
+ */
+ public SpkiPinningClientTlsStrategy build() {
+ return new SpkiPinningClientTlsStrategy(sslContext, rules);
+ }
+
+ private static ByteArrayKey parsePin(final String s) {
+ if (s == null) {
+ throw new IllegalArgumentException("Pin must not be null");
+ }
+ final String t = s.trim();
+ if (!t.regionMatches(true, 0, PIN_PREFIX, 0, PIN_PREFIX.length())) {
+ throw new IllegalArgumentException("Only sha256 pins are supported: " + s);
+ }
+ final String b64 = t.substring(PIN_PREFIX.length()).trim();
+ final byte[] raw;
+ try {
+ raw = Base64.getDecoder().decode(b64);
+ } catch (final IllegalArgumentException e) {
+ throw new IllegalArgumentException("Invalid Base64 in SPKI pin: " + s, e);
+ }
+ if (raw.length != SHA256_LEN) {
+ throw new IllegalArgumentException("SPKI pin must be 32 bytes (SHA-256): " + s);
+ }
+ return new ByteArrayKey(raw);
+ }
+ }
+
+
+ private List matchedRules(final String host) {
+ final List out = new ArrayList<>();
+ for (int i = 0; i < rules.size(); i++) {
+ final Rule r = rules.get(i);
+ if (r.matches(host)) {
+ out.add(r);
+ }
+ }
+ return out;
+ }
+
+ private static byte[][] chainSpkiSha256(final SSLSession session) throws SSLException {
+ final Certificate[] chain = session.getPeerCertificates();
+ try {
+ final MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
+ final List out = new ArrayList<>(chain.length);
+ for (int i = 0; i < chain.length; i++) {
+ final Certificate c = chain[i];
+ if (c instanceof X509Certificate) {
+ final byte[] spki = ((X509Certificate) c).getPublicKey().getEncoded();
+ out.add(sha256.digest(spki));
+ }
+ }
+ if (out.isEmpty()) {
+ throw new SSLException("No X509Certificate in peer chain");
+ }
+ return out.toArray(new byte[out.size()][]);
+ } catch (final SSLException e) {
+ throw e;
+ } catch (final Exception e) {
+ throw new SSLException("Cannot compute SPKI sha256", e);
+ }
+ }
+
+ private static String configuredPinsFor(final List rules) {
+ final List pins = new ArrayList<>();
+ for (int i = 0; i < rules.size(); i++) {
+ for (final ByteArrayKey k : rules.get(i).pins) {
+ pins.add(PIN_PREFIX + Base64.getEncoder().encodeToString(k.v));
+ }
+ }
+ return pins.toString();
+ }
+
+ private static String peerPinsForLog(final byte[][] hashes) {
+ final List pins = new ArrayList<>(hashes.length);
+ for (int i = 0; i < hashes.length; i++) {
+ pins.add(PIN_PREFIX + Base64.getEncoder().encodeToString(hashes[i]));
+ }
+ return pins.toString();
+ }
+}
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientSpkiPinningExample.java b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientSpkiPinningExample.java
new file mode 100644
index 0000000000..a05c4b2367
--- /dev/null
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientSpkiPinningExample.java
@@ -0,0 +1,83 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * Warning: Replace the pins with real values for your hosts and always ship a
+ * backup pin. Keep PKI + hostname verification enabled.
+ */
+public class ClientSpkiPinningExample {
+
+ public static void main(final String[] args) throws Exception {
+ final SSLContext sslContext = SSLContexts.createSystemDefault();
+
+ final SpkiPinningClientTlsStrategy pinning = SpkiPinningClientTlsStrategy
+ .newBuilder(sslContext)
+ // Replace with real host(s) and real pins (sha256/)
+ .add("example.com",
+ "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+ "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup
+ .add("*.example.net",
+ "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=")
+ .build();
+
+ final PoolingHttpClientConnectionManager cm =
+ PoolingHttpClientConnectionManagerBuilder.create()
+ .setTlsSocketStrategy(pinning) // classic path
+ .build();
+
+ try (final CloseableHttpClient httpclient = HttpClients.custom()
+ .setConnectionManager(cm)
+ .build()) {
+
+ final HttpGet httpget = new HttpGet("https://example.com/");
+ System.out.println("Executing: " + httpget.getMethod() + " " + httpget.getUri());
+
+ httpclient.execute(httpget, response -> {
+ System.out.println("----------------------------------------");
+ System.out.println(httpget + " -> " + new StatusLine(response));
+ EntityUtils.consume(response.getEntity());
+ return null;
+ });
+ }
+ }
+}
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategyTest.java b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategyTest.java
new file mode 100644
index 0000000000..cf83fca9d1
--- /dev/null
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/SpkiPinningClientTlsStrategyTest.java
@@ -0,0 +1,491 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * getCriticalExtensionOIDs() {
+ return null;
+ }
+
+ @Override
+ public Set getNonCriticalExtensionOIDs() {
+ return null;
+ }
+
+ @Override
+ public byte[] getExtensionValue(final String oid) {
+ return null;
+ }
+
+ @Override
+ public boolean hasUnsupportedCriticalExtension() {
+ return false;
+ }
+ }
+
+ private static final class FakeSession implements SSLSession {
+ private final X509Certificate[] chain;
+
+ FakeSession(final X509Certificate cert) {
+ this.chain = new X509Certificate[]{cert};
+ }
+
+ @Override
+ public java.security.cert.Certificate[] getPeerCertificates() {
+ return chain;
+ }
+
+ @Override
+ public javax.security.cert.X509Certificate[] getPeerCertificateChain() {
+ return new javax.security.cert.X509Certificate[0];
+ }
+
+ @Override
+ public String getProtocol() {
+ return "TLSv1.3";
+ }
+
+ @Override
+ public String getCipherSuite() {
+ return "TLS_AES_128_GCM_SHA256";
+ }
+
+ @Override
+ public Principal getPeerPrincipal() {
+ return null;
+ }
+
+ @Override
+ public Principal getLocalPrincipal() {
+ return null;
+ }
+
+ @Override
+ public java.security.cert.Certificate[] getLocalCertificates() {
+ return new java.security.cert.Certificate[0];
+ }
+
+ @Override
+ public String getPeerHost() {
+ return "api.example.com";
+ }
+
+ @Override
+ public int getPeerPort() {
+ return 443;
+ }
+
+ @Override
+ public int getPacketBufferSize() {
+ return 0;
+ }
+
+ @Override
+ public int getApplicationBufferSize() {
+ return 0;
+ }
+
+ @Override
+ public long getCreationTime() {
+ return 0;
+ }
+
+ @Override
+ public long getLastAccessedTime() {
+ return 0;
+ }
+
+ @Override
+ public void invalidate() {
+ }
+
+ @Override
+ public boolean isValid() {
+ return true;
+ }
+
+ @Override
+ public Object getValue(final String s) {
+ return null;
+ }
+
+ @Override
+ public String[] getValueNames() {
+ return new String[0];
+ }
+
+ @Override
+ public void putValue(final String s, final Object o) {
+ }
+
+ @Override
+ public void removeValue(final String s) {
+ }
+
+ @Override
+ public javax.net.ssl.SSLSessionContext getSessionContext() {
+ return null;
+ }
+
+ @Override
+ public byte[] getId() {
+ return new byte[0];
+ }
+ }
+}