Support boringssl SSLCredential API #935
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@normanmaurer: If you could PTAL. Curious if you have a different design suggestion? This should pave the path for PQC support in |
normanmaurer
requested changes
Jun 27, 2025
Member
normanmaurer
left a comment
normanmaurer
left a comment
There was a problem hiding this comment.
First round of review...
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
…turn for non-getters
chrisvest
requested changes
Jun 27, 2025
# Conflicts: # openssl-dynamic/src/main/c/sslcontext.c
normanmaurer
requested changes
Jun 28, 2025
openssl-classes/src/main/java/io/netty/internal/tcnative/SSLCredential.java
Show resolved
Hide resolved
openssl-classes/src/main/java/io/netty/internal/tcnative/SSLCredential.java
Show resolved
Hide resolved
openssl-classes/src/main/java/io/netty/internal/tcnative/SSLCredential.java
Outdated
Show resolved
Hide resolved
…edential.java Co-authored-by: Norman Maurer <[email protected]>
…edential.java Co-authored-by: Norman Maurer <[email protected]>
…edential.java Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Norman Maurer <[email protected]>
Contributor
Author
|
@normanmaurer @chrisvest the first rounds of feedback should be addressed; I'm not sure if the centos6 build failure is related to my change. |
chrisvest
approved these changes
Jul 18, 2025
Member
|
I think this looks good. Sorry it took a while to get back to reviewing it again. |
Contributor
Author
|
@chrisvest thank you for the review, I can look into integrating this once it merges. @normanmaurer the requested changes is still showing from the first round review, I'm not sure if that's blocking or not for this repo |
Contributor
Author
|
@normanmaurer would you be able to take another look this week? |
Member
|
@jmcrawford45 I am currently on PTO... will check once back |
This was referenced Nov 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Historically, BoringSSL lacked a built-in method to select between RSA and ECDSA certificates. The selection process, especially at TLS 1.2, is quite complex, as detailed in this link. TLS 1.3 simplifies this process significantly. Additionally, within ECDSA, there are different curves to consider, and future developments will introduce post-quantum key types. Recently, the SSL Credential API was introduced to BoringSSL to address this and a variety of other certificate negotiation decisions, such as:
Different kinds of credentials (delegate credentials, raw public keys, external PSKs, and more future innovations.
Negotiation for trust anchors to aid in PQ transitions and PKI agility.
Modifications:
Add JNI bindings for all the existing SSL_Credential related functionality in BoringSSL.
Result:
The SSL_CREDENTIAL consolidates everything related to a single "credential" into an object. Credentials can vary in type, such as X.509 certificates or others. Each credential has criteria, based on TLS protocol rules, to determine its applicability to a connection. Users configure an ordered preference list of credentials, and BoringSSL selects the first matching one.
This approach can be used alongside application-specific selection logic, like SNI dispatch. End users would use their criteria to select a list of candidates, such as an ECDSA and RSA certificate for a host, configure them in preference order with BoringSSL, and BoringSSL will evaluate them according to protocol rules.
Implements #918