Google Git
Sign in
boringssl/boringssl/33f8d62d539c862a6bef887c487a7c5807098889
commit
33f8d62d539c862a6bef887c487a7c5807098889
[log]
author
Lily Chen <chlily@google.com>
Fri Jan 23 20:45:46 2026 +0000
committer
Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Mon Apr 06 15:45:17 2026 -0700
tree
c9f8e2eaff0f32a515cb21ebe365f62eb6d66f02
parent
d8be2b4a71155bf82da092ef543176351eeb59ff [diff]
Raw Public Keys: Configure and advertise available client cert types

This CL adds a new SSL_CREDENTIAL type for Raw Public Keys. This type of
credential must have a public key and (either a private key or private
key method) configured in order to be considered complete.

This CL implements advertising the caller's available cert types (as a
client) in the client_certificate_type extension in ClientHello. By
default, this is automatically populated based on the configured
credential list.

The caller, as a client, may also configure the credential list late, or
may want to deviate from the the available client_certificate_types
computed by default. For such cases, this CL also adds an API function
to explicitly configure available client cert types offered in the
ClientHello.

Advertising the server_certificate_type extension in ServerHello, which
depends on the configured credential list as well as other decisions, is
implemented later.

Bug: 467663225
Change-Id: I36da8c1a135cfb423155cf9c7b8d8dc06a6a6964
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/89829
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Lily Chen <chlily@google.com>
15 files changed
tree: c9f8e2eaff0f32a515cb21ebe365f62eb6d66f02
  1. .bcr/
  2. .github/
  3. bench/
  4. cmake/
  5. crypto/
  6. decrepit/
  7. docs/
  8. fuzz/
  9. gen/
  10. include/
  11. infra/
  12. pki/
  13. rust/
  14. ssl/
  15. third_party/
  16. tool/
  17. util/
  18. .bazelignore
  19. .bazelrc
  20. .bazelversion
  21. .clang-format
  22. .clang-format-ignore
  23. .gitignore
  24. API-CONVENTIONS.md
  25. AUTHORS
  26. BREAKING-CHANGES.md
  27. BUILD.bazel
  28. build.json
  29. BUILDING.md
  30. CMakeLists.txt
  31. codereview.settings
  32. CONTRIBUTING.md
  33. FUZZING.md
  34. go.mod
  35. go.sum
  36. INCORPORATING.md
  37. LICENSE
  38. MODULE.bazel
  39. MODULE.bazel.lock
  40. PORTING.md
  41. PRESUBMIT.py
  42. PrivacyInfo.xcprivacy
  43. README.md
  44. SANDBOXING.md
  45. SECURITY.md
  46. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: