commit | 47a444f77c2a74d9b5a366ff53a14c2a0fac6e9f | [log] [tgz] |
---|---|---|
author | QUICHE team <quiche-dev@google.com> | Mon May 12 21:46:52 2025 -0700 |
committer | Copybara-Service <copybara-worker@google.com> | Mon May 12 21:47:51 2025 -0700 |
tree | 08e1b2f6a3e1d2bd980ef87520a8f284fc732a84 | |
parent | bbe16c18d2fc0ea4bc261b20dbc28fe53e32bf13 [diff] |
Add QUIC client support for Trust Anchor IDs

Design doc: https://docs.google.com/document/d/1aO36iL4lLve7X13j3COPz4D7465m64x8Si8i8W3JDDk/edit?resourcekey=0-x7c0yQk0k-MLysVvy4GI_g&tab=t.0#heading=h.bat9awopsp53

This CL adds QUIC client support for https://tlswg.org/tls-trust-anchor-ids/draft-ietf-tls-trust-anchor-ids.html. It adds a field to QuicSSLConfig that can optionally be populated with a list of Trust Anchor IDs. If set, this will be used to configure BoringSSL to send the Trust Anchor IDs extension.

To be able to test this, I added some rudimentary server support, namely adding a |trust_anchor_id| to ProofSource::Chain which, if non-empty, is configured alongside the server certificate using the SSL_CREDENTIAL API (see go/ssl-credential). Further work will be needed for true TAI server support, but this (along with a getter to check if the server indicated that the certificate matched the client's TAI list) is enough to test the client code.

Protected by FLAGS_gfe2_reloadable_flag_enable_tls_trust_anchor_ids.

PiperOrigin-RevId: 758041574
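The negotiation the commit message describes, modelled as an added illustration that is not QUICHE or BoringSSL code: the client serialises its list of Trust Anchor IDs for the ClientHello extension, and the server picks the credential whose configured trust_anchor_id is in that list, falling back to its default chain (with "matched" false) otherwise. The wire encoding follows my reading of the draft (each ID is a relative OID's base-128 content octets, carried as opaque<1..2^8-1> inside a two-byte-length-prefixed list); that reading, the function names and the ID values used below are all assumptions, not taken from the page.

```python
"""Toy model of TLS Trust Anchor ID negotiation (added example, not QUICHE code).

Assumptions (from my reading of draft-ietf-tls-trust-anchor-ids, not from the
commit): an ID is a relative OID encoded as its DER content octets, and the
ClientHello extension body is a uint16-length-prefixed list of uint8-length-
prefixed IDs. The OIDs and chain labels below are constructed for the demo.
"""
import struct


def encode_relative_oid(dotted: str) -> bytes:
    """Base-128 encode each arc, high bit set on all but the last byte of an arc."""
    out = bytearray()
    for arc in dotted.split("."):
        n = int(arc)
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_relative_oid(data: bytes) -> str:
    """Inverse of encode_relative_oid; rejects a trailing incomplete arc."""
    arcs, n, pending = [], 0, False
    for b in data:
        n = (n << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(str(n))
            n = 0
    if pending or not arcs:
        raise ValueError("malformed relative OID")
    return ".".join(arcs)


def encode_tai_list(ids: list[bytes]) -> bytes:
    """Client side: serialise the extension body sent in the ClientHello."""
    if not ids:
        raise ValueError("extension must carry at least one ID")
    body = b"".join(struct.pack("!B", len(i)) + i for i in ids)
    return struct.pack("!H", len(body)) + body


def decode_tai_list(data: bytes) -> list[bytes]:
    """Server side: parse the extension body, rejecting bad lengths."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (n,) = struct.unpack("!H", data[:2])
    if n != len(data) - 2:
        raise ValueError("list length does not match payload")
    ids, pos = [], 2
    while pos < len(data):
        ln = data[pos]
        pos += 1
        if ln == 0 or pos + ln > len(data):
            raise ValueError("bad ID length")
        ids.append(data[pos:pos + ln])
        pos += ln
    return ids


def select_chain(chains: list[tuple[str, bytes]], client_ids: list[bytes]) -> tuple[str, bool]:
    """Pick the chain whose trust_anchor_id the client listed.

    chains: (label, trust_anchor_id) pairs, first entry is the default; an empty
    trust_anchor_id means no TAI configured for that chain. Returns the chosen
    label and whether it was chosen by a TAI match (the "matched" signal the
    client's getter would observe).
    """
    wanted = set(client_ids)
    for label, tai in chains:
        if tai and tai in wanted:
            return label, True
    return chains[0][0], False


def demo() -> tuple[str, bool]:
    """Round-trip one handshake's worth of data and return the server's choice."""
    client_ids = [encode_relative_oid("32473.1"), encode_relative_oid("32473.7")]
    wire = encode_tai_list(client_ids)
    chains = [("default-chain", b""),                       # constructed labels
              ("root-b-chain", encode_relative_oid("32473.7")),
              ("root-a-chain", encode_relative_oid("32473.1"))]
    return select_chain(chains, decode_tai_list(wire))


if __name__ == "__main__":
    print(demo())
```

A client that sends no IDs never hits the match path, and a server chain with an empty trust_anchor_id is never selected by TAI, which mirrors the "if non-empty" condition in the commit message.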
QUICHE stands for QUIC, Http, Etc. It is Google's production-ready implementation of QUIC, HTTP/2, HTTP/3, and related protocols and tools. It powers Google's servers, Chromium, Envoy, and other projects. It is actively developed and maintained.
There are two public QUICHE repositories. Either one may be used by embedders, as they are automatically kept in sync:
To embed QUICHE in your project, platform APIs need to be implemented and build files need to be created. Note that it is on the QUICHE team's roadmap to include default implementations for all platform APIs and to open-source build files. In the meantime, take a look at open source embedders like Chromium and Envoy to get started:
To contribute to QUICHE, follow instructions at CONTRIBUTING.md.
QUICHE is only supported on little-endian platforms.