[TLS Credentials]: Private Key Offload Implementation #41606
Closed
anniefrchz wants to merge 96 commits into grpc:master from
yaml-cpp@0.9.0 is released at bazelbuild/bazel-central-registry#7443
PiperOrigin-RevId: 868250332
The `grpc_bazel_c_cpp_{opt,dbg}` tests are failing with timeout (most failures are under `//test/core/end2end` ). The exact cause isn't clear (might be bzlmod causing slower compilation). Try increasing the timeout to see if the error goes away.
https://fusion2.corp.google.com/ci;ids=1930537984/kokoro/prod:grpc%2Fcore%2Fmaster%2Fmacos%2Fgrpc_bazel_c_cpp_dbg/activity/0d32a035-4712-49af-9f20-e90d065e3ae0/summary
Closes grpc#41596
COPYBARA_INTEGRATE_REVIEW=grpc#41596 from yuanweiz:fix-macos-ci bf8754f
PiperOrigin-RevId: 868346260
Changes in parser:
- add support for max recursion depth limit
- add support for keep_matching
- check if field is unset
- eliminate unnecessary `ParseStringMatcher()` function
Changes in matcher:
- fix edge case in `XdsMatcherPrefixMap`
- add `ForEachAction()` method, which will be needed by composite filter
- split matcher and matcher context into separate build targets
b/431645556
b/431645620
Closes grpc#41500
COPYBARA_INTEGRATE_REVIEW=grpc#41500 from markdroth:xds_matcher_polish f41a36e
PiperOrigin-RevId: 868440217
PiperOrigin-RevId: 868484751
PiperOrigin-RevId: 868492036
…ficates independently (grpc#41484) Closes grpc#41484 COPYBARA_INTEGRATE_REVIEW=grpc#41484 from anniefrchz:in_memory_provider d5c64b9 PiperOrigin-RevId: 868750621
…rpc#41597) These tests don't work with the `Chttp2SocketPair` or `Chttp2SocketPair1ByteAtATime` fixtures, since they use direct channels. Closes grpc#41597 COPYBARA_INTEGRATE_REVIEW=grpc#41597 from markdroth:connection_scaling_test_fix 6a5c84f PiperOrigin-RevId: 868763207
anniefrchz
commented
Feb 26, 2026
Contributor
Author
I pushed the changes from your last revision minus the tests that were deleted. I was defeated by the GitHub UI in finding the comments in the file view to respond to them, but all other comments should be addressed.
Thanks!
markdroth
reviewed
Feb 26, 2026
anniefrchz
commented
Feb 26, 2026
Contributor
Author
This patch is ready for another review
markdroth
approved these changes
Feb 26, 2026
Member
This looks really good!
Just a few minor cosmetic comments remaining; feel free to merge after addressing.
gtcooke94
approved these changes
Feb 26, 2026
Contributor
This LGTM once you finish roth@'s other comments!
markdroth
approved these changes
Feb 26, 2026
justsmth
added a commit
to aws/aws-lc
that referenced
this pull request
Mar 4, 2026
### Description of changes:
gRPC recently landed a TLS Private Key Offload feature (grpc/grpc#41606) that gates BoringSSL-specific code paths behind `#ifdef OPENSSL_IS_BORINGSSL`. AWS-LC defines `OPENSSL_IS_AWSLC` instead, so gRPC doesn't recognize it as BoringSSL-compatible. This causes all 11 `TlsPrivateKeyOffloadTest` tests to fail at setup time because `grpc_tls_identity_pairs_add_pair_with_signer` returns `UnimplementedError`.

Since AWS-LC is a BoringSSL fork and supports all the relevant APIs (e.g. `SSL_PRIVATE_KEY_METHOD`), we pass `-DOPENSSL_IS_BORINGSSL=1` via `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS` when building gRPC. This enables the BoringSSL code paths that are correct for AWS-LC, including private key offload, optimized session caching, and type macros.

### Call-outs:
All `OPENSSL_IS_BORINGSSL` checks in gRPC are preprocessor-level guards inside source files — there's no CMake-level source file selection based on BoringSSL detection, so the CFLAGS approach is safe.

### Testing:
The gRPC integration test itself validates the fix — the 11 `TlsPrivateKeyOffloadTest` tests that were failing should now pass.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
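The call-out in the commit message above depends on the macro being referenced only by preprocessor guards and never by build-system logic. One way to check that on a checkout before forcing a macro with `-D`, as an added example that is not from the gRPC or AWS-LC repositories; the function names, file names and sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit where a feature macro is referenced before forcing it
# with -D on the compiler command line.

# Print "build=<n> source=<n>": the number of build-system files and of C/C++
# files under $1 that mention macro $2. Returns 0 only when build=0, i.e. the
# macro is never used to decide which source files get compiled.
audit_macro_guards() {
    root=$1
    macro=$2
    # -F: fixed string, -l: list each matching file once. A longer identifier
    # that contains the macro name also matches, which errs on the safe side.
    files=$(grep -rlF -- "$macro" "$root" 2>/dev/null || true)
    build=$(printf '%s\n' "$files" |
        grep -cE '(CMakeLists\.txt|\.cmake|\.bzl|/BUILD|/BUILD\.bazel)$' || true)
    src=$(printf '%s\n' "$files" |
        grep -cE '\.(c|cc|cpp|cxx|h|hpp)$' || true)
    echo "build=$build source=$src"
    [ "$build" -eq 0 ]
}

# Constructed sample tree (hypothetical file names, not gRPC's layout):
# the macro appears only as a preprocessor guard in one source file.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/cmake"
    printf '#ifdef OPENSSL_IS_BORINGSSL\nint offload_supported = 1;\n#else\nint offload_supported = 0;\n#endif\n' > "$dir/src/signer.cc"
    printf 'int unrelated;\n' > "$dir/src/other.cc"
    printf 'add_library(demo src/signer.cc src/other.cc)\n' > "$dir/CMakeLists.txt"
    echo "$dir"
}

# Same tree plus a build file that selects sources on the macro, the case in
# which a -D compiler flag alone would not enable the full code path.
make_unsafe_tree() {
    dir=$(make_sample_tree)
    printf 'if(OPENSSL_IS_BORINGSSL)\n  list(APPEND SRCS src/boring_only.cc)\nendif()\n' > "$dir/cmake/ssl.cmake"
    echo "$dir"
}
```

A non-zero `build` count means the macro also influences the build graph, so each listed build file needs reading before relying on `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS`.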
WillChilds-Klein
pushed a commit
to WillChilds-Klein/aws-lc
that referenced
this pull request
Mar 11, 2026
Zgoda91
pushed a commit
to Zgoda91/grpc
that referenced
this pull request
Mar 22, 2026
Closes grpc#41606 COPYBARA_INTEGRATE_REVIEW=grpc#41606 from anniefrchz:private_key_signer 881d900 PiperOrigin-RevId: 876385877
nebeid
pushed a commit
to nebeid/aws-lc
that referenced
this pull request
Mar 23, 2026
asheshvidyut
pushed a commit
to asheshvidyut/grpc
that referenced
this pull request
Mar 26, 2026
No description provided.