netty
diff --git a/‎common/src/main/java/io/netty/util/internal/EmptyArrays.java‎
Lines changed: 3 additions & 0 deletions b/‎common/src/main/java/io/netty/util/internal/EmptyArrays.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎handler/src/main/java/io/netty/handler/ssl/DefaultOpenSslCredential.java‎
Lines changed: 129 additions & 0 deletions b/‎handler/src/main/java/io/netty/handler/ssl/DefaultOpenSslCredential.java‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎handler/src/main/java/io/netty/handler/ssl/NonOwnedOpenSslCredential.java‎
Lines changed: 88 additions & 0 deletions b/‎handler/src/main/java/io/netty/handler/ssl/NonOwnedOpenSslCredential.java‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java‎
Lines changed: 5 additions & 3 deletions b/‎handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java‎
Lines changed: 7 additions & 4 deletions b/‎handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎handler/src/main/java/io/netty/handler/ssl/OpenSslCredential.java‎
Lines changed: 85 additions & 0 deletions b/‎handler/src/main/java/io/netty/handler/ssl/OpenSslCredential.java‎
Lines changed: 85 additions & 0 deletions
@@ -21,6 +21,7 @@
 import java.nio.ByteBuffer;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.Map;
 
 public final class EmptyArrays {
 
@@ -36,6 +37,8 @@ public final class EmptyArrays {
     public static final Certificate[] EMPTY_CERTIFICATES = {};
     public static final X509Certificate[] EMPTY_X509_CERTIFICATES = {};
     public static final javax.security.cert.X509Certificate[] EMPTY_JAVAX_X509_CERTIFICATES = {};
+    @SuppressWarnings("rawtypes")
+    public static final Map.Entry[] EMPTY_MAP_ENTRY = {};
 
     public static final Throwable[] EMPTY_THROWABLES = {};
 
 
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2026 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import io.netty.internal.tcnative.SSLCredential;
+import io.netty.util.AbstractReferenceCounted;
+import io.netty.util.IllegalReferenceCountException;
+import io.netty.util.ResourceLeakDetector;
+import io.netty.util.ResourceLeakDetectorFactory;
+import io.netty.util.ResourceLeakTracker;
+
+/**
+ * Default implementation of {@link OpenSslCredential}.
+ *
+ * <p>This class manages the lifecycle of a native BoringSSL {@code SSL_CREDENTIAL} object.
+ */
+final class DefaultOpenSslCredential extends AbstractReferenceCounted implements OpenSslCredentialPointer {
+
+    private static final ResourceLeakDetector<DefaultOpenSslCredential> leakDetector =
+            ResourceLeakDetectorFactory.instance().newResourceLeakDetector(DefaultOpenSslCredential.class);
+
+    private final ResourceLeakTracker<DefaultOpenSslCredential> leak;
+    private final CredentialType type;
+    private long credential;
+
+    /**
+     * Creates a new credential instance.
+     *
+     * @param credential the native SSL_CREDENTIAL pointer
+     * @param type the credential type
+     */
+    DefaultOpenSslCredential(long credential, CredentialType type) {
+        this.credential = credential;
+        this.type = type;
+        this.leak = leakDetector.track(this);
+    }
+
+    @Override
+    public long credentialAddress() {
+        if (refCnt() <= 0) {
+            throw new IllegalReferenceCountException();
+        }
+        return credential;
+    }
+
+    @Override
+    public CredentialType type() {
+        return type;
+    }
+
+    @Override
+    protected void deallocate() {
+        try {
+            SSLCredential.free(credential);
+        } catch (Exception e) {
+            throw new IllegalStateException("Failed to free SSL_CREDENTIAL", e);
+        } finally {
+            credential = 0;
+            if (leak != null) {
+                boolean closed = leak.close(this);
+                assert closed;
+            }
+        }
+    }
+
+    @Override
+    public DefaultOpenSslCredential retain() {
+        if (leak != null) {
+            leak.record();
+        }
+        super.retain();
+        return this;
+    }
+
+    @Override
+    public DefaultOpenSslCredential retain(int increment) {
+        if (leak != null) {
+            leak.record();
+        }
+        super.retain(increment);
+        return this;
+    }
+
+    @Override
+    public DefaultOpenSslCredential touch() {
+        if (leak != null) {
+            leak.record();
+        }
+        super.touch();
+        return this;
+    }
+
+    @Override
+    public DefaultOpenSslCredential touch(Object hint) {
+        if (leak != null) {
+            leak.record(hint);
+        }
+        return this;
+    }
+
+    @Override
+    public boolean release() {
+        if (leak != null) {
+            leak.record();
+        }
+        return super.release();
+    }
+
+    @Override
+    public boolean release(int decrement) {
+        if (leak != null) {
+            leak.record();
+        }
+        return super.release(decrement);
+    }
+}
@@ -0,0 +1,88 @@
+/*
+ * Copyright 2026 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import io.netty.util.AbstractReferenceCounted;
+import io.netty.util.IllegalReferenceCountException;
+
+/**
+ * A non-owning wrapper for an {@link OpenSslCredential} pointer.
+ *
+ * <p>This class is used when we need to expose an SSL_CREDENTIAL pointer that is managed
+ * by OpenSSL itself (e.g., the credential selected during the handshake). Unlike
+ * {@link DefaultOpenSslCredential}, this wrapper does not free the underlying credential
+ * when its reference count reaches zero, as the lifetime is managed externally.
+ *
+ * <p>This is a BoringSSL-specific feature.
+ */
+final class NonOwnedOpenSslCredential extends AbstractReferenceCounted implements OpenSslCredentialPointer {
+
+    private final long credential;
+    private final CredentialType type;
+    private volatile boolean released;
+
+    /**
+     * Creates a new non-owning credential wrapper.
+     *
+     * @param credential the native SSL_CREDENTIAL pointer (must not be 0)
+     * @param type the credential type
+     */
+    NonOwnedOpenSslCredential(long credential, CredentialType type) {
+        if (credential == 0) {
+            throw new IllegalArgumentException("credential pointer must not be 0");
+        }
+        this.credential = credential;
+        this.type = type;
+    }
+
+    @Override
+    public long credentialAddress() {
+        if (released) {
+            throw new IllegalReferenceCountException();
+        }
+        return credential;
+    }
+
+    @Override
+    public CredentialType type() {
+        return type;
+    }
+
+    @Override
+    public OpenSslCredential retain() {
+        return (OpenSslCredential) super.retain();
+    }
+
+    @Override
+    public OpenSslCredential retain(int increment) {
+        return (OpenSslCredential) super.retain(increment);
+    }
+
+    @Override
+    public OpenSslCredential touch() {
+        return (OpenSslCredential) super.touch();
+    }
+
+    @Override
+    public OpenSslCredential touch(Object hint) {
+        return this;
+    }
+
+    @Override
+    protected void deallocate() {
+        released = true;
+    }
+}
@@ -31,6 +31,7 @@
 import javax.net.ssl.TrustManagerFactory;
 
 import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
+import static io.netty.util.internal.EmptyArrays.EMPTY_MAP_ENTRY;
 
 /**
  * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
@@ -180,7 +181,7 @@ public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory tr
         this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                 keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, null, sessionCacheSize,
-                sessionTimeout, false, KeyStore.getDefaultType(), null, null, null);
+                sessionTimeout, false, KeyStore.getDefaultType(), null, null, null, EMPTY_MAP_ENTRY, null);
     }
 
     OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
@@ -190,10 +191,11 @@ public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory tr
                          long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStore,
                          String endpointIdentificationAlgorithm, List<SNIServerName> serverNames,
                          ResumptionController resumptionController,
-                         Map.Entry<SslContextOption<?>, Object>... options)
+                         Map.Entry<SslContextOption<?>, Object>[] options,
+                         List<OpenSslCredential> credentials)
             throws SSLException {
         super(ciphers, cipherFilter, apn, SSL.SSL_MODE_CLIENT, keyCertChain, ClientAuth.NONE, protocols, false,
-                endpointIdentificationAlgorithm, enableOcsp, serverNames, resumptionController, options);
+                endpointIdentificationAlgorithm, enableOcsp, serverNames, resumptionController, options, credentials);
         boolean success = false;
         boolean supportJdkSignatureFallback = isJdkSignatureFallbackEnabled(options);
         try {
 
@@ -34,21 +34,24 @@ public abstract class OpenSslContext extends ReferenceCountedOpenSslContext {
                    int mode, Certificate[] keyCertChain,
                    ClientAuth clientAuth, String[] protocols, boolean startTls, String endpointIdentificationAlgorithm,
                    boolean enableOcsp, List<SNIServerName> serverNames, ResumptionController resumptionController,
-                   Map.Entry<SslContextOption<?>, Object>... options)
+                   Map.Entry<SslContextOption<?>, Object>[] options,
+                   List<OpenSslCredential> credentials)
             throws SSLException {
         super(ciphers, cipherFilter, toNegotiator(apnCfg), mode, keyCertChain,
                 clientAuth, protocols, startTls, endpointIdentificationAlgorithm, enableOcsp, false,
-                serverNames, resumptionController, options);
+                serverNames, resumptionController, options, credentials);
     }
 
     OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
                    int mode, Certificate[] keyCertChain,
                    ClientAuth clientAuth, String[] protocols, boolean startTls, boolean enableOcsp,
                    List<SNIServerName> serverNames, ResumptionController resumptionController,
-                   Map.Entry<SslContextOption<?>, Object>... options)
+                   Map.Entry<SslContextOption<?>, Object>[] options,
+                   List<OpenSslCredential> credentials)
             throws SSLException {
         super(ciphers, cipherFilter, apn, mode, keyCertChain,
-                clientAuth, protocols, startTls, null, enableOcsp, false, serverNames, resumptionController, options);
+                clientAuth, protocols, startTls, null, enableOcsp, false, serverNames, resumptionController, options,
+                credentials);
     }
 
     @Override
 
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2026 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import io.netty.util.ReferenceCounted;
+
+/**
+ * Represents an OpenSSL/BoringSSL {@code SSL_CREDENTIAL} object.
+ *
+ * <p>SSL credentials provide a more flexible alternative to traditional certificate/key configuration,
+ * supporting features like:
+ * <ul>
+ *   <li>Multiple credentials per context (e.g., RSA + ECDSA)</li>
+ *   <li>Delegated credentials</li>
+ *   <li>OCSP stapling per credential</li>
+ *   <li>Signed Certificate Timestamps (SCT)</li>
+ *   <li>Trust anchor identifiers</li>
+ *   <li>Per-credential signing algorithm preferences</li>
+ * </ul>
+ *
+ * <p>This is a BoringSSL-specific feature. Use {@link #isAvailable()} to check availability.
+ *
+ * <p>Instances are reference counted and must be released when no longer needed.
+ *
+ * @see <a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CREDENTIAL_free">
+ *      BoringSSL SSL_CREDENTIAL Documentation</a>
+ */
+public interface OpenSslCredential extends ReferenceCounted {
+    /**
+     * Check if the credentials API is supported.
+     * @return {@code true} if the credentials API is supported, otherwise {@code false}.
+     */
+    static boolean isAvailable() {
+        return OpenSsl.isAvailable() && OpenSsl.isBoringSSL();
+    }
+
+    /**
+     * Returns the type of this credential.
+     *
+     * @return the credential type
+     */
+    CredentialType type();
+
+    @Override
+    OpenSslCredential retain();
+
+    @Override
+    OpenSslCredential retain(int increment);
+
+    @Override
+    OpenSslCredential touch();
+
+    @Override
+    OpenSslCredential touch(Object hint);
+
+    /**
+     * The type of SSL credential.
+     */
+    enum CredentialType {
+        /**
+         * Standard X.509 certificate credential created with {@code SSL_CREDENTIAL_new_x509()}.
+         */
+        X509,
+
+        /**
+         * Delegated credential created with {@code SSL_CREDENTIAL_new_delegated()}.
+         *
+         * @see <a href="https://datatracker.ietf.org/doc/html/rfc9345">RFC 9345 - Delegated Credentials for TLS</a>
+         */
+        DELEGATED
+    }
+}