WIP

Author: CMCDragonkai

src/config.ts

@@ -3,6 +3,19 @@ import { quiche } from './native';
 
 
 type QUICConfig = {
+  /**
+   * Certificate authority certificate in PEM format or Uint8Array buffer
+   * containing PEM formatted certificate. Each string or Uint8Array can be
+   * one certificate or multiple certificates concatenated together. The order
+   * does not matter, each is an independent certificate authority. Multiple
+   * concatenated certificate authorities can be passed. They are all
+   * concatenated together.
+   *
+   * When this is not set, this defaults to the operating system's CA
+   * certificates. OpenSSL (and forks of OpenSSL) all support the
+   * environment variables `SSL_CERT_DIR` and `SSL_CERT_FILE`.
+   */
+  ca?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
   /**
    * Private key as a PEM string or Uint8Array buffer containing PEM formatted
@@ -20,20 +33,6 @@ type QUICConfig = {
    */
   cert?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
-  /**
-   * Certificate authority certificate in PEM format or Uint8Array buffer
-   * containing PEM formatted certificate. Each string or Uint8Array can be
-   * one certificate or multiple certificates concatenated together. The order
-   * does not matter, each is an independent certificate authority. Multiple
-   * concatenated certificate authorities can be passed. They are all
-   * concatenated together.
-   *
-   * When this is not set, this defaults to the operating system's CA
-   * certificates. OpenSSL (and forks of OpenSSL) all support the
-   * environment variables `SSL_CERT_DIR` and `SSL_CERT_FILE`.
-   */
-  ca?: string | Array<string> | Uint8Array | Array<Uint8Array>;
-
   /**
    * Colon separated list of supported signature algorithms.
    *
@@ -130,23 +129,17 @@ const serverDefault: QUICConfig = {
   enableEarlyData: true,
 };
 
+const textDecoder = new TextDecoder('utf-8');
+const textEncoder = new TextEncoder();
+
 function buildQuicheConfig(config: QUICConfig): QuicheConfig {
-  let certChainPem: Buffer | null = null;
-  let privKeyPem: Buffer | null = null;
-  if (config.tlsConfig != null && 'certChainPem' in config.tlsConfig) {
-    if (config.tlsConfig.certChainPem != null) {
-      certChainPem = Buffer.from(config.tlsConfig.certChainPem);
-    }
-    if (config.tlsConfig.privKeyPem != null) {
-      privKeyPem = Buffer.from(config.tlsConfig.privKeyPem);
-    }
-  }
 
-  // Ok let's see
-  let caBuffer;
+  // This will be passed in as a Optional<Uint8Array>
+
+  // This is a concatenated certificate authority certificates in
+  // PEM format, separated by `\n`
+  let caPEMBuffer: Uint8Array | undefined;
   if (config.ca != null) {
-    const textDecoder = new TextDecoder('utf-8');
-    const textEncoder = new TextEncoder();
     let caPEMString = '';
     if (typeof config.ca === 'string') {
       caPEMString = config.ca.trim() + '\n';
@@ -161,9 +154,29 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
         }
       }
     }
-    caBuffer = textEncoder.encode(caPEMString);
+    caPEMBuffer = textEncoder.encode(caPEMString);
   }
 
+  // Setup: [keyPEM, keyPEM, keyPEM]
+  // AND [certChainPem, certChainPEM, certChainPEM]
+  // Then we pass it in
+  // atm, i don't think this actually works
+  // due to lack of this `SSL_CTX_add1_chain_cert` function
+
+
+
+
+  // let certChainPem: Buffer | null = null;
+  // let privKeyPem: Buffer | null = null;
+  // if (config.tlsConfig != null && 'certChainPem' in config.tlsConfig) {
+  //   if (config.tlsConfig.certChainPem != null) {
+  //     certChainPem = Buffer.from(config.tlsConfig.certChainPem);
+  //   }
+  //   if (config.tlsConfig.privKeyPem != null) {
+  //     privKeyPem = Buffer.from(config.tlsConfig.privKeyPem);
+  //   }
+  // }
+
 
   const quicheConfig: QuicheConfig = quiche.Config.withBoringSslCtx(
     certChainPem,

src/native/napi/config.rs

@@ -1,4 +1,3 @@
-// use core::panicking::panic;
 use napi_derive::napi;
 use napi::bindgen_prelude::*;
 
@@ -41,97 +40,100 @@ impl Config {
     let config = quiche::Config::new(
       quiche::PROTOCOL_VERSION
     ).or_else(
-      |err| Err(Error::from_reason(err.to_string()))
+      |err| Err(napi::Error::from_reason(err.to_string()))
     )?;
     return Ok(Config(config));
   }
 
+  /// Creates configuration with custom TLS context
+  /// Servers must be setup with a key and cert
   #[napi(factory)]
   pub fn with_boring_ssl_ctx(
-    cert_pem: Option<Uint8Array>,
-    key_pem: Option<Uint8Array>,
-    supported_key_algos: Option<String>,
-    ca_cert_pem: Option<Uint8Array>,
     verify_peer: bool,
+    ca: Option<Uint8Array>,
+    key: Option<Vec<Uint8Array>>,
+    cert: Option<Vec<Uint8Array>>,
+    sigalgs: Option<String>,
   ) -> Result<Self> {
     let mut ssl_ctx_builder = boring::ssl::SslContextBuilder::new(
       boring::ssl::SslMethod::tls(),
     ).or_else(
-      |err| Err(Error::from_reason(err.to_string()))
+      |e| Err(napi::Error::from_reason(e.to_string()))
     )?;
-    let verify_value = if verify_peer {boring::ssl::SslVerifyMode::PEER | boring::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT }
-    else { boring::ssl::SslVerifyMode::NONE };
+    let verify_value = if verify_peer {
+      boring::ssl::SslVerifyMode::PEER | boring::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT
+    } else {
+      boring::ssl::SslVerifyMode::NONE
+    };
     ssl_ctx_builder.set_verify(verify_value);
-    // Processing and adding the cert chain
-    if let Some(cert_pem) = cert_pem {
-      let x509_cert_chain = boring::x509::X509::stack_from_pem(
-        &cert_pem.to_vec()
-      ).or_else(
-        |err| Err(Error::from_reason(err.to_string()))
-      )?;
-      for (i, cert) in x509_cert_chain.iter().enumerate() {
-        if i == 0 {
-          ssl_ctx_builder.set_certificate(
-            cert,
-          ).or_else(
-            |err| Err(Error::from_reason(err.to_string()))
-          )?;
-        } else {
-          ssl_ctx_builder.add_extra_chain_cert(
-            cert.clone(),
-          ).or_else(
-            |err| Err(Error::from_reason(err.to_string()))
-          )?;
-        }
-      }
-    }
-    // Processing and adding the private key
-    if let Some(key_pem) = key_pem {
-      let private_key = boring::pkey::PKey::private_key_from_pem(&key_pem)
-        .or_else(
-        |err| Err(Error::from_reason(err.to_string()))
-      )?;
-      ssl_ctx_builder.set_private_key(&private_key)
-        .or_else(
-          |err| Err(Error::from_reason(err.to_string()))
-        )?;
-    }
-    // Adding supported private key algorithms
-    if let Some(supported_key_algos) = supported_key_algos {
-      ssl_ctx_builder.set_sigalgs_list(&supported_key_algos)
+    // Setup all CA certificates
+    if let Some(ca) = ca {
+      let mut x509_store_builder = boring::x509::store::X509StoreBuilder::new()
         .or_else(
-          |err| Err(Error::from_reason(err.to_string()))
+          |e| Err(napi::Error::from_reason(e.to_string()))
         )?;
-    }
-    // Processing CA certificate
-    if let Some(ca_cert_pem) = ca_cert_pem {
       let x509_certs = boring::x509::X509::stack_from_pem(
-        &ca_cert_pem.to_vec()
+        &ca.to_vec()
       ).or_else(
-        |err| Err(Error::from_reason(err.to_string()))
+        |e| Err(napi::Error::from_reason(e.to_string()))
       )?;
-      let mut x509_store_builder = boring::x509::store::X509StoreBuilder::new()
-        .or_else(
-          |err| Err(Error::from_reason(err.to_string()))
-        )?;
       for x509 in x509_certs.into_iter() {
         x509_store_builder.add_cert(x509)
           .or_else(
-            |err| Err(Error::from_reason(err.to_string()))
+            |e| Err(napi::Error::from_reason(e.to_string()))
           )?;
       }
       let x509_store = x509_store_builder.build();
       ssl_ctx_builder.set_verify_cert_store(x509_store)
         .or_else(
+          |e| Err(napi::Error::from_reason(e.to_string()))
+        )?;
+    }
+    // Setup all certificates and keys
+    // The below may not actually work
+    // We assume we can just use certificate and add them to it
+    // However this may not be possible
+    if let (Some(key), Some(cert)) = (key, cert) {
+      for (k, c) in key.iter().zip(cert.iter()) {
+        let private_key = boring::pkey::PKey::private_key_from_pem(&k)
+          .or_else(
           |err| Err(Error::from_reason(err.to_string()))
         )?;
+        ssl_ctx_builder.set_private_key(&private_key).or_else(
+          |e| Err(napi::Error::from_reason(e.to_string()))
+        )?;
+        let x509_cert_chain = boring::x509::X509::stack_from_pem(
+          &c.to_vec()
+        ).or_else(
+          |err| Err(napi::Error::from_reason(err.to_string()))
+        )?;
+        for (i, cert) in x509_cert_chain.iter().enumerate() {
+          if i == 0 {
+            ssl_ctx_builder.set_certificate(cert,).or_else(
+              |err| Err(Error::from_reason(err.to_string()))
+            )?;
+          } else {
+            ssl_ctx_builder.add_extra_chain_cert(
+              cert.clone(),
+            ).or_else(
+              |err| Err(Error::from_reason(err.to_string()))
+            )?;
+          }
+        }
+      }
+    }
+    // Setup supported signature algorithms
+    if let Some(sigalgs) = sigalgs {
+      ssl_ctx_builder.set_sigalgs_list(&sigalgs).or_else(
+        |e| Err(napi::Error::from_reason(e.to_string()))
+      )?;
     }
     let ssl_ctx= ssl_ctx_builder.build();
     let config = quiche::Config::with_boring_ssl_ctx(
       quiche::PROTOCOL_VERSION,
       ssl_ctx,
     ).or_else(
-      |err| Err(Error::from_reason(err.to_string()))
+      |e| Err(Error::from_reason(e.to_string()))
     )?;
     return Ok(Config(config));
   }

tests/utils.ts

@@ -5,6 +5,7 @@ import type QUICServer from '@/QUICServer';
 import type QUICStream from '@/QUICStream';
 import { Crypto } from '@peculiar/webcrypto';
 import * as x509 from '@peculiar/x509';
+import { fc } from '@fast-check/jest';
 
 /**
  * WebCrypto polyfill from @peculiar/webcrypto
@@ -654,6 +655,24 @@ const handleStreamProm = async (stream: QUICStream, streamData: StreamData) => {
   }
 };
 
+
+// First thing is that we need to create a private key
+// To do this... we need to seed the webcrypto
+// But also this doesn't quite work
+
+const publicKeyArb = (privateKey: fc.Arbitrary<Buffer> = privateKeyArb) =>
+  privateKey.map((privateKey) => publicKeyFromPrivateKeyEd25519(privateKey));
+
+const keyPairArb = (
+  privateKey: fc.Arbitrary<Buffer> = privateKeyArb,
+): fc.Arbitrary<KeyPair> =>
+  privateKey.chain((privateKey) =>
+    fc.record({
+      privateKey: fc.constant(privateKey),
+      publicKey: publicKeyArb(fc.constant(privateKey)),
+    }),
+  );
+
 export {
   sleep,
   randomBytes,