wip: loading Ca from mem

* Related #9

[ci skip]

Author: tegefaulkes

src/QUICConnection.ts

@@ -265,6 +265,8 @@ class QUICConnection extends EventTarget {
     } = {}
   ) {
     this.logger.info(`Destroy ${this.constructor.name}`);
+    console.log(this.conn.localError())
+    console.log(this.conn.peerError())
     for (const stream of this.streamMap.values())  {
       await stream.destroy();
     }

src/config.ts

@@ -15,6 +15,7 @@ export type TlsConfig = {
 
 type QUICConfig = {
   tlsConfig: TlsConfig | undefined;
+  verifyPem: string | undefined;
   verifyFromPemFile: string | undefined;
   supportedPrivateKeyAlgos: string | undefined;
   verifyPeer: boolean;
@@ -35,6 +36,7 @@ type QUICConfig = {
 
 const clientDefault: QUICConfig = {
   tlsConfig: undefined,
+  verifyPem: undefined,
   verifyFromPemFile: undefined,
   supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
   logKeys: undefined,
@@ -61,6 +63,7 @@ const clientDefault: QUICConfig = {
 
 const serverDefault: QUICConfig = {
   tlsConfig: undefined,
+  verifyPem: undefined,
   verifyFromPemFile: undefined,
   supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
   logKeys: undefined,
@@ -96,6 +99,7 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
     certChainPem,
     privKeyPem,
     config.supportedPrivateKeyAlgos ?? null,
+    config.verifyPem != null ? Buffer.from(config.verifyPem) : null,
   );
   if (config.tlsConfig != null && 'certChainFromPemFile' in config.tlsConfig) {
     if (config.tlsConfig?.certChainFromPemFile != null) {

src/native/napi/config.rs

@@ -51,6 +51,7 @@ impl Config {
     cert_pem: Option<Uint8Array>,
     key_pem: Option<Uint8Array>,
     supported_key_algos: Option<String>,
+    ca_cert_pem: Option<Uint8Array>,
   ) -> Result<Self> {
     let mut ssl_ctx_builder = boring::ssl::SslContextBuilder::new(
       boring::ssl::SslMethod::tls(),
@@ -98,6 +99,29 @@ impl Config {
           |err| Err(Error::from_reason(err.to_string()))
         )?;
     }
+    // Processing CA certificate
+    if let Some(ca_cert_pem) = ca_cert_pem {
+      let x509_certs = boring::x509::X509::stack_from_pem(
+        &cert_pem.to_vec()
+      ).or_else(
+        |err| Err(Error::from_reason(err.to_string()))
+      )?;
+      let mut x509_store_builder = boring::x509::store::X509StoreBuilder::new()
+        .or_else(
+          |err| Err(Error::from_reason(err.to_string()))
+        )?;
+      for x509 in x509_certs.into_iter() {
+        x509_store_builder.add_cert(x509)
+          .or_else(
+            |err| Err(Error::from_reason(err.to_string()))
+          )?;
+      }
+      let x509_store = x509_store_builder.build();
+      ssl_ctx_builder.set_verify_cert_store(x509_store)
+        .or_else(
+          |err| Err(Error::from_reason(err.to_string()))
+        )?;
+    }
     let ssl_ctx= ssl_ctx_builder.build();
     let config = quiche::Config::with_boring_ssl_ctx(
       quiche::PROTOCOL_VERSION,

src/native/types.ts

@@ -43,6 +43,7 @@ interface ConfigConstructor {
     certPem: Uint8Array | null,
     keyPem: Uint8Array | null,
     supportedKeyAlgos: String | null,
+    ca_cert_pem: Uint8Array | null,
   ): Config;
 };
 

tests/QUICClient.test.ts

@@ -293,11 +293,12 @@ describe(QUICClient.name, () => {
     } = fc.sample(tlsArb, 1)[0]
 
     test('server verification succeeds', async () => {
+      const tlsConfig = await (fc.sample(tlsUtils.tlsConfigArb(tlsUtils.keyPairsArb(2)), {numRuns: 1})[0]);
       const server = new QUICServer({
         crypto,
         logger: logger.getChild(QUICServer.name),
         config: {
-          tlsConfig: tlsConfig1,
+          tlsConfig: certFixtures.tlsConfigMemOKP1,
           verifyPeer: false,
         }
       });
@@ -315,7 +316,7 @@ describe(QUICClient.name, () => {
         logger: logger.getChild(QUICClient.name),
         config: {
           verifyPeer: true,
-          verifyFromPemFile: ca.certChainFromPemFile,
+          verifyPem: tlsConfig.caPem,
         }
       });
       await handleConnectionEventProm.p