MatrixAI
diff --git a/‎src/QUICServer.ts
Lines changed: 12 additions & 7 deletions b/‎src/QUICServer.ts
Lines changed: 12 additions & 7 deletions
diff --git a/‎src/QUICSocket.ts
Lines changed: 3 additions & 10 deletions b/‎src/QUICSocket.ts
Lines changed: 3 additions & 10 deletions
diff --git a/‎src/config.ts
Lines changed: 167 additions & 51 deletions b/‎src/config.ts
Lines changed: 167 additions & 51 deletions
diff --git a/‎src/errors.ts
Lines changed: 5 additions & 0 deletions b/‎src/errors.ts
Lines changed: 5 additions & 0 deletions
@@ -10,7 +10,7 @@ import type {
 } from './types';
 import type { Header } from './native/types';
 import type QUICConnectionMap from './QUICConnectionMap';
-import type { QUICConfig, TlsConfig } from './config';
+import type { QUICConfig } from './config';
 import type { QUICServerConnectionEvent } from './events';
 import Logger from '@matrixai/logger';
 import { running } from '@matrixai/async-init';
@@ -70,8 +70,8 @@ class QUICServer extends EventTarget {
 
   public constructor({
     crypto,
-    socket,
     config,
+    socket,
     resolveHostname = utils.resolveHostname,
     reasonToCode,
     codeToReason,
@@ -84,11 +84,11 @@ class QUICServer extends EventTarget {
       key: ArrayBuffer;
       ops: Crypto;
     };
+    config: Partial<QUICConfig> & {
+      key: string | Array<string> | Uint8Array | Array<Uint8Array>;
+      cert: string | Array<string> | Uint8Array | Array<Uint8Array>;
+    };
     socket?: QUICSocket;
-    // This actually requires TLS
-    // You have to specify these some how
-    // We can force it
-    config: Partial<QUICConfig> & { tlsConfig: TlsConfig };
     resolveHostname?: (hostname: Hostname) => Host | PromiseLike<Host>;
     reasonToCode?: StreamReasonToCode;
     codeToReason?: StreamCodeToReason;
@@ -146,15 +146,17 @@ class QUICServer extends EventTarget {
   public async start({
     host = '::' as Host,
     port = 0 as Port,
+    reuseAddr,
   }: {
     host?: Host | Hostname;
     port?: Port;
+    reuseAddr?: boolean;
   } = {}) {
     let address: string;
     if (!this.isSocketShared) {
       address = utils.buildAddress(host, port);
       this.logger.info(`Start ${this.constructor.name} on ${address}`);
-      await this.socket.start({ host, port });
+      await this.socket.start({ host, port, reuseAddr });
       this.socket.addEventListener('error', this.handleQUICSocketError);
       address = utils.buildAddress(this.socket.host, this.socket.port);
     } else {
@@ -193,6 +195,9 @@ class QUICServer extends EventTarget {
     this.logger.info(`Stopped ${this.constructor.name} on ${address}`);
   }
 
+  /**
+   * @internal
+   */
   public async connectionNew(
     data: Buffer,
     remoteInfo: RemoteInfo,
 
@@ -72,15 +72,8 @@ class QUICSocket extends EventTarget {
       }
       return;
     }
-
-    // Apparently if it is a UDP datagram
-    // it could be a QUIC datagram, and not part of any connection
-    // However I don't know how the DCID would work in a QUIC dgram
-    // We have not explored this yet
-
     // Destination Connection ID is the ID the remote peer chose for us.
     const dcid = new QUICConnectionId(header.dcid);
-
     // Derive our SCID using HMAC signing.
     const scid = new QUICConnectionId(
       await this.crypto.ops.sign(
@@ -90,12 +83,10 @@ class QUICSocket extends EventTarget {
       0,
       quiche.MAX_CONN_ID_LEN,
     );
-
     const remoteInfo_ = {
       host: remoteInfo.address as Host,
       port: remoteInfo.port as Port,
     };
-
     // Now both must be checked
     let conn: QUICConnection;
     if (!this.connectionMap.has(dcid) && !this.connectionMap.has(scid)) {
@@ -207,10 +198,12 @@ class QUICSocket extends EventTarget {
   public async start({
     host = '::' as Host,
     port = 0 as Port,
+    reuseAddr = false,
     ipv6Only = false,
   }: {
     host?: Host | Hostname;
     port?: Port;
+    reuseAddr?: boolean;
     ipv6Only?: boolean;
   } = {}): Promise<void> {
     let address = utils.buildAddress(host, port);
@@ -223,7 +216,7 @@ class QUICSocket extends EventTarget {
     );
     this.socket = dgram.createSocket({
       type: udpType,
-      reuseAddr: false,
+      reuseAddr,
       ipv6Only,
     });
     this.socketBind = utils.promisify(this.socket.bind).bind(this.socket);
 
@@ -1,27 +1,67 @@
 import type { Config as QuicheConfig } from './native/types';
 import { quiche } from './native';
+import * as errors from './errors';
 
-// All the algos chrome supports + ed25519
-const supportedPrivateKeyAlgosDefault =
-  'ed25519:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512';
+type QUICConfig = {
+  /**
+   * Certificate authority certificate in PEM format or Uint8Array buffer
+   * containing PEM formatted certificate. Each string or Uint8Array can be
+   * one certificate or multiple certificates concatenated together. The order
+   * does not matter, each is an independent certificate authority. Multiple
+   * concatenated certificate authorities can be passed. They are all
+   * concatenated together.
+   *
+   * When this is not set, this defaults to the operating system's CA
+   * certificates. OpenSSL (and forks of OpenSSL) all support the
+   * environment variables `SSL_CERT_DIR` and `SSL_CERT_FILE`.
+   */
+  ca?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
-export type TlsConfig =
-  | {
-      certChainPem: string | null;
-      privKeyPem: string | null;
-    }
-  | {
-      certChainFromPemFile: string | null;
-      privKeyFromPemFile: string | null;
-    };
+  /**
+   * Private key as a PEM string or Uint8Array buffer containing PEM formatted
+   * key. You can pass multiple keys. The number of keys must match the number
+   * of certs. Each key must be associated to the the corresponding cert chain.
+   *
+   * Currently multiple key and certificate chains is not supported.
+   */
+  key?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
-type QUICConfig = {
-  tlsConfig: TlsConfig | undefined;
-  verifyPem: string | undefined;
-  verifyFromPemFile: string | undefined;
-  supportedPrivateKeyAlgos: string | undefined;
+  /**
+   * X.509 certificate chain in PEM format or Uint8Array buffer containing
+   * PEM formatted certificate chain. Each string or Uint8Array is a
+   * certificate chain in subject to issuer order. Multiple certificate chains
+   * can be passed. The number of certificate chains must match the number of
+   * keys. Each certificate chain must be associated to the corresponding key.
+   *
+   * Currently multiple key and certificate chains is not supported.
+   */
+  cert?: string | Array<string> | Uint8Array | Array<Uint8Array>;
+
+  /**
+   * Colon separated list of supported signature algorithms.
+   *
+   * When this is not set, this defaults to the following list:
+   * - rsa_pkcs1_sha256
+   * - rsa_pkcs1_sha384
+   * - rsa_pkcs1_sha512
+   * - rsa_pss_rsae_sha256
+   * - rsa_pss_rsae_sha384
+   * - rsa_pss_rsae_sha512
+   * - ecdsa_secp256r1_sha256
+   * - ecdsa_secp384r1_sha384
+   * - ecdsa_secp521r1_sha512
+   * - ed25519
+   */
+  sigalgs?: string;
+
+  /**
+   * Verify the other peer.
+   * Clients by default set this to true.
+   * Servers by default set this to false.
+   */
   verifyPeer: boolean;
-  logKeys: string | undefined;
+
+  logKeys?: string;
   grease: boolean;
   maxIdleTimeout: number;
   maxRecvUdpPayloadSize: number;
@@ -36,12 +76,28 @@ type QUICConfig = {
   enableEarlyData: boolean;
 };
 
+/**
+ * BoringSSL does not support:
+ * - rsa_pss_pss_sha256
+ * - rsa_pss_pss_sha384
+ * - rsa_pss_pss_sha512
+ * - ed448
+ */
+const sigalgs = [
+  'rsa_pkcs1_sha256',
+  'rsa_pkcs1_sha384',
+  'rsa_pkcs1_sha512',
+  'rsa_pss_rsae_sha256',
+  'rsa_pss_rsae_sha384',
+  'rsa_pss_rsae_sha512',
+  'ecdsa_secp256r1_sha256',
+  'ecdsa_secp384r1_sha384',
+  'ecdsa_secp521r1_sha512',
+  'ed25519',
+].join(':');
+
 const clientDefault: QUICConfig = {
-  tlsConfig: undefined,
-  verifyPem: undefined,
-  verifyFromPemFile: undefined,
-  supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
-  logKeys: undefined,
+  sigalgs,
   verifyPeer: true,
   grease: true,
   maxIdleTimeout: 5000,
@@ -53,16 +109,13 @@ const clientDefault: QUICConfig = {
   initialMaxStreamsBidi: 100,
   initialMaxStreamsUni: 100,
   disableActiveMigration: true,
+  // Test if this is needed
   applicationProtos: ['http/0.9'],
   enableEarlyData: true,
 };
 
 const serverDefault: QUICConfig = {
-  tlsConfig: undefined,
-  verifyPem: undefined,
-  verifyFromPemFile: undefined,
-  supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
-  logKeys: undefined,
+  sigalgs,
   verifyPeer: false,
   grease: true,
   maxIdleTimeout: 5000,
@@ -74,40 +127,103 @@ const serverDefault: QUICConfig = {
   initialMaxStreamsBidi: 100,
   initialMaxStreamsUni: 100,
   disableActiveMigration: true,
+  // Test if this is needed
   applicationProtos: ['http/0.9'],
   enableEarlyData: true,
 };
 
+const textDecoder = new TextDecoder('utf-8');
+const textEncoder = new TextEncoder();
+
 function buildQuicheConfig(config: QUICConfig): QuicheConfig {
-  let certChainPem: Buffer | null = null;
-  let privKeyPem: Buffer | null = null;
-  if (config.tlsConfig != null && 'certChainPem' in config.tlsConfig) {
-    if (config.tlsConfig.certChainPem != null) {
-      certChainPem = Buffer.from(config.tlsConfig.certChainPem);
+  if (config.key != null && config.cert == null) {
+    throw new errors.ErrorQUICConfig(
+      'The cert option must be set when key is set',
+    );
+  } else if (config.key == null && config.cert != null) {
+    throw new errors.ErrorQUICConfig(
+      'The key option must be set when cert is set',
+    );
+  } else if (config.key != null && config.cert != null) {
+    if (Array.isArray(config.key) && Array.isArray(config.cert)) {
+      if (config.key.length !== config.cert.length) {
+        throw new errors.ErrorQUICConfig(
+          'The number of keys must match the number of certs',
+        );
+      }
     }
-    if (config.tlsConfig.privKeyPem != null) {
-      privKeyPem = Buffer.from(config.tlsConfig.privKeyPem);
+  }
+  // This is a concatenated CA certificates in PEM format
+  let caPEMBuffer: Uint8Array | undefined;
+  if (config.ca != null) {
+    let caPEMString = '';
+    if (typeof config.ca === 'string') {
+      caPEMString = config.ca.trim() + '\n';
+    } else if (config.ca instanceof Uint8Array) {
+      caPEMString = textDecoder.decode(config.ca).trim() + '\n';
+    } else if (Array.isArray(config.ca)) {
+      for (const c of config.ca) {
+        if (typeof c === 'string') {
+          caPEMString += c.trim() + '\n';
+        } else {
+          caPEMString += textDecoder.decode(c).trim() + '\n';
+        }
+      }
     }
+    caPEMBuffer = textEncoder.encode(caPEMString);
   }
-  const quicheConfig: QuicheConfig = quiche.Config.withBoringSslCtx(
-    certChainPem,
-    privKeyPem,
-    config.supportedPrivateKeyAlgos ?? null,
-    config.verifyPem != null ? Buffer.from(config.verifyPem) : null,
-    config.verifyPeer,
-  );
-  if (config.tlsConfig != null && 'certChainFromPemFile' in config.tlsConfig) {
-    if (config.tlsConfig?.certChainFromPemFile != null) {
-      quicheConfig.loadCertChainFromPemFile(
-        config.tlsConfig.certChainFromPemFile,
-      );
+  // This is an array of private keys in PEM format
+  let keyPEMBuffers: Array<Uint8Array> | undefined;
+  if (config.key != null) {
+    const keyPEMs: Array<string> = [];
+    if (typeof config.key === 'string') {
+      keyPEMs.push(config.key.trim() + '\n');
+    } else if (config.key instanceof Uint8Array) {
+      keyPEMs.push(textDecoder.decode(config.key).trim() + '\n');
+    } else if (Array.isArray(config.key)) {
+      for (const k of config.key) {
+        if (typeof k === 'string') {
+          keyPEMs.push(k.trim() + '\n');
+        } else {
+          keyPEMs.push(textDecoder.decode(k).trim() + '\n');
+        }
+      }
     }
-    if (config.tlsConfig?.privKeyFromPemFile != null) {
-      quicheConfig.loadPrivKeyFromPemFile(config.tlsConfig.privKeyFromPemFile);
+    keyPEMBuffers = keyPEMs.map((k) => textEncoder.encode(k));
+  }
+  // This is an array of certificate chains in PEM format
+  let certChainPEMBuffers: Array<Uint8Array> | undefined;
+  if (config.cert != null) {
+    const certChainPEMs: Array<string> = [];
+    if (typeof config.cert === 'string') {
+      certChainPEMs.push(config.cert.trim() + '\n');
+    } else if (config.cert instanceof Uint8Array) {
+      certChainPEMs.push(textDecoder.decode(config.cert).trim() + '\n');
+    } else if (Array.isArray(config.cert)) {
+      for (const c of config.cert) {
+        if (typeof c === 'string') {
+          certChainPEMs.push(c.trim() + '\n');
+        } else {
+          certChainPEMs.push(textDecoder.decode(c).trim() + '\n');
+        }
+      }
     }
+    certChainPEMBuffers = certChainPEMs.map((c) => textEncoder.encode(c));
   }
-  if (config.verifyFromPemFile != null) {
-    quicheConfig.loadVerifyLocationsFromFile(config.verifyFromPemFile);
+  let quicheConfig: QuicheConfig;
+  try {
+    quicheConfig = quiche.Config.withBoringSslCtx(
+      config.verifyPeer,
+      caPEMBuffer,
+      keyPEMBuffers,
+      certChainPEMBuffers,
+      config.sigalgs,
+    );
+  } catch (e) {
+    throw new errors.ErrorQUICConfig(
+      `Failed to build Quiche config with custom SSL context: ${e.message}`,
+      { cause: e }
+    );
   }
   if (config.logKeys != null) {
     quicheConfig.logKeys();
 
@@ -4,6 +4,10 @@ class ErrorQUIC<T> extends AbstractError<T> {
   static description = 'QUIC error';
 }
 
+class ErrorQUICConfig<T> extends ErrorQUIC<T> {
+  static description = 'QUIC config error';
+}
+
 class ErrorQUICSocket<T> extends ErrorQUIC<T> {
   static description = 'QUIC Socket error';
 }
@@ -105,6 +109,7 @@ class ErrorQUICUndefinedBehaviour<T> extends ErrorQUIC<T> {
 
 export {
   ErrorQUIC,
+  ErrorQUICConfig,
   ErrorQUICSocket,
   ErrorQUICSocketNotRunning,
   ErrorQUICSocketServerDuplicate,