WIP

Author: CMCDragonkai

src/config.ts

@@ -21,6 +21,8 @@ type QUICConfig = {
    * Private key as a PEM string or Uint8Array buffer containing PEM formatted
    * key. You can pass multiple keys. The number of keys must match the number
    * of certs. Each key must be associated to the the corresponding cert chain.
+   *
+   * Currently multiple key and certificate chains is not supported.
    */
   key?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
@@ -30,6 +32,8 @@ type QUICConfig = {
    * certificate chain in subject to issuer order. Multiple certificate chains
    * can be passed. The number of certificate chains must match the number of
    * keys. Each certificate chain must be associated to the corresponding key.
+   *
+   * Currently multiple key and certificate chains is not supported.
    */
   cert?: string | Array<string> | Uint8Array | Array<Uint8Array>;
 
@@ -43,19 +47,21 @@ type QUICConfig = {
    * - rsa_pss_rsae_sha256
    * - rsa_pss_rsae_sha384
    * - rsa_pss_rsae_sha512
-   * - rsa_pss_pss_sha256
-   * - rsa_pss_pss_sha384
-   * - rsa_pss_pss_sha512
    * - ecdsa_secp256r1_sha256
    * - ecdsa_secp384r1_sha384
    * - ecdsa_secp521r1_sha512
    * - ed25519
-   * - ed448
    */
   sigalgs?: string;
 
+  /**
+   * Verify the other peer.
+   * Clients by default set this to true.
+   * Servers by default set this to false.
+   */
   verifyPeer: boolean;
-  logKeys: string | undefined;
+
+  logKeys?: string;
   grease: boolean;
   maxIdleTimeout: number;
   maxRecvUdpPayloadSize: number;
@@ -70,29 +76,28 @@ type QUICConfig = {
   enableEarlyData: boolean;
 };
 
+/**
+ * BoringSSL does not support:
+ * - rsa_pss_pss_sha256
+ * - rsa_pss_pss_sha384
+ * - rsa_pss_pss_sha512
+ * - ed448
+ */
 const sigalgs = [
   'rsa_pkcs1_sha256',
   'rsa_pkcs1_sha384',
   'rsa_pkcs1_sha512',
   'rsa_pss_rsae_sha256',
   'rsa_pss_rsae_sha384',
   'rsa_pss_rsae_sha512',
-  'rsa_pss_pss_sha256',
-  'rsa_pss_pss_sha384',
-  'rsa_pss_pss_sha512',
   'ecdsa_secp256r1_sha256',
   'ecdsa_secp384r1_sha384',
   'ecdsa_secp521r1_sha512',
   'ed25519',
-  'ed448',
 ].join(':');
 
 const clientDefault: QUICConfig = {
-  ca: undefined,
-  key: undefined,
-  cert: undefined,
   sigalgs,
-  logKeys: undefined,
   verifyPeer: true,
   grease: true,
   maxIdleTimeout: 5000,
@@ -104,16 +109,13 @@ const clientDefault: QUICConfig = {
   initialMaxStreamsBidi: 100,
   initialMaxStreamsUni: 100,
   disableActiveMigration: true,
+  // Test if this is needed
   applicationProtos: ['http/0.9'],
   enableEarlyData: true,
 };
 
 const serverDefault: QUICConfig = {
-  ca: undefined,
-  key: undefined,
-  cert: undefined,
   sigalgs,
-  logKeys: undefined,
   verifyPeer: false,
   grease: true,
   maxIdleTimeout: 5000,
@@ -125,6 +127,7 @@ const serverDefault: QUICConfig = {
   initialMaxStreamsBidi: 100,
   initialMaxStreamsUni: 100,
   disableActiveMigration: true,
+  // Test if this is needed
   applicationProtos: ['http/0.9'],
   enableEarlyData: true,
 };
@@ -207,13 +210,21 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
     }
     certChainPEMBuffers = certChainPEMs.map((c) => textEncoder.encode(c));
   }
-  const quicheConfig: QuicheConfig = quiche.Config.withBoringSslCtx(
-    config.verifyPeer,
-    caPEMBuffer,
-    keyPEMBuffers,
-    certChainPEMBuffers,
-    config.sigalgs,
-  );
+  let quicheConfig: QuicheConfig;
+  try {
+    quicheConfig = quiche.Config.withBoringSslCtx(
+      config.verifyPeer,
+      caPEMBuffer,
+      keyPEMBuffers,
+      certChainPEMBuffers,
+      config.sigalgs,
+    );
+  } catch (e) {
+    throw new errors.ErrorQUICConfig(
+      `Failed to build Quiche config with custom SSL context: ${e.message}`,
+      { cause: e }
+    );
+  }
   if (config.logKeys != null) {
     quicheConfig.logKeys();
   }

src/native/napi/config.rs

@@ -90,35 +90,34 @@ impl Config {
         )?;
     }
     // Setup all certificates and keys
-    // The below may not actually work
-    // We assume we can just use certificate and add them to it
-    // However this may not be possible
     if let (Some(key), Some(cert)) = (key, cert) {
-      for (k, c) in key.iter().zip(cert.iter()) {
-        let private_key = boring::pkey::PKey::private_key_from_pem(&k)
-          .or_else(
-          |err| Err(Error::from_reason(err.to_string()))
-        )?;
-        ssl_ctx_builder.set_private_key(&private_key).or_else(
-          |e| Err(napi::Error::from_reason(e.to_string()))
-        )?;
-        let x509_cert_chain = boring::x509::X509::stack_from_pem(
-          &c.to_vec()
-        ).or_else(
-          |err| Err(napi::Error::from_reason(err.to_string()))
-        )?;
-        for (i, cert) in x509_cert_chain.iter().enumerate() {
-          if i == 0 {
-            ssl_ctx_builder.set_certificate(cert,).or_else(
-              |err| Err(Error::from_reason(err.to_string()))
-            )?;
-          } else {
-            ssl_ctx_builder.add_extra_chain_cert(
-              cert.clone(),
-            ).or_else(
-              |err| Err(Error::from_reason(err.to_string()))
-            )?;
-          }
+      // Right now the boring crate does not provide a straight forward way of
+      // setting multiple independent certificate chains. So we are just picking
+      // the first key and cert pair.
+      let (k, c) = (key[0].to_vec(), cert[0].to_vec());
+      let private_key = boring::pkey::PKey::private_key_from_pem(&k)
+        .or_else(
+        |err| Err(Error::from_reason(err.to_string()))
+      )?;
+      ssl_ctx_builder.set_private_key(&private_key).or_else(
+        |e| Err(napi::Error::from_reason(e.to_string()))
+      )?;
+      let x509_cert_chain = boring::x509::X509::stack_from_pem(
+        &c
+      ).or_else(
+        |err| Err(napi::Error::from_reason(err.to_string()))
+      )?;
+      for (i, cert) in x509_cert_chain.iter().enumerate() {
+        if i == 0 {
+          ssl_ctx_builder.set_certificate(cert,).or_else(
+            |err| Err(Error::from_reason(err.to_string()))
+          )?;
+        } else {
+          ssl_ctx_builder.add_extra_chain_cert(
+            cert.clone(),
+          ).or_else(
+            |err| Err(Error::from_reason(err.to_string()))
+          )?;
         }
       }
     }

tests/QUICServer.test.ts

@@ -56,7 +56,7 @@ describe(QUICServer.name, () => {
       issuerPrivateKey: keyPairRSA.privateKey,
       duration: 60 * 60 * 24 * 365 * 10,
     });
-    keyPairRSAPEM = await testsUtils.keyPairRSAtoPEM(keyPairRSA);
+    keyPairRSAPEM = await testsUtils.keyPairRSAToPEM(keyPairRSA);
     certRSAPEM = testsUtils.certToPEM(certRSA);
     keyPairECDSA = await testsUtils.generateKeyPairECDSA();
     certECDSA = await testsUtils.generateCertificate({
@@ -65,7 +65,7 @@ describe(QUICServer.name, () => {
       issuerPrivateKey: keyPairECDSA.privateKey,
       duration: 60 * 60 * 24 * 365 * 10,
     });
-    keyPairECDSAPEM = await testsUtils.keyPairECDSAtoPEM(keyPairECDSA);
+    keyPairECDSAPEM = await testsUtils.keyPairECDSAToPEM(keyPairECDSA);
     certECDSAPEM = testsUtils.certToPEM(certECDSA);
     keyPairEd25519 = await testsUtils.generateKeyPairEd25519();
     certEd25519 = await testsUtils.generateCertificate({