feat: added verifyCallback and verifyAllowFail

[ci skip]

Author: tegefaulkes

src/QUICClient.ts

@@ -1,6 +1,6 @@
 import type { PromiseCancellable } from '@matrixai/async-cancellable';
 import type { ContextTimed } from '@matrixai/contexts';
-import type { ClientCrypto, Host, Hostname, Port } from './types';
+import type { ClientCrypto, Host, Hostname, Port, VerifyCallback } from './types';
 import type { Config } from './native/types';
 import type QUICConnectionMap from './QUICConnectionMap';
 import type {
@@ -79,6 +79,7 @@ class QUICClient extends EventTarget {
       resolveHostname?: (hostname: Hostname) => Host | PromiseLike<Host>;
       reasonToCode?: StreamReasonToCode;
       codeToReason?: StreamCodeToReason;
+      verifyCallback?: VerifyCallback;
       logger?: Logger;
     },
     ctx?: Partial<ContextTimed>,
@@ -96,6 +97,7 @@ class QUICClient extends EventTarget {
       resolveHostname = utils.resolveHostname,
       reasonToCode,
       codeToReason,
+      verifyCallback,
       logger = new Logger(`${this.name}`),
     }: {
       host: Host | Hostname;
@@ -112,6 +114,7 @@ class QUICClient extends EventTarget {
       resolveHostname?: (hostname: Hostname) => Host | PromiseLike<Host>;
       reasonToCode?: StreamReasonToCode;
       codeToReason?: StreamCodeToReason;
+      verifyCallback?: VerifyCallback;
       logger?: Logger;
     },
     @context ctx: ContextTimed,
@@ -199,6 +202,7 @@ class QUICClient extends EventTarget {
       config: quicConfig,
       reasonToCode,
       codeToReason,
+      verifyCallback,
       logger: logger.getChild(
         `${QUICConnection.name} ${scid.toString().slice(32)}`,
       ),

src/QUICConnection.ts

@@ -25,6 +25,9 @@ import * as utils from './utils';
 import * as errors from './errors';
 import { never } from './utils';
 
+// FIXME
+type VerifyCallback = (certs: Array<string>) => void;
+
 /**
  * Think of this as equivalent to `net.Socket`.
  * Errors here are emitted to the connection only.
@@ -199,6 +202,7 @@ class QUICConnection extends EventTarget {
   protected shortSent = false;
   protected secured = false;
   protected count = 0;
+  protected verifyCallback: VerifyCallback | undefined;
 
   public constructor({
     type,
@@ -209,6 +213,7 @@ class QUICConnection extends EventTarget {
     socket,
     reasonToCode = () => 0,
     codeToReason = (type, code) => new Error(`${type} ${code}`),
+    verifyCallback,
     logger,
   }:
     | {
@@ -220,6 +225,7 @@ class QUICConnection extends EventTarget {
         socket: QUICSocket;
         reasonToCode?: StreamReasonToCode;
         codeToReason?: StreamCodeToReason;
+        verifyCallback?: VerifyCallback;
         logger?: Logger;
       }
     | {
@@ -231,6 +237,7 @@ class QUICConnection extends EventTarget {
         socket: QUICSocket;
         reasonToCode?: StreamReasonToCode;
         codeToReason?: StreamCodeToReason;
+        verifyCallback?: VerifyCallback;
         logger?: Logger;
       }) {
     super();
@@ -281,6 +288,7 @@ class QUICConnection extends EventTarget {
     this.config = config;
     this.reasonToCode = reasonToCode;
     this.codeToReason = codeToReason;
+    this.verifyCallback = verifyCallback;
     this._remoteHost = remoteInfo.host;
     this._remotePort = remoteInfo.port;
     const {
@@ -755,7 +763,7 @@ class QUICConnection extends EventTarget {
         // Dispatching certs available event
         // this.dispatchEvent(new events.QUICConnectionRemoteCertEvent()); TODO
         try {
-          // if (this.verifyCallback != null) this.verifyCallback(peerCertsPem); TODO
+          if (this.verifyCallback != null) this.verifyCallback(peerCertsPem);
           this.conn.sendAckEliciting();
         } catch (e) {
           // Force the connection to end.

src/QUICServer.ts

@@ -6,7 +6,7 @@ import type {
   StreamCodeToReason,
   StreamReasonToCode,
   QUICConfig,
-  ServerCrypto,
+  ServerCrypto, VerifyCallback
 } from './types';
 import type { Header } from './native/types';
 import type QUICConnectionMap from './QUICConnectionMap';
@@ -51,6 +51,7 @@ class QUICServer extends EventTarget {
   protected socket: QUICSocket;
   protected reasonToCode: StreamReasonToCode | undefined;
   protected codeToReason: StreamCodeToReason | undefined;
+  protected verifyCallback: VerifyCallback | undefined;
   protected connectionMap: QUICConnectionMap;
 
   protected handleQUICSocketEvents = (e: events.QUICSocketEvent) => {
@@ -77,6 +78,7 @@ class QUICServer extends EventTarget {
     resolveHostname = utils.resolveHostname,
     reasonToCode,
     codeToReason,
+    verifyCallback,
     logger,
   }: {
     crypto: {
@@ -98,6 +100,7 @@ class QUICServer extends EventTarget {
     resolveHostname?: (hostname: Hostname) => Host | PromiseLike<Host>;
     reasonToCode?: StreamReasonToCode;
     codeToReason?: StreamCodeToReason;
+    verifyCallback?: VerifyCallback;
     logger?: Logger;
   }) {
     super();
@@ -124,6 +127,7 @@ class QUICServer extends EventTarget {
     this.config = quicConfig;
     this.reasonToCode = reasonToCode;
     this.codeToReason = codeToReason;
+    this.verifyCallback = verifyCallback;
   }
 
   @ready(new errors.ErrorQUICServerNotRunning())
@@ -336,6 +340,7 @@ class QUICServer extends EventTarget {
       config: this.config,
       reasonToCode: this.reasonToCode,
       codeToReason: this.codeToReason,
+      verifyCallback: this.verifyCallback,
       logger: this.logger.getChild(
         `${QUICConnection.name} ${scid.toString().slice(32)}-${clientConnRef}`,
       ),

src/config.ts

@@ -26,6 +26,7 @@ const sigalgs = [
 const clientDefault: QUICConfig = {
   sigalgs,
   verifyPeer: true,
+  verifyAllowFail: false,
   grease: true,
   maxIdleTimeout: 0,
   maxRecvUdpPayloadSize: quiche.MAX_DATAGRAM_SIZE, // 65527
@@ -45,6 +46,7 @@ const clientDefault: QUICConfig = {
 const serverDefault: QUICConfig = {
   sigalgs,
   verifyPeer: false,
+  verifyAllowFail: false,
   grease: true,
   maxIdleTimeout: 0,
   maxRecvUdpPayloadSize: quiche.MAX_DATAGRAM_SIZE, // 65527
@@ -148,6 +150,7 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
   try {
     quicheConfig = quiche.Config.withBoringSslCtx(
       config.verifyPeer,
+      config.verifyAllowFail,
       caPEMBuffer,
       keyPEMBuffers,
       certChainPEMBuffers,

src/native/napi/config.rs

@@ -50,6 +50,7 @@ impl Config {
   #[napi(factory)]
   pub fn with_boring_ssl_ctx(
     verify_peer: bool,
+    verify_allow_fail: bool,
     ca: Option<Uint8Array>,
     key: Option<Vec<Uint8Array>>,
     cert: Option<Vec<Uint8Array>>,
@@ -65,7 +66,15 @@ impl Config {
     } else {
       boring::ssl::SslVerifyMode::NONE
     };
-    ssl_ctx_builder.set_verify(verify_value);
+    ssl_ctx_builder.set_verify_callback(verify_value, move |pre_verify, _| {
+      // Override any validation errors, this is needed so we can request certs but validate them
+      //  manually.
+      if verify_allow_fail {
+        true
+      } else {
+        pre_verify
+      }
+    });
     // Setup all CA certificates
     if let Some(ca) = ca {
       let mut x509_store_builder = boring::x509::store::X509StoreBuilder::new()

src/native/types.ts

@@ -45,6 +45,7 @@ interface ConfigConstructor {
   new (): Config;
   withBoringSslCtx(
     verifyPeer: boolean,
+    verifyAllowFail: boolean,
     ca?: Uint8Array | undefined | null,
     key?: Array<Uint8Array> | undefined | null,
     cert?: Array<Uint8Array> | undefined | null,

src/types.ts

@@ -168,9 +168,17 @@ type QUICConfig = {
    * Verify the other peer.
    * Clients by default set this to true.
    * Servers by default set this to false.
+   * Servers will not request peer certs unless this is true.
+   * Server certs are always sent
    */
   verifyPeer: boolean;
 
+  /**
+   * Will allow unsecure TLS certs, allowing for certs to be requested
+   * but the verification result is ignored.
+   */
+  verifyAllowFail: boolean;
+
   /**
    * Enables the logging of secret keys to a file path.
    * Use this with wireshark to decrypt the QUIC packets for debugging.
@@ -299,6 +307,8 @@ type QUICConfig = {
   enableEarlyData: boolean;
 };
 
+type VerifyCallback = (certs: Array<string>) => void;
+
 export type {
   Opaque,
   Callback,
@@ -320,4 +330,5 @@ export type {
   QUICConfig,
   ContextCancellable,
   ContextTimed,
+  VerifyCallback,
 };