Wire webtransport-hashes concept down to obtain a connection

Author: jan-ivar

fetch.bs

@@ -2246,8 +2246,11 @@ Unless stated otherwise, it is false.
 <p class=note>This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
 <p>A <a for=/>request</a> has an associated <dfn export for=request
-id=concept-request-webtransport-hashes>webtransport-hashes</dfn> (a
-<a for=/>list</a> of [=webtransport-hash=] items). Unless stated otherwise it is « ».
+id=concept-request-webtransport-hash-list>webtransport-hash list</dfn> (a
+<a for=/>webtransport-hash list</a>). Unless stated otherwise it is « ».
+
+<p>A <dfn export id=concept-webtransport-hash-list>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
+<a for=/>webtransport-hashes</a>. It is initially « ».
 
 <p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a
 <a for=/>tuple</a> that consists of
@@ -3014,16 +3017,18 @@ steps:
 <p>To <dfn export id=concept-connection-obtain>obtain a connection</dfn>, given a
 <a>network partition key</a> <var>key</var>, <a for=/>URL</a> <var>url</var>, boolean
 <var>credentials</var>, an optional <a>new connection setting</a> <var>new</var> (default
-"<code>no</code>"), and an optional boolean
-<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false), run these
+"<code>no</code>"), an optional boolean
+<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false),
+and an optional <a for=/>webtransport-hash list</a> <var>webTransportHashes</var> (default []), run these
 steps:
-<!-- new's "yes-and-dedicated" and requireUnreliable have been added for WebTransport -->
+<!-- new's "yes-and-dedicated", requireUnreliable and webTransportHashes have been added for WebTransport -->
 
 <ol>
  <li>
   <p>If <var>new</var> is "<code>no</code>", then:
 
   <ol>
+   <li><p><a for=/>Assert</a>: <var>webTransportHashes</var> is empty.
    <li><p>Let <var>connections</var> be a set of <a>connections</a> in the user agent's
    <a>connection pool</a> whose <a for=connection>key</a> is <var>key</var>,
    <a for=connection>origin</a> is <var>url</var>'s <a for=url>origin</a>, and
@@ -3071,7 +3076,8 @@ steps:
     <p>Let <var>connection</var> be the result of running this step: run <a>create a connection</a>
     given <var>key</var>, <var>url</var>'s <a for=url>origin</a>, <var>credentials</var>,
     <var>proxy</var>, an <a>implementation-defined</a> <a for=/>host</a> from <var>hosts</var>,
-    <var>timingInfo</var>, and <var>requireUnreliable</var> an <a>implementation-defined</a> number
+    <var>timingInfo</var>, <var>requireUnreliable</var> and <var>webTransportHashes</var>
+    an <a>implementation-defined</a> number
     of times, <a>in parallel</a> from each other, and wait for at least 1 to return a value. In an
     <a>implementation-defined</a> manner, select a value to return from the returned values and
     return it. Any other returned values that are <a>connections</a> may be closed.
@@ -3105,8 +3111,9 @@ reused across <a>connections</a> whose <a for=connection>credentials</a> are fal
 <div algorithm>
 <p>To <dfn>create a connection</dfn>, given a <a for=/>network partition key</a> <var>key</var>,
 <a for=/>origin</a> <var>origin</var>, boolean <var>credentials</var>, string <var>proxy</var>,
-<a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>, and
-boolean <var>requireUnreliable</var>, run these steps:
+<a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>,
+boolean <var>requireUnreliable</var> and a <a for=/>webtransport-hash list</a>
+<var>webTransportHashes</var>, run these steps:
 
 <ol>
  <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">connection start time</a> to the
@@ -3133,6 +3140,12 @@ boolean <var>requireUnreliable</var>, run these steps:
 
    <li><p>If <var>credentials</var> is false, then do not send a TLS client certificate.
 
+   <li><p>If <var>webTransportHashes</var> [=set/is empty|is not empty=], instead of using the
+     default certificate verification algorithm, consider the server certificate valid if it
+     meets the [=custom certificate requirements=] and if
+     [=verify a certificate hash|verifying the certificate hash=] against |webTransportHashes|
+     returns true. If either condition is not met, then return failure.
+
    <li><p>If establishing a connection does not succeed (e.g., a UDP, TCP, or TLS error), then
    return failure.
   </ul>