feat: load ca certs from memory

* Fixed up tests to work with the ca certs.
* Polykey generated certs now work with CA.

* Related #9

[ci skip]

index.d.ts

@@ -132,7 +132,7 @@ export function retry(scid: Uint8Array, dcid: Uint8Array, newScid: Uint8Array, t
 export function versionIsSupported(version: number): boolean
 export class Config {
   constructor()
-  static withBoringSslCtx(certPem?: Uint8Array | undefined | null, keyPem?: Uint8Array | undefined | null, supportedKeyAlgos?: string | undefined | null): Config
+  static withBoringSslCtx(certPem?: Uint8Array | undefined | null, keyPem?: Uint8Array | undefined | null, supportedKeyAlgos?: string | undefined | null, caCertPem?: Uint8Array | undefined | null): Config
   loadCertChainFromPemFile(file: string): void
   loadPrivKeyFromPemFile(file: string): void
   loadVerifyLocationsFromFile(file: string): void

src/QUICConnection.ts

@@ -265,6 +265,8 @@ class QUICConnection extends EventTarget {
     } = {}
   ) {
     this.logger.info(`Destroy ${this.constructor.name}`);
+    console.log(this.conn.localError())
+    console.log(this.conn.peerError())
     for (const stream of this.streamMap.values())  {
       await stream.destroy();
     }

src/config.ts

@@ -15,6 +15,7 @@ export type TlsConfig = {
 
 type QUICConfig = {
   tlsConfig: TlsConfig | undefined;
+  verifyPem: string | undefined;
   verifyFromPemFile: string | undefined;
   supportedPrivateKeyAlgos: string | undefined;
   verifyPeer: boolean;
@@ -35,6 +36,7 @@ type QUICConfig = {
 
 const clientDefault: QUICConfig = {
   tlsConfig: undefined,
+  verifyPem: undefined,
   verifyFromPemFile: undefined,
   supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
   logKeys: undefined,
@@ -61,6 +63,7 @@ const clientDefault: QUICConfig = {
 
 const serverDefault: QUICConfig = {
   tlsConfig: undefined,
+  verifyPem: undefined,
   verifyFromPemFile: undefined,
   supportedPrivateKeyAlgos: supportedPrivateKeyAlgosDefault,
   logKeys: undefined,
@@ -96,6 +99,7 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
     certChainPem,
     privKeyPem,
     config.supportedPrivateKeyAlgos ?? null,
+    config.verifyPem != null ? Buffer.from(config.verifyPem) : null,
   );
   if (config.tlsConfig != null && 'certChainFromPemFile' in config.tlsConfig) {
     if (config.tlsConfig?.certChainFromPemFile != null) {

src/native/napi/config.rs

@@ -51,6 +51,7 @@ impl Config {
     cert_pem: Option<Uint8Array>,
     key_pem: Option<Uint8Array>,
     supported_key_algos: Option<String>,
+    ca_cert_pem: Option<Uint8Array>,
   ) -> Result<Self> {
     let mut ssl_ctx_builder = boring::ssl::SslContextBuilder::new(
       boring::ssl::SslMethod::tls(),
@@ -98,6 +99,29 @@ impl Config {
           |err| Err(Error::from_reason(err.to_string()))
         )?;
     }
+    // Processing CA certificate
+    if let Some(ca_cert_pem) = ca_cert_pem {
+      let x509_certs = boring::x509::X509::stack_from_pem(
+        &ca_cert_pem.to_vec()
+      ).or_else(
+        |err| Err(Error::from_reason(err.to_string()))
+      )?;
+      let mut x509_store_builder = boring::x509::store::X509StoreBuilder::new()
+        .or_else(
+          |err| Err(Error::from_reason(err.to_string()))
+        )?;
+      for x509 in x509_certs.into_iter() {
+        x509_store_builder.add_cert(x509)
+          .or_else(
+            |err| Err(Error::from_reason(err.to_string()))
+          )?;
+      }
+      let x509_store = x509_store_builder.build();
+      ssl_ctx_builder.set_verify_cert_store(x509_store)
+        .or_else(
+          |err| Err(Error::from_reason(err.to_string()))
+        )?;
+    }
     let ssl_ctx= ssl_ctx_builder.build();
     let config = quiche::Config::with_boring_ssl_ctx(
       quiche::PROTOCOL_VERSION,

src/native/types.ts

@@ -43,6 +43,7 @@ interface ConfigConstructor {
     certPem: Uint8Array | null,
     keyPem: Uint8Array | null,
     supportedKeyAlgos: String | null,
+    ca_cert_pem: Uint8Array | null,
   ): Config;
 };