Add support for in-memory certificate root stores.

docs/api/QUIC_CREDENTIAL_CONFIG.md

@@ -22,6 +22,8 @@ typedef struct QUIC_CREDENTIAL_CONFIG {
     QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler; // Optional
     QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;// Optional
     const char* CaCertificateFile;                      // Optional
+    const uint8_t* CaCertificateBlob;                   // Optional
+    uint32_t CaCertificateBlobLength;                   // Optional
 } QUIC_CREDENTIAL_CONFIG;
 ```
 
@@ -159,7 +161,16 @@ Obtain the peer certificate using a faster in-process API call. Only available o
 
 `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE`
 
-Enable CA certificate file provided in the `CaCertificateFile` member.
+Enable CA certificate store file whose filename is provided in the `CaCertificateFile` member.
+This is a text file containing certificates in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` blocks.
+The file may also contain certificate revocation lists (CRLs) in `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` blocks.
+Only valid for OpenSSL.
+
+`QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB`
+
+Enable CA certificate store blob provided in memory by the `CaCertificateBlob` and `CaCertificateBlobLength` members.
+Its format is the same as used for `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE`.
+Only valid for OpenSSL.
 
 `QUIC_CREDENTIAL_FLAG_DISABLE_AIA`
 
@@ -203,10 +214,21 @@ A set of flags indicating which cipher suites are available to negotiate. Must b
 
 #### `CaCertificateFile`
 
-Optional pointer to CA certificate file that will be used when
+Optional pointer to CA certificate filename that will be used when
 validating the peer certificate. This allows the use of a private CA.
 Must be used with `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE`.
 
+#### `CaCertificateBlob`
+
+Optional pointer to CA certificate data that will be used when
+validating the peer certificate. This allows the use of a private CA.
+Must be used with `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB` and `CaCertificateBlobLength`.
+
+#### `CaCertificateBlobLength`
+
+Optional length of CA certificate data pointed to by `CaCertificateBlob`.
+Must be used with `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB` and `CaCertificateBlob`.
+
 # Remarks
 
 TODO

src/cs/lib/msquic_generated.cs

@@ -100,6 +100,7 @@ internal enum QUIC_CREDENTIAL_FLAGS
         INPROC_PEER_CERTIFICATE = 0x00080000,
         SET_CA_CERTIFICATE_FILE = 0x00100000,
         DISABLE_AIA = 0x00200000,
+        SET_CA_CERTIFICATE_BLOB = 0x00400000,
     }
 
     [System.Flags]
@@ -328,6 +329,12 @@ internal unsafe partial struct QUIC_CREDENTIAL_CONFIG
         [NativeTypeName("const char *")]
         internal sbyte* CaCertificateFile;
 
+        [NativeTypeName("const uint8_t *")]
+        internal byte* CaCertificateBlob;
+
+        [NativeTypeName("uint32_t")]
+        internal uint CaCertificateBlobLength;
+
         internal ref QUIC_CERTIFICATE_HASH* CertificateHash
         {
             get

src/inc/msquic.h

@@ -147,6 +147,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
     QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE                = 0x00080000, // Schannel only
     QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE                = 0x00100000, // OpenSSL only currently
     QUIC_CREDENTIAL_FLAG_DISABLE_AIA                            = 0x00200000, // Schannel only currently
+    QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB                = 0x00400000, // OpenSSL only currently
 } QUIC_CREDENTIAL_FLAGS;
 
 DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)
@@ -416,6 +417,8 @@ typedef struct QUIC_CREDENTIAL_CONFIG {
     QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler; // Optional
     QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;// Optional
     const char* CaCertificateFile;                      // Optional
+    const uint8_t* CaCertificateBlob;                   // Optional
+    uint32_t CaCertificateBlobLength;                   // Optional
 } QUIC_CREDENTIAL_CONFIG;
 
 //

src/platform/tls_openssl.c

@@ -2135,20 +2135,125 @@ CxPlatTlsSecConfigCreate(
         }
     }
 
-    if (CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE &&
+    if ((CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE) &&
         CredConfig->CaCertificateFile) {
+        X509_STORE* CertStore = SSL_CTX_get_cert_store(SecurityConfig->SSLCtx);
+        if (CertStore == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "SSL_CTX_get_cert_store failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto Exit;
+        }
+
         Ret =
-            SSL_CTX_load_verify_locations(
-                SecurityConfig->SSLCtx,
-                CredConfig->CaCertificateFile,
-                NULL);
+            X509_STORE_load_file(
+                CertStore,
+                CredConfig->CaCertificateFile);
         if (Ret != 1) {
             QuicTraceEvent(
                 LibraryErrorStatus,
                 "[ lib] ERROR, %u, %s.",
                 ERR_get_error(),
-                "SSL_CTX_load_verify_locations failed");
+                "X509_STORE_load_file failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto Exit;
+        }
+    }
+
+    if (CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB &&
+        CredConfig->CaCertificateBlob) {
+        X509_STORE* CertStore = NULL;
+        BIO* CertBio = NULL;
+        STACK_OF(X509_INFO)* CertStack = NULL;
+
+        Status = QUIC_STATUS_TLS_ERROR;
+
+        // BIO_new_mem_buf() takes 'int' length
+        if (CredConfig->CaCertificateBlobLength > (unsigned)INT_MAX) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "CaCertificateBlobLength too large");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertStore = SSL_CTX_get_cert_store(SecurityConfig->SSLCtx);
+        if (CertStore == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "SSL_CTX_get_cert_store failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertBio = BIO_new_mem_buf(CredConfig->CaCertificateBlob, (int)CredConfig->CaCertificateBlobLength);
+        if (CertBio == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "BIO_new_mem_buf failed");
             Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertStack = PEM_X509_INFO_read_bio(CertBio, NULL, NULL, NULL);
+        if (!CertStack) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "PEM_X509_INFO_read_bio failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        for (int i = 0, max = sk_X509_INFO_num(CertStack); i < max; i++) {
+            X509_INFO* CertInfo = sk_X509_INFO_value(CertStack, i);
+            if (CertInfo->x509) {
+                Ret = X509_STORE_add_cert(CertStore, CertInfo->x509);
+                if (!Ret) {
+                    QuicTraceEvent(
+                        LibraryErrorStatus,
+                        "[ lib] ERROR, %u, %s.",
+                        ERR_get_error(),
+                        "X509_STORE_add_cert failed");
+                    Status = QUIC_STATUS_TLS_ERROR;
+                    goto BlobExit;
+                }
+            }
+            if (CertInfo->crl) {
+                Ret = X509_STORE_add_crl(CertStore, CertInfo->crl);
+                if (!Ret) {
+                    QuicTraceEvent(
+                        LibraryErrorStatus,
+                        "[ lib] ERROR, %u, %s.",
+                        ERR_get_error(),
+                        "X509_STORE_add_crl failed");
+                    Status = QUIC_STATUS_TLS_ERROR;
+                    goto BlobExit;
+                }
+            }
+        }
+
+        Status = QUIC_STATUS_SUCCESS;
+
+    BlobExit:
+        if (CertStack != NULL) {
+            sk_X509_INFO_pop_free(CertStack, X509_INFO_free);
+        }
+        if (CertBio != NULL) {
+            BIO_free(CertBio);
+        }
+
+        if (!QUIC_SUCCEEDED(Status)) {
             goto Exit;
         }
     }

src/platform/tls_quictls.c

@@ -1484,20 +1484,125 @@ CxPlatTlsSecConfigCreate(
         }
     }
 
-    if (CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE &&
+    if ((CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE) &&
         CredConfig->CaCertificateFile) {
+        X509_STORE* CertStore = SSL_CTX_get_cert_store(SecurityConfig->SSLCtx);
+        if (CertStore == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "SSL_CTX_get_cert_store failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto Exit;
+        }
+
         Ret =
-            SSL_CTX_load_verify_locations(
-                SecurityConfig->SSLCtx,
-                CredConfig->CaCertificateFile,
-                NULL);
+            X509_STORE_load_file(
+                CertStore,
+                CredConfig->CaCertificateFile);
         if (Ret != 1) {
             QuicTraceEvent(
                 LibraryErrorStatus,
                 "[ lib] ERROR, %u, %s.",
                 ERR_get_error(),
-                "SSL_CTX_load_verify_locations failed");
+                "X509_STORE_load_file failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto Exit;
+        }
+    }
+
+    if (CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB &&
+        CredConfig->CaCertificateBlob) {
+        X509_STORE* CertStore = NULL;
+        BIO* CertBio = NULL;
+        STACK_OF(X509_INFO)* CertStack = NULL;
+
+        Status = QUIC_STATUS_TLS_ERROR;
+
+        // BIO_new_mem_buf() takes 'int' length
+        if (CredConfig->CaCertificateBlobLength > (unsigned)INT_MAX) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "CaCertificateBlobLength too large");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertStore = SSL_CTX_get_cert_store(SecurityConfig->SSLCtx);
+        if (CertStore == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "SSL_CTX_get_cert_store failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertBio = BIO_new_mem_buf(CredConfig->CaCertificateBlob, (int)CredConfig->CaCertificateBlobLength);
+        if (CertBio == NULL) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "BIO_new_mem_buf failed");
             Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        CertStack = PEM_X509_INFO_read_bio(CertBio, NULL, NULL, NULL);
+        if (!CertStack) {
+            QuicTraceEvent(
+                LibraryErrorStatus,
+                "[ lib] ERROR, %u, %s.",
+                ERR_get_error(),
+                "PEM_X509_INFO_read_bio failed");
+            Status = QUIC_STATUS_TLS_ERROR;
+            goto BlobExit;
+        }
+
+        for (int i = 0, max = sk_X509_INFO_num(CertStack); i < max; i++) {
+            X509_INFO* CertInfo = sk_X509_INFO_value(CertStack, i);
+            if (CertInfo->x509) {
+                Ret = X509_STORE_add_cert(CertStore, CertInfo->x509);
+                if (!Ret) {
+                    QuicTraceEvent(
+                        LibraryErrorStatus,
+                        "[ lib] ERROR, %u, %s.",
+                        ERR_get_error(),
+                        "X509_STORE_add_cert failed");
+                    Status = QUIC_STATUS_TLS_ERROR;
+                    goto BlobExit;
+                }
+            }
+            if (CertInfo->crl) {
+                Ret = X509_STORE_add_crl(CertStore, CertInfo->crl);
+                if (!Ret) {
+                    QuicTraceEvent(
+                        LibraryErrorStatus,
+                        "[ lib] ERROR, %u, %s.",
+                        ERR_get_error(),
+                        "X509_STORE_add_crl failed");
+                    Status = QUIC_STATUS_TLS_ERROR;
+                    goto BlobExit;
+                }
+            }
+        }
+
+        Status = QUIC_STATUS_SUCCESS;
+
+    BlobExit:
+        if (CertStack != NULL) {
+            sk_X509_INFO_pop_free(CertStack, X509_INFO_free);
+        }
+        if (CertBio != NULL) {
+            BIO_free(CertBio);
+        }
+
+        if (!QUIC_SUCCEEDED(Status)) {
             goto Exit;
         }
     }

src/platform/tls_schannel.c

@@ -1008,7 +1008,8 @@ CxPlatTlsSecConfigCreate(
         return QUIC_STATUS_INVALID_PARAMETER;
     }
 
-    if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE) {
+    if ((CredConfig->Flags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE) ||
+        (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_BLOB)) {
         return QUIC_STATUS_NOT_SUPPORTED;
     }