Support for custom cert validation

[ggwpez]

Hey I needed a way to inspect a cert before accepting a connection and implemented it on this fork by adding four things:

• Always include QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED and QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION into the CredConfig returned by parse_verify_options.
• Send an event ATOM_PEER_CERT_RECEIVED to the connection owner in handle_connection_event_peer_certificate_received to notify them of a received cert.
• Added function complete_cert_validation2(conn, bool) to accept / reject an inbound cert.
• Changed handle_connection_event_peer_certificate_received to return QUIC_STATUS_PENDING instead of success.

This makes it possible to asynchronously inspect a cert and accept or reject it before the connection is established (possibly also interesting for @danicuki).

Do you think this is generally the right direction? The parse_verify_options would probably need to have some arguments changed to make it possible to indicate the custom cert checking instead of always enabling it. And I would do some other cleanups.

[qzhuyan]

Great! thanks! Yes I think it is right direction! PR is welcomed!

just some thoughts listed below:

• Always include QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED and QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION into the CredConfig returned by parse_verify_options.

YES, we could do that now but perfer to make it configurable later
(to set QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED).

• Send an event ATOM_PEER_CERT_RECEIVED to the connection owner in handle_connection_event_peer_certificate_received to notify them of a received cert.

YES.
About the cert itself, it is unnecessary be included in the message, we already store it in the c_ctx->peer_cert, we could use quicer:peercert/1 to read it because there is usecase if when the system is overloaded we could close it directly.
if you want to include the peer cert in the message, pls make it configurable.

• Added function complete_cert_validation2(conn, bool) to accept / reject an inbound cert.

YES

• Changed handle_connection_event_peer_certificate_received to return QUIC_STATUS_PENDING instead of success.

YES.
I think we still need to conditionally return QUIC_STATUS_PENDING or QUIC_STATUS_SUCCESS for different usecases.

This makes it possible to asynchronously inspect a cert and accept or reject it before the connection is established (possibly also interesting for @danicuki).

Do you think this is generally the right direction? The parse_verify_options would probably need to have some arguments changed to make it possible to indicate the custom cert checking instead of always enabling it. And I would do some other cleanups.