Support for multiple server certificates

[Techwolfy]

Describe the feature you'd like supported

Currently MsQuic only supports a single QUIC_CERTIFICATE_HASH_STORE in QUIC_CREDENTIAL_CONFIG, so servers cannot offer both RSA-based and ECDSA-based ciphers. As certificate protocols evolve it would be useful to support multiple types of certificates simultaneously.

Proposed solution

QUIC_CREDENTIAL_CONFIG.CertificateHashStore is already a pointer type. Either accept an array length via the Reserved parameter, or create a new QUIC_CERTIFICATE_MULTI_HASH_STORE type to handle an array of hash store objects.

Additional context

No response

[nibanks]

How does Schannel/OpenSSL expose/support this?

[Techwolfy]

Schannel accepts an array of SCHANNEL_CERT_HASH_STORE in the ACH call via SCH_CREDENTIALS.{paCred,cCreds}. MsQuic already uses this but cCreds is currently always set to 1. I'm not familiar with OpenSSL unfortunately.

[anrossi]

I think from the Envoy work I did, I saw a BoringSSL API for setting multiple certificates. It might also exist and behave the same in OpenSSL. So I might have an idea there

[nibanks]

Thanks @Techwolfy. Is there a significant priority around this ask? Also, I'd recommend simply going with the QUIC_CERTIFICATE_MULTI_HASH_STORE proposal (indicated by a new QUIC_CREDENTIAL_FLAGS). Should be pretty easy to wire up.

[Techwolfy]

I'm currently working on a new feature that uses this. It's not too urgent, but we'd like to get it done in the current semester.