microsoft · nibanks · Jan 29, 2024 · Jan 29, 2024 · Jan 29, 2024 · May 23, 2024
@@ -353,6 +353,8 @@ if(QUIC_TLS STREQUAL "schannel")
     list(APPEND QUIC_COMMON_DEFINES QUIC_DISABLE_CHACHA20_TESTS)
     message(STATUS "Enabling anonymous client auth tests")
     list(APPEND QUIC_COMMON_DEFINES QUIC_ENABLE_ANON_CLIENT_AUTH_TESTS)
+    message(STATUS "Enabling certificate algorithm tests")
+    list(APPEND QUIC_COMMON_DEFINES QUIC_ENABLE_CERT_ALG_TESTS)
 endif()
 
 if(QUIC_TLS STREQUAL "openssl" OR  QUIC_TLS STREQUAL "openssl3")
@@ -362,6 +364,8 @@ if(QUIC_TLS STREQUAL "openssl" OR  QUIC_TLS STREQUAL "openssl3")
        message(STATUS "Enabling CA file tests")
        list(APPEND QUIC_COMMON_DEFINES QUIC_ENABLE_CA_CERTIFICATE_FILE_TESTS)
     endif()
+    message(STATUS "Disabling certificate algorithm tests")
+    list(APPEND QUIC_COMMON_DEFINES QUIC_DISABLE_CERT_ALG_TESTS)
 endif()
 
 if(QUIC_ENABLE_LOGGING)

@@ -19,9 +19,11 @@ typedef struct QUIC_CREDENTIAL_CONFIG {
     };
     const char* Principal;
     void* Reserved; // Currently unused
-    QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler; // Optional
-    QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;// Optional
-    const char* CaCertificateFile;                      // Optional
+    QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler;         // Optional w/ QUIC_CREDENTIAL_FLAG_LOAD_ASYNCHRONOUS
+    QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;        // Optional w/ QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CIPHER_SUITES
+    const char* CaCertificateFile;                              // Optional w/ QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE
+    uint32_t MultipleCount;                                     // Optional w/ QUIC_CREDENTIAL_FLAG_SET_MULTIPLE
+    QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS AllowedCertAlgs;   // Optional w/ QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS
 } QUIC_CREDENTIAL_CONFIG;
 ```
 
@@ -161,6 +163,14 @@ Obtain the peer certificate using a faster in-process API call. Only available o
 
 Enable CA certificate file provided in the `CaCertificateFile` member.
 
+`QUIC_CREDENTIAL_FLAG_SET_MULTIPLE`
+
+Enable setting multiple certificates on the configuration. This changes the `CertificateHash` and `CertificateHashStore` members into pointers to an array, and the array length is read from the `MultipleCount` member. Only available on Schannel.
+
+`QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS`
+
+Enable setting which asymmetric key algorithms are allowed on the peer's certificate via the `AllowedCertAlgs` member. Only available on Schannel.
+
 #### `CertificateHash`
 
 Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type.
@@ -203,6 +213,17 @@ Optional pointer to CA certificate file that will be used when
 validating the peer certificate. This allows the use of a private CA.
 Must be used with `QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE`.
 
+#### `MultipleCount`
+
+Count of credentials in array pointed to by `CertificateHash` or `CertificateHashStore`.
+Must be used with `QUIC_CREDENTIAL_FLAG_SET_MULTIPLE`.
+
+#### `AllowedCertAlgs`
+
+A set of flags representing algorithms the peer's certificate is allowed to have.
+This enables a client to tell a server with multiple certificates which one to send.
+Must be used with `QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS`.
+
 # Remarks
 
 TODO

@@ -379,8 +379,24 @@ function Install-TestCertificates {
         Write-Debug "Found existing MsQuicTestRoot certificate!"
     }
 
+    $NewRootRsa = $false
+    Write-Debug "Searching for MsQuicTestRootRSA certificate..."
+    $RootCertRsa = Get-ChildItem -path Cert:\LocalMachine\Root\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestRootRSA"}
+    if (!$RootCertRsa) {
+        Write-Host "MsQuicTestRootRSA not found! Creating new MsQuicTestRootRSA certificate..."
+        $RootCertRsa = New-SelfSignedCertificate -Subject "CN=MsQuicTestRootRSA" -FriendlyName MsQuicTestRootRSA -KeyUsageProperty Sign -KeyUsage CertSign,DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm RSA -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}ca=1&pathlength=0") -Type Custom
+        $TempRootPath = Join-Path $Env:TEMP "MsQuicTestRootRSA.cer"
+        Export-Certificate -Type CERT -Cert $RootCertRsa -FilePath $TempRootPath
+        CertUtil.exe -addstore Root $TempRootPath 2>&1 | Out-Null
+        Remove-Item $TempRootPath
+        $NewRootRsa = $true
+        Write-Host "New MsQuicTestRootRSA certificate installed!"
+    } else {
+        Write-Debug "Found existing MsQuicTestRootRSA certificate!"
+    }
+
     Write-Debug "Searching for MsQuicTestServer certificate..."
-    $ServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestServer"}
+    $ServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.FriendlyName -eq "MsQuicTestServer"}
     if (!$ServerCert) {
         Write-Host "MsQuicTestServer not found! Creating new MsQuicTestServer certificate..."
         $ServerCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestServer" -DnsName $DnsNames -FriendlyName MsQuicTestServer -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}","2.5.29.37 = {text}1.3.6.1.5.5.7.3.1") -Signer $RootCert
@@ -393,6 +409,20 @@ function Install-TestCertificates {
         Write-Debug "Found existing MsQuicTestServer certificate!"
     }
 
+    Write-Debug "Searching for MsQuicTestServerRSA certificate..."
+    $ServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.FriendlyName -eq "MsQuicTestServerRSA"}
+    if (!$ServerCert) {
+        Write-Host "MsQuicTestServerRSA not found! Creating new MsQuicTestServerRSA certificate..."
+        $ServerCert = New-SelfSignedCertificate -Subject "CN=MsQuicTestServer" -DnsName $DnsNames -FriendlyName MsQuicTestServerRSA -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA1 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable -KeyAlgorithm RSA -CurveExport CurveName -NotAfter(Get-Date).AddYears(5) -TextExtension @("2.5.29.19 = {text}","2.5.29.37 = {text}1.3.6.1.5.5.7.3.1") -Signer $RootCertRsa
+        $TempServerPath = Join-Path $Env:TEMP "MsQuicTestServerCert.pfx"
+        Export-PfxCertificate -Cert $ServerCert -Password $PfxPassword -FilePath $TempServerPath
+        Import-PfxCertificate -FilePath $TempServerPath -Password $PfxPassword -Exportable -CertStoreLocation Cert:\LocalMachine\My
+        Remove-Item $TempServerPath
+        Write-Host "New MsQuicTestServerRSA certificate installed!"
+    } else {
+        Write-Debug "Found existing MsQuicTestServerRSA certificate!"
+    }
+
     Write-Debug "Searching for MsQuicTestExpiredServer certificate..."
     $ExpiredServerCert = Get-ChildItem -path Cert:\LocalMachine\My\* -Recurse | Where-Object {$_.Subject -eq "CN=MsQuicTestExpiredServer"}
     if (!$ExpiredServerCert) {
@@ -439,6 +469,10 @@ function Install-TestCertificates {
         Write-Host "Deleting MsQuicTestRoot from MY store..."
         Remove-Item $rootCert.PSPath
     }
+    if ($NewRootRsa) {
+        Write-Host "Deleting MsQuicTestRootRSA from MY store..."
+        Remove-Item $RootCertRsa.PSPath
+    }
 }
 
 function Install-DotnetTool {

@@ -99,6 +99,8 @@ internal enum QUIC_CREDENTIAL_FLAGS
         REVOCATION_CHECK_CACHE_ONLY = 0x00040000,
         INPROC_PEER_CERTIFICATE = 0x00080000,
         SET_CA_CERTIFICATE_FILE = 0x00100000,
+        SET_MULTIPLE = 0x00200000,
+        SET_ALLOWED_CERTIFICATE_ALGORITHMS = 0x00400000,
     }
 
     [System.Flags]
@@ -110,6 +112,14 @@ internal enum QUIC_ALLOWED_CIPHER_SUITE_FLAGS
         CHACHA20_POLY1305_SHA256 = 0x4,
     }
 
+    [System.Flags]
+    internal enum QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS
+    {
+        QUIC_ALLOWED_CERTIFICATE_ALGORITHM_NONE = 0x0,
+        QUIC_ALLOWED_CERTIFICATE_ALGORITHM_RSA = 0x1,
+        QUIC_ALLOWED_CERTIFICATE_ALGORITHM_ECDSA = 0x2,
+    }
+
     [System.Flags]
     internal enum QUIC_CERTIFICATE_HASH_STORE_FLAGS
     {
@@ -312,6 +322,11 @@ internal unsafe partial struct QUIC_CREDENTIAL_CONFIG
         [NativeTypeName("const char *")]
         internal sbyte* CaCertificateFile;
 
+        [NativeTypeName("uint32_t")]
+        internal uint MultipleCount;
+
+        internal QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS AllowedCertAlgs;
+
         internal ref QUIC_CERTIFICATE_HASH* CertificateHash
         {
             get

@@ -146,6 +146,8 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
     QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY            = 0x00040000, // Windows only currently
     QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE                = 0x00080000, // Schannel only
     QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE                = 0x00100000, // OpenSSL only currently
+    QUIC_CREDENTIAL_FLAG_SET_MULTIPLE                           = 0x00200000, // Schannel only currently
+    QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS     = 0x00400000, // Schannel only currently
 } QUIC_CREDENTIAL_FLAGS;
 
 DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)
@@ -159,6 +161,14 @@ typedef enum QUIC_ALLOWED_CIPHER_SUITE_FLAGS {
 
 DEFINE_ENUM_FLAG_OPERATORS(QUIC_ALLOWED_CIPHER_SUITE_FLAGS);
 
+typedef enum QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS {
+    QUIC_ALLOWED_CERTIFICATE_ALGORITHM_NONE                          = 0x0,
+    QUIC_ALLOWED_CERTIFICATE_ALGORITHM_RSA                           = 0x1,
+    QUIC_ALLOWED_CERTIFICATE_ALGORITHM_ECDSA                         = 0x2,
+} QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS;
+
+DEFINE_ENUM_FLAG_OPERATORS(QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS);
+
 typedef enum QUIC_CERTIFICATE_HASH_STORE_FLAGS {
     QUIC_CERTIFICATE_HASH_STORE_FLAG_NONE           = 0x0000,
     QUIC_CERTIFICATE_HASH_STORE_FLAG_MACHINE_STORE  = 0x0001,
@@ -351,9 +361,11 @@ typedef struct QUIC_CREDENTIAL_CONFIG {
     };
     const char* Principal;
     void* Reserved; // Currently unused
-    QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler; // Optional
-    QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;// Optional
-    const char* CaCertificateFile;                      // Optional
+    QUIC_CREDENTIAL_LOAD_COMPLETE_HANDLER AsyncHandler;         // Optional w/ QUIC_CREDENTIAL_FLAG_LOAD_ASYNCHRONOUS
+    QUIC_ALLOWED_CIPHER_SUITE_FLAGS AllowedCipherSuites;        // Optional w/ QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CIPHER_SUITES
+    const char* CaCertificateFile;                              // Optional w/ QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE
+    uint32_t MultipleCount;                                     // Optional w/ QUIC_CREDENTIAL_FLAG_SET_MULTIPLE
+    QUIC_ALLOWED_CERTIFICATE_ALGORITHM_FLAGS AllowedCertAlgs;   // Optional w/ QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS
 } QUIC_CREDENTIAL_CONFIG;
 
 //

@@ -119,6 +119,7 @@ typedef UINT64 uint64_t;
 
 #define QUIC_STATUS_CLOSE_NOTIFY            QUIC_STATUS_TLS_ALERT(0)    // Close notify
 #define QUIC_STATUS_BAD_CERTIFICATE         QUIC_STATUS_TLS_ALERT(42)   // Bad Certificate
+#define QUIC_STATUS_UNSUPPORTED_CERTIFICATE QUIC_STATUS_TLS_ALERT(43)   // Unsupported Certficiate
 #define QUIC_STATUS_EXPIRED_CERTIFICATE     QUIC_STATUS_TLS_ALERT(45)   // Expired Certificate
 #define QUIC_STATUS_REQUIRED_CERTIFICATE    QUIC_STATUS_TLS_ALERT(116)  // Required Certificate
 

@@ -30,7 +30,8 @@ typedef struct QUIC_PORTABLE_CERTIFICATE {
 QUIC_STATUS
 CxPlatCertCreate(
     _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig,
-    _Out_ QUIC_CERTIFICATE** NewCertificate
+    _In_ uint32_t CredCount,
+    _Out_writes_(CredCount) QUIC_CERTIFICATE** NewCertificate
     );
 
 //

@@ -524,6 +524,7 @@ typedef enum CXPLAT_TEST_CERT_TYPE {
     CXPLAT_TEST_CERT_SELF_SIGNED_CLIENT,
     CXPLAT_TEST_CERT_CA_SERVER,
     CXPLAT_TEST_CERT_CA_CLIENT,
+    CXPLAT_TEST_CERT_VALID_SERVER_RSA,
 } CXPLAT_TEST_CERT_TYPE;
 
 _IRQL_requires_max_(PASSIVE_LEVEL)

@@ -530,37 +530,52 @@ CxPlatCertLookupHashStore(
 QUIC_STATUS
 CxPlatCertCreate(
     _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig,
-    _Out_ QUIC_CERTIFICATE** NewCertificate
+    _In_ uint32_t CredCount,
+    _Out_writes_(CredCount) QUIC_CERTIFICATE** NewCertificate
     )
 {
-    QUIC_STATUS Status;
+    QUIC_STATUS Status = QUIC_STATUS_SUCCESS;
+    uint32_t CreatedCerts = 0;
 
     if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH) {
         if (CredConfig->CertificateHash == NULL && CredConfig->Principal == NULL) {
             Status = QUIC_STATUS_INVALID_PARAMETER;
         } else {
-            Status =
-                CxPlatCertLookupHash(
-                    CredConfig->CertificateHash,
-                    CredConfig->Principal,
-                    NewCertificate);
+            for (uint32_t i = 0; i < CredCount; ++i) {
+                Status =
+                    CxPlatCertLookupHash(
+                        (CredConfig->CertificateHash == NULL ? NULL: &CredConfig->CertificateHash[i]),
+                        CredConfig->Principal,
+                        NewCertificate + i);
+                if (FAILED(Status)) {
+                    CreatedCerts = i;
+                    break;
+                }
+            }
         }
 
     } else if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH_STORE) {
         if (CredConfig->CertificateHashStore == NULL) {
             Status = QUIC_STATUS_INVALID_PARAMETER;
         } else {
-            Status =
-                CxPlatCertLookupHashStore(
-                    CredConfig->CertificateHashStore,
-                    CredConfig->Principal,
-                    NewCertificate);
+            for (uint32_t i = 0; i < CredCount; ++i) {
+                Status =
+                    CxPlatCertLookupHashStore(
+                        &CredConfig->CertificateHashStore[i],
+                        CredConfig->Principal,
+                        NewCertificate + i);
+                if (FAILED(Status)) {
+                    CreatedCerts = i;
+                    break;
+                }
+            }
         }
 
     } else if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_CONTEXT) {
         if (CredConfig->CertificateContext == NULL) {
             Status = QUIC_STATUS_INVALID_PARAMETER;
         } else {
+            CXPLAT_FRE_ASSERT(CredCount == 1);
             *NewCertificate = (QUIC_CERTIFICATE*)CredConfig->CertificateContext;
             Status = QUIC_STATUS_SUCCESS;
         }
@@ -569,6 +584,13 @@ CxPlatCertCreate(
         Status = QUIC_STATUS_INVALID_PARAMETER;
     }
 
+    if (FAILED(Status)) {
+        for (uint32_t i = 0; i < CreatedCerts; ++i) {
+            CxPlatCertFree(NewCertificate[i]);
+            NewCertificate[i] = NULL;
+        }
+    }
+
     return Status;
 }
 

@@ -35,10 +35,12 @@
 #define CXPLAT_KEY_SIZE                                 2048
 
 #define CXPLAT_TEST_CERT_VALID_SERVER_FRIENDLY_NAME     L"MsQuicTestServer"
+#define CXPLAT_TEST_CERT_VALID_SERVER_RSA_FRIENDLY_NAME L"MsQuicTestServerRSA"
 #define CXPLAT_TEST_CERT_VALID_CLIENT_FRIENDLY_NAME     L"MsQuicTestClient"
 #define CXPLAT_TEST_CERT_EXPIRED_SERVER_FRIENDLY_NAME   L"MsQuicTestExpiredServer"
 #define CXPLAT_TEST_CERT_EXPIRED_CLIENT_FRIENDLY_NAME   L"MsQuicTestExpiredClient"
 #define CXPLAT_TEST_CERT_VALID_SERVER_SUBJECT_NAME      "MsQuicTestServer"
+#define CXPLAT_TEST_CERT_VALID_SERVER_RSA_SUBJECT_NAME  "MsQuicTestServer"
 #define CXPLAT_TEST_CERT_VALID_CLIENT_SUBJECT_NAME      "MsQuicTestClient"
 #define CXPLAT_TEST_CERT_EXPIRED_SERVER_SUBJECT_NAME    "MsQuicTestExpiredServer"
 #define CXPLAT_TEST_CERT_EXPIRED_CLIENT_SUBJECT_NAME    "MsQuicTestExpiredClient"
@@ -255,7 +257,7 @@ CxPlatCertExtractPrivateKey(
 
     if (QUIC_FAILED(
         Status =
-            CxPlatCertCreate(CredConfig, &Cert))) {
+            CxPlatCertCreate(CredConfig, 1, &Cert))) {
         QuicTraceEvent(
             LibraryErrorStatus,
             "[ lib] ERROR, %u, %s.",

@@ -30,10 +30,12 @@
 #define CXPLAT_KEY_SIZE                                 2048
 
 #define CXPLAT_TEST_CERT_VALID_SERVER_FRIENDLY_NAME         L"MsQuicTestServer"
+#define CXPLAT_TEST_CERT_VALID_SERVER_RSA_FRIENDLY_NAME     L"MsQuicTestServerRSA"
 #define CXPLAT_TEST_CERT_VALID_CLIENT_FRIENDLY_NAME         L"MsQuicTestClient"
 #define CXPLAT_TEST_CERT_EXPIRED_SERVER_FRIENDLY_NAME       L"MsQuicTestExpiredServer"
 #define CXPLAT_TEST_CERT_EXPIRED_CLIENT_FRIENDLY_NAME       L"MsQuicTestExpiredClient"
 #define CXPLAT_TEST_CERT_VALID_SERVER_SUBJECT_NAME          "MsQuicTestServer"
+#define CXPLAT_TEST_CERT_VALID_SERVER_RSA_SUBJECT_NAME      "MsQuicTestServer"
 #define CXPLAT_TEST_CERT_VALID_CLIENT_SUBJECT_NAME          "MsQuicTestClient"
 #define CXPLAT_TEST_CERT_EXPIRED_SERVER_SUBJECT_NAME        "MsQuicTestExpiredServer"
 #define CXPLAT_TEST_CERT_EXPIRED_CLIENT_SUBJECT_NAME        "MsQuicTestExpiredClient"
@@ -1126,6 +1128,10 @@ CxPlatGetTestCertificate(
         FriendlyName = CXPLAT_TEST_CERT_VALID_SERVER_FRIENDLY_NAME;
         SubjectName = CXPLAT_TEST_CERT_VALID_SERVER_SUBJECT_NAME;
         break;
+    case CXPLAT_TEST_CERT_VALID_SERVER_RSA:
+        FriendlyName = CXPLAT_TEST_CERT_VALID_SERVER_RSA_FRIENDLY_NAME;
+        SubjectName = CXPLAT_TEST_CERT_VALID_SERVER_RSA_SUBJECT_NAME;
+        break;
     case CXPLAT_TEST_CERT_VALID_CLIENT:
         FriendlyName = CXPLAT_TEST_CERT_VALID_CLIENT_FRIENDLY_NAME;
         SubjectName = CXPLAT_TEST_CERT_VALID_CLIENT_SUBJECT_NAME;

@@ -961,7 +961,9 @@ CxPlatTlsSecConfigCreate(
     if (CredConfigFlags & QUIC_CREDENTIAL_FLAG_ENABLE_OCSP ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_USE_SUPPLIED_CREDENTIALS ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_USE_SYSTEM_MAPPER ||
-        CredConfigFlags & QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE) {
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_MULTIPLE ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_SET_ALLOWED_CERTIFICATE_ALGORITHMS) {
         return QUIC_STATUS_NOT_SUPPORTED; // Not supported by this TLS implementation
     }