advancedtls: add new module for advanced TLS handshaker

[ZhenLian]

This PR contains the implementation and tests of a utility library for some advanced TLS features, including:

1. Credential Reloading: users are able to reload their credentials without restarting the app. Note that the "credential" here can be a private key, its corresponding certificate bundle, or trusted CA certificate bundle.

2. Server Authorization: on client side, we let users specify their own functions to check peers' identities when handshakes are finished. This feature is sometimes also referred to as "secure name checking" or "hostname verification".

There are some previous discussions in this deprecated PR: #3044. The goal of this PR remains the same, but change the APIs to provide better functionalities.
This PR includes the implementation and unit tests and integration tests for the client and server without credential reloading. Next PR will cover the integration tests for credential reloading.

[ZhenLian]

@jiangtaoli2016 Could you please take a first round of review on the API design? Thank you so much for the help!

[jiangtaoli2016]

Thanks Zhen for implementation! Looks very good. A few questions.
I have not reviewed the test file yet.

[jiangtaoli2016]

Some minor comments on test.

[jiangtaoli2016]

We may want to test the cases where the root CA certs do not match the peer certificates. E.g., server provides a valid certificate, but server's CA cert is different from client Root cert.

[ZhenLian]

Added the following test cases:

• Client_reload_both_certs_verifyFunc_Server_reload_both_certs_mutualTLS
• Client_wrong_peer_cert_Server_reload_both_certs_mutualTLS
• Client_wrong_trust_cert_Server_reload_both_certs_mutualTLS
• Client_reload_both_certs_verifyFunc_Server_wrong_peer_cert
• Client_reload_both_certs_verifyFunc_Server_wrong_trust_cert

[jiangtaoli2016]

In current implementation, client has to provide either RootCA or GetRootCA.

We see use case grpc/grpc#20530 that client does not know root CA certs in advance. In that case, we give the power to client to validate via VerifyPeer function (since application can access target name and server certain chain).

Thus, if client does not provide RootCA or GetRootCA, instead of failing, we just don't validate the server cert and let application decide via VerifyPeer. @ZhenLian Could update your implementation as well?

[jiangtaoli2016]

Thanks @ZhenLian for the implementation.
My knowledge in Golang is limited.
@cesarghali Please check Go readability and security suggestions.
@dfawley Please review on API and make sure you are comfortable.

[ZhenLian]

The API is now updated as:
When the client side specifies neither RootCA nor GetRootCA but with VerifyPeer, we will only use VerifyPeer to see if this RPC call is valid.
Note that if client specifies none of the three, we will still fall back to default checks, which are certificate check and host name check.

[cesarghali]

Thanks for the PR. I left some comments in advancedtls.go. I will review advancedtls_test.go next.

[ZhenLian]

@cesarghali Thank you so much for the review! I left a few more comments. Please let me know if anything could be further improved :-)

[ZhenLian]

@cesarghali
Hi Cesar, I've updated the comments inside config() functions and refactored the Options struct as we discussed. Could you please take a look at it(as well as the tests) to see if there are any other things that could be improved? Thank you so much!

[ZhenLian]

Friendly ping :-)

[ZhenLian]

@dfawley
Hi Doug, sorry for the delay of this PR. Now our team has completed the review process. Could you please take a look at the overall structure, the go module files, etc? Thanks in advance for your time!

[dfawley]

Looks good overall, just some minor things.

[ZhenLian]

@dfawley
Hi Doug, thank you so much for the suggestions and comments. I have addressed them all. Could you please take a second look?
By the way, I made another PR, #3300, to fix a small issue found here but might also apply to that place. It would be good if you could take a look as well.
Thanks again for the help :-)