diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 7b94361b..eca08b70 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -38,6 +38,7 @@ pub enum X509_EXTENSION {} pub enum X509_NAME {} pub enum X509_NAME_ENTRY {} pub enum X509_REQ {} +pub enum X509_STORE {} pub enum X509_STORE_CTX {} pub enum bio_st {} pub enum PKCS12 {} @@ -1622,6 +1623,7 @@ extern { pub fn SSL_CTX_use_PrivateKey(ctx: *mut SSL_CTX, key: *mut EVP_PKEY) -> c_int; pub fn SSL_CTX_check_private_key(ctx: *const SSL_CTX) -> c_int; pub fn SSL_CTX_set_client_CA_list(ctx: *mut SSL_CTX, list: *mut stack_st_X509_NAME); + pub fn SSL_CTX_get_cert_store(ctx: *mut SSL_CTX) -> *mut X509_STORE; #[cfg(not(ossl101))] pub fn SSL_CTX_get0_certificate(ctx: *const SSL_CTX) -> *mut X509; @@ -1693,6 +1695,9 @@ extern { pub fn ASN1_STRING_free(x: *mut ASN1_STRING); pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int; + pub fn X509_STORE_free(store: *mut X509_STORE); + pub fn X509_STORE_add_cert(store: *mut X509_STORE, x: *mut X509) -> c_int; + pub fn X509_STORE_CTX_free(ctx: *mut X509_STORE_CTX); pub fn X509_STORE_CTX_get_current_cert(ctx: *mut X509_STORE_CTX) -> *mut X509; pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index c92bf56b..1e0d2e66 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -94,6 +94,7 @@ use {init, cvt, cvt_p}; use dh::DhRef; use ec_key::EcKeyRef; use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError, X509Name}; +use x509::store::X509StoreBuilderRef; #[cfg(any(ossl102, ossl110))] use verify::X509VerifyParamRef; use pkey::PKeyRef; @@ -739,6 +740,16 @@ impl SslContextBuilder { unsafe { cvt(ffi::SSL_CTX_check_private_key(self.as_ptr())).map(|_| ()) } } + /// Returns a shared reference to the context's certificate store. + pub fn cert_store(&self) -> &X509StoreBuilderRef { + unsafe { X509StoreBuilderRef::from_ptr(ffi::SSL_CTX_get_cert_store(self.as_ptr())) } + } + + /// Returns a mutable reference to the context's certificate store. + pub fn cert_store_mut(&mut self) -> &mut X509StoreBuilderRef { + unsafe { X509StoreBuilderRef::from_ptr_mut(ffi::SSL_CTX_get_cert_store(self.as_ptr())) } + } + pub fn build(self) -> SslContext { let ctx = SslContext(self.0); mem::forget(self); diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 96c0d585..fa7c6024 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -28,6 +28,7 @@ use std::net::UdpSocket; mod select; +static ROOT_CERT: &'static [u8] = include_bytes!("../../../test/root-ca.pem"); static CERT: &'static [u8] = include_bytes!("../../../test/cert.pem"); static KEY: &'static [u8] = include_bytes!("../../../test/key.pem"); @@ -1192,6 +1193,19 @@ fn client_ca_list() { ctx.set_client_ca_list(names); } +#[test] +fn cert_store() { + let (_s, tcp) = Server::new(); + + let cert = X509::from_pem(ROOT_CERT).unwrap(); + + let mut ctx = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); + ctx.builder_mut().cert_store_mut().add_cert(cert).unwrap(); + let ctx = ctx.build(); + + ctx.connect("foobar.com", tcp).unwrap(); +} + fn _check_kinds() { fn is_send() {} fn is_sync() {} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index e98e6006..e7c633d0 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -36,6 +36,7 @@ pub mod verify; use x509::extension::{ExtensionType, Extension}; pub mod extension; +pub mod store; #[cfg(test)] mod tests; diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs new file mode 100644 index 00000000..01eb0e2f --- /dev/null +++ b/openssl/src/x509/store.rs @@ -0,0 +1,20 @@ +use ffi; +use std::mem; + +use cvt; +use error::ErrorStack; +use types::OpenSslTypeRef; +use x509::X509; + +type_!(X509StoreBuilder, X509StoreBuilderRef, ffi::X509_STORE, ffi::X509_STORE_free); + +impl X509StoreBuilderRef { + /// Adds a certificate to the certificate store. + pub fn add_cert(&mut self, cert: X509) -> Result<(), ErrorStack> { + unsafe { + let ptr = cert.as_ptr(); + mem::forget(cert); // the cert will be freed inside of X509_STORE_add_cert on error + cvt(ffi::X509_STORE_add_cert(self.as_ptr(), ptr)).map(|_| ()) + } + } +}