Add basic X509_STORE access

There's more to do here, but this enabled addition of trusted CAs from
X509 objects.

Closes #394

openssl-sys/src/lib.rs

@@ -38,6 +38,7 @@ pub enum X509_EXTENSION {}
 pub enum X509_NAME {}
 pub enum X509_NAME_ENTRY {}
 pub enum X509_REQ {}
+pub enum X509_STORE {}
 pub enum X509_STORE_CTX {}
 pub enum bio_st {}
 pub enum PKCS12 {}
@@ -1622,6 +1623,7 @@ extern {
     pub fn SSL_CTX_use_PrivateKey(ctx: *mut SSL_CTX, key: *mut EVP_PKEY) -> c_int;
     pub fn SSL_CTX_check_private_key(ctx: *const SSL_CTX) -> c_int;
     pub fn SSL_CTX_set_client_CA_list(ctx: *mut SSL_CTX, list: *mut stack_st_X509_NAME);
+    pub fn SSL_CTX_get_cert_store(ctx: *mut SSL_CTX) -> *mut X509_STORE;
 
     #[cfg(not(ossl101))]
     pub fn SSL_CTX_get0_certificate(ctx: *const SSL_CTX) -> *mut X509;
@@ -1693,6 +1695,9 @@ extern {
     pub fn ASN1_STRING_free(x: *mut ASN1_STRING);
     pub fn ASN1_STRING_length(x: *const ASN1_STRING) -> c_int;
 
+    pub fn X509_STORE_free(store: *mut X509_STORE);
+    pub fn X509_STORE_add_cert(store: *mut X509_STORE, x: *mut X509) -> c_int;
+
     pub fn X509_STORE_CTX_free(ctx: *mut X509_STORE_CTX);
     pub fn X509_STORE_CTX_get_current_cert(ctx: *mut X509_STORE_CTX) -> *mut X509;
     pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int;

openssl/src/ssl/mod.rs

@@ -94,6 +94,7 @@ use {init, cvt, cvt_p};
 use dh::DhRef;
 use ec_key::EcKeyRef;
 use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError, X509Name};
+use x509::store::X509StoreBuilderRef;
 #[cfg(any(ossl102, ossl110))]
 use verify::X509VerifyParamRef;
 use pkey::PKeyRef;
@@ -739,6 +740,16 @@ impl SslContextBuilder {
         unsafe { cvt(ffi::SSL_CTX_check_private_key(self.as_ptr())).map(|_| ()) }
     }
 
+    /// Returns a shared reference to the context's certificate store.
+    pub fn cert_store(&self) -> &X509StoreBuilderRef {
+        unsafe { X509StoreBuilderRef::from_ptr(ffi::SSL_CTX_get_cert_store(self.as_ptr())) }
+    }
+
+    /// Returns a mutable reference to the context's certificate store.
+    pub fn cert_store_mut(&mut self) -> &mut X509StoreBuilderRef {
+        unsafe { X509StoreBuilderRef::from_ptr_mut(ffi::SSL_CTX_get_cert_store(self.as_ptr())) }
+    }
+
     pub fn build(self) -> SslContext {
         let ctx = SslContext(self.0);
         mem::forget(self);

openssl/src/ssl/tests/mod.rs

@@ -28,6 +28,7 @@ use std::net::UdpSocket;
 
 mod select;
 
+static ROOT_CERT: &'static [u8] = include_bytes!("../../../test/root-ca.pem");
 static CERT: &'static [u8] = include_bytes!("../../../test/cert.pem");
 static KEY: &'static [u8] = include_bytes!("../../../test/key.pem");
 
@@ -1192,6 +1193,19 @@ fn client_ca_list() {
     ctx.set_client_ca_list(names);
 }
 
+#[test]
+fn cert_store() {
+    let (_s, tcp) = Server::new();
+
+    let cert = X509::from_pem(ROOT_CERT).unwrap();
+
+    let mut ctx = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
+    ctx.builder_mut().cert_store_mut().add_cert(cert).unwrap();
+    let ctx = ctx.build();
+
+    ctx.connect("foobar.com", tcp).unwrap();
+}
+
 fn _check_kinds() {
     fn is_send<T: Send>() {}
     fn is_sync<T: Sync>() {}

openssl/src/x509/mod.rs

@@ -36,6 +36,7 @@ pub mod verify;
 use x509::extension::{ExtensionType, Extension};
 
 pub mod extension;
+pub mod store;
 
 #[cfg(test)]
 mod tests;

openssl/src/x509/store.rs

@@ -0,0 +1,20 @@
+use ffi;
+use std::mem;
+
+use cvt;
+use error::ErrorStack;
+use types::OpenSslTypeRef;
+use x509::X509;
+
+type_!(X509StoreBuilder, X509StoreBuilderRef, ffi::X509_STORE, ffi::X509_STORE_free);
+
+impl X509StoreBuilderRef {
+    /// Adds a certificate to the certificate store.
+    pub fn add_cert(&mut self, cert: X509) -> Result<(), ErrorStack> {
+        unsafe {
+            let ptr = cert.as_ptr();
+            mem::forget(cert); // the cert will be freed inside of X509_STORE_add_cert on error
+            cvt(ffi::X509_STORE_add_cert(self.as_ptr(), ptr)).map(|_| ())
+        }
+    }
+}