diff --git a/boring/src/ssl/test/cert_verify.rs b/boring/src/ssl/test/cert_verify.rs
index e8e54061..b55cb26a 100644
--- a/boring/src/ssl/test/cert_verify.rs
+++ b/boring/src/ssl/test/cert_verify.rs
@@ -72,13 +72,34 @@ fn callback_receives_correct_certificate() {
 assert!(x509.cert().is_some());
 assert!(x509.verify_result().is_err());
 
- let root = x509.current_cert().unwrap();
- let digest = root.digest(MessageDigest::sha1()).unwrap();
- assert_eq!(hex::encode(digest), root_sha1);
+ let root = x509
+ .current_cert()
+ .unwrap()
+ .digest(MessageDigest::sha1())
+ .unwrap();
+ assert_eq!(hex::encode(root), root_sha1);
 
- let leaf = x509.cert().unwrap();
- let digest = leaf.digest(MessageDigest::sha1()).unwrap();
- assert_eq!(hex::encode(digest), leaf_sha1);
+ let leaf = x509.cert().unwrap().digest(MessageDigest::sha1()).unwrap();
+ assert_eq!(hex::encode(leaf), leaf_sha1);
+
+ // Test that `untrusted` is set to the original chain.
+ assert_eq!(x509.untrusted().unwrap().len(), 2);
+ let leaf = x509
+ .untrusted()
+ .unwrap()
+ .get(0)
+ .unwrap()
+ .digest(MessageDigest::sha1())
+ .unwrap();
+ assert_eq!(hex::encode(leaf), leaf_sha1);
+ let root = x509
+ .untrusted()
+ .unwrap()
+ .get(1)
+ .unwrap()
+ .digest(MessageDigest::sha1())
+ .unwrap();
+ assert_eq!(hex::encode(root), root_sha1);
 
 true
 });
diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
index bfd7fdd5..94871b93 100644
--- a/boring/src/x509/mod.rs
+++ b/boring/src/x509/mod.rs
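Review bot: The two new `untrusted()` checks in `callback_receives_correct_certificate` repeat the same method chain and differ only in the index and the expected digest. They also rebind `leaf` and `root`, which a few lines earlier hold the digests taken from `cert()` and `current_cert()`. Binding the stack once with `let chain = x509.untrusted().unwrap();` and comparing `chain.get(0)` and `chain.get(1)` against `leaf_sha1` and `root_sha1` under distinct names would make the intent clearer, namely that the stack holds the presented chain in order, leaf first. The comment could also say that the root appears in this stack only because it was part of the chain handed to verification, not because it is trusted. The closure and the test function continue outside the hunk.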
@@ -216,6 +216,21 @@ impl X509StoreContextRef {
 }
 }
 
+ /// Returns a reference to the `X509` certificates used to initialize the
+ /// [`X509StoreContextRef`].
+ #[corresponds(X509_STORE_CTX_get0_untrusted)]
+ pub fn untrusted(&self) -> Option<&StackRef> {
+ unsafe {
+ let certs = ffi::X509_STORE_CTX_get0_untrusted(self.as_ptr());
+
+ if certs.is_null() {
+ None
+ } else {
+ Some(StackRef::from_ptr(certs))
+ }
+ }
+ }
+
 /// Returns a reference to the certificate being verified.
 /// May return None if a raw public key is being verified.
 #[corresponds(X509_STORE_CTX_get0_cert)]
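Review bot: The doc comment on the new `untrusted()` accessor does not tell callers that the returned stack is unvalidated input. Inside a verify callback it is the chain as supplied for verification (the test in `cert_verify.rs` shows it containing both the leaf and the root), so membership in it says nothing about trust. I would add a line such as `/// None of these certificates has been verified; they are only candidates for path building, so do not base trust decisions on this stack.` The `unsafe` block also has no `// SAFETY:` comment; something like `// SAFETY: get0 does not transfer ownership; the stack is assumed to stay alive for as long as the context borrows it` would record the lifetime assumption behind returning a reference tied to `&self`. The enclosing `impl X509StoreContextRef` starts and ends outside the hunk.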