cleanup and add negative test

openssl/src/x509/mod.rs

@@ -117,18 +117,21 @@ impl X509StoreContextRef {
     /// # Result
     /// 
     /// The Result must be `Some(None)` to be a valid certificate, otherwise the cert is not valid.
-    pub fn verify_cert(trust: store::X509Store, cert: X509, cert_chain: Stack<X509>) -> Result<Option<X509VerifyError>, ErrorStack> {
+    pub fn verify_cert(trust: store::X509Store, cert: X509, cert_chain: Stack<X509>) -> Result<(), ErrorStack> {
         unsafe {
             ffi::init();
             let context = try!(cvt_p(ffi::X509_STORE_CTX_new()).map(|p| X509StoreContext(p)));
             try!(cvt(ffi::X509_STORE_CTX_init(context.as_ptr(), trust.as_ptr(), cert.as_ptr(), cert_chain.as_ptr()))
                 .map(|_| ()));
+
+            mem::forget(trust);
+            mem::forget(cert);
+            mem::forget(cert_chain);
+
+            // verify_cert returns an error `<= 0` if there was a validation error
             try!(cvt(ffi::X509_verify_cert(context.as_ptr())).map(|_| ()));
             
-            let result = Ok(context.error());
+            Ok(())
-            ffi::X509_STORE_CTX_cleanup(context.as_ptr());
-
-            result
         }
     }
 

openssl/src/x509/tests.rs

@@ -303,5 +303,19 @@ fn test_verify_cert() {
     store_bldr.add_cert(ca).unwrap();
     let store = store_bldr.build();
 
-    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).unwrap().is_none());
+    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).is_ok());
+}
+
+#[test]
+fn test_verify_fails() {
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let ca = include_bytes!("../../test/alt_name_cert.pem");
+    let ca = X509::from_pem(ca).unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let store = store_bldr.build();
+
+    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).is_err());
 }