authorBenjamin Fry <[email protected]>2017-02-14 23:17:55 -0800
committerBenjamin Fry <[email protected]>2017-02-14 23:19:30 -0800
commita3ea99672bf986d8ec66ccab43a623c988e31206 (patch)
tree7e7fab7241e3dc11dcec6e9ee94294678a746055
parentDe-quote README line (diff)
downloadrust-openssl-a3ea99672bf986d8ec66ccab43a623c988e31206.tar.xz
rust-openssl-a3ea99672bf986d8ec66ccab43a623c988e31206.zip
add set_verify_cert_store() to ssl ctx
-rw-r--r--openssl-sys/src/lib.rs5
-rw-r--r--openssl/src/ssl/mod.rs13
-rw-r--r--openssl/src/ssl/tests/mod.rs25
3 files changed, 43 insertions, 0 deletions
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index a599c369..6c66447e 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -1143,6 +1143,7 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: c_int = 65;
pub const SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 70;
pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71;
pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82;
+pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106;
pub const SSL_MODE_ENABLE_PARTIAL_WRITE: c_long = 0x1;
pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 0x2;
@@ -1349,6 +1350,10 @@ pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -
SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void)
}
+pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_STORE) -> c_long {
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void)
+}
+
pub unsafe fn SSL_CTX_set_tlsext_servername_callback(ctx: *mut SSL_CTX,
cb: Option<extern fn()>)
-> c_long {
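Review bot: The new SSL_CTX_set0_verify_cert_store binding carries no note on its ownership contract, which is the one thing a caller of a set0 function has to know: the context takes over `st` and frees it, so the caller must not free it again. A doc comment above the fn would make that explicit, e.g. `/// Transfers ownership of st to ctx (OpenSSL set0 convention): the context frees the store, so the caller must not.` The ctrl value 106 agrees with the `SSL_CTRL_SET_VERIFY_CERT_STORE` macro in OpenSSL's ssl.h, but as far as I can tell that ctrl first appeared in OpenSSL 1.0.2, so on 1.0.1 the `SSL_CTX_ctrl` call is presumably rejected with a zero return; the safe wrapper in openssl/src/ssl/mod.rs is nonetheless gated to include ossl101.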
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 5a65aa77..bcfcadf9 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -99,6 +99,8 @@ use ec::EcKeyRef;
use ec::EcKey;
use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError, X509Name};
use x509::store::{X509StoreBuilderRef, X509StoreRef};
+#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
+use x509::store::X509Store;
#[cfg(any(ossl102, ossl110))]
use verify::X509VerifyParamRef;
use pkey::PKeyRef;
@@ -652,6 +654,17 @@ impl SslContextBuilder {
}
}
+ /// Sets a custom X509Store for verifying peer certificates
+ #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
+ pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> {
+ unsafe {
+ // set0 will free, set1 increments, and then requires a free
+ let ptr = cert_store.as_ptr();
+ mem::forget(cert_store);
+ cvt(ffi::SSL_CTX_set0_verify_cert_store(self.as_ptr(), ptr) as c_int).map(|_|())
+ }
+ }
+
pub fn set_read_ahead(&mut self, read_ahead: bool) {
unsafe {
ffi::SSL_CTX_set_read_ahead(self.as_ptr(), read_ahead as c_long);
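Review bot: The cfg gate on set_verify_cert_store (and on the matching X509Store import in this file's first hunk) does not agree with the gate used by the new test in openssl/src/ssl/tests/mod.rs: here the method exists for v101/v102, while the test calls it under v102/v110, so a v110 build compiles a test against a method that does not exist and a v101 build exposes a method whose underlying ctrl (introduced in OpenSSL 1.0.2, as far as I can tell) is presumably unknown to 1.0.1 and fails at runtime. Both gates should read `#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]`. Separately, `mem::forget(cert_store)` runs before the result is checked, so on an Err the store is leaked instead of dropped, since OpenSSL presumably did not take it on failure; forgetting only after `cvt` succeeds, `let r = cvt(ffi::SSL_CTX_set0_verify_cert_store(self.as_ptr(), cert_store.as_ptr()) as c_int); if r.is_ok() { mem::forget(cert_store); } r.map(|_| ())`, keeps the error path clean. The doc comment should also say that the store is consumed and owned by the context from then on, which is what the forget implements.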
diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index 9c00e3ed..5b52a524 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -173,9 +173,15 @@ macro_rules! run_test(
use ssl::SSL_VERIFY_PEER;
use hash::MessageDigest;
use x509::X509StoreContext;
+ #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
+ use x509::X509;
+ #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
+ use x509::store::X509StoreBuilder;
use hex::FromHex;
use foreign_types::ForeignTypeRef;
use super::Server;
+ #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
+ use super::ROOT_CERT;
#[test]
fn sslv23() {
@@ -221,6 +227,25 @@ run_test!(verify_trusted, |method, stream| {
}
});
+#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
+run_test!(verify_trusted_with_set_cert, |method, stream| {
+ let x509 = X509::from_pem(ROOT_CERT).unwrap();
+ let mut store = X509StoreBuilder::new().unwrap();
+ store.add_cert(x509).unwrap();
+
+ let mut ctx = SslContext::builder(method).unwrap();
+ ctx.set_verify(SSL_VERIFY_PEER);
+
+ match ctx.set_verify_cert_store(store.build()) {
+ Ok(_) => {}
+ Err(err) => panic!("Unexpected error {:?}", err),
+ }
+ match Ssl::new(&ctx.build()).unwrap().connect(stream) {
+ Ok(_) => (),
+ Err(err) => panic!("Expected success, got {:?}", err),
+ }
+});
+
run_test!(verify_untrusted_callback_override_ok, |method, stream| {
let mut ctx = SslContext::builder(method).unwrap();
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);
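Review bot: verify_trusted_with_set_cert covers only the positive case, a handshake succeeding once ROOT_CERT is in the custom store; nothing shows that verification fails closed when the custom store does not contain the root, which is the property a caller of this API relies on. A companion test built from an empty X509StoreBuilder that expects connect() to return Err would pin that behaviour using only names this file already imports. A sketch follows; the match on the result mirrors the style of the existing tests in this file.
```rust
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
run_test!(verify_untrusted_with_empty_cert_store, |method, stream| {
    // A store without the server's root must make the handshake fail; this
    // shows the custom store is actually consulted rather than ignored.
    let store = X509StoreBuilder::new().unwrap();

    let mut ctx = SslContext::builder(method).unwrap();
    ctx.set_verify(SSL_VERIFY_PEER);
    ctx.set_verify_cert_store(store.build()).unwrap();

    match Ssl::new(&ctx.build()).unwrap().connect(stream) {
        Ok(_) => panic!("Expected failure with an empty verify store"),
        Err(_) => (),
    }
});
```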