Skip to content

Commit

Permalink
fixes #2096 -- deprecate X509StoreRef::objects, it is unsound
Browse files Browse the repository at this point in the history
Introduce `X509StoreRef::all_certificates` as a replacement.
  • Loading branch information
alex committed Nov 19, 2023
1 parent 2d9458e commit ce47980
Show file tree
Hide file tree
Showing 5 changed files with 38 additions and 5 deletions.
2 changes: 2 additions & 0 deletions openssl-sys/src/handwritten/x509.rs
Original file line number Diff line number Diff line change
Expand Up @@ -644,6 +644,8 @@ const_ptr_api! {
extern "C" {
#[cfg(any(ossl110, libressl270))]
pub fn X509_STORE_get0_objects(ctx: #[const_ptr_if(ossl300)] X509_STORE) -> *mut stack_st_X509_OBJECT;
#[cfg(ossl300)]
pub fn X509_STORE_get1_all_certs(ctx: *mut X509_STORE) -> *mut stack_st_X509;
}
}

Expand Down
6 changes: 4 additions & 2 deletions openssl/src/cipher_ctx.rs
Original file line number Diff line number Diff line change
Expand Up @@ -581,7 +581,8 @@ impl CipherCtxRef {
/// output size check removed. It can be used when the exact
/// buffer size control is maintained by the caller.
///
/// SAFETY: The caller is expected to provide `output` buffer
/// # Safety
/// The caller is expected to provide `output` buffer
/// large enough to contain correct number of bytes. For streaming
/// ciphers the output buffer size should be at least as big as
/// the input buffer. For block ciphers the size of the output
Expand Down Expand Up @@ -693,7 +694,8 @@ impl CipherCtxRef {
/// This function is the same as [`Self::cipher_final`] but with
/// the output buffer size check removed.
///
/// SAFETY: The caller is expected to provide `output` buffer
/// # Safety
/// The caller is expected to provide `output` buffer
/// large enough to contain correct number of bytes. For streaming
/// ciphers the output buffer can be empty, for block ciphers the
/// output buffer should be at least as big as the block.
Expand Down
2 changes: 1 addition & 1 deletion openssl/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@
//! ```
#![doc(html_root_url = "https://docs.rs/openssl/0.10")]
#![warn(rust_2018_idioms)]
#![allow(clippy::uninlined_format_args)]
#![allow(clippy::uninlined_format_args, clippy::needless_doctest_main)]

#[doc(inline)]
pub use ffi::init;
Expand Down
18 changes: 16 additions & 2 deletions openssl/src/x509/store.rs
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,13 @@
//! ```
use cfg_if::cfg_if;
use foreign_types::ForeignTypeRef;
use foreign_types::{ForeignType, ForeignTypeRef};
use std::mem;

use crate::error::ErrorStack;
#[cfg(not(boringssl))]
use crate::ssl::SslFiletype;
use crate::stack::StackRef;
use crate::stack::{Stack, StackRef};
#[cfg(any(ossl102, libressl261))]
use crate::x509::verify::{X509VerifyFlags, X509VerifyParamRef};
use crate::x509::{X509Object, X509PurposeId, X509};
Expand Down Expand Up @@ -260,10 +260,24 @@ foreign_type_and_impl_send_sync! {

impl X509StoreRef {
/// Get a reference to the cache of certificates in this store.
///
/// This method is deprecated. It is **unsound** and will be removed in a
/// future version of rust-openssl. `X509StoreRef::all_certificates`
/// should be used instead.
#[deprecated(
note = "This method is unsound, and will be removed in a future version of rust-openssl. X509StoreRef::all_certificates should be used instead."
)]
#[corresponds(X509_STORE_get0_objects)]
pub fn objects(&self) -> &StackRef<X509Object> {
unsafe { StackRef::from_ptr(X509_STORE_get0_objects(self.as_ptr())) }
}

/// Returns a stack of all the certificates in this store.
#[corresponds(X509_STORE_get1_all_certs)]
#[cfg(ossl300)]
pub fn all_certificates(&self) -> Stack<X509> {
unsafe { Stack::from_ptr(ffi::X509_STORE_get1_all_certs(self.as_ptr())) }
}
}

cfg_if! {
Expand Down
15 changes: 15 additions & 0 deletions openssl/src/x509/tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1177,3 +1177,18 @@ fn test_dist_point_null() {
let cert = X509::from_pem(cert).unwrap();
assert!(cert.crl_distribution_points().is_none());
}

#[test]
#[cfg(ossl300)]
fn test_store_all_certificates() {
let cert = include_bytes!("../../test/cert.pem");
let cert = X509::from_pem(cert).unwrap();

let store = {
let mut b = X509StoreBuilder::new().unwrap();
b.add_cert(cert).unwrap();
b.build()
};

assert_eq!(store.all_certificates().len(), 1);
}

0 comments on commit ce47980

Please sign in to comment.