WIP

est31 · est31 · commit 82ed796167bb · 2020-10-16T13:21:27.000+02:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -24,7 +24,13 @@ mod macos;
 use macos as platform;
 
 use rustls::RootCertStore;
-use std::io::Error;
+use std::io::{Error, ErrorKind};
+use std::io::BufRead;
+
+pub trait RootStoreBuilder {
+    fn load_der(&mut self, der: Vec<u8>) -> Result<(), Error>;
+    fn load_pem_file(&mut self, rd: &mut dyn BufRead) -> Result<(), Error>;
+}
 
 /// Loads root certificates found in the platform's native certificate
 /// store.
@@ -37,5 +43,38 @@ use std::io::Error;
 /// and parsing a ~300KB disk file.  It's therefore prudent to call
 /// this sparingly.
 pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
-    platform::load_native_certs()
+    struct RootCertStoreLoader {
+        store: RootCertStore,
+    };
+    impl RootStoreBuilder for RootCertStoreLoader {
+        fn load_der(&mut self, der: Vec<u8>) -> Result<(), Error> {
+            self.store.add(&rustls::Certificate(der))
+                .map_err(|err| Error::new(ErrorKind::InvalidData, err))
+        }
+        fn load_pem_file(&mut self, rd: &mut dyn BufRead) -> Result<(), Error> {
+            self.store.add_pem_file(rd)
+                .map(|_| ())
+                .map_err(|()| Error::new(ErrorKind::InvalidData, format!("could not load PEM file")))
+        }
+    }
+    let mut loader = RootCertStoreLoader {
+        store: RootCertStore::empty(),
+    };
+    match build_native_certs(&mut loader) {
+        Err(err) if loader.store.is_empty() => Err((None, err)),
+        Err(err) => Err((Some(loader.store), err)),
+        Ok(()) => Ok(loader.store),
+    }
+}
+
+/// Loads root certificates found in the platform's native certificate
+/// store, executing callbacks on the provided builder.
+///
+/// This function fails in a platform-specific way, expressed in a `std::io::Error`.
+///
+/// This function can be expensive: on some platforms it involves loading
+/// and parsing a ~300KB disk file.  It's therefore prudent to call
+/// this sparingly.
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
+    platform::build_native_certs(builder)
 }
diff --git a/src/macos.rs b/src/macos.rs
@@ -9,9 +9,7 @@ use std::collections::HashMap;
 
 use crate::PartialResult;
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
-    let mut store = RootCertStore::empty();
-
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     // The various domains are designed to interact like this:
     //
     // "Per-user Trust Settings override locally administered
@@ -56,7 +54,7 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
         match trusted {
             TrustSettingsForCertificate::TrustRoot |
                 TrustSettingsForCertificate::TrustAsRoot => {
-                match store.add(&rustls::Certificate(der)) {
+                match builder.load_der(der) {
                     Err(err) => {
                         first_error = first_error
                             .or_else(|| Some(Error::new(ErrorKind::InvalidData, err)));
@@ -69,12 +67,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }
diff --git a/src/rustls.rs b/src/rustls.rs
diff --git a/src/unix.rs b/src/unix.rs
@@ -1,30 +1,27 @@
+use crate::RootStoreBuilder;
 use openssl_probe;
-use rustls::RootCertStore;
 use std::io::{Error, ErrorKind};
 use std::io::BufReader;
 use std::fs::File;
 use std::path::Path;
 
-use crate::PartialResult;
-
-fn load_file(store: &mut RootCertStore, path: &Path) -> Result<(), Error> {
+fn load_file(builder: &mut impl RootStoreBuilder, path: &Path) -> Result<(), Error> {
     let f = File::open(&path)?;
     let mut f = BufReader::new(f);
-    if store.add_pem_file(&mut f).is_err() {
+    if builder.load_pem_file(&mut f).is_err() {
         Err(Error::new(ErrorKind::InvalidData,
                        format!("Could not load PEM file {:?}", path)))
     } else {
         Ok(())
     }
 }
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     let likely_locations = openssl_probe::probe();
-    let mut store = RootCertStore::empty();
     let mut first_error = None;
 
     if let Some(file) = likely_locations.cert_file {
-        match load_file(&mut store, &file) {
+        match load_file(builder, &file) {
             Err(err) => {
                 first_error = first_error.or_else(|| Some(err));
             }
@@ -33,12 +30,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }
diff --git a/src/windows.rs b/src/windows.rs
@@ -15,7 +15,7 @@ fn usable_for_rustls(uses: schannel::cert_context::ValidUses) -> bool {
     }
 }
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     let mut store = RootCertStore::empty();
     let mut first_error = None;
 
@@ -27,7 +27,7 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
             continue;
         }
 
-        match store.add(&rustls::Certificate(cert.to_der().to_vec())) {
+        match builder.load_der(cert.to_der().to_vec()) {
             Err(err) => {
                 first_error = first_error
                     .or_else(|| Some(Error::new(ErrorKind::InvalidData, err)));
@@ -37,12 +37,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ fn usable_for_rustls(uses: schannel::cert_context::ValidUses) -> bool {`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`
`18`		`-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {`
	`18`	`+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {`
`19`	`19`	`let mut store = RootCertStore::empty();`
`20`	`20`	`let mut first_error = None;`
`21`	`21`
`@@ -27,7 +27,7 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {`
`27`	`27`	`continue;`
`28`	`28`	`}`
`29`	`29`
`30`		`- match store.add(&rustls::Certificate(cert.to_der().to_vec())) {`
	`30`	`+ match builder.load_der(cert.to_der().to_vec()) {`
`31`	`31`	`Err(err) => {`
`32`	`32`	`first_error = first_error`
`33`	`33`	`.or_else(\|\| Some(Error::new(ErrorKind::InvalidData, err)));`
`@@ -37,12 +37,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`if let Some(err) = first_error {`
`40`		`- if store.is_empty() {`
`41`		`- Err((None, err))`
`42`		`- } else {`
`43`		`- Err((Some(store), err))`
`44`		`- }`
	`40`	`+ Err(err)`
`45`	`41`	`} else {`
`46`		`- Ok(store)`
	`42`	`+ Ok(())`
`47`	`43`	`}`
`48`	`44`	`}`