WIP

est31 · est31 · commit ec25593b710d · 2020-10-16T13:40:40.000+02:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -24,7 +24,13 @@ mod macos;
 use macos as platform;
 
 use rustls::RootCertStore;
-use std::io::Error;
+use std::io::{Error, ErrorKind};
+use std::io::BufRead;
+
+pub trait RootStoreBuilder {
+    fn load_der(&mut self, der: Vec<u8>) -> Result<(), Error>;
+    fn load_pem_file(&mut self, rd: &mut dyn BufRead) -> Result<(), Error>;
+}
 
 /// Loads root certificates found in the platform's native certificate
 /// store.
@@ -37,5 +43,38 @@ use std::io::Error;
 /// and parsing a ~300KB disk file.  It's therefore prudent to call
 /// this sparingly.
 pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
-    platform::load_native_certs()
+    struct RootCertStoreLoader {
+        store: RootCertStore,
+    };
+    impl RootStoreBuilder for RootCertStoreLoader {
+        fn load_der(&mut self, der: Vec<u8>) -> Result<(), Error> {
+            self.store.add(&rustls::Certificate(der))
+                .map_err(|err| Error::new(ErrorKind::InvalidData, err))
+        }
+        fn load_pem_file(&mut self, rd: &mut dyn BufRead) -> Result<(), Error> {
+            self.store.add_pem_file(rd)
+                .map(|_| ())
+                .map_err(|()| Error::new(ErrorKind::InvalidData, format!("could not load PEM file")))
+        }
+    }
+    let mut loader = RootCertStoreLoader {
+        store: RootCertStore::empty(),
+    };
+    match build_native_certs(&mut loader) {
+        Err(err) if loader.store.is_empty() => Err((None, err)),
+        Err(err) => Err((Some(loader.store), err)),
+        Ok(()) => Ok(loader.store),
+    }
+}
+
+/// Loads root certificates found in the platform's native certificate
+/// store, executing callbacks on the provided builder.
+///
+/// This function fails in a platform-specific way, expressed in a `std::io::Error`.
+///
+/// This function can be expensive: on some platforms it involves loading
+/// and parsing a ~300KB disk file.  It's therefore prudent to call
+/// this sparingly.
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
+    platform::build_native_certs(builder)
 }
diff --git a/src/macos.rs b/src/macos.rs
@@ -9,9 +9,7 @@ use std::collections::HashMap;
 
 use crate::PartialResult;
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
-    let mut store = RootCertStore::empty();
-
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     // The various domains are designed to interact like this:
     //
     // "Per-user Trust Settings override locally administered
@@ -56,7 +54,7 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
         match trusted {
             TrustSettingsForCertificate::TrustRoot |
                 TrustSettingsForCertificate::TrustAsRoot => {
-                match store.add(&rustls::Certificate(der)) {
+                match builder.load_der(der) {
                     Err(err) => {
                         first_error = first_error
                             .or_else(|| Some(Error::new(ErrorKind::InvalidData, err)));
@@ -69,12 +67,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }
diff --git a/src/rustls.rs b/src/rustls.rs
diff --git a/src/unix.rs b/src/unix.rs
@@ -1,30 +1,27 @@
+use crate::RootStoreBuilder;
 use openssl_probe;
-use rustls::RootCertStore;
 use std::io::{Error, ErrorKind};
 use std::io::BufReader;
 use std::fs::File;
 use std::path::Path;
 
-use crate::PartialResult;
-
-fn load_file(store: &mut RootCertStore, path: &Path) -> Result<(), Error> {
+fn load_file(builder: &mut impl RootStoreBuilder, path: &Path) -> Result<(), Error> {
     let f = File::open(&path)?;
     let mut f = BufReader::new(f);
-    if store.add_pem_file(&mut f).is_err() {
+    if builder.load_pem_file(&mut f).is_err() {
         Err(Error::new(ErrorKind::InvalidData,
                        format!("Could not load PEM file {:?}", path)))
     } else {
         Ok(())
     }
 }
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     let likely_locations = openssl_probe::probe();
-    let mut store = RootCertStore::empty();
     let mut first_error = None;
 
     if let Some(file) = likely_locations.cert_file {
-        match load_file(&mut store, &file) {
+        match load_file(builder, &file) {
             Err(err) => {
                 first_error = first_error.or_else(|| Some(err));
             }
@@ -33,12 +30,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }
diff --git a/src/windows.rs b/src/windows.rs
@@ -1,9 +1,7 @@
+use crate::RootStoreBuilder;
 use schannel;
-use rustls::RootCertStore;
 use std::io::{Error, ErrorKind};
 
-use crate::PartialResult;
-
 static PKIX_SERVER_AUTH: &str = "1.3.6.1.5.5.7.3.1";
 
 fn usable_for_rustls(uses: schannel::cert_context::ValidUses) -> bool {
@@ -15,19 +13,17 @@ fn usable_for_rustls(uses: schannel::cert_context::ValidUses) -> bool {
     }
 }
 
-pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
-    let mut store = RootCertStore::empty();
+pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     let mut first_error = None;
 
-    let current_user_store = schannel::cert_store::CertStore::open_current_user("ROOT")
-        .map_err(|err| (None, err))?;
+    let current_user_store = schannel::cert_store::CertStore::open_current_user("ROOT")?;
 
     for cert in current_user_store.certs() {
         if !usable_for_rustls(cert.valid_uses().unwrap()) {
             continue;
         }
 
-        match store.add(&rustls::Certificate(cert.to_der().to_vec())) {
+        match builder.load_der(cert.to_der().to_vec()) {
             Err(err) => {
                 first_error = first_error
                     .or_else(|| Some(Error::new(ErrorKind::InvalidData, err)));
@@ -37,12 +33,8 @@ pub fn load_native_certs() -> PartialResult<RootCertStore, Error> {
     }
 
     if let Some(err) = first_error {
-        if store.is_empty() {
-            Err((None, err))
-        } else {
-            Err((Some(store), err))
-        }
+        Err(err)
     } else {
-        Ok(store)
+        Ok(())
     }
 }
