add support for Context.set_cert_store

reaperhulk · reaperhulk · commit d59324949df7 · 2023-04-15T08:16:26.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,6 +25,7 @@ jobs:
           - {VERSION: "3.9", TOXENV: "py39-cryptographyMain"}
           - {VERSION: "3.10", TOXENV: "py310-cryptographyMain"}
           - {VERSION: "3.11", TOXENV: "py311-cryptographyMain"}
+          - {VERSION: "3.11", TOXENV: "py311-cryptography40"}
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-cryptographyMain"}
           - {VERSION: "pypy-3.9", TOXENV: "pypy3-cryptographyMain"}
           # -cryptographyMinimum
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -17,6 +17,7 @@ Changes:
 ^^^^^^^^
 
 - Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+- Added ``Context.set_cert_store`` `#1210 <https://github.com/pyca/pyopenssl/pull/1210>`_.
 
 23.1.1 (2023-03-28)
 -------------------
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
@@ -1399,6 +1399,24 @@ def get_cert_store(self):
         pystore._store = store
         return pystore
 
+    def set_cert_store(self, store):
+        """
+        Set the certificate store for the context.
+        :param store: A X509Store object.
+        :return: None
+        """
+        try:
+            _lib.SSL_CTX_set_cert_store(self._context, store._store)
+            # The store is now owned by the context, so we need to
+            # remove the gc free in the object. We do this after the
+            # set since set may not exist.
+            _ffi.gc(store._store, None)
+        except AttributeError:
+            # This can be removed when we depend on >= 40.0.2
+            raise NotImplementedError(
+                "cryptography must be updated to call this method"
+            )
+
     def set_options(self, options):
         """
         Add options. Options set before are not cleared!
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
@@ -1716,6 +1716,16 @@ def test_get_cert_store(self):
         store = context.get_cert_store()
         assert isinstance(store, X509Store)
 
+    def test_set_cert_store(self):
+        context = Context(SSLv23_METHOD)
+        try:
+            store = X509Store()
+            context.set_cert_store(store)
+            assert store._store == context.get_cert_store()._store
+        except NotImplementedError:
+            pass
+
+
     def test_set_tlsext_use_srtp_not_bytes(self):
         """
         `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.
diff --git a/tox.ini b/tox.ini
@@ -19,6 +19,8 @@ extras =
 deps =
     coverage>=4.2
     cryptographyMinimum: cryptography==38.0.0
+    # special version to test paths for bindings we temporarily removed
+    cryptography40: cryptography==40.0.1
     randomorder: pytest-randomly
 setenv =
     # Do not allow the executing environment to pollute the test environment
