From 6abac82f13c80a2726fc2e9a0f6913357e93a985 Mon Sep 17 00:00:00 2001
From: Benjamin Fry <benjaminfry@me.com>
Date: Sun, 26 Mar 2017 00:16:27 -0700
Subject: [PATCH] cleanup and add negative test

---
 openssl/src/x509/mod.rs   | 13 ++++++++-----
 openssl/src/x509/tests.rs | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 0cfa8ada4..6bb58dbd5 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -117,18 +117,21 @@ impl X509StoreContextRef {
     /// # Result
     /// 
     /// The Result must be `Some(None)` to be a valid certificate, otherwise the cert is not valid.
-    pub fn verify_cert(trust: store::X509Store, cert: X509, cert_chain: Stack<X509>) -> Result<Option<X509VerifyError>, ErrorStack> {
+    pub fn verify_cert(trust: store::X509Store, cert: X509, cert_chain: Stack<X509>) -> Result<(), ErrorStack> {
         unsafe {
             ffi::init();
             let context = try!(cvt_p(ffi::X509_STORE_CTX_new()).map(|p| X509StoreContext(p)));
             try!(cvt(ffi::X509_STORE_CTX_init(context.as_ptr(), trust.as_ptr(), cert.as_ptr(), cert_chain.as_ptr()))
                 .map(|_| ()));
+
+            mem::forget(trust);
+            mem::forget(cert);
+            mem::forget(cert_chain);
+
+            // verify_cert returns an error `<= 0` if there was a validation error
             try!(cvt(ffi::X509_verify_cert(context.as_ptr())).map(|_| ()));
             
-            let result = Ok(context.error());
-            ffi::X509_STORE_CTX_cleanup(context.as_ptr());
-
-            result
+            Ok(())
         }
     }
 
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index 96d457425..7ea91432a 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -303,5 +303,19 @@ fn test_verify_cert() {
     store_bldr.add_cert(ca).unwrap();
     let store = store_bldr.build();
 
-    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).unwrap().is_none());
+    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).is_ok());
+}
+
+#[test]
+fn test_verify_fails() {
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let ca = include_bytes!("../../test/alt_name_cert.pem");
+    let ca = X509::from_pem(ca).unwrap();
+
+    let mut store_bldr = X509StoreBuilder::new().unwrap();
+    store_bldr.add_cert(ca).unwrap();
+    let store = store_bldr.build();
+
+    assert!(X509StoreContext::verify_cert(store, cert, Stack::new().unwrap()).is_err());
 }
-- 
GitLab