Don't panic on empty chain

kazk · kazk · commit bf156f078a3a · 2021-11-07T20:30:04.000-08:00
diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
@@ -116,13 +116,15 @@ fn load_android_root_certs(connector: &mut SslContextBuilder) -> Result<(), Erro
 pub enum Error {
     Normal(ErrorStack),
     Ssl(ssl::Error, X509VerifyResult),
+    EmptyChain,
 }
 
 impl error::Error for Error {
     fn source(&self) -> Option<&(dyn error::Error + 'static)> {
         match *self {
             Error::Normal(ref e) => error::Error::source(e),
             Error::Ssl(ref e, _) => error::Error::source(e),
+            Error::EmptyChain => None,
         }
     }
 }
@@ -133,6 +135,10 @@ impl fmt::Display for Error {
             Error::Normal(ref e) => fmt::Display::fmt(e, fmt),
             Error::Ssl(ref e, X509VerifyResult::OK) => fmt::Display::fmt(e, fmt),
             Error::Ssl(ref e, v) => write!(fmt, "{} ({})", e, v),
+            Error::EmptyChain => write!(
+                fmt,
+                "at least one certificate must be provided to create an identity"
+            ),
         }
     }
 }
@@ -164,14 +170,9 @@ impl Identity {
     pub fn from_pkcs8(buf: &[u8], key: &[u8]) -> Result<Identity, Error> {
         let pkey = PKey::private_key_from_pem(key)?;
         let mut cert_chain = X509::stack_from_pem(buf)?.into_iter();
-        let cert = cert_chain.next();
+        let cert = cert_chain.next().ok_or(Error::EmptyChain)?;
         let chain = cert_chain.collect();
-        Ok(Identity {
-            pkey,
-            // an identity must have at least one certificate, the leaf cert
-            cert: cert.expect("at least one certificate must be provided to create an identity"),
-            chain,
-        })
+        Ok(Identity { pkey, cert, chain })
     }
 }
 
diff --git a/src/imp/schannel.rs b/src/imp/schannel.rs
@@ -98,8 +98,18 @@ impl Identity {
     pub fn from_pkcs8(pem: &[u8], key: &[u8]) -> Result<Identity, Error> {
         let mut store = Memory::new()?.into_store();
         let mut cert_iter = pem::PemBlock::new(pem).into_iter();
-        let leaf = cert_iter.next().expect("at least one certificate must be provided to create an identity");
-        let cert = CertContext::from_pem(std::str::from_utf8(leaf).map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "leaf cert contains invalid utf8"))?)?;
+        let leaf = cert_iter.next().ok_or_else(|| {
+            io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "at least one certificate must be provided to create an identity",
+            )
+        })?;
+        let cert = CertContext::from_pem(std::str::from_utf8(leaf).map_err(|_| {
+            io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "leaf cert contains invalid utf8",
+            )
+        })?)?;
 
         let mut options = AcquireOptions::new();
         options.container("schannel");
diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
@@ -104,10 +104,14 @@ impl Identity {
             .keychain(&keychain)
             .import(&pem)?;
 
-        let ident = SecIdentity::with_certificate(&[keychain], &items.certificates[0])?;
+        let cert = items
+            .certificates
+            .get(0)
+            .ok_or_else(|| Error(base::Error::from(errSecParam)))?;
+        let ident = SecIdentity::with_certificate(&[keychain], cert)?;
         Ok(Identity {
             identity: ident,
-            chain: items.certificates
+            chain: items.certificates,
         })
     }
 

Original file line number	Diff line number	Diff line change
`@@ -116,13 +116,15 @@ fn load_android_root_certs(connector: &mut SslContextBuilder) -> Result<(), Erro`
`116`	`116`	`pub enum Error {`
`117`	`117`	`Normal(ErrorStack),`
`118`	`118`	`Ssl(ssl::Error, X509VerifyResult),`
	`119`	`+ EmptyChain,`
`119`	`120`	`}`
`120`	`121`
`121`	`122`	`impl error::Error for Error {`
`122`	`123`	`fn source(&self) -> Option<&(dyn error::Error + 'static)> {`
`123`	`124`	`match *self {`
`124`	`125`	`Error::Normal(ref e) => error::Error::source(e),`
`125`	`126`	`Error::Ssl(ref e, _) => error::Error::source(e),`
	`127`	`+ Error::EmptyChain => None,`
`126`	`128`	`}`
`127`	`129`	`}`
`128`	`130`	`}`
`@@ -133,6 +135,10 @@ impl fmt::Display for Error {`
`133`	`135`	`Error::Normal(ref e) => fmt::Display::fmt(e, fmt),`
`134`	`136`	`Error::Ssl(ref e, X509VerifyResult::OK) => fmt::Display::fmt(e, fmt),`
`135`	`137`	`Error::Ssl(ref e, v) => write!(fmt, "{} ({})", e, v),`
	`138`	`+ Error::EmptyChain => write!(`
	`139`	`+ fmt,`
	`140`	`+ "at least one certificate must be provided to create an identity"`
	`141`	`+ ),`
`136`	`142`	`}`
`137`	`143`	`}`
`138`	`144`	`}`
`@@ -164,14 +170,9 @@ impl Identity {`
`164`	`170`	`pub fn from_pkcs8(buf: &[u8], key: &[u8]) -> Result<Identity, Error> {`
`165`	`171`	`let pkey = PKey::private_key_from_pem(key)?;`
`166`	`172`	`let mut cert_chain = X509::stack_from_pem(buf)?.into_iter();`
`167`		`- let cert = cert_chain.next();`
	`173`	`+ let cert = cert_chain.next().ok_or(Error::EmptyChain)?;`
`168`	`174`	`let chain = cert_chain.collect();`
`169`		`- Ok(Identity {`
`170`		`- pkey,`
`171`		`- // an identity must have at least one certificate, the leaf cert`
`172`		`- cert: cert.expect("at least one certificate must be provided to create an identity"),`
`173`		`- chain,`
`174`		`- })`
	`175`	`+ Ok(Identity { pkey, cert, chain })`
`175`	`176`	`}`
`176`	`177`	`}`
`177`	`178`