From 4149b4389024169298c59011ab676f91c38f7bc1 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Sun, 27 Jul 2025 23:04:09 +0900
Subject: [PATCH] x509store: fix StoreContext#current_cert

Commit ef277083ba76 overlooked a caller of ossl_x509_new() with NULL argument. OpenSSL::X509::StoreContext#current_cert may not have a certificate to return if StoreContext#verify has not been called.
---
 ext/openssl/ossl_x509store.c | 6 +++++-
 test/openssl/test_x509store.rb | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 18acdc8ad..8291578f2 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -735,10 +735,14 @@ static VALUE
 ossl_x509stctx_get_curr_cert(VALUE self)
 {
 X509_STORE_CTX *ctx;
+ X509 *x509;
 GetX509StCtx(self, ctx);
+ x509 = X509_STORE_CTX_get_current_cert(ctx);
+ if (!x509)
+ return Qnil;
- return ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
+ return ossl_x509_new(x509);
 }
 /*
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 745ae7dd1..c13beae36 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -91,6 +91,18 @@ def test_verify_simple
 assert_match(/ok/i, store.error_string)
 assert_equal(OpenSSL::X509::V_OK, store.error)
 assert_equal([ee1_cert, ca2_cert, ca1_cert], store.chain)
+
+ # Manually instantiated StoreContext
+ # Nothing trusted
+ store = OpenSSL::X509::Store.new
+ ctx = OpenSSL::X509::StoreContext.new(store, ee1_cert)
+ assert_nil(ctx.current_cert)
+ assert_nil(ctx.current_crl)
+ assert_equal(false, ctx.verify)
+ assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ctx.error)
+ assert_equal(0, ctx.error_depth)
+ assert_equal([ee1_cert], ctx.chain)
+ assert_equal(ee1_cert, ctx.current_cert)
 end
 def test_verify_callback
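Review bot: The new `if (!x509) return Qnil;` branch in ossl_x509stctx_get_curr_cert changes what the Ruby method can return, but nothing in the hunk documents why the pointer can be NULL. I would add `/* NULL until a verification has set a current certificate */` above the check. The method's documentation comment, which is outside this hunk if it exists, should also state that nil is returned when StoreContext#verify has not been called. Since the commit message says an earlier change overlooked this caller, the remaining ossl_x509_new() call sites may deserve the same audit for a possibly-NULL argument; they are not visible here.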
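Review bot: The regression assertions are appended to the end of test_verify_simple, so a failure in any earlier assertion of that method stops the run before the nil-before-verify case is exercised. A dedicated method, for example `def test_current_cert_before_verify`, would isolate the case and name what it guards. The start of test_verify_simple is outside the hunk, so the setup the new lines rely on (ee1_cert) would need to be repeated or shared there.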