Add precision to certificate chain operations

ctz · ctz · commit eb4304a2fc0a · 2025-08-14T13:08:36.000+01:00
We were convolving functions that operate only on the tail of a certificate
chain (eg, `SSL_CTX_set0_chain`) and those that provide the entire chain in
one (eg, `SSL_CTX_use_certificate_chain_file` or the `Certificate` conf
directive).
diff --git a/src/conf.rs b/src/conf.rs
@@ -180,7 +180,7 @@ impl SslConfigCtx {
             State::ApplyingToCtx(ctx) => {
                 // the "Certificate" command after `SSL_CONF_CTX_set_ssl_ctx` is documented as using
                 // `SSL_CTX_use_certificate_chain_file`.
-                ctx.get_mut().stage_certificate_chain(cert_chain)?;
+                ctx.get_mut().stage_certificate_full_chain(cert_chain)?;
                 ActionResult::Applied
             }
             State::ApplyingToSsl(_) => {
diff --git a/src/entry.rs b/src/entry.rs
@@ -283,7 +283,7 @@ entry! {
                     }
                 };
 
-                match ctx.get_mut().stage_certificate_chain(chain) {
+                match ctx.get_mut().stage_certificate_chain_tail(chain) {
                     Err(e) => e.raise().into(),
                     Ok(()) => C_INT_SUCCESS as i64,
                 }
@@ -481,7 +481,7 @@ entry! {
             Err(err) => return err.raise().into(),
         };
 
-        match ctx.get_mut().stage_certificate_chain(chain) {
+        match ctx.get_mut().stage_certificate_full_chain(chain) {
             Ok(()) => C_INT_SUCCESS,
             Err(e) => e.raise().into(),
         }
@@ -964,7 +964,7 @@ entry! {
                     }
                 };
 
-                match ssl.get_mut().stage_certificate_chain(chain) {
+                match ssl.get_mut().stage_certificate_chain_tail(chain) {
                     Ok(()) => C_INT_SUCCESS as i64,
                     Err(e) => e.raise().into(),
                 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -685,11 +685,18 @@ impl SslContext {
         self.auth_keys.stage_certificate_end_entity(end)
     }
 
-    fn stage_certificate_chain(
+    fn stage_certificate_full_chain(
         &mut self,
         chain: Vec<CertificateDer<'static>>,
     ) -> Result<(), error::Error> {
-        self.auth_keys.stage_certificate_chain(chain)
+        self.auth_keys.stage_certificate_full_chain(chain)
+    }
+
+    fn stage_certificate_chain_tail(
+        &mut self,
+        chain: Vec<CertificateDer<'static>>,
+    ) -> Result<(), error::Error> {
+        self.auth_keys.stage_certificate_chain_tail(chain)
     }
 
     fn commit_private_key(&mut self, key: evp_pkey::EvpPkey) -> Result<(), error::Error> {
@@ -946,11 +953,11 @@ impl Ssl {
         self.auth_keys.stage_certificate_end_entity(end)
     }
 
-    fn stage_certificate_chain(
+    fn stage_certificate_chain_tail(
         &mut self,
         chain: Vec<CertificateDer<'static>>,
     ) -> Result<(), error::Error> {
-        self.auth_keys.stage_certificate_chain(chain)
+        self.auth_keys.stage_certificate_chain_tail(chain)
     }
 
     fn commit_private_key(&mut self, key: evp_pkey::EvpPkey) -> Result<(), error::Error> {
diff --git a/src/sign.rs b/src/sign.rs
@@ -34,7 +34,27 @@ pub struct CertifiedKeySet {
 }
 
 impl CertifiedKeySet {
-    pub fn stage_certificate_chain(
+    /// Set the entirety of the current certificate chain to `chain`.
+    ///
+    /// `chain[0]` is the end-entity cert.
+    pub fn stage_certificate_full_chain(
+        &mut self,
+        mut chain: Vec<CertificateDer<'static>>,
+    ) -> Result<(), error::Error> {
+        match chain.is_empty() {
+            false => {
+                self.stage_certificate_end_entity(chain.remove(0))?;
+                self.stage_certificate_chain_tail(chain)
+            }
+            true => Err(error::Error::bad_data("empty certificate full chain")),
+        }
+    }
+
+    /// Set the "bottom part" of the current certificate chain to `chain`.
+    ///
+    /// This does not contain the end-entity certificate.  That must be provided separately
+    /// with `stage_certificate_end_entity()`.
+    pub fn stage_certificate_chain_tail(
         &mut self,
         chain: Vec<CertificateDer<'static>>,
     ) -> Result<(), error::Error> {

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,7 @@ impl SslConfigCtx {`
`180`	`180`	`State::ApplyingToCtx(ctx) => {`
`181`	`181`	// the "Certificate" command after `SSL_CONF_CTX_set_ssl_ctx` is documented as using
`182`	`182`	// `SSL_CTX_use_certificate_chain_file`.
`183`		`- ctx.get_mut().stage_certificate_chain(cert_chain)?;`
	`183`	`+ ctx.get_mut().stage_certificate_full_chain(cert_chain)?;`
`184`	`184`	`ActionResult::Applied`
`185`	`185`	`}`
`186`	`186`	`State::ApplyingToSsl(_) => {`
Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,7 @@ entry! {`
`283`	`283`	`}`
`284`	`284`	`};`
`285`	`285`
`286`		`- match ctx.get_mut().stage_certificate_chain(chain) {`
	`286`	`+ match ctx.get_mut().stage_certificate_chain_tail(chain) {`
`287`	`287`	`Err(e) => e.raise().into(),`
`288`	`288`	`Ok(()) => C_INT_SUCCESS as i64,`
`289`	`289`	`}`
`@@ -481,7 +481,7 @@ entry! {`
`481`	`481`	`Err(err) => return err.raise().into(),`
`482`	`482`	`};`
`483`	`483`
`484`		`- match ctx.get_mut().stage_certificate_chain(chain) {`
	`484`	`+ match ctx.get_mut().stage_certificate_full_chain(chain) {`
`485`	`485`	`Ok(()) => C_INT_SUCCESS,`
`486`	`486`	`Err(e) => e.raise().into(),`
`487`	`487`	`}`
`@@ -964,7 +964,7 @@ entry! {`
`964`	`964`	`}`
`965`	`965`	`};`
`966`	`966`
`967`		`- match ssl.get_mut().stage_certificate_chain(chain) {`
	`967`	`+ match ssl.get_mut().stage_certificate_chain_tail(chain) {`
`968`	`968`	`Ok(()) => C_INT_SUCCESS as i64,`
`969`	`969`	`Err(e) => e.raise().into(),`
`970`	`970`	`}`