add contents of PEM file to RootCertStore

src/verify.rs

@@ -8,6 +8,9 @@ use msgs::handshake::ASN1Cert;
 use msgs::handshake::DigitallySignedStruct;
 use msgs::handshake::SignatureAndHashAlgorithm;
 use handshake::HandshakeError;
+use pemfile;
+
+use std::io;
 
 /* Which signature verification mechanisms we support.  No particular
  * order. */
@@ -63,6 +66,7 @@ impl RootCertStore {
     RootCertStore { roots: Vec::new() }
   }
 
+  /// Add a single DER-encoded certificate to the store.
   pub fn add(&mut self, der: &[u8]) -> Result<(), webpki::Error> {
     let ta = try!(
       webpki::trust_anchor_util::cert_der_as_trust_anchor(Input::new(der).unwrap())
@@ -72,6 +76,31 @@ impl RootCertStore {
     self.roots.push(ota);
     Ok(())
   }
+
+  /// Parse a PEM file and add all certificates found inside.
+  /// Errors are non-specific; they may be io errors in `rd` and
+  /// PEM format errors, but not certificate validity errors.
+  ///
+  /// This is because large collections of root certificates often
+  /// include ancient or syntactictally invalid certificates.  CAs
+  /// are competent like that.
+  ///
+  /// Returns the number of certificates added, and the number
+  /// which were extracted from the PEM but ultimately unsuitable.
+  pub fn add_pem_file(&mut self, rd: &mut io::BufRead) -> Result<(usize, usize), ()> {
+    let ders = try!(pemfile::certs(rd));
+    let mut valid_count = 0;
+    let mut invalid_count = 0;
+
+    for der in ders {
+      match self.add(&der) {
+        Ok(_) => valid_count += 1,
+        Err(_) => invalid_count += 1
+      }
+    }
+
+    Ok((valid_count, invalid_count))
+  }
 }
 
 /* Verify a the certificate chain `presented_certs` against the roots