docs: add Store docs (#9416)

woodruffw · alex · web-flow · commit f4362f4e6a10 · 2023-08-14T18:48:27.000Z
* docs: add Store docs

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* src, tests: don't allow empty stores

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* Update docs/x509/verification.rst

Co-authored-by: Alex Gaynor &lt;alex.gaynor@gmail.com&gt;

---------

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
Co-authored-by: Alex Gaynor &lt;alex.gaynor@gmail.com&gt;
diff --git a/docs/x509/index.rst b/docs/x509/index.rst
@@ -11,6 +11,7 @@ certificates are commonly used in protocols like `TLS`_.
     tutorial
     certificate-transparency
     ocsp
+    verification
     reference
 
 .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst
@@ -0,0 +1,23 @@
+X.509 verification
+==================
+
+.. currentmodule:: cryptography.x509.verification
+
+Support for X.509 certificate verification, also known as path validation,
+chain building, etc.
+
+.. note::
+    This module is a work in progress, and does not yet contain a fully usable
+    X.509 path validation implementation.
+
+.. class:: Store(certs)
+
+    .. versionadded:: 42.0.0
+
+    A Store is an opaque set of public keys and subject identifiers that are
+    considered trusted *a priori*. Stores are typically created from the host
+    OS's root of trust, from a well-known source such as a browser CA bundle,
+    or from a small set of manually pre-trusted entities.
+
+    :param certs: A list of one or more :class:`~cryptography.x509.Certificate`
+        instances.
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
@@ -15,6 +15,11 @@ struct PyStore(Vec<pyo3::Py<PyCertificate>>);
 impl PyStore {
     #[new]
     fn new(certs: Vec<pyo3::Py<PyCertificate>>) -> pyo3::PyResult<Self> {
+        if certs.is_empty() {
+            return Err(pyo3::exceptions::PyValueError::new_err(
+                "can't create an empty store",
+            ));
+        }
         Ok(Self(certs))
     }
 }
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py
@@ -12,6 +12,10 @@
 
 
 class TestStore:
+    def test_store_rejects_empty_list(self):
+        with pytest.raises(ValueError):
+            Store([])
+
     def test_store_rejects_non_certificates(self):
         with pytest.raises(TypeError):
             Store(["not a cert"])  # type: ignore[list-item]

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,11 @@ struct PyStore(Vec<pyo3::Py<PyCertificate>>);`
`15`	`15`	`impl PyStore {`
`16`	`16`	`#[new]`
`17`	`17`	`fn new(certs: Vec<pyo3::Py<PyCertificate>>) -> pyo3::PyResult<Self> {`
	`18`	`+ if certs.is_empty() {`
	`19`	`+ return Err(pyo3::exceptions::PyValueError::new_err(`
	`20`	`+ "can't create an empty store",`
	`21`	`+ ));`
	`22`	`+ }`
`18`	`23`	`Ok(Self(certs))`
`19`	`24`	`}`
`20`	`25`	`}`