Updated to 2024 edition.

Author: ancwrd1

Cargo.toml

@@ -8,7 +8,7 @@ repository = "https://github.com/rustls/rustls-cng"
 documentation = "https://docs.rs/rustls-cng"
 readme = "README.md"
 keywords = ["cng", "tls", "rustls", "windows"]
-edition = "2021"
+edition = "2024"
 publish = false
 
 [package.metadata.docs.rs]
@@ -19,7 +19,7 @@ no-default-features = true
 rustls = { git = "https://github.com/rustls/rustls.git", default-features = false, features = ["std"] }
 rustls-pki-types = "1"
 time = { version = "0.3.43", default-features = false, optional = true }
-windows-sys = { version = "0.60", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
+windows-sys = { version = "0.61", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
 
 [dev-dependencies]
 anyhow = "1"

examples/server.rs

@@ -7,9 +7,9 @@ use std::{
 
 use clap::Parser;
 use rustls::{
+    RootCertStore, ServerConfig, ServerConnection, Stream,
     server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
     sign::CertifiedKey,
-    RootCertStore, ServerConfig, ServerConnection, Stream,
 };
 
 use rustls_cng::{
@@ -98,10 +98,7 @@ fn handle_connection(mut stream: TcpStream, config: Arc<ServerConfig>) -> anyhow
         tls_stream.conn.negotiated_cipher_suite()
     );
     println!("SNI host name: {:?}", tls_stream.conn.server_name());
-    println!(
-        "Peer certificates: {:?}",
-        tls_stream.conn.peer_certificates().map(|c| c.len())
-    );
+    println!("Peer identity: {:?}", tls_stream.conn.peer_identity());
 
     let mut buf = [0u8; 4];
     tls_stream.read_exact(&mut buf)?;

src/store.rs

@@ -4,7 +4,7 @@ use std::{os::raw::c_void, ptr};
 
 use windows_sys::Win32::Security::Cryptography::*;
 
-use crate::{cert::CertContext, error::CngError, Result};
+use crate::{Result, cert::CertContext, error::CngError};
 
 const MY_ENCODING_TYPE: CERT_QUERY_ENCODING_TYPE = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
 
@@ -184,16 +184,25 @@ impl CertStore {
     ) -> Result<Vec<CertContext>> {
         let mut certs = Vec::new();
 
-        let mut cert: *mut CERT_CONTEXT = ptr::null_mut();
-
-        loop {
-            cert = CertFindCertificateInStore(self.0, MY_ENCODING_TYPE, 0, flags, find_param, cert);
-            if cert.is_null() {
-                break;
-            } else {
-                // increase refcount because it will be released by next call to CertFindCertificateInStore
-                let cert = CertDuplicateCertificateContext(cert);
-                certs.push(CertContext::new_owned(cert))
+        unsafe {
+            let mut cert: *mut CERT_CONTEXT = ptr::null_mut();
+
+            loop {
+                cert = CertFindCertificateInStore(
+                    self.0,
+                    MY_ENCODING_TYPE,
+                    0,
+                    flags,
+                    find_param,
+                    cert,
+                );
+                if cert.is_null() {
+                    break;
+                } else {
+                    // increase refcount because it will be released by next call to CertFindCertificateInStore
+                    let cert = CertDuplicateCertificateContext(cert);
+                    certs.push(CertContext::new_owned(cert))
+                }
             }
         }
         Ok(certs)
@@ -204,34 +213,37 @@ impl CertStore {
         find_param: *const c_void,
     ) -> Result<Vec<CertContext>> {
         let mut certs = Vec::new();
-        let mut cert: *mut CERT_CONTEXT = ptr::null_mut();
-        let hash_blob = &*(find_param as *const CRYPT_INTEGER_BLOB);
-        let sha256_hash = std::slice::from_raw_parts(hash_blob.pbData, hash_blob.cbData as usize);
-        loop {
-            cert = CertFindCertificateInStore(
-                self.0,
-                MY_ENCODING_TYPE,
-                0,
-                CERT_FIND_ANY,
-                find_param,
-                cert,
-            );
-            if cert.is_null() {
-                break;
-            } else {
-                let mut prop_data = [0u8; 32];
-                let mut prop_data_len = prop_data.len() as u32;
 
-                if CertGetCertificateContextProperty(
+        unsafe {
+            let mut cert: *mut CERT_CONTEXT = ptr::null_mut();
+            let hash_blob = &*(find_param as *const CRYPT_INTEGER_BLOB);
+            let sha256_hash = std::slice::from_raw_parts(hash_blob.pbData, hash_blob.cbData as usize);
+            loop {
+                cert = CertFindCertificateInStore(
+                    self.0,
+                    MY_ENCODING_TYPE,
+                    0,
+                    CERT_FIND_ANY,
+                    find_param,
                     cert,
-                    CERT_SHA256_HASH_PROP_ID,
-                    prop_data.as_mut_ptr() as *mut c_void,
-                    &mut prop_data_len,
-                ) != 0
-                    && prop_data[..prop_data_len as usize] == sha256_hash[..]
-                {
-                    let cert = CertDuplicateCertificateContext(cert);
-                    certs.push(CertContext::new_owned(cert))
+                );
+                if cert.is_null() {
+                    break;
+                } else {
+                    let mut prop_data = [0u8; 32];
+                    let mut prop_data_len = prop_data.len() as u32;
+
+                    if CertGetCertificateContextProperty(
+                        cert,
+                        CERT_SHA256_HASH_PROP_ID,
+                        prop_data.as_mut_ptr() as *mut c_void,
+                        &mut prop_data_len,
+                    ) != 0
+                        && prop_data[..prop_data_len as usize] == sha256_hash[..]
+                    {
+                        let cert = CertDuplicateCertificateContext(cert);
+                        certs.push(CertContext::new_owned(cert))
+                    }
                 }
             }
         }