From d59324949df7a35ff051db68c6c7b54e82294e8b Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sat, 15 Apr 2023 08:16:26 +0800
Subject: [PATCH] add support for Context.set_cert_store
---
 .github/workflows/ci.yml | 1 +
 CHANGELOG.rst | 1 +
 src/OpenSSL/SSL.py | 18 ++++++++++++++++++
 tests/test_ssl.py | 10 ++++++++++
 tox.ini | 2 ++
 5 files changed, 32 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d120cf627..4d3af582d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,6 +25,7 @@ jobs:
 - {VERSION: "3.9", TOXENV: "py39-cryptographyMain"}
 - {VERSION: "3.10", TOXENV: "py310-cryptographyMain"}
 - {VERSION: "3.11", TOXENV: "py311-cryptographyMain"}
+ - {VERSION: "3.11", TOXENV: "py311-cryptography40"}
 - {VERSION: "pypy-3.8", TOXENV: "pypy3-cryptographyMain"}
 - {VERSION: "pypy-3.9", TOXENV: "pypy3-cryptographyMain"}
 # -cryptographyMinimum
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8a0957e2e..8500eef60 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,6 +17,7 @@ Changes:
 ^^^^^^^^
 - Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+- Added ``Context.set_cert_store`` `#1210 `_.
 23.1.1 (2023-03-28)
 -------------------
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index efbf7907e..cdca21454 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1399,6 +1399,24 @@ def get_cert_store(self):
 pystore._store = store
 return pystore
+ def set_cert_store(self, store):
+ """
+ Set the certificate store for the context.
+ :param store: A X509Store object.
+ :return: None
+ """
+ try:
+ _lib.SSL_CTX_set_cert_store(self._context, store._store)
+ # The store is now owned by the context, so we need to
+ # remove the gc free in the object. We do this after the
+ # set since set may not exist.
+ _ffi.gc(store._store, None)
+ except AttributeError:
+ # This can be removed when we depend on >= 40.0.2
+ raise NotImplementedError(
+ "cryptography must be updated to call this method"
+ )
+
 def set_options(self, options):
 """
 Add options. Options set before are not cleared!
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 024436f06..537bacf1d 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -1716,6 +1716,16 @@ def test_get_cert_store(self):
 store = context.get_cert_store()
 assert isinstance(store, X509Store)
+ def test_set_cert_store(self):
+ context = Context(SSLv23_METHOD)
+ try:
+ store = X509Store()
+ context.set_cert_store(store)
+ assert store._store == context.get_cert_store()._store
+ except NotImplementedError:
+ pass
+
+
 def test_set_tlsext_use_srtp_not_bytes(self):
 """
 `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.
diff --git a/tox.ini b/tox.ini
index a298c9416..37548b296 100644
--- a/tox.ini
+++ b/tox.ini
@@ -19,6 +19,8 @@ extras =
 deps =
 coverage>=4.2
 cryptographyMinimum: cryptography==38.0.0
+ # special version to test paths for bindings we temporarily removed
+ cryptography40: cryptography==40.0.1
 randomorder: pytest-randomly
 setenv =
 # Do not allow the executing environment to pollute the test environment
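Review bot: In `Context.set_cert_store` (src/OpenSSL/SSL.py), `_ffi.gc(store._store, None)` leaves the Python `X509Store` holding a raw pointer that it no longer keeps alive, so the native store's lifetime now depends entirely on the context. SSL_CTX_set_cert_store frees the previously installed store and takes no reference of its own, so passing the same `X509Store` to a second `Context`, passing it again to this one, or using it after the `Context` has been collected can end in a double free or use-after-free. Taking an extra reference rather than dropping the finalizer would avoid that (OpenSSL provides `X509_STORE_up_ref` and `SSL_CTX_set1_cert_store`; whether the bindings expose them is not visible here), and the docstring should at least say that the store is consumed by the call. Separately, the `try` also covers the `store._store` lookup, so a wrong-typed argument is reported as `NotImplementedError`; a check such as `if not isinstance(store, X509Store): raise TypeError("store must be an X509Store")` before the `try` would keep the two failures apart.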
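Review bot: `test_set_cert_store` (tests/test_ssl.py) passes without asserting anything when the binding is missing, because `except NotImplementedError: pass` swallows the only signal; presumably that is the branch the new `cryptography40` environment runs. Make the outcome explicit, for example by replacing the `pass` with `pytest.skip("SSL_CTX_set_cert_store not available in this cryptography")`, or by asserting the fallback with `pytest.raises(NotImplementedError)` in a separate test for that environment. The success branch only compares pointers; it does not cover what happens to `store` once the context goes away or when the same store is set twice, which is where the ownership hand-off in `set_cert_store` could go wrong.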
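Review bot: The comment on the `cryptography40` factor in tox.ini does not say when the pin can be dropped. The fallback it exercises is marked in src/OpenSSL/SSL.py as removable once the project depends on >= 40.0.2, so the same condition belongs here, e.g. `# remove with the NotImplementedError fallback in Context.set_cert_store once cryptography >= 40.0.2 is required`; the matching `py311-cryptography40` matrix entry in ci.yml would go at the same time.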