[compat] Store#add_cert and add_crl handle wrong argument

kares · claude · kares · commit b731047f529c · 2026-03-22T19:29:41.000+01:00
CRuby raises TypeError with a descriptive message (e.g. "wrong argument
type String (expected OpenSSL/X509)"). JRuby was raising StoreError
with "No message available" because the null cert/CRL passed through to
the store internals. Now validates type upfront.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/org/jruby/ext/openssl/X509Store.java b/src/main/java/org/jruby/ext/openssl/X509Store.java
@@ -202,19 +202,25 @@ public IRubyObject set_default_paths(final ThreadContext context) {
     }
 
     @JRubyMethod
-    public X509Store add_cert(final IRubyObject cert) {
-        X509AuxCertificate auxCert = cert instanceof X509Cert ? ((X509Cert) cert).getAuxCert() : null;
+    public X509Store add_cert(final ThreadContext context, final IRubyObject cert) {
+        if (!(cert instanceof X509Cert)) {
+            throw context.runtime.newTypeError(cert, _X509(context.runtime).getClass("Certificate"));
+        }
+        X509AuxCertificate auxCert = ((X509Cert) cert).getAuxCert();
         if ( store.addCertificate(auxCert) != 1 ) {
-            throw newStoreError(getRuntime(), X509Error.getLastErrorMessage());
+            throw newStoreError(context.runtime, X509Error.getLastErrorMessage());
         }
         return this;
     }
 
     @JRubyMethod
-    public X509Store add_crl(final IRubyObject crl) {
-        java.security.cert.X509CRL jCRL = (crl instanceof X509CRL) ? ((X509CRL) crl).getCRL() : null;
+    public X509Store add_crl(final ThreadContext context, final IRubyObject crl) {
+        if (!(crl instanceof X509CRL)) {
+            throw context.runtime.newTypeError(crl, _X509(context.runtime).getClass("CRL"));
+        }
+        java.security.cert.X509CRL jCRL = ((X509CRL) crl).getCRL();
         if ( store.addCRL(jCRL) != 1 ) {
-            throw newStoreError(getRuntime(), X509Error.getLastErrorMessage());
+            throw newStoreError(context.runtime, X509Error.getLastErrorMessage());
         }
         return this;
     }
diff --git a/src/test/ruby/x509/test_x509store.rb b/src/test/ruby/x509/test_x509store.rb
@@ -121,6 +121,19 @@ def test_store_context_verify_raises_on_reuse
     assert_raise(OpenSSL::X509::StoreError) { ctx.verify }
   end
 
+  # CRuby raises TypeError (not StoreError) for wrong argument types
+  def test_add_cert_type_check
+    store = OpenSSL::X509::Store.new
+    assert_raise(TypeError) { store.add_cert("not a cert") }
+    assert_raise(TypeError) { store.add_cert(nil) }
+  end
+
+  def test_add_crl_type_check
+    store = OpenSSL::X509::Store.new
+    assert_raise(TypeError) { store.add_crl("not a crl") }
+    assert_raise(TypeError) { store.add_crl(nil) }
+  end
+
   def test_use_non_existing_cert_file
     ENV['SSL_CERT_FILE'] = 'non-existing-file.crt'
     store = OpenSSL::X509::Store.new
