mongodb · NoahStapp · Jul 23, 2024 · Jul 23, 2024 · Jul 23, 2024 · ShaneHarvey
diff --git a/pymongo/pyopenssl_context.py b/pymongo/pyopenssl_context.py
@@ -292,7 +292,7 @@ def load_cert_chain(
         # Password callback MUST be set first or it will be ignored.
         if password:
 
-            def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: bytes) -> bytes:
+            def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: Optional[bytes]) -> bytes:
                 # XXX:We could check the password length against what OpenSSL
                 # tells us is the max, but we can't raise an exception, so...
                 # warn?
@@ -332,14 +332,17 @@ def _load_certifi(self) -> None:
     def _load_wincerts(self, store: str) -> None:
         """Attempt to load CA certs from Windows trust store."""
         cert_store = self._ctx.get_cert_store()
-        oid = _stdlibssl.Purpose.SERVER_AUTH.oid
-
-        for cert, encoding, trust in _stdlibssl.enum_certificates(store):  # type: ignore
-            if encoding == "x509_asn":
-                if trust is True or oid in trust:
-                    cert_store.add_cert(
-                        _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert))
-                    )
+        if cert_store is not None:
+            oid = _stdlibssl.Purpose.SERVER_AUTH.oid
+
+            for cert, encoding, trust in _stdlibssl.enum_certificates(store):  # type: ignore
+                if encoding == "x509_asn":
+                    if trust is True or oid in trust:
+                        cert_store.add_cert(
+                            _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert))
+                        )
+        else:
+            raise _ConfigurationError("The current CA context does not have a X509Store object.")
 
     def load_default_certs(self) -> None:
         """A PyOpenSSL version of load_default_certs from CPython."""