-rw-r--r--CHANGELOG.rst3
-rw-r--r--doc/api/crypto.rst1
-rw-r--r--src/OpenSSL/crypto.py1
-rw-r--r--tests/test_crypto.py13
4 files changed, 18 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e09f648..04b24a0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,9 @@ Deprecations:
Changes:
^^^^^^^^
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+ to perform certificate verification on partial certificate chains.
+ `#1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
22.1.0 (2022-09-25)
-------------------
diff --git a/doc/api/crypto.rst b/doc/api/crypto.rst
index cdaa736..ead4ad0 100644
--- a/doc/api/crypto.rst
+++ b/doc/api/crypto.rst
@@ -149,6 +149,7 @@ X509StoreFlags constants
.. data:: INHIBIT_MAP
.. data:: NOTIFY_POLICY
.. data:: CHECK_SS_SIGNATURE
+ .. data:: PARTIAL_CHAIN
.. _openssl-x509storeflags:
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 18b4590..4d7d03a 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1611,6 +1611,7 @@ class X509StoreFlags:
INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+ PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
class X509Store:
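Review bot: The new `PARTIAL_CHAIN` attribute is the one flag in this block that changes what counts as a trust anchor, yet it lands without a comment, and the changelog hunk in this same commit names it as `OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN` while it is defined here under `OpenSSL.crypto`; the changelog path should match this definition. OpenSSL's `X509_V_FLAG_PARTIAL_CHAIN` lets verification succeed as soon as the chain reaches any certificate in the store, not only a self-signed root, which is exactly what the added test relies on when it adds only the intermediate. That makes every certificate in the store a sufficient anchor, so a short comment on the attribute would spare callers a surprise: `# With this flag any certificate in the store ends the chain, not just a self-signed root, so add only certificates meant to be trust anchors.` The enclosing `X509StoreFlags` class starts before this hunk, so its docstring (if any) is not visible here and may also want the flag listed.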
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e7b13fc..88756f0 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -4285,6 +4285,19 @@ class TestX509StoreContext:
assert str(exc.value) == "unable to get local issuer certificate"
+ def test_verify_with_partial_chain(self):
+ store = X509Store()
+ store.add_cert(self.intermediate_cert)
+
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ with pytest.raises(X509StoreContextError):
+ store_ctx.verify_certificate()
+
+ # Now set the partial verification flag for verification.
+ store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ assert store_ctx.verify_certificate() is None
+
class TestSignVerify:
"""