From 83ef2306a1481e0cf7f53899c390497256711e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A1ndor=20Oroszi?= Date: Mon, 12 Oct 2020 15:42:23 +0200 Subject: Allow using additional untrusted certificates for chain building in X509StoreContext (#948) The additional certificates provided in the new `chain` parameter will be untrusted but may be used to build the chain. This makes it easier to validate a certificate against a store which contains only root ca certificates, and the intermediates come from e.g. the same untrusted source as the certificate to be verified. Co-authored-by: Sandor Oroszi --- CHANGELOG.rst | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGELOG.rst') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index e5f08d2..2ba1f7f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -24,6 +24,9 @@ Deprecations: Changes: ^^^^^^^^ +- Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()`` + where additional untrusted certificates can be specified to help chain building. + `#948 `_ - Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted certificate file bundles and/or directories for verification. `#943 `_ -- cgit v1.2.1
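Review bot: the new ``chain`` entry under "Changes:" calls the certificates "untrusted" but does not say what that means for the verification result. Suggest stating that they are only candidates for building the path, and that verification still has to terminate at a certificate held in the ``X509Store``, so a reader does not take ``chain`` as a way to add trust anchors. The entry could also say what the parameter accepts (the text says only "additional untrusted certificates") and what happens when it is omitted, since it is described as optional.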