diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e09f648e3..04b24a0d5 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,9 @@ Deprecations:
 Changes:
 ^^^^^^^^
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+ to perform certificate verification on partial certificate chains.
+ `#1166 `_
 22.1.0 (2022-09-25)
 -------------------
diff --git a/doc/api/crypto.rst b/doc/api/crypto.rst
index cdaa736b5..ead4ad09d 100644
--- a/doc/api/crypto.rst
+++ b/doc/api/crypto.rst
@@ -149,6 +149,7 @@ X509StoreFlags constants
 .. data:: INHIBIT_MAP
 .. data:: NOTIFY_POLICY
 .. data:: CHECK_SS_SIGNATURE
+ .. data:: PARTIAL_CHAIN
 .. _openssl-x509storeflags:
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 18b4590dc..4d7d03a49 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1611,6 +1611,7 @@ class X509StoreFlags:
 INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
 NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
 CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+ PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
 class X509Store:
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e7b13fcad..88756f04b 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -4285,6 +4285,19 @@ def test_verify_failure_with_empty_ca_directory(self, tmpdir):
 assert str(exc.value) == "unable to get local issuer certificate"
+ def test_verify_with_partial_chain(self):
+ store = X509Store()
+ store.add_cert(self.intermediate_cert)
+
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ with pytest.raises(X509StoreContextError):
+ store_ctx.verify_certificate()
+
+ # Now set the partial verification flag for verification.
+ store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ assert store_ctx.verify_certificate() is None
+
 class TestSignVerify:
 """
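Review bot: The new `PARTIAL_CHAIN` constant in `X509StoreFlags` carries no comment explaining that it widens what the store trusts, which is the one thing a caller must understand before setting it: with this flag OpenSSL stops requiring the chain to terminate at a self-signed root and accepts any certificate already in the store as a trust anchor, so an intermediate added with `add_cert` effectively becomes a root for verification purposes. The other flags in this class are likewise bare, but this one changes the trust boundary rather than tuning a check, and the sibling documentation in this commit only lists the name. I would add above the new line `# Any certificate in the store may act as a trust anchor, not only self-signed roots;` followed by `# only set this on a store that holds nothing but certificates the caller intends to trust.` The `X509StoreFlags` class starts before this hunk, so its class docstring (if any) is the other place to record this.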
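Review bot: The first `pytest.raises(X509StoreContextError)` in `test_verify_with_partial_chain` does not check which error was raised, so the test would still pass if the leaf were rejected for an unrelated reason (an expiry, a hostname or usage failure) and the later success under `PARTIAL_CHAIN` would then prove nothing about the flag itself. The neighbouring test in the same hunk already pins the reason with `str(exc.value)`, so the same pattern fits here: `with pytest.raises(X509StoreContextError) as exc:` / `    store_ctx.verify_certificate()` / `assert str(exc.value) == "unable to get local issuer certificate"`. It would also be worth a second negative case showing that, even with the flag set, a certificate that does not chain to `self.intermediate_cert` is still rejected — assuming the class has such a fixture, which is outside this hunk. The enclosing test class starts before this hunk.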