From 08468b26763d34d329b29ae555b57adad8e67c3e Mon Sep 17 00:00:00 2001
From: epiphyte
Date: Thu, 15 Dec 2022 18:23:52 -0500
Subject: [PATCH 1/4] Add support for X509_V_FLAG_PARTIAL_CHAIN
---
 CHANGELOG.rst | 2 ++
 doc/api/crypto.rst | 1 +
 src/OpenSSL/crypto.py | 1 +
 tests/test_crypto.py | 13 +++++++++++++
 4 files changed, 17 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e09f648e3..98742c0a2 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+ to perform certificate verification on partial certificate chains.
 22.1.0 (2022-09-25)
 -------------------
diff --git a/doc/api/crypto.rst b/doc/api/crypto.rst
index cdaa736b5..ead4ad09d 100644
--- a/doc/api/crypto.rst
+++ b/doc/api/crypto.rst
@@ -149,6 +149,7 @@ X509StoreFlags constants
 .. data:: INHIBIT_MAP
 .. data:: NOTIFY_POLICY
 .. data:: CHECK_SS_SIGNATURE
+ .. data:: PARTIAL_CHAIN
 .. _openssl-x509storeflags:
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 18b4590dc..4d7d03a49 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1611,6 +1611,7 @@ class X509StoreFlags:
 INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
 NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
 CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+ PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
 class X509Store:
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e7b13fcad..262e2316e 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -10,6 +10,7 @@ from subprocess import PIPE, Popen
 from warnings import simplefilter
+import OpenSSL.crypto
 from cryptography import x509
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448, rsa
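Review bot: The new `PARTIAL_CHAIN` attribute is added with no statement of what it changes about verification, and it is the one flag in this class that widens trust rather than narrowing it: under OpenSSL's X509_V_FLAG_PARTIAL_CHAIN semantics any certificate in the store — an intermediate as well as a self-signed root — becomes an acceptable chain terminator, so verification succeeds without ever reaching a root. I would add a comment on the new line, `# Lets any cert in the store (not only self-signed roots) act as a trust anchor.`, and put the same caveat in the X509StoreFlags/set_flags documentation so a user who keeps non-root certificates in a store for other reasons knows what they are opting into. Two things I cannot confirm from the hunk: that `_lib.X509_V_FLAG_PARTIAL_CHAIN` is bound unconditionally for every cryptography/OpenSSL combination the project supports (the neighbouring attributes are assigned the same way, so presumably yes), and that the CHANGELOG entry in this same patch, which names `OpenSSL.SSL.X509StoreFlags`, is meant to say `OpenSSL.crypto.X509StoreFlags` where the attribute actually lives. The X509StoreFlags class begins before this hunk.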
@@ -4285,6 +4286,18 @@ def test_verify_failure_with_empty_ca_directory(self, tmpdir):
 assert str(exc.value) == "unable to get local issuer certificate"
+ def test_verify_with_partial_chain(self):
+ store = X509Store()
+ store.add_cert(self.intermediate_cert)
+
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ with pytest.raises(OpenSSL.crypto.X509StoreContextError):
+ store_ctx.verify_certificate()
+
+ # Now set the partial verification flag for verification.
+ store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ assert store_ctx.verify_certificate() is None
 class TestSignVerify:
 """
From 369395ceec14d939e6f26516ba5ba14b87d5907d Mon Sep 17 00:00:00 2001
From: epiphyte
Date: Thu, 15 Dec 2022 18:27:32 -0500
Subject: [PATCH 2/4] Remove unneeded import
---
 tests/test_crypto.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 262e2316e..c3a31457e 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -10,7 +10,6 @@ from subprocess import PIPE, Popen
 from warnings import simplefilter
-import OpenSSL.crypto
 from cryptography import x509
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448, rsa
@@ -4291,7 +4290,7 @@ def test_verify_with_partial_chain(self):
 store.add_cert(self.intermediate_cert)
 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
- with pytest.raises(OpenSSL.crypto.X509StoreContextError):
+ with pytest.raises(X509StoreContextError):
 store_ctx.verify_certificate()
 # Now set the partial verification flag for verification.
From 90cb6cad4c2f7de9c724b720f01f30414a172f62 Mon Sep 17 00:00:00 2001
From: epiphyte
Date: Thu, 15 Dec 2022 18:34:37 -0500
Subject: [PATCH 3/4] Update changelog to add PR number.
---
 CHANGELOG.rst | 1 +
 1 file changed, 1 insertion(+)
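Review bot: `test_verify_with_partial_chain` only checks the positive path — the intermediate in the store is accepted as the chain's end once `PARTIAL_CHAIN` is set — and never checks that the flag is not a blanket bypass, i.e. that a leaf whose issuer is absent from the store still fails with the flag on. Without that negative case a regression in which `set_flags` effectively disabled verification would still pass this test. I would add a second store holding no certificates, set the same flag on it, and assert that `X509StoreContext(...).verify_certificate()` raises `X509StoreContextError` (the bare name the series settles on in patch 2/4). The comment `# Now set the partial verification flag for verification.` would also read better as `# With PARTIAL_CHAIN the intermediate alone is an acceptable trust anchor.`. The test itself is complete within this hunk; its enclosing class starts before it.

```python
        # … unchanged: positive case with the intermediate in the store …
        # The flag must not switch verification off: no issuer in the store still fails.
        empty_store = X509Store()
        empty_store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
        store_ctx = X509StoreContext(empty_store, self.intermediate_server_cert)
        with pytest.raises(X509StoreContextError):
            store_ctx.verify_certificate()
```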
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 98742c0a2..04b24a0d5 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -18,6 +18,7 @@ Changes:
 - Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
 to perform certificate verification on partial certificate chains.
+ `#1166 `_
 22.1.0 (2022-09-25)
 -------------------
From daa64646b7813e58d21108ed70888238cbc48277 Mon Sep 17 00:00:00 2001
From: epiphyte
Date: Thu, 15 Dec 2022 18:53:52 -0500
Subject: [PATCH 4/4] Fix whitespace issue identified by black
---
 tests/test_crypto.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index c3a31457e..88756f04b 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -4298,6 +4298,7 @@ def test_verify_with_partial_chain(self):
 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
 assert store_ctx.verify_certificate() is None
+
 class TestSignVerify:
 """
 Tests for `OpenSSL.crypto.sign` and `OpenSSL.crypto.verify`.