-rw-r--r-- | CHANGELOG.rst | 3 | ||||
-rw-r--r-- | doc/api/crypto.rst | 1 | ||||
-rw-r--r-- | src/OpenSSL/crypto.py | 1 | ||||
-rw-r--r-- | tests/test_crypto.py | 13 |
4 files changed, 18 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e09f648..04b24a0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,9 @@ Deprecations:
 Changes:
 ^^^^^^^^
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+ to perform certificate verification on partial certificate chains.
+ `#1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
 22.1.0 (2022-09-25)
 -------------------
diff --git a/doc/api/crypto.rst b/doc/api/crypto.rst
index cdaa736..ead4ad0 100644
--- a/doc/api/crypto.rst
+++ b/doc/api/crypto.rst
@@ -149,6 +149,7 @@ X509StoreFlags constants
 .. data:: INHIBIT_MAP
 .. data:: NOTIFY_POLICY
 .. data:: CHECK_SS_SIGNATURE
+ .. data:: PARTIAL_CHAIN
 .. _openssl-x509storeflags:
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 18b4590..4d7d03a 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1611,6 +1611,7 @@ class X509StoreFlags:
 INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
 NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
 CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+ PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
 class X509Store:
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e7b13fc..88756f0 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -4285,6 +4285,19 @@ class TestX509StoreContext:
 assert str(exc.value) == "unable to get local issuer certificate"
+ def test_verify_with_partial_chain(self):
+ store = X509Store()
+ store.add_cert(self.intermediate_cert)
+
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ with pytest.raises(X509StoreContextError):
+ store_ctx.verify_certificate()
+
+ # Now set the partial verification flag for verification.
+ store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ assert store_ctx.verify_certificate() is None
+
 class TestSignVerify:
 """ |
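Review bot: The new `PARTIAL_CHAIN` line in src/OpenSSL/crypto.py carries no hint of what it changes about verification, and the CHANGELOG entry in the same commit names it `OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN` even though the class is defined in `OpenSSL.crypto` (doc/api/crypto.rst lists it under the crypto module, which is the consistent one). Because this flag relaxes the default requirement that a chain terminate at a self-signed root — any certificate already in the store is accepted as a trust anchor — a short comment on the new line would help users choose it deliberately: `# Accept any certificate in the store as a trust anchor, so a chain need not reach a self-signed root.` The `X509StoreFlags` class header is outside the hunk.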
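Review bot: `test_verify_with_partial_chain` only exercises the permissive direction of the flag — a chain ending at the intermediate held in the store now verifies — and never checks that `PARTIAL_CHAIN` still rejects a leaf whose issuer is absent from the store, so a regression that made the flag skip chain validation altogether would pass this test. A second context built on a store that contains no issuer for `self.intermediate_server_cert`, with the flag set, should still raise `X509StoreContextError`. The `TestX509StoreContext` class and the `intermediate_cert`/`intermediate_server_cert` attributes are defined outside the hunk, so the exact fixture shape is inferred from their use here. The following addition at the end of the test would pin the negative case:
```python
        assert store_ctx.verify_certificate() is None

        # The flag must not disable verification: with no issuer in the
        # store, the leaf is still rejected.
        empty_store = X509Store()
        empty_store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
        store_ctx = X509StoreContext(empty_store, self.intermediate_server_cert)
        with pytest.raises(X509StoreContextError):
            store_ctx.verify_certificate()
```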