Add support for X509_V_FLAG_PARTIAL_CHAIN
vEpiphyte committed Dec 15, 2022
1 parent 6c0772a commit 45c535f
Showing 4 changed files with 17 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
Changes:
^^^^^^^^

- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
to perform certificate verification on partial certificate chains.

22.1.0 (2022-09-25)
-------------------
1 change: 1 addition & 0 deletions doc/api/crypto.rst
@@ -149,6 +149,7 @@ X509StoreFlags constants
.. data:: INHIBIT_MAP
.. data:: NOTIFY_POLICY
.. data:: CHECK_SS_SIGNATURE
.. data:: PARTIAL_CHAIN

.. _openssl-x509storeflags:

1 change: 1 addition & 0 deletions src/OpenSSL/crypto.py
@@ -1611,6 +1611,7 @@ class X509StoreFlags:
INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN


class X509Store:
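Review bot: `PARTIAL_CHAIN` is added without any comment on what it does to trust decisions, and unlike the three flags shown above it, it relaxes verification instead of adding a check. With OpenSSL's X509_V_FLAG_PARTIAL_CHAIN a non-self-signed certificate found in the store is accepted as a trust anchor, so chain building stops there and nothing above that certificate is examined. A comment above the new line, for example `# Treats any certificate in the store as a trust anchor; the chain is not built up to a self-signed root.`, would tell callers that every certificate they add to such a store must be one they trust directly. The body of `X509StoreFlags` begins before this hunk, so any class-level docstring is outside what is shown here.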
13 changes: 13 additions & 0 deletions tests/test_crypto.py
@@ -10,6 +10,7 @@
from subprocess import PIPE, Popen
from warnings import simplefilter

import OpenSSL.crypto
from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448, rsa
@@ -4285,6 +4286,18 @@ def test_verify_failure_with_empty_ca_directory(self, tmpdir):

assert str(exc.value) == "unable to get local issuer certificate"

def test_verify_with_partial_chain(self):
store = X509Store()
store.add_cert(self.intermediate_cert)

store_ctx = X509StoreContext(store, self.intermediate_server_cert)
with pytest.raises(OpenSSL.crypto.X509StoreContextError):
store_ctx.verify_certificate()

# Now set the partial verification flag for verification.
store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
store_ctx = X509StoreContext(store, self.intermediate_server_cert)
assert store_ctx.verify_certificate() is None

class TestSignVerify:
"""
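Review bot: The negative half of `test_verify_with_partial_chain` accepts any `X509StoreContextError`, so it would still pass if verification failed for a reason unrelated to the missing issuer, such as an expired fixture certificate. Bind the exception with `with pytest.raises(OpenSSL.crypto.X509StoreContextError) as exc:` and assert on `str(exc.value)`, as the preceding test does. The test also never checks that a certificate not issued by anything in the store is still rejected once `PARTIAL_CHAIN` is set, which is the case that shows the flag has not turned verification off. The enclosing test class starts outside this hunk, so the fixtures `intermediate_cert` and `intermediate_server_cert` are not visible here.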
