Add support for X509_V_FLAG_PARTIAL_CHAIN

Author: vEpiphyte

CHANGELOG.rst

@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+  to perform certificate verification on partial certificate chains.
 
 22.1.0 (2022-09-25)
 -------------------

doc/api/crypto.rst

@@ -149,6 +149,7 @@ X509StoreFlags constants
     .. data:: INHIBIT_MAP
     .. data:: NOTIFY_POLICY
     .. data:: CHECK_SS_SIGNATURE
+    .. data:: PARTIAL_CHAIN
 
 .. _openssl-x509storeflags:
 

src/OpenSSL/crypto.py

@@ -1611,6 +1611,7 @@ class X509StoreFlags:
     INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
     NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
     CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+    PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
 
 
 class X509Store:

tests/test_crypto.py

@@ -10,6 +10,7 @@
 from subprocess import PIPE, Popen
 from warnings import simplefilter
 
+import OpenSSL.crypto
 from cryptography import x509
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448, rsa
@@ -4285,6 +4286,18 @@ def test_verify_failure_with_empty_ca_directory(self, tmpdir):
 
         assert str(exc.value) == "unable to get local issuer certificate"
 
+    def test_verify_with_partial_chain(self):
+        store = X509Store()
+        store.add_cert(self.intermediate_cert)
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(OpenSSL.crypto.X509StoreContextError):
+            store_ctx.verify_certificate()
+
+        # Now set the partial verification flag for verification.
+        store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        assert store_ctx.verify_certificate() is None
 
 class TestSignVerify:
     """