pyopenssl
support for partial chain verification in X509StoreContext
openssl supports verifying a partial chain on the command line:
openssl verify -partial_chain -trusted intermediate_1.pem intermediate_2.pem
This functionality does not seem possible in pyopenssl. I tried using X509StoreContext as I do to validate entire chains as passing. This raises an exception that it cannot locate the issuer certificate. I believe this exception is happening due to the "trusted" item not being self-signed, but have not been able to dig deep enough in this library to confirm. Similar code, with a self-signed root, works as expected.
from OpenSSL.crypto import FILETYPE_PEM, X509Store, X509StoreContext, load_certificate

store = X509Store()
# int_1_pem / int_2_pem hold the PEM text of the two intermediates
int_1 = load_certificate(FILETYPE_PEM, int_1_pem)
store.add_cert(int_1)  # int_1 is the only trusted cert, and it is not self-signed
int_2 = load_certificate(FILETYPE_PEM, int_2_pem)
_store_ctx = X509StoreContext(store, int_2)
_store_ctx.verify_certificate()  # raises: unable to get issuer certificate
Perhaps this could be supported with a partial=True keyword, or similar, to .verify_certificate() ?
This is a simplified example. The use-case: Given a chain of two or more intermediates (and potentially an end-entity) but no self-signed trusted root, I am trying to ensure the referential integrity and correct ordering.
You are looking for the verify flag X509_V_FLAG_PARTIAL_CHAIN. I don't know how to set this in pyopenssl, though.
This is possible using X509Store::set_flags():
from OpenSSL.crypto import X509Store, X509StoreFlags
store = X509Store()
store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
@mhils I think this one can be closed