bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)

This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaac3c.
2025-01-22 16:35:16 +08:00 · 2021-04-19 13:51:18 +02:00 · 2021-04-19 13:51:18 +02:00 · 64d975202f
commit 64d975202f
parent d37b74f341
4 changed files with 18 additions and 0 deletions
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -650,6 +650,17 @@ Constants

   .. versionadded:: 3.4.4

+.. data:: VERIFY_X509_PARTIAL_CHAIN
+
+   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+   accept intermediate CAs in the trust store to be treated as trust-anchors,
+   in the same way as the self-signed root CA certificates. This makes it
+   possible to trust certificates issued by an intermediate CA without having
+   to trust its ancestor root CA.
+
+   .. versionadded:: 3.10
+
+
 .. class:: VerifyFlags

   :class:`enum.IntFlag` collection of VERIFY_* constants.
--- a/Misc/ACKS
+++ b/Misc/ACKS
@ -157,6 +157,7 @@ Michel Van den Bergh
 Julian Berman
 Brice Berna
 Olivier Bernard
+Vivien Bernet-Rollande
 Maxwell Bernstein
 Eric Beser
 Steven Bethard
--- a/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst
+++ b/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst
@ -0,0 +1 @@
+Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -5630,6 +5630,11 @@ sslmodule_init_constants(PyObject *m)
    PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
                            X509_V_FLAG_TRUSTED_FIRST);

+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+    PyModule_AddIntConstant(m, "VERIFY_X509_PARTIAL_CHAIN",
+                            X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
    /* Alert Descriptions from ssl.h */
    /* note RESERVED constants no longer intended for use have been removed */
    /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */