bpo-40849: Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag (GH-20463)

l0x-c0d3z · web-flow · commit 64d975202f7a · 2021-04-19T04:51:18.000-07:00
This short PR exposes an openssl flag that wasn't exposed. I've also updated to doc to reflect the change. It's heavily inspired by 990fcaa.
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
@@ -650,6 +650,17 @@ Constants
 
    .. versionadded:: 3.4.4
 
+.. data:: VERIFY_X509_PARTIAL_CHAIN
+
+   Possible value for :attr:`SSLContext.verify_flags`. It instructs OpenSSL to
+   accept intermediate CAs in the trust store to be treated as trust-anchors,
+   in the same way as the self-signed root CA certificates. This makes it
+   possible to trust certificates issued by an intermediate CA without having
+   to trust its ancestor root CA.
+
+   .. versionadded:: 3.10
+
+
 .. class:: VerifyFlags
 
    :class:`enum.IntFlag` collection of VERIFY_* constants.
diff --git a/Misc/ACKS b/Misc/ACKS
@@ -157,6 +157,7 @@ Michel Van den Bergh
 Julian Berman
 Brice Berna
 Olivier Bernard
+Vivien Bernet-Rollande
 Maxwell Bernstein
 Eric Beser
 Steven Bethard
diff --git a/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst b/Misc/NEWS.d/next/Library/2020-06-02-21-32-33.bpo-40849.zpeKx3.rst
@@ -0,0 +1 @@
+Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -5630,6 +5630,11 @@ sslmodule_init_constants(PyObject *m)
     PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
                             X509_V_FLAG_TRUSTED_FIRST);
 
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+    PyModule_AddIntConstant(m, "VERIFY_X509_PARTIAL_CHAIN",
+                            X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
     /* Alert Descriptions from ssl.h */
     /* note RESERVED constants no longer intended for use have been removed */
     /* http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 */

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Expose X509_V_FLAG_PARTIAL_CHAIN ssl flag`