Add support for X509_V_FLAG_PARTIAL_CHAIN (#1166)

* Add support for X509_V_FLAG_PARTIAL_CHAIN

* Remove unneeded import

* Update changelog to add PR number.

* Fix whitespace issue identified by black

CHANGELOG.rst

@@ -16,6 +16,9 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
+  to perform certificate verification on partial certificate chains.
+  `#1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
 
 22.1.0 (2022-09-25)
 -------------------

doc/api/crypto.rst

@@ -149,6 +149,7 @@ X509StoreFlags constants
     .. data:: INHIBIT_MAP
     .. data:: NOTIFY_POLICY
     .. data:: CHECK_SS_SIGNATURE
+    .. data:: PARTIAL_CHAIN
 
 .. _openssl-x509storeflags:
 

src/OpenSSL/crypto.py

@@ -1611,6 +1611,7 @@ class X509StoreFlags:
     INHIBIT_MAP: int = _lib.X509_V_FLAG_INHIBIT_MAP
     NOTIFY_POLICY: int = _lib.X509_V_FLAG_NOTIFY_POLICY
     CHECK_SS_SIGNATURE: int = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
+    PARTIAL_CHAIN: int = _lib.X509_V_FLAG_PARTIAL_CHAIN
 
 
 class X509Store:

tests/test_crypto.py

@@ -4285,6 +4285,19 @@ def test_verify_failure_with_empty_ca_directory(self, tmpdir):
 
         assert str(exc.value) == "unable to get local issuer certificate"
 
+    def test_verify_with_partial_chain(self):
+        store = X509Store()
+        store.add_cert(self.intermediate_cert)
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(X509StoreContextError):
+            store_ctx.verify_certificate()
+
+        # Now set the partial verification flag for verification.
+        store.set_flags(X509StoreFlags.PARTIAL_CHAIN)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        assert store_ctx.verify_certificate() is None
+
 
 class TestSignVerify:
     """