Retrieve chain after certificate validation - what should API look like? (original) (raw)

It would be nice if we could fetch and examine the chain after calling verify_certificate (Which calls X509_verify_cert). https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509StoreContext)

I'm wondering what you think the API should look like. Fetch the entire chain at once and return it to the user, or allows the user to actually iterate over the chain?

Here's an example that shows how to parse the chain after a X509_verify_cert call: https://github.com/openssl/openssl/blob/master/apps/verify.c#L243

I'm willing to implement this feature - I don't think it should be too hard, but it can be quite valuable.