Comment 8 for bug 892522

Johannes Bauer (johannesbauer) wrote :

Yes, the API that I provided does not check a complete trust chain (like openssl verify with the -CApath option does, i.e. it uses a whole directory as a truststore). It is only intended to tell the user: "Is the signature of certificate X by issuer Y correct?" Although it would be rather trivial to extend the API to the latter case (i.e. insert many certificates into the store and require a complete chain of trust until a root CA is hit), that's not what I intended.

If that is what is wanted, the issuer parameter could be changed into a tuple of X509 objects which would all be inserted into the truststore. Then also add a kwarg "trustchain" in which you can specify a bool that tells whether you only want to check the *immediate* relationship between two certificates (that's what I need) or whether you want to build a complete trust chain (that is what you need, if I understand correctly).
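The two verification modes the comment distinguishes, as an added example that is not part of this bug report or of the project's own code: a stand-alone Python model of the proposed API shape (an `issuers` tuple loaded into a truststore plus a `trustchain` keyword argument), in which `trustchain=False` answers only "is the signature of X by Y correct?" and `trustchain=True` walks issuer by issuer until a self-signed root in the store is hit, refusing a chain whose root is missing. To run with the standard library only, it uses a toy textbook-RSA signature over a simplified `Cert` record; the `Cert` class, the helper names, and the constructed three-level hierarchy are illustrative assumptions, not X.509 or OpenSSL behaviour.

```python
import hashlib
import math
from dataclasses import dataclass, replace

# --- Toy textbook RSA (tiny keys, no padding): illustration only, NOT secure. ---

def _next_prime(n):
    """Smallest prime >= n, by trial division (cheap for ~1e9-sized candidates)."""
    n = max(n, 2)
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keypair(seed, e=65537):
    """Deterministic toy keypair from two primes near `seed`; returns (public, private)."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi(n)
        p, q = q, _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

# --- Simplified certificate (assumed model): subject, issuer name, key, issuer's signature. ---

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple
    signature: int

    def tbs(self):
        """The 'to-be-signed' bytes that the issuer's signature covers."""
        return f"{self.subject}|{self.issuer}|{self.pubkey[0]}|{self.pubkey[1]}".encode()

def issue(subject, issuer_name, pubkey, issuer_priv):
    unsigned = Cert(subject, issuer_name, pubkey, 0)
    return replace(unsigned, signature=rsa_sign(issuer_priv, unsigned.tbs()))

def signed_by(cert, issuer):
    """Immediate relationship only: is the signature of `cert` by `issuer` correct?"""
    return cert.issuer == issuer.subject and rsa_verify(issuer.pubkey, cert.tbs(), cert.signature)

def verify_cert(cert, issuers, trustchain=False, max_depth=8):
    """Model of the proposed API.

    issuers    -- tuple of Cert objects, all loaded into the truststore
    trustchain -- False: some cert in the store must have directly signed `cert`
                  True: walk issuer by issuer until a self-signed root in the store is hit
    """
    if not trustchain:
        return any(signed_by(cert, c) for c in issuers)
    store = {c.subject: c for c in issuers}
    current, seen = cert, set()
    for _ in range(max_depth):
        issuer = store.get(current.issuer)
        if issuer is None or not signed_by(current, issuer):
            return False                          # issuer not in store, or signature wrong
        if issuer.subject == issuer.issuer:
            return signed_by(issuer, issuer)      # reached a root: it must verify itself
        if issuer.subject in seen:
            return False                          # loop in the store, no root reachable
        seen.add(issuer.subject)
        current = issuer
    return False                                  # chain longer than max_depth

def build_demo_pki():
    """Constructed hierarchy for the demo: root -> intermediate -> leaf."""
    root_pub, root_priv = rsa_keypair(10**9)
    int_pub, int_priv = rsa_keypair(10**9 + 1000)
    leaf_pub, _ = rsa_keypair(10**9 + 2000)
    root = issue("Root CA", "Root CA", root_pub, root_priv)
    inter = issue("Intermediate CA", "Root CA", int_pub, root_priv)
    leaf = issue("www.example.test", "Intermediate CA", leaf_pub, int_priv)
    return root, inter, leaf

def demo():
    root, inter, leaf = build_demo_pki()
    tampered = replace(leaf, subject="evil.example.test")   # body changed, signature now stale
    return {
        "leaf_by_inter": signed_by(leaf, inter),                            # True
        "leaf_by_root": signed_by(leaf, root),                              # False: wrong issuer
        "immediate_only": verify_cert(leaf, (inter,), trustchain=False),    # True
        "chain_no_root": verify_cert(leaf, (inter,), trustchain=True),      # False: root not in store
        "chain_full": verify_cert(leaf, (inter, root), trustchain=True),    # True
        "tampered": verify_cert(tampered, (inter, root), trustchain=True),  # False
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {ok}")
```

The point the two modes make visible is `chain_no_root`: with only the intermediate in the store, the immediate check passes while the chain check fails, because nothing in the store terminates the walk at a self-signed root. A real implementation would additionally check validity periods, basic constraints, key usage and revocation, none of which this model attempts.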