author | Christian Heimes <christian@cheimes.de> | 2013-11-21 02:35:02 (GMT) |
---|---|---|
committer | Christian Heimes <christian@cheimes.de> | 2013-11-21 02:35:02 (GMT) |
commit | efff7060f893c3a06543ab955696663a64eb2109 (patch) | |
tree | 21660d8b008f88bc825d098aee142e16a45c8f00 /Doc | |
parent | e6e2d9be6e42e901ec3412c27053b821d0503ee0 (diff) | |
Issue #18138: Implement cadata argument of SSLContext.load_verify_location()
to load CA certificates and CRL from memory. It supports PEM and DER
encoded strings.
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/library/ssl.rst | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 96cae9d..943a8f8 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -821,6 +821,7 @@ to speed up repeated connections from the same clients. .. versionadded:: 3.4 + .. method:: SSLContext.load_cert_chain(certfile, keyfile=None, password=None) Load a private key and the corresponding certificate. The *certfile* @@ -851,7 +852,7 @@ to speed up repeated connections from the same clients. .. versionchanged:: 3.3 New optional argument *password*. -.. method:: SSLContext.load_verify_locations(cafile=None, capath=None) +.. method:: SSLContext.load_verify_locations(cafile=None, capath=None, cadata=None) Load a set of "certification authority" (CA) certificates used to validate other peers' certificates when :data:`verify_mode` is other than @@ -867,6 +868,14 @@ to speed up repeated connections from the same clients. following an `OpenSSL specific layout <http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html>`_. + The *cadata* object, if present, is either an ASCII string of one or more + PEM-encoded certificates or a bytes-like object of DER-encoded + certificates. Like with *capath* extra lines around PEM-encoded + certificates are ignored but at least one certificate must be present. + + .. versionchanged:: 3.4 + New optional argument *cadata* + .. method:: SSLContext.get_ca_certs(binary_form=False) Get a list of loaded "certification authority" (CA) certificates. If the |
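Review bot: The blank line added before ".. method:: SSLContext.load_cert_chain" in the first hunk (@@ -821,6 +821,7) is unrelated to the cadata change. Drop it from this commit or move it to a separate whitespace cleanup so the diff stays limited to the new argument.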
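Review bot: In the signature hunk (@@ -851,7 +852,7), load_verify_locations now takes three parameters that all default to None, and the visible description does not say whether at least one of them must be supplied or what is raised when none is. Add a sentence stating that, and whether cadata may be combined with cafile and capath in one call, since callers build their trust store through this method.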
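Review bot: The new cadata paragraph in the last hunk (@@ -867,6 +868,14) documents only certificates, while the commit message says the argument also loads CRLs from memory. State explicitly whether CRLs are accepted, and in which encodings. The phrase "at least one certificate must be present" should name the exception raised when none is found, and it would help to say what happens when a str argument contains non-ASCII characters. The versionchanged text "New optional argument *cadata*" also lacks the trailing period used by "New optional argument *password*." in the hunk above.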