def verify_cert_chain(chain_pem, trusted_certs):
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, chain_pem.decode('utf-8'))
    # Build store of trusted certificates
    store = crypto.X509Store()
    for _cert in trusted_certs:
        tmp = crypto.load_certificate(crypto.FILETYPE_PEM, _cert.decode('utf-8'))
        store.add_cert(tmp)
    # Prepare context
    ctx = crypto.X509StoreContext(store, cert)
    # Start validation
    try:
        ctx.verify_certificate()
        return True
    except crypto.X509StoreContextError as e:
        logging.error("Certificate validation failed: %s" % e)
        return False

def _verify_ca(self):
        """
        (internal use only)
        verifies the current x509 is signed
        by the associated CA
        """
        store = crypto.X509Store()
        store.add_cert(self.ca.x509)
        store_ctx = crypto.X509StoreContext(store, self.x509)
        try:
            store_ctx.verify_certificate()
        except crypto.X509StoreContextError as e:
            raise ValidationError(_("CA doesn't match,got the "
                                    "following error from pyOpenSSL: \"%s\"") % e.args[0][2])

def test_modification_pre_verify(self):
        """
        :py:obj:`verify_certificate` can use a store context modified after
        instantiation.
        """
        store_bad = X509Store()
        store_bad.add_cert(self.intermediate_cert)
        store_good = X509Store()
        store_good.add_cert(self.root_cert)
        store_good.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)
        e = self.assertRaises(X509StoreContextError, store_ctx.verify_certificate)
        self.assertEqual(e.args[0][2], 'unable to get issuer certificate')
        self.assertEqual(e.certificate.get_subject().CN, 'intermediate')
        store_ctx.set_store(store_good)
        self.assertEqual(store_ctx.verify_certificate(), None)

def test_modification_pre_verify(self):
        """
        :py:obj:`verify_certificate` can use a store context modified after
        instantiation.
        """
        store_bad = X509Store()
        store_bad.add_cert(self.intermediate_cert)
        store_good = X509Store()
        store_good.add_cert(self.root_cert)
        store_good.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store_bad, None)

def verify_certificate_chain(ca_pem_data, cert_pem_data):
    try:
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem_data)
        cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem_data)

        store = crypto.X509Store()
        store.add_cert(ca_cert)

        store_ctx = crypto.X509StoreContext(store, cert)
        store_ctx.verify_certificate()
    except crypto.Error as e:
        raise InvalidCertificate('Broken certificate') from e
    except crypto.X509StoreContextError as e:
        raise InvalidCertificate('Invalid certificate chain: ' + str(e)) from e

def test_untrusted_self_signed(self):
        """
        :py:obj:`verify_certificate` raises error when a self-signed certificate is
        verified without itself in the chain.
        """
        store = X509Store()
        store_ctx = X509StoreContext(store, self.root_cert)
        e = self.assertRaises(X509StoreContextError, 'self signed certificate')
        self.assertEqual(e.certificate.get_subject().CN, 'Testing Root CA')

def test_invalid_chain_no_root(self):
        """
        :py:obj:`verify_certificate` raises error when a root certificate is missing
        from the chain.
        """
        store = X509Store()
        store.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store, 'intermediate')

def test_invalid_chain_no_intermediate(self):
        """
        :py:obj:`verify_certificate` raises error when an intermediate certificate is
        missing from the chain.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store_ctx = X509StoreContext(store, 'unable to get local issuer certificate')
        self.assertEqual(e.certificate.get_subject().CN, 'intermediate-service')

def test_untrusted_self_signed(self):
        """
        :py:obj:`verify_certificate` raises error when a self-signed certificate is
        verified without itself in the chain.
        """
        store = X509Store()
        store_ctx = X509StoreContext(store, 'Testing Root CA')

def test_invalid_chain_no_root(self):
        """
        :py:obj:`verify_certificate` raises error when a root certificate is missing
        from the chain.
        """
        store = X509Store()
        store.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store, 'intermediate')

def test_invalid_chain_no_intermediate(self):
        """
        :py:obj:`verify_certificate` raises error when an intermediate certificate is
        missing from the chain.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store_ctx = X509StoreContext(store, 'intermediate-service')