diff options
| -rw-r--r-- | crypto/x509/x509_vfy.c | 12 | ||||
| -rw-r--r-- | doc/man1/openssl-verification-options.pod | 2 |
2 files changed, 9 insertions, 5 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f5849a5603..1bef0a3665 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -316,10 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) } /* - * Find in given STACK_OF(X509) sk an issuer cert of given cert x. - * The issuer must not yet be in ctx->chain, where the exceptional case - * that x is self-issued and ctx->chain has just one element is allowed. - * Prefer the first one that is not expired, else take the last expired one. + * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|. + * The issuer must not yet be in |ctx->chain|, yet allowing the exception that + * |x| is self-issued and |ctx->chain| has just one element. + * Prefer the first non-expired one, else take the most recently expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -333,7 +333,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) || !sk_X509_contains(ctx->chain, issuer))) { if (x509_check_cert_time(ctx, issuer, -1)) return issuer; - rv = issuer; + if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer), + X509_get0_notAfter(rv)) > 0) + rv = issuer; } } return rv; diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index af1c7e3a43..620eacf5cc 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -36,6 +36,8 @@ name of the current certificate are subject to further tests. The relevant authority key identifier components of the current certificate (if present) must match the subject key identifier (if present) and issuer and serial number of the candidate issuer certificate. +If there is such a certificate, the first one found that is currently valid +is taken, otherwise the one that expired most recently of all such certificates. The lookup first searches for issuer certificates in the trust store. If it does not find a match there it consults |