find_issuer(): When returning an expired issuer, take the most recently expired one

Also point out in the documenting comment that a non-expired issuer is preferred.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)
Dr. David von Oheimb 2021-01-07 20:02:39 +01:00 committed by Dr. David von Oheimb
parent f5f4fbaa44
commit c476c06f50
2 changed files with 9 additions and 5 deletions


@ -316,10 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
} }
/* /*
* Find in given STACK_OF(X509) sk an issuer cert of given cert x. * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
* The issuer must not yet be in ctx->chain, where the exceptional case * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
* that x is self-issued and ctx->chain has just one element is allowed. * |x| is self-issued and |ctx->chain| has just one element.
* Prefer the first one that is not expired, else take the last expired one. * Prefer the first non-expired one, else take the most recently expired one.
*/ */
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{ {
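Review bot: the rewritten comment in this hunk still does not state what the function returns when no candidate qualifies; since `rv` can stay NULL (see the `rv == NULL` test in the next hunk), consider closing the comment with a line such as `* Returns NULL if no suitable issuer is found.` so callers know the result must be checked.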
@ -333,6 +333,8 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
|| !sk_X509_contains(ctx->chain, issuer))) { || !sk_X509_contains(ctx->chain, issuer))) {
if (x509_check_cert_time(ctx, issuer, -1)) if (x509_check_cert_time(ctx, issuer, -1))
return issuer; return issuer;
if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
X509_get0_notAfter(rv)) > 0)
rv = issuer; rv = issuer;
} }
} }
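Review bot: `ASN1_TIME_compare()` returns -2 when either notAfter value cannot be parsed, and the `> 0` test then silently keeps the current `rv`, so a candidate with a malformed notAfter is never preferred over one already found. That is the safe direction, but a one-line comment above the `if` (e.g. `/* on compare error (-2) keep the earlier candidate */`) would make the fallback look deliberate rather than accidental. Note also that equal notAfter values keep the first candidate found, which is consistent with the "first ... one" wording in the updated comment.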


@ -36,6 +36,8 @@ name of the current certificate are subject to further tests.
The relevant authority key identifier components of the current certificate The relevant authority key identifier components of the current certificate
(if present) must match the subject key identifier (if present) (if present) must match the subject key identifier (if present)
and issuer and serial number of the candidate issuer certificate. and issuer and serial number of the candidate issuer certificate.
If there is such a certificate, the first one found that is currently valid
is taken, otherwise the one that expired most recently of all such certificates.
The lookup first searches for issuer certificates in the trust store. The lookup first searches for issuer certificates in the trust store.
If it does not find a match there it consults If it does not find a match there it consults
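Review bot: the added sentence is awkward: "If there is such a certificate, the first one found ..." speaks of a single match and then of several. Suggest: "If several such certificates exist, the first one found that is currently valid is taken; otherwise the one that expired most recently." It would also help to say explicitly that an expired issuer is returned only when no currently valid one is available, matching the comment on find_issuer() in the first file.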