}
/*
- * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
- * The issuer must not yet be in ctx->chain, where the exceptional case
- * that x is self-issued and ctx->chain has just one element is allowed.
- * Prefer the first one that is not expired, else take the last expired one.
+ * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
+ * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
+ * |x| is self-issued and |ctx->chain| has just one element.
+ * Prefer the first non-expired one, else take the most recently expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
|| !sk_X509_contains(ctx->chain, issuer))) {
if (x509_check_cert_time(ctx, issuer, -1))
return issuer;
- rv = issuer;
+ if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
+ X509_get0_notAfter(rv)) > 0)
+ rv = issuer;
}
}
return rv;
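Review bot: The new test `ASN1_TIME_compare(X509_get0_notAfter(issuer), X509_get0_notAfter(rv)) > 0` folds the function's -2 error return (a notAfter that cannot be parsed in either certificate) into the "not more recent" outcome, so whether a candidate with a malformed notAfter ends up as `rv` depends only on its position in `sk`; that is probably acceptable for a fallback that is only used when no currently valid issuer exists, but it is not obvious from the code. I would say so on the line, e.g. `/* -2 (unparsable notAfter) deliberately keeps the earlier rv */`. It would also help to note in the function comment that the returned expired issuer is still subject to the chain's normal time checks later, if that is indeed the case — I cannot confirm it from this hunk. The enclosing loop and the declaration of `rv` start outside the hunk.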
The relevant authority key identifier components of the current certificate
(if present) must match the subject key identifier (if present)
and issuer and serial number of the candidate issuer certificate.
+If there is such a certificate, the first one found that is currently valid
+is taken, otherwise the one that expired most recently of all such certificates.
The lookup first searches for issuer certificates in the trust store.
If it does not find a match there it consults