X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fx509%2Fx509_vfy.c;h=7bac3c6f24bb3fb4822faa03f19d4719d7e69d38;hp=70011fd73316cce7e79591b97919a0b055aae962;hb=db28aa86e00b9121bee94d1e65506bf22d5ca6e3;hpb=2da2ff50650c8e372f7a0e0bc8d0091bc230517d
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 70011fd733..7bac3c6f24 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -215,6 +215,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 /* If we are self signed, we break */
 if (cert_self_signed(x)) break;
+ /* If asked see if we can find issuer in trusted store first */
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ {
+ ok = ctx->get_issuer(&xtmp, ctx, x);
+ if (ok < 0)
+ return ok;
+ /* If successful for now free up cert so it
+ * will be picked up again later.
+ */
+ if (ok > 0)
+ {
+ X509_free(xtmp);
+ break;
+ }
+ }
 /* If we were passed a cert chain, use it first */
 if (ctx->untrusted != NULL)
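Review bot: The `return ok;` taken when `ctx->get_issuer()` fails leaves X509_verify_cert() directly with a negative value, without recording a verification error in `ctx->error` and without passing through whatever shared exit path the function has. The rest of the function is outside this hunk, so this is inferred, but anything allocated earlier in the function would be leaked on this path. More importantly, a caller that tests the result with `!X509_verify_cert(ctx)` or then reads the stored error could treat a store-lookup failure as a successful verification. I would replace the early return with `if (ok < 0) { ctx->error = LOOKUP_FAILURE_CODE; goto CLEANUP_LABEL; }`, where both names are placeholders for the project's own error code and exit label. The comment above `X509_free(xtmp)` should also say that the trusted-store lookup is deliberately repeated after the loop, so that a later reader does not "optimise" the second lookup away.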