Restore last-resort expired untrusted intermediate issuers
authorViktor Dukhovni <openssl-users@dukhovni.org>
Fri, 25 Nov 2016 05:38:04 +0000 (00:38 -0500)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Sat, 3 Dec 2016 00:37:45 +0000 (19:37 -0500)
Reviewed-by: Matt Caswell <matt@openssl.org>
crypto/x509/x509_vfy.c

index 9fbef116be2c2d46f0948110bb4a336b7c12ce82..ebc442400501c3ee28852dcda048c2ac617e120f 100644 (file)
@@ -308,16 +308,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
     int i;
+    X509 *issuer, *rv = NULL;
 
     for (i = 0; i < sk_X509_num(sk); i++) {
-        X509 *issuer = sk_X509_value(sk, i);
-
-        if (!ctx->check_issued(ctx, x, issuer))
-            continue;
-        if (x509_check_cert_time(ctx, issuer, -1))
-            return issuer;
+        issuer = sk_X509_value(sk, i);
+        if (ctx->check_issued(ctx, x, issuer)) {
+            rv = issuer;
+            if (x509_check_cert_time(ctx, rv, -1))
+                break;
+        }
     }
-    return NULL;
+    return rv;
 }
 
 /* Given a possible certificate and issuer check them */