[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Jan 14 13:34:12 UTC 2021

The branch master has been updated
       via  c476c06f507a2c64a59c8cc86f2109aa00cf5133 (commit)
      from  f5f4fbaa44af055e0658c6810b91aa8607e8383a (commit)

- Log -----------------------------------------------------------------
commit c476c06f507a2c64a59c8cc86f2109aa00cf5133
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Jan 7 20:02:39 2021 +0100

    find_issuer(): When returning an expired issuer, take the most recently expired one
    Also point out in the documenting comment that a non-expired issuer is preferred.
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13805)


Summary of changes:
 crypto/x509/x509_vfy.c                    | 12 +++++++-----
 doc/man1/openssl-verification-options.pod |  2 ++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f5849a5603..1bef0a3665 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -316,10 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
- * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
- * The issuer must not yet be in ctx->chain, where the exceptional case
- * that x is self-issued and ctx->chain has just one element is allowed.
- * Prefer the first one that is not expired, else take the last expired one.
+ * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
+ * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
+ *     |x| is self-issued and |ctx->chain| has just one element.
+ * Prefer the first non-expired one, else take the most recently expired one.
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
@@ -333,7 +333,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
                 || !sk_X509_contains(ctx->chain, issuer))) {
             if (x509_check_cert_time(ctx, issuer, -1))
                 return issuer;
-            rv = issuer;
+            if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
+                                                X509_get0_notAfter(rv)) > 0)
+                rv = issuer;
     return rv;
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index af1c7e3a43..620eacf5cc 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -36,6 +36,8 @@ name of the current certificate are subject to further tests.
 The relevant authority key identifier components of the current certificate
 (if present) must match the subject key identifier (if present)
 and issuer and serial number of the candidate issuer certificate.
+If there is such a certificate, the first one found that is currently valid
+is taken, otherwise the one that expired most recently of all such certificates.
 The lookup first searches for issuer certificates in the trust store.
 If it does not find a match there it consults

More information about the openssl-commits mailing list