Commit c476c06f50 for

commit c476c06f507a2c64a59c8cc86f2109aa00cf5133
Author: Dr. David von Oheimb <>
Date:   Thu Jan 7 20:02:39 2021 +0100

    find_issuer(): When returning an expired issuer, take the most recently expired one

    Also point out in the documenting comment that a non-expired issuer is preferred.

    Reviewed-by: Tomas Mraz <>
    (Merged from

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f5849a5603..1bef0a3665 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -316,10 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)

- * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
- * The issuer must not yet be in ctx->chain, where the exceptional case
- * that x is self-issued and ctx->chain has just one element is allowed.
- * Prefer the first one that is not expired, else take the last expired one.
+ * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
+ * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
+ *     |x| is self-issued and |ctx->chain| has just one element.
+ * Prefer the first non-expired one, else take the most recently expired one.
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
@@ -333,7 +333,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
                 || !sk_X509_contains(ctx->chain, issuer))) {
             if (x509_check_cert_time(ctx, issuer, -1))
                 return issuer;
-            rv = issuer;
+            if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
+                                                X509_get0_notAfter(rv)) > 0)
+                rv = issuer;
     return rv;
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index af1c7e3a43..620eacf5cc 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -36,6 +36,8 @@ name of the current certificate are subject to further tests.
 The relevant authority key identifier components of the current certificate
 (if present) must match the subject key identifier (if present)
 and issuer and serial number of the candidate issuer certificate.
+If there is such a certificate, the first one found that is currently valid
+is taken, otherwise the one that expired most recently of all such certificates.

 The lookup first searches for issuer certificates in the trust store.
 If it does not find a match there it consults