instead of finding the issuer of the last certificate, probe in reverse order

This allows for handling of disappeared/expired root certificates which might still be a dependency for a present cross signed certificate
2022-07-27 13:34:11 +02:00 · 2022-07-27 13:34:11 +02:00 · 6dda760ffd
commit 6dda760ffd
parent 5cce5722c5
1 changed files with 9 additions and 1 deletions
--- a/sort_certificate.py
+++ b/sort_certificate.py
@ -176,7 +176,15 @@ def find_root(x509_objects, root_issuers):
    '''
    Find a suitable anchor by finding the intermediate that was signed by root
    '''
-    root_cert = root_issuers[str(x509_objects[-1].get_issuer())]
+    root_cert = None
+    for x509_object in reversed(x509_objects):
+        if str(x509_object.get_issuer()) in root_issuers:
+            root_cert = root_issuers[str(x509_object.get_issuer())]
+            break
+    if not root_cert:
+        raise CertificateComponentException('Unable to find a suitable '
+                                            'trusted root certificate '
+                                            'for bundle')
    logging.debug('Retrieved root certificate %s', root_cert.get_subject())
    return root_cert