From 6dda760ffdc66de9c64c10b1a05f0ff57c597265 Mon Sep 17 00:00:00 2001
From: Ruben van Staveren
Date: Wed, 27 Jul 2022 13:34:11 +0200
Subject: [PATCH] instead of finding the issuer of the last certificate, probe in reverse order This allows for handling of disappeared/expired root certificates which might still be a dependency for a present cross signed certificate
---
 sort_certificate.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sort_certificate.py b/sort_certificate.py
index 582bec7..98fb7b0 100755
--- a/sort_certificate.py
+++ b/sort_certificate.py
@@ -176,7 +176,15 @@ def find_root(x509_objects, root_issuers):
 '''
 Find a suitable anchor by finding the intermediate that was signed by root
 '''
- root_cert = root_issuers[str(x509_objects[-1].get_issuer())]
+ root_cert = None
+ for x509_object in reversed(x509_objects):
+ if str(x509_object.get_issuer()) in root_issuers:
+ root_cert = root_issuers[str(x509_object.get_issuer())]
+ break
+ if not root_cert:
+ raise CertificateComponentException('Unable to find a suitable '
+ 'trusted root certificate '
+ 'for bundle')
 logging.debug('Retrieved root certificate %s', root_cert.get_subject())
 return root_cert
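Review bot: The trust anchor in find_root is selected only by comparing `str(x509_object.get_issuer())` with the keys of `root_issuers`, and the new reversed loop applies that name-only match to every certificate in the bundle instead of just the last one. Nothing in the hunk checks that the matched root's key actually signed that certificate, or that the root is within its validity period, so any bundle entry that merely names a trusted root as its issuer will select that root. If signature and validity checks do not happen elsewhere in the script, they belong here; otherwise a comment such as `# issuer-name match only; signature/validity verified in <caller>` would make the assumption explicit. Two smaller points: `if not root_cert:` reads more precisely as `if root_cert is None:`, and the debug line could also log the subject of the bundle certificate that matched, since the anchor may no longer come from the last element. The `def find_root` line sits above the hunk.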