From ba94ceb9cc1cb2c6ab371e94b9f9c879c12402dc Mon Sep 17 00:00:00 2001
From: Ruben van Staveren
Date: Wed, 27 Jul 2022 11:19:35 +0200
Subject: [PATCH] Improved handling of cross signed intermediates. #1
---
 sort_certificate.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/sort_certificate.py b/sort_certificate.py
index db26b60..03305ac 100755
--- a/sort_certificate.py
+++ b/sort_certificate.py
@@ -187,11 +187,12 @@ def find_intermediate_root(x509_objects, root_issuers):
 '''
 # Some intermediates have the *same* subject as some root certificates.
- # blacklist them
- # XXX better use pubkey/hash for that, but can't find the appropriate
- # interface to that at the moment
+ # blacklist them if their issuer and subject name is present in the root
+ # bundle
 excluded_issuers = [str(x.get_subject()) for x in x509_objects
- if x.get_subject() != x.get_issuer()]
+ if x.get_subject() != x.get_issuer()
+ and str(x.get_issuer()) in root_issuers
+ and str(x.get_subject()) in root_issuers]
 logging.debug('Known root issuers\n\t%s', '\n\t'.join(root_issuers))
 logging.debug('Excluding issuers because of potential intermediates\n\t%s',
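Review bot: The `excluded_issuers` filter still decides by distinguished-name strings alone, and the removed `XXX better use pubkey/hash` comment was the only place that said so. Name equality does not show that a certificate carries the same CA key, so any non-self-signed certificate whose subject and issuer names both appear in `root_issuers` is excluded, whether or not it is really a cross-signed copy of a root. I would keep the caveat next to the comprehension, e.g. `# NOTE: match is by subject/issuer name only; not bound to the public key or key identifiers`, and, if these are pyOpenSSL objects as the `get_subject()`/`get_issuer()` calls suggest, compare public keys or key identifiers in a follow-up. The body of `find_intermediate_root` starts above and continues below this hunk.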