Improved handling of cross signed intermediates. #1

2022-07-27 11:19:35 +02:00 · 2022-07-27 11:19:35 +02:00 · ba94ceb9cc
commit ba94ceb9cc
parent ebe467260a
1 changed files with 5 additions and 4 deletions
--- a/sort_certificate.py
+++ b/sort_certificate.py
@ -187,11 +187,12 @@ def find_intermediate_root(x509_objects, root_issuers):
    '''

    # Some intermediates have the *same* subject as some root certificates.
-    # blacklist them
-    # XXX better use pubkey/hash for that, but can't find the appropriate
-    # interface to that at the moment
+    # blacklist them if their issuer and subject name is present in the root
+    # bundle
    excluded_issuers = [str(x.get_subject()) for x in x509_objects
-                        if x.get_subject() != x.get_issuer()]
+                        if x.get_subject() != x.get_issuer()
+                        and str(x.get_issuer()) in root_issuers
+                        and str(x.get_subject()) in root_issuers]

    logging.debug('Known root issuers\n\t%s', '\n\t'.join(root_issuers))
    logging.debug('Excluding issuers because of potential intermediates\n\t%s',