From c9eedd087bd9c5fe1425da3eeaa42d89ef40ed56 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer
Date: Fri, 24 Jan 2025 18:22:21 +0100
Subject: [PATCH] fix: only the last cert can have an empty authority key
---
 src/lib.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib.rs b/src/lib.rs
index d9e254f..da3390a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -317,7 +317,11 @@ impl Chain {
 pub fn is_valid(&self) -> bool {
 let mut x: Option> = None;
 let mut time_issue = false;
- for cert in self.certs.iter().rev() {
+
+ for (idx, cert) in self.certs.iter().rev().enumerate() {
+ if cert.authority_key_id().to_string() == "*Empty*" && idx > 0 {
+ return false;
+ }
 if !cert.within_timerange(&SystemTime::now()) {
 time_issue = true;
 }
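Review bot: The new guard in `is_valid` detects a missing authority key id by comparing `cert.authority_key_id().to_string()` with the display sentinel `"*Empty*"`, so a chain-validation decision now depends on a formatting string; if that rendering ever changes, the check stops matching and a chain whose non-final cert lacks an authority key id is accepted again without any error. The return type of `authority_key_id()` is not visible here, but a typed emptiness check on that value, or at least a shared constant for the sentinel plus a unit test with such a chain, would make the rule fail closed. Because the loop runs over `.rev()`, `idx > 0` means "not the last cert" rather than "not the first", which deserves a comment such as `// reversed iteration: idx 0 is the last cert, the only one allowed an empty authority key id`; putting `idx > 0 &&` first would also skip the string allocation for that cert. The body of `is_valid` continues past the end of this hunk.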