diff --git a/src/XrdCrypto/XrdCryptoX509Chain.cc b/src/XrdCrypto/XrdCryptoX509Chain.cc
index bc924a6..2cdd22e 100644
--- a/src/XrdCrypto/XrdCryptoX509Chain.cc
+++ b/src/XrdCrypto/XrdCryptoX509Chain.cc
@@ -71,6 +71,7 @@ XrdCryptoX509Chain::XrdCryptoX509Chain(XrdCryptoX509 *c)
current = 0;
begin = 0;
end = 0;
+ effca = 0;
size = 0;
lastError = "";
caname = "";
@@ -94,6 +95,8 @@ XrdCryptoX509Chain::XrdCryptoX509Chain(XrdCryptoX509 *c)
else
statusCA = kValid;
}
+ // Search for the effective CA
+ SetEffectiveCA();
}
}
@@ -106,6 +109,7 @@ XrdCryptoX509Chain::XrdCryptoX509Chain(XrdCryptoX509Chain *ch)
current = 0;
begin = 0;
end = 0;
+ effca = 0;
size = 0;
lastError = ch->LastError();
caname = ch->CAname();
@@ -122,6 +126,7 @@ XrdCryptoX509Chain::XrdCryptoX509Chain(XrdCryptoX509Chain *ch)
if (end)
end->SetNext(nc);
end = nc;
+ if (c == ch->EffCA()) effca = nc;
size++;
// Go to Next
c = ch->Next();
@@ -164,6 +169,7 @@ void XrdCryptoX509Chain::Cleanup(bool keepCA)
current = 0;
begin = 0;
end = 0;
+ effca = 0;
size = 0;
lastError = "";
caname = "";
@@ -275,7 +281,7 @@ void XrdCryptoX509Chain::InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp)
end = nc;
} else {
- // Referebce certificate not in the list
+ // Reference certificate not in the list
// If new, add in last position; otherwise leave it where it is
if (!nc)
PushBack(c);
@@ -545,6 +551,8 @@ int XrdCryptoX509Chain::Reorder()
if (size < 2) {
DEBUG("Nothing to reorder (size: "<<size<<")");
+ // Search for the effective CA (the last one, in case of subCAs)
+ SetEffectiveCA();
return 0;
}
@@ -613,6 +621,9 @@ int XrdCryptoX509Chain::Reorder()
np = np->Next();
}
+ // Search for the effective CA (the last one, in case of subCAs)
+ SetEffectiveCA();
+
// Check consistency
if (left > 0) {
DEBUG("Inconsistency found: "<<left<<
@@ -625,6 +636,28 @@ int XrdCryptoX509Chain::Reorder()
}
//___________________________________________________________________________
+void XrdCryptoX509Chain::SetEffectiveCA()
+{
+ // Search for the effective CA (the last one, in case of subCAs)
+ effca = 0;
+ XrdCryptoX509ChainNode *np = begin;
+ while (np) {
+ if (np->Cert()) {
+ if (np->Cert()->type == XrdCryptoX509::kCA) {
+ effca = np;
+ } else {
+ break;
+ }
+ }
+ np = np->Next();
+ }
+ if (effca && effca->Cert()) {
+ caname = effca->Cert()->Subject();
+ cahash = effca->Cert()->SubjectHash();
+ }
+}
+
+//___________________________________________________________________________
bool XrdCryptoX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t *vopt)
{
// Verify cross signatures of the chain
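Review bot: When the walk finds no node of type kCA, `effca = 0;` together with the trailing `if (effca && effca->Cert())` leaves `caname` and `cahash` holding whatever they contained before, so after a Reorder() on a chain without a CA the accessors CAname()/CAhash() can still report a CA that is no longer in the chain; either clear them in an else branch, `} else { caname = ""; cahash = ""; }`, or document that they are deliberately left untouched. The loop stops at the first non-CA certificate, so it only locates the effective CA when the chain is already ordered CA-first; that precondition deserves a comment, since the function is also invoked from the single-certificate constructor. Note that `caname`/`cahash` now describe the last sub-CA rather than the root, so any caller that uses CAhash() to find the trust-anchor file sees a behaviour change worth confirming. Verify's body continues outside the hunk.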
diff --git a/src/XrdCrypto/XrdCryptoX509Chain.hh b/src/XrdCrypto/XrdCryptoX509Chain.hh
index ebd29f2..5813002 100644
--- a/src/XrdCrypto/XrdCryptoX509Chain.hh
+++ b/src/XrdCrypto/XrdCryptoX509Chain.hh
@@ -111,6 +111,7 @@ public:
const char *EECname();
const char *CAhash();
const char *EEChash();
+ XrdCryptoX509 *EffCA() const { return effca ? effca->Cert() : (XrdCryptoX509 *)0; }
// Modifiers
void InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp);
@@ -147,6 +148,7 @@ protected:
XrdCryptoX509ChainNode *current;
XrdCryptoX509ChainNode *end;
XrdCryptoX509ChainNode *previous;
+ XrdCryptoX509ChainNode *effca;
int size;
XrdOucString lastError;
XrdOucString caname;
@@ -162,6 +164,7 @@ protected:
XrdCryptoX509ChainNode *FindSubject(const char *subject,
ESearchMode mode = kExact,
XrdCryptoX509ChainNode **p = 0);
+ void SetEffectiveCA();
bool Verify(EX509ChainErr &e, const char *msg,
XrdCryptoX509::EX509Type type, int when,
XrdCryptoX509 *xcer, XrdCryptoX509 *xsig,
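Review bot: The new declaration `void SetEffectiveCA();` carries no comment, and its implementation rewrites `caname` and `cahash` as a side effect, which a reader of the header cannot guess from the name; a one-line comment such as `// Find the last CA node of the (CA-first ordered) chain and set effca, caname, cahash from it` would make the contract visible. The enclosing class declaration continues outside the hunk.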
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
index 67101ec..a08235a 100644
--- a/src/XrdSecgsi/XrdSecProtocolgsi.cc
+++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -4403,7 +4403,7 @@ int XrdSecProtocolgsi::GetCA(const char *cahash,
// Get CRL, if required
ok = 1;
if (CRLCheck > 0) {
- if ((crl = LoadCRL(chain->Begin(), cahash, cf, CRLDownload))) {
+ if ((crl = LoadCRL(chain->EffCA(), cahash, cf, CRLDownload))) {
// Good CA
DEBUG("CRL successfully loaded");
} else {
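Review bot: `chain->EffCA()` returns 0 when the chain holds no certificate of type kCA (see the inline accessor added in the header), whereas the replaced `chain->Begin()` handed LoadCRL the first node's certificate; unless LoadCRL tolerates a null certificate, the call needs a guard such as `if (chain->EffCA() && (crl = LoadCRL(chain->EffCA(), cahash, cf, CRLDownload)))` or an explicit error path. The `cahash` argument is still the value passed into GetCA, which presumably identifies the root CA, while the certificate is now the sub-CA; if LoadCRL derives the CRL location from `cahash`, the two may no longer refer to the same issuer. With sub-CAs present, loading only the effective CA's CRL also means revocation of the intermediate itself, published in the root's CRL, is not checked on this path unless it happens elsewhere in GetCA. GetCA's body continues outside the hunk.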