@bbockelm commented on this pull request.


In src/XrdHttp/XrdHttpProtocol.cc:

> -        if (SecEntity.moninfo) free(SecEntity.moninfo);
-        SecEntity.moninfo = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0);
-        TRACEI(DEBUG, " Subject name is : '" << SecEntity.moninfo << "'");
-        
-        mape = servGMap->dn2user(SecEntity.moninfo, bufname, sizeof(bufname), 0);
-        if ( !mape ) {
-          TRACEI(DEBUG, " Mapping name: " << SecEntity.moninfo << " --> " << bufname);
-          if (SecEntity.name) free(SecEntity.name);
-          SecEntity.name = strdup(bufname);
-        }
-        else {
-          TRACEI(ALL, " Mapping name: " << SecEntity.moninfo << " Failed. err: " << mape);
-        }
-      }
-      
+  if (!dn) {
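
Review bot: at the new `if (!dn) {` branch, the two outcomes of the removed block need to stay covered. The removed code replaced SecEntity.name only when dn2user returned 0, and logged a failed lookup at TRACEI(ALL, ...) while leaving SecEntity.name untouched. The replacement path should still emit that failure trace and make an explicit decision about SecEntity.name when no mapping is found, so that an unmapped DN is visible in the log and does not silently keep an earlier name.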

No... the EEC for a plain certificate is still the correct subject (at least, this was done correctly for my testing).

The algorithm for discovering the EEC is (basically) to order the chain and, starting at the end, walk up the chain. The EEC is the last certificate discovered that is not marked as a CA (a well-defined attribute within X509).

Did your testing reveal issues here?
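
The EEC discovery described in the comment above, as an added example that is not code from this pull request or from XRootD: it runs on a simplified certificate model instead of OpenSSL objects, and the `Cert` struct, `find_eec_subject` and the sample DNs are hypothetical. It accepts the chain in any order and covers both the plain-certificate case and a proxy chain.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for an X.509 certificate (assumption: real code reads
// these fields from the parsed certificate, is_ca from basicConstraints).
struct Cert {
    std::string subject;
    std::string issuer;
    bool is_ca;
};

// Returns the subject of the EEC, or "" when the set has no non-CA
// certificate or does not form a single chain.
std::string find_eec_subject(const std::vector<Cert>& chain) {
    // Step 1: order the chain by locating its end, the one certificate
    // that issued no other certificate in the set.
    const Cert* cur = nullptr;
    for (const Cert& c : chain) {
        bool issued_other = false;
        for (const Cert& o : chain)
            if (&o != &c && o.issuer == c.subject) issued_other = true;
        if (!issued_other) {
            if (cur) return "";   // two ends: not a single chain
            cur = &c;
        }
    }
    // Step 2: walk up through issuer links, remembering the last non-CA
    // certificate seen. The step bound guards against issuer loops.
    std::string eec;
    for (std::size_t steps = 0; cur && steps < chain.size(); ++steps) {
        if (!cur->is_ca) eec = cur->subject;
        const Cert* parent = nullptr;
        for (const Cert& o : chain)
            if (&o != cur && o.subject == cur->issuer) parent = &o;
        cur = parent;             // nullptr once the root is passed
    }
    return eec;
}

int main() {
    // Constructed sample: CA -> user EEC -> one proxy, given out of order.
    std::vector<Cert> chain = {
        {"/CN=user/CN=123", "/CN=user", false},
        {"/CN=Test CA", "/CN=Test CA", true},
        {"/CN=user", "/CN=Test CA", false}};
    std::cout << find_eec_subject(chain) << "\n";
    return 0;
}
```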

