Hi, I am trying to compare two certificates by comparing their public keys.

Just to give a reference: I designed a certificate cache for verifying signatures (no private keys). Every new certificate goes through the full verify process: check the issuer path, check the signature (X509_verify()), and check the dates and CRL. But once it is in the cache, if I get another request with the same issuer and same serial #, then I look it up in the cache; if it is in the cache I just want to compare public keys, and if they are equal, verify the signature with one of them (it should not matter which one I would use for that).

I am using OpenSSL and although they have the X509_cmp() function, I prefer not to use it because it rehashes the certificate (or at least it seems so to me) and I want to get the maximum performance I can get, so I built my own compare function and I would like to hear your opinion.

Can there be any situations where the public key will not be loaded in that object (see code), and therefore the compare might return TRUE but it is not the same public key? For example, is there a difference in where they are stored for different sizes of certificates (2048 bit vs. 768), or X.509v3 vs. X.509v1, or algorithms DSA vs. RSA? Also, is that public key object always loaded after I have called the PEM_read_bio_X509() function?

Here is a snapshot of my compare code:

    #include <string.h>
    #include <openssl/x509.h>

    /* Compare only the subjectPublicKey BIT STRING of the two certificates.
     * Note: direct access to cert->cert_info->key->public_key relies on the
     * non-opaque X509 structures of OpenSSL 0.9.x/1.0.x. */
    int gms_x509_compare_public_keys(X509 *cert1, X509 *cert2)
    {
        ASN1_BIT_STRING *pk1 = cert1->cert_info->key->public_key;
        ASN1_BIT_STRING *pk2 = cert2->cert_info->key->public_key;

        /* Different lengths: order by length, as memcmp() would order by content. */
        if (pk1->length != pk2->length)
            return pk1->length - pk2->length;

        /* Same length: byte-for-byte comparison of the key bits (0 means equal). */
        return memcmp((char *)pk1->data, (char *)pk2->data, pk1->length);
    }

Thanks in advance,
Joe

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
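The posted function compares only the subjectPublicKey BIT STRING. In X.509 that bit string sits inside SubjectPublicKeyInfo next to an AlgorithmIdentifier that carries the algorithm OID and, for DSA, the domain parameters p, q and g, so two certificates whose keys share the same y but different parameters compare as equal under a bit-string-only check. The following self-contained Python script (an added example, not code from the original post or from OpenSSL) walks the DER of a certificate to its SubjectPublicKeyInfo and contrasts the bit-string-only comparison with a comparison of the whole SPKI encoding. All DER helpers and the three sample certificates are constructed here; the certificates are structurally valid tbsCertificate/Certificate SEQUENCEs with placeholder names and a dummy signature, and the small DSA parameters are illustrative values, not real keys.

```python
# Added example: compare certificates by their whole SubjectPublicKeyInfo (SPKI),
# not only the public-key BIT STRING. All DER helpers and the sample
# certificates below are constructed for this demonstration.

# ---- minimal DER encoding -------------------------------------------------
def der_len(n: int) -> bytes:
    """DER length octets (short form under 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def integer(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # keep the INTEGER positive
        body = b"\x00" + body
    return tlv(0x02, body)

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:          # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def bit_string(content: bytes) -> bytes:
    return tlv(0x03, b"\x00" + content)   # leading octet = number of unused bits

# ---- minimal DER decoding -------------------------------------------------
def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, end_offset) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def children(body: bytes):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed body."""
    off = 0
    while off < len(body):
        tag, _, end = parse_tlv(body, off)
        yield tag, body[off:end]
        off = end

def spki_of_cert(cert_der: bytes) -> bytes:
    """Locate subjectPublicKeyInfo inside Certificate.tbsCertificate."""
    _, cert_body, _ = parse_tlv(cert_der)        # Certificate SEQUENCE
    _, tbs_body, _ = parse_tlv(cert_body)        # tbsCertificate SEQUENCE
    elems = list(children(tbs_body))
    # tbsCertificate: [0] version (optional, v3), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    base = 1 if elems[0][0] == 0xA0 else 0
    return elems[base + 5][1]

def key_bits_of_spki(spki_der: bytes) -> bytes:
    """The subjectPublicKey BIT STRING content (what the posted C code compares)."""
    _, body, _ = parse_tlv(spki_der)
    _, bits = list(children(body))[1]
    _, bits_body, _ = parse_tlv(bits)
    return bits_body[1:]                          # drop the unused-bits octet

# ---- the two comparisons --------------------------------------------------
def same_key_bits(cert1: bytes, cert2: bytes) -> bool:
    """Mirrors the posted compare: BIT STRING only; algorithm and parameters ignored."""
    return key_bits_of_spki(spki_of_cert(cert1)) == key_bits_of_spki(spki_of_cert(cert2))

def same_spki(cert1: bytes, cert2: bytes) -> bool:
    """Whole SubjectPublicKeyInfo DER: algorithm OID, parameters and key bits."""
    return spki_of_cert(cert1) == spki_of_cert(cert2)

# ---- constructed sample certificates (structure only, dummy signature) ----
DSA_OID = "1.2.840.10040.4.1"

def dsa_spki(p: int, q: int, g: int, y: int) -> bytes:
    # DSA domain parameters live in AlgorithmIdentifier.parameters, not in the BIT STRING
    alg = sequence(oid(DSA_OID), sequence(integer(p), integer(q), integer(g)))
    return sequence(alg, bit_string(integer(y)))

def build_cert(spki: bytes) -> bytes:
    version = tlv(0xA0, integer(2))               # [0] EXPLICIT version v3
    name = sequence()                             # empty Name, enough for this parser
    validity = sequence(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    sig_alg = sequence(oid("1.2.840.10040.4.3"))  # dsa-with-sha1, unused here
    tbs = sequence(version, integer(1), sig_alg, name, validity, name, spki)
    return sequence(tbs, sig_alg, bit_string(b"\x00" * 8))  # dummy signature

Y = 0x1234567                                      # illustrative value, not a real key
CERT_A = build_cert(dsa_spki(p=0xFFF1, q=0x1F, g=0x2, y=Y))
CERT_B = build_cert(dsa_spki(p=0xFFE3, q=0x1D, g=0x3, y=Y))   # same y, other params
CERT_C = build_cert(dsa_spki(p=0xFFF1, q=0x1F, g=0x2, y=Y + 1))

if __name__ == "__main__":
    print("A vs B, key bits only:", same_key_bits(CERT_A, CERT_B))   # True
    print("A vs B, whole SPKI:   ", same_spki(CERT_A, CERT_B))       # False
    print("A vs C, key bits only:", same_key_bits(CERT_A, CERT_C))   # False
```

Comparing the full SPKI encoding costs one extra memcmp() over the AlgorithmIdentifier bytes and no hashing, so it keeps the performance goal of the post while also catching a changed algorithm or changed DSA parameters.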
Just to give a reference I designed a certificate cache for verifying signatures (no private keys), every new certificate goes through the full verify process, check issuer path, and check signature (X509_verify()) and check dates and CRL. But after in cache if I get another request with the same issuer and same serial #, then I look it up in the cache, if it is in the cache I just want to compare public keys, and if equal verify signature with one of them (it should not matter which one I would use for that). I am using OpenSSL and although they have the X509_cmp() function, I prefer not to use it because it rehashes the certificate (or at least it seems so to me) and I want to get the maximum performance I can get., so I built my own compare function and I would like to hear your opinion. Can there be any situations that the public key will not be loaded in that object (see code), and therefore the compare might return as TRUE but it is not the same public key, for example is there a difference between where they store different sizes of certificates (2048 bit vs. 768) or X.509v3 vs. X.509v1 or algorithms DSA vs. RSA? Also is that public key object always loaded from after I have called the PEM_read_bio_X509() function? Here is a snap shot of my compare code: int gms_x509_compare_public_keys(X509 * cert1, X509 * cert2) { ASN1_BIT_STRING * pk1 = cert1->cert_info->key->public_key; ASN1_BIT_STRING * pk2 = cert2->cert_info->key->public_key; if (pk1->length != pk2->length) return pk1->length - pk2->length; return memcmp((char *)pk1->data, (char *)pk2->data, pk1->length); } Thanks in advance, Joe [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]