memcmp in this case is reading 10 32-bit words into registers, and XORing the appropriate pairs. If any of them don't match, it fails. You can't exactly get much faster than that.
Since the hash on each certificate is calculated once, and then is cached (the hash takes into account the entire certificate, not just the public key -- this can become important if the same public key occurs in two separate certificates, one valid and one invalid), the memcmp() route is the fastest option. (Note also that every time a certificate is initially presented, it must be fully hashed in order to verify the certificate chain.)

-Kyle H

On 1/26/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
> Thank you.
> I still am not sure if it is the best idea,
>
> Because I will be getting, for example, 1,000,000 times in a day the
> same certificate, I don't want to do even that short process if not
> necessary. What I could do is compare the times between X509_cmp() and
> my code, or even doing memcmp() on the original text of the X509.
>
> So I would like to know if anyone thinks there is a problem with how
> I am doing it, or if it will be slower than using some other way to do
> it?
>
> Thanks in advance (And thank you Dr. Stephen Henson)
>
> Joe
>
> On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > On Thu, Jan 26, 2006, Joe Gluck wrote:
> >
> > > That is great to know because I did not know if while loading the
> > > certificate it parses the fields and hashes or just loads it.
> > >
> >
> > It parses most fields. The public key and extension parts aren't parsed
> > until a call is explicitly made to parse them.
> >
> > > But anyway, if I call the X509_cmp() it will do the
> > > X509_check_purpose() and I would like to avoid that by just getting
> > > the public key part and doing memcmp on it with the one already in my
> > > cache.
> > >
> >
> > X509_check_purpose() with those parameters just checks to see if the hash
> > (and other things) is valid, if not calculating it and then returns. So
> > after that first call it is a no op.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> > OpenSSL project core developer and freelance consultant.
> > Funding needed! Details on homepage.
> > Homepage: http://www.drh-consultancy.demon.co.uk
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > Development Mailing List                       openssl-dev@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]