On Thu, Jan 26, 2006, Joe Gluck wrote:

> Thank you.
> I still am not sure if it is the best idea,
>
> because I will be getting, for example, 1,000,000 times a day the
> same certificate. I don't want to do even that short process if not
> necessary; what I could do is compare the times between X509_cmp() and
> my code, or even do a memcmp() on the original text of the X509.
>
> So I would like to know if anyone thinks there is a problem with how
> I am doing it, or if it will be slower than using some other way to do
> it?
Your algorithm ends up accessing X509 structure internals, which isn't a good idea if it can be avoided.

It also doesn't compare the whole public key: you'd also need to compare the algorithm type and its parameters (if any). There are sound reasons as to why you should also check parameters. If you don't, there are some interesting key substitution attacks that could spoil your whole day...

If structure internal access is considered acceptable you can cut the whole thing down to the memcmp() of X509_cmp().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
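An added Python illustration of Steve's point (not code from this thread or from OpenSSL): two DSA SubjectPublicKeyInfo blobs with the same public value y but different domain parameters look identical if only the key bits are compared, and differ only when the whole SPKI (algorithm, parameters, key) is compared; a digest of the full DER, which is what the memcmp() inside X509_cmp() ends up comparing, also serves the "same certificate a million times a day" case. The minimal DER builder/walker and the toy DSA numbers are constructed for the example.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body

def der_children(data: bytes) -> list:
    """Split a run of DER TLVs into (tag, contents) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(data[i - k:i], "big")
        out.append((tag, data[i:i + n]))
        i += n
    return out

def spki(alg_oid: bytes, params: bytes, key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQ { SEQ { OID, params }, BIT STRING key }."""
    alg = der_tlv(0x30, der_tlv(0x06, alg_oid) + params)
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))

def key_bits_only(spki_der: bytes) -> bytes:
    """The 'compare only the key' view: BIT STRING contents, unused-bits byte dropped."""
    alg, bits = der_children(der_children(spki_der)[0][1])
    return bits[1][1:]

def same_key_naive(a: bytes, b: bytes) -> bool:
    return key_bits_only(a) == key_bits_only(b)      # ignores algorithm and params

def same_key_full(a: bytes, b: bytes) -> bool:
    return a == b                                     # algorithm + params + key

def cert_seen_before(der: bytes, cache: set) -> bool:
    """Cheap repeat check on the whole DER via its digest, like X509_cmp's memcmp."""
    d = hashlib.sha256(der).digest()
    if d in cache:
        return True
    cache.add(d)
    return False

# Constructed toy DSA keys (id-dsa 1.2.840.10040.4.1); same y, different (p, q, g).
DSA_OID = bytes.fromhex("2a8648ce380401")
def dsa_params(p: bytes, q: bytes, g: bytes) -> bytes:
    return der_tlv(0x30, b"".join(der_tlv(0x02, x) for x in (p, q, g)))
Y = der_tlv(0x02, b"\x5b")
KEY_A = spki(DSA_OID, dsa_params(b"\x67", b"\x11", b"\x03"), Y)
KEY_B = spki(DSA_OID, dsa_params(b"\x6b", b"\x35", b"\x02"), Y)
```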