That is correct but in my case I am getting the cert in PEM, and it is created by another application we develop so it should be an exact duplicate if it is actually the same one.
On 1/26/06, Lev Walkin <[EMAIL PROTECTED]> wrote:
> Joe Gluck wrote:
> > That attack is interesting, how can that be done? (sorry for bothering you
> > :-) )
> >
> > But cutting down the X509_cmp will not work because the memcmp
> > compares the hash, which, if I cut out the X509_check_purpose lines,
> > will not make any sense.
> >
> > But I think the best idea is to compare the entire text of the entire
> > certificate (the text as I get it in PEM format before loading it into
> > the X509 object). It is faster than hashing the same size and comparing
> > the hash.
>
> You should then consider comparing DER encoding, not the PEM wrapper
> around the DER certificate contents.
>
> PEM encoding of the same certificate can be different, due to relaxed
> rules about whitespace characters.
>
> > Thanks
> >
> > On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> >> On Thu, Jan 26, 2006, Joe Gluck wrote:
> >>
> >>> Thank you.
> >>> I am still not sure if it is the best idea,
> >>>
> >>> because I will be getting, for example, 1,000,000 times a day the
> >>> same certificate. I don't want to do even that short process if it is not
> >>> necessary. What I could do is compare the times between X509_cmp() and
> >>> my code, or even doing memcmp() on the original text of the X509.
> >>>
> >>> So I would like to know if anyone thinks there is a problem with how
> >>> I am doing it, or if it will be slower than using some other way to do
> >>> it?
> >>>
> >> Your algorithm ends up accessing X509 structure internals, which isn't a
> >> good idea if it can be avoided. It also doesn't compare the whole public
> >> key: you'd also need to compare the algorithm type and its parameters (if
> >> any). There are sound reasons as to why you should also check parameters.
> >> If you don't, there are some interesting key substitution attacks that
> >> could spoil your whole day...
> >>
> >> If structure internal access is considered acceptable you can cut the whole
> >> thing down to the memcmp() of X509_cmp().
> >>
> >> Steve.
> >> --
> >> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> >> OpenSSL project core developer and freelance consultant.
> >> Funding needed! Details on homepage.
> >> Homepage: http://www.drh-consultancy.demon.co.uk
> >> ______________________________________________________________________
> >> OpenSSL Project http://www.openssl.org
> >> Development Mailing List openssl-dev@openssl.org
> >> Automated List Manager [EMAIL PROTECTED]
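The DER-versus-PEM point from the thread above, as an added stdlib Python example that is not code from this thread: it strips the PEM wrapper and compares (and fingerprints) the DER bytes, so two PEM files that wrap the same certificate with different line widths or line endings still compare equal. The certificate bytes are a constructed blob, not a real X.509 certificate; in an OpenSSL program the DER would come from PEM_read_bio_X509() followed by i2d_X509().

```python
import base64
import hashlib
import re

# Constructed stand-in for certificate DER bytes. This is NOT a real X.509
# certificate, just an opaque blob so the comparison can be exercised offline;
# with OpenSSL the DER would come from i2d_X509() on the loaded cert.
SAMPLE_DER = bytes(range(256)) * 3

# One PEM block: label in group 1, base64 body (with any whitespace) in group 2.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_to_der(pem: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Return the DER bytes of the first PEM block carrying `label`.

    All whitespace in the base64 body (line width, CR/LF, trailing blanks) is
    dropped before decoding, so differently wrapped PEM files that carry the
    same certificate yield byte-identical DER.
    """
    for match in _PEM_BLOCK.finditer(pem):
        if match.group(1) == label:
            body = re.sub(rb"\s+", b"", match.group(2))
            return base64.b64decode(body, validate=True)
    raise ValueError("no %s block found" % label.decode())


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def same_certificate(pem_a: bytes, pem_b: bytes) -> bool:
    """Compare certificates by DER, never by the PEM text itself."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


def wrap_pem(der: bytes, width: int = 64, newline: bytes = b"\n") -> bytes:
    """Build a PEM block with a chosen line width (used to make test inputs)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (b"-----BEGIN CERTIFICATE-----" + newline
            + newline.join(lines) + newline
            + b"-----END CERTIFICATE-----" + newline)


if __name__ == "__main__":
    a, b = wrap_pem(SAMPLE_DER, 64), wrap_pem(SAMPLE_DER, 76, b"\r\n")
    print("PEM text equal:", a == b)                  # False
    print("DER equal:     ", same_certificate(a, b))  # True
    print("fingerprint:   ", der_fingerprint(pem_to_der(a)))
```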