We first encode it in base64, then add it into an SMTP email header, so I don't think any mail system on the way would play with the value of the base64, because that can break any system that works over SMTP.
What they might do is change the line length and add some \r\n and/or white space, but those we clear anyway before decoding the base64, so after this process it is guaranteed to be the exact same PEM file. And there is only one system that will create the original PEM file, so I don't think that is an issue.

Joe

On 1/26/06, Lev Walkin <[EMAIL PROTECTED]> wrote:
> Joe Gluck wrote:
> > That is correct, but in my case I am getting the cert in PEM, and it is
> > created by another application we develop, so it should be an exact
> > duplicate if it is actually the same one.
>
> This is only true if you can guarantee that the certificate in PEM
> reaches your system only once.
>
> If you can transfer PEM from the application your team is developing
> using different means (email, file transfer, web publishing), it is
> practically guaranteed that the PEM contents would not match, if only
> for different line ending conventions between different systems.
>
> Even if you can guarantee that the certificate reaches your certificate
> storage only once, you can just as well compare a pointer to the
> structure which keeps this certificate's PEM contents.
>
> > On 1/26/06, Lev Walkin <[EMAIL PROTECTED]> wrote:
> >> Joe Gluck wrote:
> >>> That attack is interesting, how can that be done? (Sorry for bothering
> >>> you :-) )
> >>>
> >>> But cutting down the X509_cmp will not work because the memcmp
> >>> compares the hash, which, if I cut out the X509_check_purpose lines,
> >>> will not make any sense.
> >>>
> >>> But I think the best idea is to compare the entire text of the entire
> >>> certificate (the text as I get it in PEM format before loading it into
> >>> the X509 object). It is faster than hashing the same size and comparing
> >>> the hash.
> >> You should then consider comparing DER encoding, not the PEM wrapper
> >> around the DER certificate contents.
> >>
> >> PEM encoding of the same certificate can be different, due to relaxed
> >> rules about whitespace characters.
> >>
> >>> Thanks
> >>>
> >>> On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> >>>> On Thu, Jan 26, 2006, Joe Gluck wrote:
> >>>>
> >>>>> Thank you.
> >>>>> I still am not sure if it is the best idea,
> >>>>>
> >>>>> because I will be getting, for example, 1,000,000 times in a day the
> >>>>> same certificate; I don't want to do even that short process if not
> >>>>> necessary. What I could do is compare the times between X509_cmp() and
> >>>>> my code, or even doing memcmp() on the original text of the X509.
> >>>>>
> >>>>> So I would like to know if anyone thinks there is a problem with how
> >>>>> I am doing it, or if it will be slower than using some other way to do
> >>>>> it?
> >>>>>
> >>>> Your algorithm ends up accessing X509 structure internals, which isn't a
> >>>> good idea if it can be avoided. It also doesn't compare the whole public
> >>>> key: you'd also need to compare the algorithm type and its parameters
> >>>> (if any). There are sound reasons as to why you should also check
> >>>> parameters. If you don't, there are some interesting key substitution
> >>>> attacks that could spoil your whole day...
> >>>>
> >>>> If structure internal access is considered acceptable you can cut the
> >>>> whole thing down to the memcmp() of X509_cmp().
> >>>>
> >>>> Steve.
> >>>> --
> >>>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> >>>> OpenSSL project core developer and freelance consultant.
> >>>> Funding needed! Details on homepage.
> >>>> Homepage: http://www.drh-consultancy.demon.co.uk
> >>>> ______________________________________________________________________
> >>>> OpenSSL Project http://www.openssl.org
> >>>> Development Mailing List openssl-dev@openssl.org
> >>>> Automated List Manager [EMAIL PROTECTED]
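An added example, not from this thread and not OpenSSL code, showing what Lev's advice comes down to in practice: decode each incoming PEM to its DER bytes and compare or fingerprint those, so the line-length, CR/LF and stray-whitespace changes that a mail path may introduce cannot produce a false mismatch. It uses only the Python standard library. The DER payload is a constructed stand-in for a real certificate body, the `to_pem` reflow helper and the `SeenCertificates` cache are made up for the demo, and `der_fingerprint` is a SHA-1 over the DER, which is the hash that `X509_cmp()` of that era compared with `memcmp()` once `X509_check_purpose()` had filled it in.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate. A real one is a
# few hundred bytes of ASN.1; nothing below depends on the contents.
FAKE_DER = bytes(range(256)) * 3

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def to_pem(der: bytes, line_len: int = 64, eol: str = "\n") -> str:
    """Wrap DER as PEM with a chosen line length and line ending.

    Demo helper: lets us produce the differently-wrapped PEM files that a
    relay or a different OS would hand us for one and the same certificate.
    """
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return eol.join([BEGIN, *lines, END]) + eol


def pem_to_der(pem: str) -> bytes:
    """Return the DER payload of the first CERTIFICATE block in `pem`.

    All whitespace inside the base64 body is dropped first, so 64- vs
    76-column wrapping, CRLF vs LF and padding spaces do not matter.
    Encapsulated headers (e.g. 'Proc-Type:') are not handled; certificate
    PEM blocks normally carry none.
    """
    start = pem.find(BEGIN)
    end = pem.find(END)
    if start < 0 or end < 0 or end < start:
        raise ValueError("no CERTIFICATE PEM block found")
    body = re.sub(r"\s+", "", pem[start + len(BEGIN):end])
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently skipping them, so corruption is reported, not masked.
    return base64.b64decode(body, validate=True)


def der_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER: the same value X509_cmp() memcmp()s internally."""
    return hashlib.sha1(der).hexdigest()


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """Equality by decoded DER bytes, never by PEM text."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


class SeenCertificates:
    """Dedupe cache keyed on the DER fingerprint.

    For the 'same certificate a million times a day' case: the expensive
    parse into an X509 object need only happen the first time a
    fingerprint shows up.
    """

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def check(self, pem: str) -> bool:
        """True if a certificate with the same DER was already seen."""
        fp = der_fingerprint(pem_to_der(pem))
        if fp in self._seen:
            return True
        self._seen.add(fp)
        return False


if __name__ == "__main__":
    # Same certificate, wrapped three different ways.
    unix = to_pem(FAKE_DER, 64, "\n")
    mail = to_pem(FAKE_DER, 76, "\r\n").replace("\r\n", " \r\n ")
    print("PEM text identical:", unix == mail)            # False
    print("DER identical:     ", same_certificate(unix, mail))  # True
```

Because the whole DER is compared, the algorithm identifier and any key parameters Steve mentions are covered automatically; the comparison is over the complete certificate rather than over fields picked out of the X509 structure.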