I was also concerned about someone messing with the headers or any
other field, but those checks I did only after the public key did not
match, because if the public key matches to one in the cache and the
one in the cache is fully verified, then I don't care for additional
checks.

And if it fails I can call additional functions to analyze the reason
for the error.

But the idea of comparing first just a few bytes I am not sure it will
be so much faster, because the memcmp internally also does not compare
the entire block at once, and if it finds an unequal it will stop
comparing on the spot and return.

The only thing that might make it a bit slower is if it first loads
the entire block into some other place in memory which I doubt because
it can't compare the entire block at once anyway.

Thanks,

Joe

On 1/26/06, Richard Salz <[EMAIL PROTECTED]> wrote:
> You should probably also be  concerned with someone messing with the
> header and making you get "false" denials.  For that reason, and because
> it's generally safer, you want to use the DER, not any wrapped format; for
> example, line endings might change.
>
> Doing memcmp() on the DER will be more efficient (time and space) than
> X509_cmp, not the least of which is that it avoids creating an X509 from
> the DER.
>
> So now the question is, are there times when you can avoid the memcmp?
> Sure.  Since you've done the base64 decode, you should have the length, so
> compare lengths first. Second, compare some initial bytes.  Any
> certificate will start with the same few bytes, so something like
> comparing bytes 4-8, or the *last* four bytes of each DER buffer, can be
> done, and only call memcmp if they match.  At start time, take the four
> bytes from your known-correct DER, pack them into an int, and then when
> you get a new cert coming in, do the same pack and then a single integer
> compare.  If they match, do memcmp.
>
> Hope this helps.
>
>        /r$
>
> --
> SOA Appliance Group
> IBM Application Integration Middleware
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
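As an added example (not code from either poster), the lookup Richard describes against Joe's cache of verified certificates, in C: compare lengths, then do a single integer compare of the last four DER bytes packed at start time, and only then call memcmp() on the whole buffer, with the return value recording which stage rejected the incoming certificate. The type and function names and the sample buffers are assumptions, not OpenSSL API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum der_check { DER_LEN_MISMATCH, DER_TAIL_MISMATCH, DER_BODY_MISMATCH, DER_MATCH };

/* Hypothetical cache entry for one already-verified DER certificate. */
typedef struct {
    const unsigned char *der;
    size_t len;
    uint32_t tail;  /* last four DER bytes, packed when the entry is loaded */
} cached_der_t;

/* Pack the last four bytes of a DER buffer (len >= 4) into one integer. */
static uint32_t pack_tail(const unsigned char *der, size_t len)
{
    const unsigned char *p = der + len - 4;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Done once at start time for the known-correct DER. */
void cached_der_init(cached_der_t *c, const unsigned char *der, size_t len)
{
    c->der = der;
    c->len = len;
    c->tail = len >= 4 ? pack_tail(der, len) : 0;
}

/* Cheapest test first: length, then one integer compare of the tail, then
 * memcmp() over the whole buffer. The result says which stage rejected it. */
enum der_check cached_der_check(const cached_der_t *c, const unsigned char *der, size_t len)
{
    if (len != c->len)
        return DER_LEN_MISMATCH;
    if (len >= 4 && pack_tail(der, len) != c->tail)
        return DER_TAIL_MISMATCH;
    return memcmp(der, c->der, len) == 0 ? DER_MATCH : DER_BODY_MISMATCH;
}

/* Constructed sample buffers, not real certificates; each begins with the
 * SEQUENCE tag and long-form length (0x30 0x82) that DER certificates share. */
const unsigned char sample_known[]     = {0x30,0x82,0x01,0x0a,0x30,0x81,0xf5,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,0xc1};
const unsigned char sample_mid_diff[]  = {0x30,0x82,0x01,0x0a,0x30,0x81,0xf5,0xa0,0x03,0x02,0x01,0x03,0x02,0x09,0x00,0xc1};
const unsigned char sample_tail_diff[] = {0x30,0x82,0x01,0x0a,0x30,0x81,0xf5,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,0xc2};
```

Note that sample_mid_diff passes both prefilters and is only rejected by memcmp(), which is the case Joe raises: the prefilters save work only when the difference happens to sit in the bytes they look at.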