It depends on what you mean by 'comparing' two certs. In NSS, whenever you get a CERTCertificate structure (through the normal means), if two certs are identical, they will simply be two different references to the same CERTCertificate pointer. If you are paranoid (or you got one structure from CERT_DecodeCertificate()), you can do a SECITEM_CompareItem on the derCert value. That will tell you if you have the identical cert.
This is not the case you want to check, however (which is why there is no CERT_Compare function; it usually is the wrong thing to do). Usually you validate that the certs verify correctly (signatures are OK, and they chain to some trusted certificate). For this you simply compare SubjectNames for the certificates. This allows you to update one side with new certs without breaking anything. Another component you can compare is the public keys, but then you can only upgrade using the same key set.

In your particular example, it seems like you are not really using a PKI, but trying to force a 'fixed key' system, since both the client and the server must have access to the same private key (or the SSL handshake will not work when they are using the same certificate). This is a very dubious use of SSL, and I'd look for other ways to accomplish the same idea.

bob

Patrick wrote:
> What's the best way to compare 2 certs in NSS?
>
> In my NSS server, I want to compare the cert I get from the client
> (SSL_PeerCertificate) with a cert I pull out of the server's cert db (using
> CERT_FindCertByName). I'm expecting the client to present the same cert the
> server is using...
>
> Anyway the best way I saw was to convert the NSS cert structure to a SECItem
> item, and then use the SECITEM_CompareItem function.
> Is there a better way?
>
> I would recommend putting a CERT_Compare(CERTCertificate *cert1,
> CERTCertificate *cert2) in the NSS API. Comparing certs should be a pretty
> common operation I would think.
>
> -- Patrick
