That attack is interesting, how can that be done, (sorry for bothering you :-) )
But cutting down the X509_cmp will not work because the memcmp compares the hash which if I will cut out the X509_check_purpose lines will not make any sense. But I think the best idea is to compare the entire text of the entire certificate (The text as I get in a PEM format before loading it into the X509 object. it is faster than hashing the same size and comparing the hash. Thanks On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: > On Thu, Jan 26, 2006, Joe Gluck wrote: > > > Thank you. > > I still am not sure if it the best idea, > > > > Because i will be getting for example 1,000,000 a times in a day the > > same certificate, I don't want to do that even short process if not > > necessary, what I could do is compare the times between X509_cmp() and > > my code, or even to doing memcmp() on the original text of the X509. > > > > So I would like to know if any one thinks there is a problem with how > > i am doing it, or if it will be slower then using some other way to do > > it? > > > > Your algorithm ends up accessing X509 structure internals which isn't a good > idea if it can be avoided. It also doesn't compare the whole public key: you'd > also need to compare the algorithm type and its parameters (if any). There are > sound reasons as to why you should also check parameters. If you don't there > are some interesting key substitution attacks that could spoil your whole > day... > > If structure internal access is considered acceptable you can cut the whole > thing down to the memcmp() of X509_cmp(). > > Steve. > -- > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage > OpenSSL project core developer and freelance consultant. > Funding needed! Details on homepage. > Homepage: http://www.drh-consultancy.demon.co.uk > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
