If you run an SHA hash on the PEM-formatted certificate that you receive, then you can just use that as a primary key into a database of some form that stores the certificate, as well as the information that it authenticates.
-Kyle H On 1/26/06, Joe Gluck <[EMAIL PROTECTED]> wrote: > That attack is interesting, how can that be done, (sorry for bothering you > :-) ) > > But cutting down the X509_cmp will not work because the memcmp > compares the hash which if I will cut out the X509_check_purpose lines > will not make any sense. > > But I think the best idea is to compare the entire text of the entire > certificate (The text as I get in a PEM format before loading it into > the X509 object. it is faster than hashing the same size and comparing > the hash. > > Thanks > > On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: > > On Thu, Jan 26, 2006, Joe Gluck wrote: > > > > > Thank you. > > > I still am not sure if it the best idea, > > > > > > Because i will be getting for example 1,000,000 a times in a day the > > > same certificate, I don't want to do that even short process if not > > > necessary, what I could do is compare the times between X509_cmp() and > > > my code, or even to doing memcmp() on the original text of the X509. > > > > > > So I would like to know if any one thinks there is a problem with how > > > i am doing it, or if it will be slower then using some other way to do > > > it? > > > > > > > Your algorithm ends up accessing X509 structure internals which isn't a good > > idea if it can be avoided. It also doesn't compare the whole public key: > > you'd > > also need to compare the algorithm type and its parameters (if any). There > > are > > sound reasons as to why you should also check parameters. If you don't there > > are some interesting key substitution attacks that could spoil your whole > > day... > > > > If structure internal access is considered acceptable you can cut the whole > > thing down to the memcmp() of X509_cmp(). > > > > Steve. > > -- > > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage > > OpenSSL project core developer and freelance consultant. > > Funding needed! Details on homepage. > > Homepage: http://www.drh-consultancy.demon.co.uk > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > Development Mailing List openssl-dev@openssl.org > > Automated List Manager [EMAIL PROTECTED] > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
