Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

[Lev Walkin]

Joe Gluck wrote:

That attack is interesting, how can that be done, (sorry for bothering you :-) )

But cutting down the X509_cmp will not work because the memcmp
compares the hash which if I will cut out the X509_check_purpose lines
will not make any sense.

But I think the best idea is to compare the entire text of the entire
certificate (The text as I get in a PEM format before loading it into
the X509 object. it is faster than hashing the same size and comparing
the hash.

You should then consider comparing DER encoding, not the PEM wrapper
around the DER certificate contents.

PEM encoding of the same certificate can be different, due to relaxed
rules about whitespace characters.

Thanks

On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:

On Thu, Jan 26, 2006, Joe Gluck wrote:

Thank you.
I still am not sure if it the best idea,

Because i will be getting for example 1,000,000 a times in a day the
same certificate, I don't want to do that even short process if not
necessary, what I could do is compare the times between X509_cmp() and
my code, or even to doing memcmp() on the original text of the X509.

So I would like to know if any one thinks there is a problem with how
i am doing it, or if it will be slower then using some other way to do
it?

Your algorithm ends up accessing X509 structure internals which isn't a good
idea if it can be avoided. It also doesn't compare the whole public key: you'd
also need to compare the algorithm type and its parameters (if any). There are
sound reasons as to why you should also check parameters. If you don't there
are some interesting key substitution attacks that could spoil your whole day...

If structure internal access is considered acceptable you can cut the whole
thing down to the memcmp() of X509_cmp().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]