You should probably also be concerned with someone messing with the header and making you get "false" denials. For that reason, and because it's generally safer, you want to use the DER, not any wrapped format; for example, line endings might change.
Doing memcmp() on the DER will be more efficient (time and space) than X509_cmp, not the least of which is that it avoids creating an X509 from the DER.

So now the question is, are there times when you can avoid the memcmp? Sure. Since you've done the base64 decode, you should have the length, so compare lengths first. Second, compare some initial bytes. Any certificate will start with the same few bytes, so something like comparing bytes 4-8, or the *last* four bytes of each DER buffer, can be done, and only call memcmp if they match. At start time, take the four bytes from your known-correct DER, pack them into an int, and then when you get a new cert coming in, do the same pack and then a single integer compare. If they match, do memcmp.

Hope this helps.

/r$
--
SOA Appliance Group
IBM Application Integration Middleware

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
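The staged comparison the reply describes (length first, then a packed-int compare of the last four bytes, then memcmp() on the whole DER), written out as an added C example; it is not code from the post, the poster or the OpenSSL project. The function names (der_fingerprint, der_check_stage, der_matches_pinned, check_sample) are my own, and the sample buffers are constructed 12-byte stand-ins for DER certificates, not real ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Quick-reject fingerprint of a DER buffer: its byte length plus its last
 * four bytes packed into one integer. Computed once for the pinned
 * certificate at start-up and once per incoming certificate. */
typedef struct {
    size_t   len;
    uint32_t tail;
} der_fp_t;

/* Pack the last four bytes of a DER buffer big-endian into a uint32_t.
 * Anything shorter than four bytes cannot be a certificate; it gets 0 and
 * is rejected by the length check anyway. */
static uint32_t der_tail(const unsigned char *der, size_t len)
{
    const unsigned char *p;
    if (len < 4)
        return 0;
    p = der + len - 4;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

der_fp_t der_fingerprint(const unsigned char *der, size_t len)
{
    der_fp_t fp;
    fp.len  = len;
    fp.tail = der_tail(der, len);
    return fp;
}

/* Compare a candidate DER against the pinned one, cheapest test first.
 * Returns 0 on an exact match, or the stage that rejected it:
 *   1 = length differs, 2 = packed tail bytes differ, 3 = memcmp() differs. */
int der_check_stage(const der_fp_t *pin_fp, const unsigned char *pin_der,
                    const unsigned char *cand, size_t cand_len)
{
    if (cand_len != pin_fp->len)
        return 1;                        /* cheapest reject: length */
    if (der_tail(cand, cand_len) != pin_fp->tail)
        return 2;                        /* single integer compare */
    return memcmp(pin_der, cand, cand_len) == 0 ? 0 : 3;
}

/* Convenience wrapper: 1 if the candidate is byte-for-byte the pinned DER. */
int der_matches_pinned(const der_fp_t *pin_fp, const unsigned char *pin_der,
                       const unsigned char *cand, size_t cand_len)
{
    return der_check_stage(pin_fp, pin_der, cand, cand_len) == 0;
}

/* Constructed sample buffers for the demo. They are NOT real certificates
 * (a real DER certificate is hundreds of bytes); they only share the leading
 * SEQUENCE header bytes so the quick checks have something to compare. */
static const unsigned char PINNED_DER[] =
    {0x30,0x82,0x01,0x02,0xAA,0xBB,0xCC,0xDD,0x01,0x02,0x03,0x04};
static const unsigned char SAME_DER[] =            /* identical copy */
    {0x30,0x82,0x01,0x02,0xAA,0xBB,0xCC,0xDD,0x01,0x02,0x03,0x04};
static const unsigned char SHORT_DER[] =           /* one byte shorter */
    {0x30,0x82,0x01,0x02,0xAA,0xBB,0xCC,0xDD,0x01,0x02,0x03};
static const unsigned char TAIL_DER[] =            /* last byte differs */
    {0x30,0x82,0x01,0x02,0xAA,0xBB,0xCC,0xDD,0x01,0x02,0x03,0x05};
static const unsigned char MIDDLE_DER[] =          /* only a middle byte differs */
    {0x30,0x82,0x01,0x02,0xAA,0xBB,0xCC,0xEE,0x01,0x02,0x03,0x04};

static const struct { const unsigned char *der; size_t len; } CANDIDATES[] = {
    { SAME_DER,   sizeof SAME_DER   },
    { SHORT_DER,  sizeof SHORT_DER  },
    { TAIL_DER,   sizeof TAIL_DER   },
    { MIDDLE_DER, sizeof MIDDLE_DER },
};

/* Run candidate 'which' (0..3) against the pinned DER; returns the stage
 * code from der_check_stage(), or -1 for an out-of-range index. */
int check_sample(int which)
{
    static der_fp_t pin_fp;
    static int have_fp = 0;
    if (!have_fp) {                      /* the "at start time" step, done once */
        pin_fp = der_fingerprint(PINNED_DER, sizeof PINNED_DER);
        have_fp = 1;
    }
    if (which < 0 || which >= 4)
        return -1;
    return der_check_stage(&pin_fp, PINNED_DER,
                           CANDIDATES[which].der, CANDIDATES[which].len);
}

int main(void)
{
    static const char *names[] = {"identical", "short", "tail-changed", "middle-changed"};
    int i;
    for (i = 0; i < 4; i++)
        printf("%-15s -> stage %d\n", names[i], check_sample(i));
    return 0;
}
```

The two pre-checks are only a fast path for rejecting the common mismatch; the memcmp() over the full buffer is what actually decides, so a candidate that happens to share the length and tail bytes (MIDDLE_DER above) still gets caught. Because the pin covers the entire DER, the stored copy has to be replaced whenever the certificate is renewed, or every renewed certificate will be reported as a mismatch.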