You should probably also be concerned with someone messing with the
header and making you get "false" denials. For that reason, and because
it's generally safer, you want to use the DER, not any wrapped format; for
example, line endings might change.
Doing memcmp() on the DER will be more efficient (time and space) than
X509_cmp, not the least of which is that it avoids creating an X509 from
the DER.
So now the question is, are there times when you can avoid the memcmp?
Sure. Since you've done the base64 decode, you should have the length, so
compare lengths first. Second, compare some initial bytes. Any
certificate will start with the same few bytes, so something like
comparing bytes 4-8, or the *last* four bytes of each DER buffer, can be
done, and only call memcmp if they match. At start time, take the four
bytes from your known-correct DER, pack them into an int, and then when
you get a new cert coming in, do the same pack and then a single integer
compare. If they match, do memcmp.
Hope this helps.
/r$
--
SOA Appliance Group
IBM Application Integration Middleware
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
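The length-then-prefix-then-memcmp() scheme described in the message above, written out as an added example (not code from the original post, not OpenSSL code). It assumes the caller has already base64-decoded the incoming PEM body into a byte buffer, so the length is known, and it uses no OpenSSL calls at all, since the whole point is to avoid building an X509 object. The certificate bytes are constructed filler (a plausible DER SEQUENCE header followed by arbitrary bytes), not a real certificate. The fast paths can only reject; the only way to accept is the full memcmp(), which is what keeps a tampered header or a crafted near-miss from producing a false match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a pin check. The three REJECT values say which stage caught
 * the mismatch; only PIN_MATCH means the full buffer compared equal. */
typedef enum { PIN_MATCH, PIN_REJECT_LEN, PIN_REJECT_TAIL, PIN_REJECT_BODY } pin_result;

/* A pinned certificate: its DER bytes plus data precomputed for fast rejection. */
typedef struct {
    const unsigned char *der;
    size_t len;
    uint32_t tail;   /* last four DER bytes packed into one integer */
} pinned_cert;

/* Pack four bytes into a uint32_t. Byte order does not matter as long as
 * the known-good and incoming sides use the same packing. */
static uint32_t pack4(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Done once at start-up from the known-good DER. The last four bytes are
 * chosen over the first four because every certificate starts with the
 * same SEQUENCE header bytes, which would never reject anything. */
bool pin_init(pinned_cert *pin, const unsigned char *der, size_t len)
{
    if (der == NULL || len < 8)      /* too short to be a certificate */
        return false;
    pin->der = der;
    pin->len = len;
    pin->tail = pack4(der + len - 4);
    return true;
}

/* Compare an incoming DER buffer against the pin:
 *   1. length must match (free, the base64 decoder already produced it),
 *   2. last four bytes must match (one integer compare),
 *   3. only then memcmp() the whole buffer, which is the real decision. */
pin_result pin_check(const pinned_cert *pin, const unsigned char *der, size_t len)
{
    if (der == NULL || len != pin->len)
        return PIN_REJECT_LEN;
    if (pack4(der + len - 4) != pin->tail)
        return PIN_REJECT_TAIL;
    return memcmp(pin->der, der, len) == 0 ? PIN_MATCH : PIN_REJECT_BODY;
}

/* Constructed sample data (not real certificates): a DER SEQUENCE header
 * followed by filler bytes, and three variants a peer might present. */
static const unsigned char KNOWN_GOOD[] = {
    0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x04, 0x11, 0x22, 0x33, 0x44, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SAME[] = {                   /* identical copy */
    0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x04, 0x11, 0x22, 0x33, 0x44, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char TAIL_DIFF[] = {              /* last byte changed */
    0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x04, 0x11, 0x22, 0x33, 0x44, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xee };
static const unsigned char MID_DIFF[] = {               /* one middle byte changed */
    0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x04, 0x11, 0x22, 0x34, 0x44, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SHORT[] = {                  /* truncated: 20 bytes */
    0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x04, 0x11, 0x22, 0x33, 0x44, 0x05, 0x00 };

/* Convenience wrapper: pin KNOWN_GOOD, then check one incoming buffer. */
pin_result check_against_known_good(const unsigned char *der, size_t len)
{
    pinned_cert pin;
    if (!pin_init(&pin, KNOWN_GOOD, sizeof KNOWN_GOOD))
        return PIN_REJECT_LEN;
    return pin_check(&pin, der, len);
}

int main(void)
{
    static const char *names[] = { "MATCH", "REJECT_LEN", "REJECT_TAIL", "REJECT_BODY" };
    printf("same:      %s\n", names[check_against_known_good(SAME, sizeof SAME)]);
    printf("tail diff: %s\n", names[check_against_known_good(TAIL_DIFF, sizeof TAIL_DIFF)]);
    printf("mid diff:  %s\n", names[check_against_known_good(MID_DIFF, sizeof MID_DIFF)]);
    printf("short:     %s\n", names[check_against_known_good(SHORT, sizeof SHORT)]);
    return 0;
}
```

MID_DIFF is the case that matters for correctness: it survives both fast paths (same length, same last four bytes) and is rejected only by the memcmp(), which is why the integer compare must never be treated as a sufficient match on its own.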