Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number) - Openssl
On Fri, Jan 27, 2006, Richard Salz wrote:
> > I'd consider an implementation of memcmp that doesn't early stop as soon
> > as it sees a difference as completely broken, performance wise. Memcmp
> > returns an ordered comparison but that can be done as soon as the first
> > bit difference is seen.
> Me too. But look at the ASN1 for a certificate. Given two certs, how far
> down the chain are you first likely to see a difference? Use that as your
> DER offset. That's why I suggested starting at the *end*. I should have
> left out the part about starting at the beginning.
The first four octets will most likely be 0x30, 0x82, len_high, len_low so yes
that won't tell you much. Starting from the end will access the signature
which for valid (not maliciously constructed) certificates is likely to differ.
For a valid match you still need to compare the whole thing of course.
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
OpenSSL Project http://www.openssl.org
Development Mailing List firstname.lastname@example.org
Automated List Manager email@example.com
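The comparison strategy discussed in the thread, as an added example (not code from the thread or from OpenSSL): equality of two DER blobs is checked by length first, then byte by byte from the end, so that a difference in the trailing signature is found after examining very few bytes, while a true match still walks the entire buffer. The two sample blobs are constructed for illustration and are not real certificates; the `compared` counter is added only to make the difference in work visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample blobs (illustration only, not real certificates):
 * a 0x30 0x82 len_high len_low SEQUENCE header, a shared body standing in
 * for the TBSCertificate, and trailing bytes standing in for the signature.
 * CERT_B differs from CERT_A only in its final byte. */
#define SAMPLE_LEN 16
static const uint8_t CERT_A[SAMPLE_LEN] = {
    0x30, 0x82, 0x00, 0x0c,          /* SEQUENCE, 2-byte length = 12 */
    0xa0, 0x03, 0x02, 0x01, 0x02,    /* shared body */
    0x02, 0x01,
    0x11, 0x22, 0x33, 0x44, 0x55     /* "signature" */
};
static const uint8_t CERT_B[SAMPLE_LEN] = {
    0x30, 0x82, 0x00, 0x0c,
    0xa0, 0x03, 0x02, 0x01, 0x02,
    0x02, 0x01,
    0x11, 0x22, 0x33, 0x44, 0x56     /* last byte differs */
};

/* Equality test scanning from the end of the buffers.
 * Returns 1 if the blobs are identical, 0 otherwise.
 * *compared receives the number of byte positions examined. */
int der_equal_from_end(const uint8_t *a, size_t alen,
                       const uint8_t *b, size_t blen, size_t *compared)
{
    size_t i;
    *compared = 0;
    if (alen != blen)            /* different lengths can never be equal */
        return 0;
    for (i = alen; i > 0; i--) {
        (*compared)++;
        if (a[i - 1] != b[i - 1])
            return 0;            /* stop at the first differing byte */
    }
    return 1;                    /* a match requires every byte to agree */
}

/* Same contract, but scanning from the start (the memcmp-style walk),
 * for contrast: it must pass the shared header and body first. */
int der_equal_from_start(const uint8_t *a, size_t alen,
                         const uint8_t *b, size_t blen, size_t *compared)
{
    size_t i;
    *compared = 0;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++) {
        (*compared)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    size_t n;
    int eq;

    eq = der_equal_from_end(CERT_A, SAMPLE_LEN, CERT_B, SAMPLE_LEN, &n);
    printf("from end:   equal=%d, bytes examined=%zu\n", eq, n);

    eq = der_equal_from_start(CERT_A, SAMPLE_LEN, CERT_B, SAMPLE_LEN, &n);
    printf("from start: equal=%d, bytes examined=%zu\n", eq, n);

    eq = der_equal_from_end(CERT_A, SAMPLE_LEN, CERT_A, SAMPLE_LEN, &n);
    printf("same blob:  equal=%d, bytes examined=%zu\n", eq, n);
    return 0;
}
```

The reverse walk finds the mismatch after a single byte, the forward walk only after passing all sixteen, and comparing a blob with itself examines every byte in either direction; early exit only saves work on mismatches, never on a genuine match.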