On Fri, Jan 27, 2006, Richard Salz wrote:

> > I'd consider an implementation of memcmp that doesn't early stop as soon
> > as it sees a difference as completely broken, performance wise. Memcmp
> > returns an ordered comparison but that can be done as soon as the first
> > bit difference is seen.

> Me too. But look at the ASN1 for a certificate. Given two certs, how far
> down the chain are you first likely to see a difference? Use that as your
> DER offset. That's why I suggested starting at the *end*. I should have
> left out the part about starting at the beginning.

The first four octets will most likely be 0x30, 0x82, len_high, len_low, so yes,
that won't tell you much. Starting from the end will access the signature,
which for valid (not maliciously constructed) certificates is likely to differ
pretty quickly.

For a valid match you still need to compare the whole thing of course.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
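As an added illustration (not code from the thread or from OpenSSL), a tail-first equality check over two DER certificate buffers: it validates the 0x30 0x82 len_high len_low outer header the message describes, scans backwards so a difference in the signature at the end is found after a few bytes, and reports a match only after every byte has been compared. The buffer size and filler bytes in demo() are constructed for the example and are not real certificate content.

```c
#include <stddef.h>
#include <string.h>

/* Parse the long-form outer SEQUENCE header (0x30 0x82 hi lo) the thread
 * describes. Returns the declared body length, or 0 if the header is absent
 * or its length does not match the buffer actually handed to us. */
size_t der_outer_body_len(const unsigned char *der, size_t len)
{
    if (len < 4 || der[0] != 0x30 || der[1] != 0x82)
        return 0;
    size_t body = ((size_t)der[2] << 8) | der[3];
    if (body < 256 || body + 4 != len)   /* 0x82 form encodes 256..65535 */
        return 0;
    return body;
}

/* Return 1 if the two encodings are byte-identical, 0 otherwise.
 * The scan runs from the end, where the signature lives, so unrelated
 * certificates are rejected quickly; equality is only reported once
 * every byte has been compared (the "whole thing" in the reply). */
int der_cert_equal(const unsigned char *a, size_t alen,
                   const unsigned char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    if (der_outer_body_len(a, alen) == 0 || der_outer_body_len(b, blen) == 0)
        return 0;
    for (size_t i = alen; i > 0; i--) {
        if (a[i - 1] != b[i - 1])
            return 0;   /* early stop at the tail-most difference */
    }
    return 1;
}

/* Constructed sample: 4-byte header plus a 300-byte filler body (0x012c).
 * Compares two copies that differ only in the last byte when tail_differs
 * is nonzero, and two identical copies otherwise. */
int demo(int tail_differs)
{
    unsigned char a[304], b[304];
    a[0] = 0x30; a[1] = 0x82; a[2] = 0x01; a[3] = 0x2c;
    for (size_t i = 4; i < sizeof a; i++)
        a[i] = (unsigned char)(i * 7);   /* arbitrary filler, not real DER */
    memcpy(b, a, sizeof a);
    if (tail_differs)
        b[303] ^= 0x01;
    return der_cert_equal(a, sizeof a, b, sizeof b);
}
```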