List:       mozilla-crypto
Subject:    Re: Encoding and comparing certificates with NSS
From:       Ambroz Bizjak <ambrop7 () gmail ! com>
Date:       2011-02-01 11:22:45
Message-ID: f480e89c-05eb-40b9-817b-9f6054cf04c6 () o39g2000prb ! googlegroups ! com

On Feb 1, 12:45 am, Robert Relyea <rrel...@redhat.com> wrote:

> If I were you, I'd double check my byte compare code in B. Try
> connecting to A with one cert and to B with another and make sure it
> fails. In our previous example, you clearly had a mangled version of
> certificate C sent to B, but you indicated that B accepted C's real
> cert as equal. That tells me you may not be doing your compare correctly.

Thank you, but the byte compare is fine. It was working because I was
comparing two re-encoded certs: A re-encoded C's cert and sent it to
B, and when B accepted the connection from C, it also re-encoded the
cert, and they matched because both A and B were doing the re-encoding
the same way. Also when I fixed A to send B the real cert and left B
to compare it against the re-encoded cert, the compare failed, which
proves that it's comparing fine.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
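
The situation described in this message, as an added example that is not part of the original thread and does not use NSS: two peers that both re-encode a certificate agree with each other, while the bytes actually sent on the wire do not match a re-encoded copy. The blob is a constructed TLV structure, not a real certificate, and its non-minimal length byte is an assumed stand-in for whatever the re-encoding changed, which the thread does not state.

```python
# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "abc" } whose outer
# length is written in long form (81 08) instead of the minimal short form (08).
WIRE_CERT = bytes.fromhex("30810802010504 03616263".replace(" ", ""))
OTHER_CERT = bytes.fromhex("3008020106 0403616263".replace(" ", ""))

def read_tlv(buf, pos):
    """Parse one TLV (single-byte tag); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def encode_len(n):
    """Minimal (DER) length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def reencode(buf):
    """Decode and re-serialise, recursing into constructed types."""
    out, pos = bytearray(), 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:  # constructed: children are re-encoded too
            value = reencode(value)
        out += bytes([tag]) + encode_len(len(value)) + value
    return bytes(out)

def scenarios():
    """Outcome of the byte compare on B in each setup from the thread."""
    return {
        "A and B both re-encode": reencode(WIRE_CERT) == reencode(WIRE_CERT),
        "A sends real cert, B re-encodes": WIRE_CERT == reencode(WIRE_CERT),
        "both keep the original bytes": WIRE_CERT == WIRE_CERT,
        "different cert, original bytes": OTHER_CERT == WIRE_CERT,
    }
```

Comparing the bytes exactly as received, on both sides, is the only setup here that matches the real certificate and still rejects a different one.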