Compare SSL certificates through signature: is this enough?

Question

Compare SSL certificates through signature: is this enough?

The system architecture I'm working on requires a comparison between two SSL / TLS certificates (usually X.509). That is, I need to check if the two certificates match or not.

I don’t care if they are expired or self-signed, I just want to be sure that they are not changed in any way.

What is the most correct way to perform such an operation? Would it be sufficient to compare the two signatures (two bytes []) of these certificates, or is this operation subject to actions that I have not considered so far?

+4

java android ssl-certificate

Sebastiano Mar 15 '13 at 10:56

source share

1 answer

class stacker · Accepted Answer · 2013-03-15T11:10:30+0000

I don’t think that comparing two signatures is enough, unless your code directly receives certificates from any instance, which ensures that the signature has also been verified on the certificate itself. Therefore, in many cases, I would say no.

I believe that the most flexible, correct way would be to verify the integrity of the two certificates (body versus signature) individually, and then directly compare all the information in the certificates that you need to be identical. (I do it this way because I'm not sure if you need full identification).

However, if your goal is to verify the certificate sent by the server for authentication, then it is not necessary to have a copy of the entire certificate in your code; in this case, you can check the server certificate, and then check its body for a secure hash, which is stored in your application.

Compare SSL certificates through signature: is this enough?

More articles: