1
SSL_CTX *ctx1;
SSL_CTX *ctx2;

X509 *defaultDeviceCert = SSL_CTX_get0_certificate(ctx1);   
X509 *ldapDeviceCert = SSL_CTX_get0_certificate(ctx2);

X509_cmp(defaultDeviceCert, ldapDeviceCert);

i tried to compare without loading certificate to ctx1 and ctx2. X509_cmp function crashes memory.

int X509_cmp(const X509 *a, const X509 *b)
{
    int rv;

    /* ensure hash is valid */
    X509_check_purpose((X509 *)a, -1, 0);
    X509_check_purpose((X509 *)b, -1, 0);

    rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
    if (rv)
        return rv;
    /* Check for match against stored encoding too */
    if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) {
        rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);
        if (rv)
            return rv;
        return memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc,
                      a->cert_info->enc.len);
    }
    return rv;
}

X509_check_purpose function is crashed.

Generally in my application, i load certificate to both SSL context ctx1 and ctx2. but, in some cases, it will not load certificate. it will compare it. how can i handle such situation.

  • Please make a [minimal, **complete** and **verifiable** example](http://stackoverflow.com/help/mcve). With what you show so far it is impossible to reproduce the problem. My guess is that the X509* you give to the function is somehow invalid (like already freed) but this is impossible to verify with what you offer as information. – Steffen Ullrich Aug 23 '16 at 13:55
  • 1
    You gotta do better than a simple `memcmp`. For the higher level questions, see [How to get the Root CA Certificate Fingerprint using openssl](http://stackoverflow.com/a/38904220/608639) and the answer that starts with *"I'll wander into the pool with an answer for "X.509 certificate equivalency" since its not readily apparent or easy to come by."*. – jww Sep 12 '16 at 12:52

0 Answers0