Java – compare SSL certificates by signature: is that enough?

Android

The system architecture I am working on needs to compare two SSL / TLS (usually X.509) certificates. That is, I need to verify whether the two certificates are the same

I don't care if they expire or self - sign, I just want to make sure they haven't been changed in any way

Which method is the most correct? Is it enough to compare the two signatures of these certificates (two bytes []), or is this operation prone to vulnerabilities I haven't considered so far?

resolvent:

I don't think it's enough to compare two signatures, unless your code directly obtains the certificate from an instance, which ensures that the signature has also been checked according to the certificate itself. So in many cases, I will say: No

I think the most flexible and correct method is to check the integrity of the two certificates (body and signature) respectively, and then directly compare all the information you need in the certificates. (I say this because I'm not sure you need complete identity)

However, if your goal is to check whether the certificate sent by the server is true, it is not necessarily wise to obtain a copy of the whole Certificate in your code; In this case, you can verify the server's certificate and then check its body against the security hash stored in the application

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.
THE END
分享
二维码
< <上一篇
下一篇>>