Singh, Rahul - SINRY001 wrote:
> 
> Hi,
> I am doing a project that is using the SSLeay library. I started using the
> library before I found out about openssl and would not like to change to
> openssl if I have to rewrite my code. Is there much difference in ssleay and
> openssl? Would I have to redo a lot to make the change?
> 

You shouldn't have to change very much. However some things needed all
manner of hacks to get working with SSLeay (like certificate extensions) 
these should be easier with OpenSSL.

> The problem I am having is that I would like to embed a fingerprint biometric
> (unsigned char * biometric) into an X.509 Certificate as an attribute object. I
> think I should be able to put it as part of the DN but that would not be
> appropriate.
> 
> I have some example code by Eric Young (req.c) that adds attribute objects to
> an X.509 request but there is nothing about adding those attributes to the
> X.509 certificate itself. Can this be done using SSLeay or is the facility not
> available? If not in SSLeay can I do it using openssl?
> 
> If in neither then how would I go about including the biometric template into
> the X.509 Certificate?
> 

Placing it in the DN is not advisable, there's enough rubbish in there
as it is.

Assuming there isn't some standard for this already (you might like to
ask in some other mailing lists) then the best place is in a certificate
extension.

I'd say something like "Subject Alternative Name" is most appropriate.
This according to RFC2459 "allows additional identities to be bound to
the subject of the certificate" currently things like email addresses or
domain names etc.

There is an option called "OtherName" which has this format:

      OtherName ::= SEQUENCE {
           type-id    OBJECT IDENTIFIER,
           value      [0] EXPLICIT ANY DEFINED BY type-id }

What this means is you include an OID and then can put what you want in
the value. An example would be to register an OID that will mean "XXXX
biometric data" (where XXXX is whatever format you are using) and then
just put the data as an OCTET STRING in the value.

Check out the documentation in doc/openssl.txt for information on the
certificate extension code.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
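The following is an added example, not code from the post above or from OpenSSL/SSLeay. It builds, byte for byte, the subjectAltName extension Steve describes: a GeneralNames SEQUENCE holding an OtherName whose type-id is an OID and whose value is the template as an OCTET STRING in the [0] EXPLICIT slot, and then parses it back. It is plain DER in pure Python with no library dependency so the wire layout is visible; the OID 1.3.6.1.4.1.99999.1 is a hypothetical private-arc identifier (you would register your own), and the 32-byte "template" is constructed filler standing in for a real fingerprint template.

```python
"""Encode and decode a subjectAltName extension carrying a biometric
template as an OtherName (RFC 2459 section 4.2.1.7), hand-rolled DER."""

SAN_OID = "2.5.29.17"                   # id-ce-subjectAltName
BIOMETRIC_OID = "1.3.6.1.4.1.99999.1"   # ASSUMPTION: hypothetical private-arc OID
SAMPLE_TEMPLATE = bytes(range(32))      # constructed stand-in for a real template


def _der_len(n):
    """DER length: short form below 128, else 0x8N prefix plus N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """OBJECT IDENTIFIER contents: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def encode_other_name(type_oid, value_bytes):
    """OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
    GeneralName tags it [0] IMPLICIT, so the outer SEQUENCE tag (0x30) is
    replaced by context tag 0xA0; the inner [0] EXPLICIT wrapper is also 0xA0
    and keeps the OCTET STRING (0x04) inside it."""
    body = _tlv(0x06, _encode_oid(type_oid)) + _tlv(0xA0, _tlv(0x04, value_bytes))
    return _tlv(0xA0, body)


def encode_dns_name(name):
    """dNSName is GeneralName [2] IMPLICIT IA5String -> tag 0x82."""
    return _tlv(0x82, name.encode("ascii"))


def encode_san_extension(general_names, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }, extnValue holding DER of SEQUENCE OF GeneralName."""
    names = _tlv(0x30, b"".join(general_names))
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _tlv(0x06, _encode_oid(SAN_OID)) + flag + _tlv(0x04, names))


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos); reject truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_san_other_names(der):
    """Return [(type-id, octet-string value)] for every OtherName in a SAN
    extension, skipping other GeneralName choices; raise on malformed input."""
    tag, ext, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = _read_tlv(ext, 0)
    if tag != 0x06 or _decode_oid(oid) != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    tag, extn_value, pos = _read_tlv(ext, pos)
    if tag == 0x01:                      # optional critical flag present
        tag, extn_value, pos = _read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING missing")
    tag, names, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames SEQUENCE missing")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                  # rfc822Name, dNSName, ... are not OtherName
            continue
        t, oid, p = _read_tlv(body, 0)
        if t != 0x06:
            raise ValueError("OtherName without type-id")
        t, explicit, _ = _read_tlv(body, p)
        if t != 0xA0:
            raise ValueError("OtherName value is not [0] EXPLICIT")
        t, value, _ = _read_tlv(explicit, 0)
        if t != 0x04:
            raise ValueError("expected OCTET STRING value")
        found.append((_decode_oid(oid), value))
    return found


def build_sample_extension():
    """SAN with the constructed template plus a dNSName, to show the mix."""
    return encode_san_extension([encode_other_name(BIOMETRIC_OID, SAMPLE_TEMPLATE),
                                 encode_dns_name("example.com")])


if __name__ == "__main__":
    ext = build_sample_extension()
    print(ext.hex())
    print(decode_san_other_names(ext))
```

In a real build you would hand the OtherName to the library's X509V3 extension code rather than emitting DER yourself; the point of the hand-rolled version is to show why both the GeneralName wrapper and the value wrapper carry tag 0xA0 (IMPLICIT [0] replaces the SEQUENCE tag, EXPLICIT [0] adds one), which is the usual mistake when this structure is assembled by hand. Note also that anything placed here is public in every copy of the certificate, so the template should be in whatever form you are comfortable publishing.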