At 09:58 07.01.00 +0100, Flemming Jans wrote:
Hello Flemming,
>Andrew Cooke wrote:
>>
>> Flemming Jans wrote:
>> > I'm using openssl 0.9.4 on Sparc Solaris 2.6/2.7 for a webserver like
>> > process which must recognize customers from a simple username/password
>> > scheme or from a client certificate.
>> >
>> > The customer 'subscription' is stored in a database where the username
>> > is the unique identifier.
>> >
>> > 1) When using a client certificate I guess the unique username must be
>> > stored in the certificate right ? Is the field Common Name (CN) used for
>> > this purpose ? Am I guaranteed that this field is unique or is this up
>> > to the CA issuing the certificate?
>>
>> Since openssl is both open source and can generate certificates, I can't
>> think of a mechanism that could possibly guarantee that CNs were
>> unique! The simplest solution might be to use the hash of the
>> certificate (SSL_get_peer_certificate; x509_digest) - for all practical
>> purposes, this is unique.
>
>Ok, I have tried the following code snip which works:
>
>client_cert = SSL_get_peer_certificate(con);
>X509_digest(client_cert, EVP_md5(), digest, &digest_len);
>
>Which message digest should I use ? md5 or other ? Is the digest
>guaranteed to be unique mathematically or how does a digest work??
>From all I've heard, sha1 is a better digest.
There are collisions possible.
But it is very unlikely that the other data would be a valid cert.
If you are really concerned you could calculate 2 digests (SHA1, MD5)
and use a concatenation of these:
1. It is possible that there is some data with the same digest (MD5)
as the cert.
2. It is very unlikely this other data (from 1.) is a valid cert.
3. It is possible that there is some data with the same digest (SHA1)
as the cert.
4. It is very unlikely this other data (from 3.) is a valid cert.
5. Has ever somebody calculated the propability of 2 digests
colliding on the same data ?
6. I won't think about the propability of some data from 5.
to be a valid cert.
By
Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
