> Richard Dykiel wrote:
> 
> Hello,
> I am studying how pkcs7 works in openssl, particularly for encryption
> (enveloped data). Except if I made a mistake, it seems that pkcs7
> encryption is made in memory, hence precluding encrypting very huge
> files: am I right?
> 

Yes you are. Unfortunately the way OpenSSL handles ASN1 is also memory
rather than I/O based.

> Say you want to envelop a file:
> - PKCS7_dataInit returns a BIO (p7bio) that is a
> BIO_f_cipher+BIO_s_mem
> - data is enveloped by BIO_write(p7bio, data)
> - PKCS7_dataFinal "steals" the memory buffer of p7bio to attach it to
> the p7 structure
> - i2d_PKCS7_bio encodes the p7 structure in asn.1: in fact
> ASN1_i2d_bio gets called and it works entirely in a malloced temporary
> memory buffer!!
> 
> So if we encode a given file, the encoded data are present twice in
> memory: in the p7structure, and in the asn1 temporary buffer.
> 
> What directions should I take if I want to be able to encrypt large
> files in pkcs7 structures? It seems to me I should rewrite some PKCS7
> functions, as well as try to change the ASN1 encoding so that it can
> work as a BIO filter?
> 

Encrypting huge files isn't too hard. You chop up the PKCS#7 structure
round the encrypted content and dump the encrypted stuff as an "on the
fly" indefinite length constructed OCTET STRING.

The really nasty bit is decrypting if you want to properly handle 
the relevant ASN1 nuances and persuade the internal memory based stuff
to work.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
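The "on the fly" indefinite-length constructed OCTET STRING framing Steve describes, as an added example that is not part of the original thread or of OpenSSL's code. The writer frames ciphertext segments as they arrive and never needs the total length; the reader handles the ASN.1 forms a decrypter has to accept (definite primitive, definite constructed, indefinite constructed, and constructed segments nested inside constructed ones) without ever holding the content whole in memory. Assumptions: the content is a constructed placeholder rather than real ciphertext (no cipher is involved), the [0] IMPLICIT context tag carried by PKCS#7's encryptedContent is taken as 0x80, and the function names are my own.

```python
"""Streaming BER framing for large enveloped content (X.690 8.1.3.6, 8.7).

Indefinite-length constructed OCTET STRING on the wire:
    24 80   04 <len> <segment>   04 <len> <segment> ...   00 00
Placeholder content stands in for ciphertext; no cipher is used here.
"""
import io
from typing import Iterable, Iterator

OCTET_STRING = 0x04
CONSTRUCTED = 0x20
CONTEXT_0 = 0x80   # [0] IMPLICIT, assumed tag of PKCS#7 encryptedContent


def encode_length(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def stream_octet_string(segments: Iterable[bytes], tag: int = OCTET_STRING) -> Iterator[bytes]:
    """Yield BER bytes for an indefinite-length constructed string, one segment
    at a time. Inner segments are always universal OCTET STRING (0x04), even
    when the outer tag is an implicit context tag such as [0]."""
    yield bytes([tag | CONSTRUCTED, 0x80])
    for seg in segments:
        if seg:
            yield bytes([OCTET_STRING]) + encode_length(len(seg)) + seg
    yield b"\x00\x00"                               # end-of-contents


class _Reader:
    """Tracks the byte offset; definite constructed forms end by position."""
    def __init__(self, f):
        self.f, self.pos = f, 0

    def read(self, n: int) -> bytes:
        data = self.f.read(n)
        if len(data) != n:
            raise ValueError("truncated input")
        self.pos += n
        return data


def _read_length(r: _Reader):
    first = r.read(1)[0]
    if first == 0x80:
        return None                                 # indefinite form
    if first < 0x80:
        return first
    return int.from_bytes(r.read(first & 0x7F), "big")


def _iter_body(r: _Reader, tag: int, want: int, chunk: int) -> Iterator[bytes]:
    """Yield string content; `tag` is the identifier octet already consumed."""
    length = _read_length(r)
    if tag == want:                                 # primitive form
        if length is None:
            raise ValueError("primitive encoding with indefinite length")
        while length:
            piece = r.read(min(chunk, length))
            length -= len(piece)
            yield piece
    elif tag == (want | CONSTRUCTED):
        if length is None:                          # segments until 00 00
            while True:
                t = r.read(1)[0]
                if t == 0x00:
                    if r.read(1)[0] != 0x00:
                        raise ValueError("malformed end-of-contents")
                    return
                yield from _iter_body(r, t, OCTET_STRING, chunk)
        else:                                       # definite constructed
            end = r.pos + length
            while r.pos < end:
                yield from _iter_body(r, r.read(1)[0], OCTET_STRING, chunk)
            if r.pos != end:
                raise ValueError("segment overruns enclosing length")
    else:
        raise ValueError(f"unexpected tag 0x{tag:02x}, wanted 0x{want:02x}")


def iter_octet_string(f, tag: int = OCTET_STRING, chunk: int = 4096) -> Iterator[bytes]:
    """Stream the OCTET STRING at the current position of file-like `f`."""
    r = _Reader(f)
    yield from _iter_body(r, r.read(1)[0], tag, chunk)


def decode_bytes(encoded: bytes, tag: int = OCTET_STRING) -> bytes:
    """Join the streamed content; for small inputs and tests only."""
    return b"".join(iter_octet_string(io.BytesIO(encoded), tag))


def is_malformed(encoded: bytes, tag: int = OCTET_STRING) -> bool:
    """True if the reader rejects `encoded` (truncation, bad tag, bad form)."""
    try:
        decode_bytes(encoded, tag)
        return False
    except ValueError:
        return True


def roundtrip(data: bytes, segment: int = 8192, tag: int = CONTEXT_0) -> bool:
    """Frame `data` in segments as a writer would, stream it back, compare."""
    segments = (data[i:i + segment] for i in range(0, len(data), segment))
    encoded = b"".join(stream_octet_string(segments, tag))
    return decode_bytes(encoded, tag) == data


if __name__ == "__main__":
    fake_ciphertext = bytes(range(256)) * 1200      # constructed stand-in, 300 KB
    print("roundtrip ok:", roundtrip(fake_ciphertext))
```

The same trick applies to the SEQUENCEs that enclose the content (EncryptedContentInfo, EnvelopedData, the outer ContentInfo): their lengths are equally unknown up front, so a streaming writer gives them the 0x80 length octet and closes each with 00 00, while the fixed fields before the content (version, recipient infos, algorithm identifier) can still be emitted in ordinary definite-length DER.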
