On Thu, Sep 05, 2002, Chris Jarshant wrote:

> > > Which shows the "-nd" flag (and corresponding
> > > API, PKCS7_set_detached()) has no effect. Anyone
> > > know why? Is this a permanent change?
> >
> > The preferred method for using PKCS#7 is the high level API or the smime
> > utility, the 'sign' utility is rather old and clunky.
> >
> > I'll check to see if this happens with the smime utility.
> >
> > Steve.
>
> Steve,
>
> Thanks a bunch for the tip. I was just using the "sign" utility
> to illustrate the ineffectiveness of the PKCS7_set_detached()
> API in recent versions of the toolkit.
>

There is a bug but it's AFAICS 0.9.7+ only, 0.9.6g seemed to work. I'll fix it
shortly.

> Which High-level APIs were you referring to? If you are
> referring to the PKCS7_sign() API, I looked into using it,
> but the problem is that the data I want to sign is only available
> from running a series of commands in a row. The PKCS7_sign()
> API only takes one BIO. Perhaps I should investigate writing
> my own BIO type that can take an array of shell commands,
> and produces the output from the shell commands when
> you read from the BIO? For example:
>
> BIO b = new my_bio();
> b.addCommand("/usr/bin/echo foo");
> b.addCommand("/usr/bin/echo bar");
> char *result = b.BIO_read(...);
>
> and result would be "foobar".
>

If the data isn't too large then a memory BIO may do the trick: see BIO_s_mem
manual page.

> If I did this, could I then pass it to
> PKCS7_sign()? Is it possible for 3rd-party developers such
> as myself to write my own BIO, without doing so in the
> openssl environment that openssl API developers have?
> The other drawback was that I saw a lot of "smime"-looking
> things going on in PKCS7_sign(), which is of no use to
> me, and worries me that it might interfere with what my
> application is doing. I don't want or need PKCS7-signed
> objects floating around with smime-looking attributes.
>

You can get rid of many of the S/MIME related attributes by passing the
relevant flags to PKCS7_sign (see the smime manual page and smime.c source
code).

> Currently I am using something like this:
>
> PKCS7_content_new(p7, ...);
> p7bio = PKCS7_dataInit(...);
> PKCS7_set_detached(p7);
> while ((data = get_some_data()) != NULL) {
>     BIO_write(p7bio, data);
> }
> PKCS7_dataFinal(p7, p7bio);
> fp = resulting_signature_file();
> PEM_write_PKCS7(fp, p7);
>
> Is there a better way?
>

If the data will fit in a memory BIO then PKCS7_sign should be OK. If it is too
large then currently you may have to use the low level API.
I'll look into extending PKCS7_sign() to handle this case too.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
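
The smime utility route mentioned in the reply, as an added example that is not part of the original message or of OpenSSL itself: it signs the concatenated output of several commands as a detached PKCS#7 signature without S/MIME attributes, then checks that the result really is detached. The function names, file names and the throwaway self-signed signer are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are
# hypothetical; the signer is a constructed throwaway certificate.

# make_signer DIR: create a demo key and self-signed certificate in DIR.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# sign_stream KEY CERT SIG: sign whatever arrives on stdin.
# smime -sign is detached unless -nodetach is given; -noattr drops the
# S/MIME signed attributes, -binary disables CRLF canonicalisation.
sign_stream() {
    openssl smime -sign -binary -noattr -outform PEM \
        -inkey "$1" -signer "$2" -out "$3"
}

# verify_detached CERT SIG DATA: check SIG over DATA, trusting only CERT.
verify_detached() {
    openssl smime -verify -binary -inform PEM -in "$2" -content "$3" \
        -CAfile "$1" -out /dev/null 2>/dev/null
}

# is_detached CERT SIG: true when SIG cannot be verified without external
# content, i.e. the data was not embedded (the property the thread found
# missing). Use together with verify_detached, which proves SIG is valid.
is_detached() {
    ! openssl smime -verify -binary -inform PEM -in "$2" \
        -CAfile "$1" -out /dev/null </dev/null 2>/dev/null
}

# demo: sign the output of a series of commands run in a row.
demo() {
    dir=$(mktemp -d) || return 1
    make_signer "$dir" || return 1
    { printf 'foo'; printf 'bar'; } | tee "$dir/data" |
        sign_stream "$dir/key.pem" "$dir/cert.pem" "$dir/sig.pem" || return 1
    verify_detached "$dir/cert.pem" "$dir/sig.pem" "$dir/data" &&
        is_detached "$dir/cert.pem" "$dir/sig.pem" &&
        echo "detached signature verifies over: $(cat "$dir/data")"
    rc=$?; rm -rf "$dir"; return $rc
}

case "${1:-}" in demo) demo ;; esac
```

Run the script with the argument `demo` to see the whole flow; the data must be kept alongside the signature because a detached signature does not carry it.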