On Mon, Nov 28, 2005, Brian Daugherty wrote:

> hi,
>
> I need to PKCS7 sign and verify a several megabyte buffer.
> This raises lots of fun issues with streaming and memory management.
>
> From what I've been able to learn so far using a detached
> PKCS7 structure along with PKCS7_dataInit() and PKCS7_dataFinal()
> calls to stream the large content buffer is the way to go for
> calculating the signature.
>
> One of the requirements I have is that the detached content and
> the PKCS7 signatures must both be stored in a single file. This
> means I'll have my PKCS7 signed structure in DER format trailed by
> the signed contents. Creating the file is straightforward. Reading
> it in for verification is something I'm confused about.
>
> Is there a way to determine the actual length of the
> PKCS7_SIGNED data so I can find the offset of the contents?
>
> What I want is to call d2i_pkcs7_bio() to retrieve the PKCS7_SIGNED
> data, then use its size to skip ahead to the correct offset and
> start the signature validation. If it helps at all both the
> PKCS7_SIGNED data and the signed content will already be loaded into
> memory (however there's not enough memory to allocate space for the
> ASN1 parsing of both).
>

Ideally the thing should be handleable in BER format if the OpenSSL ASN1 code
streamed data properly. Unfortunately I haven't been able to get enough people
interested in that so far...

Anyway calling i2d_PKCS7() on the PKCS7 structure will return its length which
you can then use as an offset.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
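
An added example, not part of the original thread and not OpenSSL code: because DER uses definite lengths, the size of the leading PKCS7 structure can also be read from its outer SEQUENCE header without parsing it, which gives the offset of the trailing content. The name `der_element_size` is hypothetical and the sample bytes are constructed; BER indefinite-length input and lengths that run past the buffer are rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Total size (header + body) of the DER SEQUENCE at the start of buf.
 * Returns 0 if the header is truncated, uses BER indefinite length, is not
 * minimally encoded, or claims more bytes than buflen holds. */
size_t der_element_size(const uint8_t *buf, size_t buflen)
{
    if (buf == NULL || buflen < 2 || buf[0] != 0x30)  /* 0x30 = SEQUENCE */
        return 0;

    size_t hdr = 2, body = buf[1];
    if (body >= 0x80) {                  /* long form: low 7 bits = byte count */
        size_t n = body & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > buflen - 2)
            return 0;                    /* n == 0 is BER indefinite length */
        if (buf[2] == 0)
            return 0;                    /* DER forbids leading zero bytes */
        body = 0;
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (body < 0x80)
            return 0;                    /* DER requires the short form here */
        hdr += n;
    }
    if (body > buflen - hdr)             /* never trust a length past the buffer */
        return 0;
    return hdr + body;
}

int main(void)
{
    /* Constructed sample: a 5-byte DER SEQUENCE followed by trailing "DATA". */
    const uint8_t file[] = { 0x30, 0x03, 0x02, 0x01, 0x05, 'D', 'A', 'T', 'A' };
    size_t off = der_element_size(file, sizeof file);
    printf("content starts at offset %zu\n", off);
    return off == 5 ? 0 : 1;
}
```
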