On Tue, Feb 26, 2013, Dirk-Willem van Gulik wrote:

> 
> On 23 Feb 2013, at 14:47, Dirk-Willem van Gulik wrote:
> 
> > I am struggling to find a clean way to add a pub-key to encrypt against to 
> > an existing pkcs7/smime file. Without having to change the existing entries.
> > 
> > The use case is that of a key rollover (on for example a very long term 
> > backup) where one would want to add an extra decryption key (years) later.  
> > And ideally do so without disturbing the old keys already there*. The 
> > old(er) keys can stay; and the length (or key itself) does not need to be 
> > updated in this particular use case. So I had hoped that I could simply 
> > decrypt one of the keys; re-encrypt it with the new cert and add it to the 
> > sequence of CN/serial/rsaEncryption preceding the pkcs7-data block.
> > 
> > However looking at PKCS7_final/PKCS7_dataFinal - it seems that the APIs in 
> > openssl for this are not ideal -- all the work is inside PKCS7_dataInit - 
> > which also does a lot of other things.
> > 
> > Is there a clean API to use for this ? Is the best approach to simply 
> > cut-and-paste PKCS7_encrypt and fiddle with things ?
> > 
> > Any advice appreciated,
> 
> We ended up writing up below - which basically pulls in the ASN1 structure and 
> tries to manipulate it without much ado. No idea if this is a good or bad 
> idea - but for our limited use it 'works for me'. Comments and advice 
> appreciated.
> 
> Note that we had to pull in some non-exposed functions from pk7_lib/doit.c - 
> so perhaps longer term it would be nice to see such as part of the API.
> 

When I first looked at this I'd hoped that you could do it cleanly using the
CMS API.

You can *almost* get there but not quite. There are functions to access and
decrypt the recipient info structure and save the content encryption key and
add new recipient certificate details.

Unfortunately there is a missing piece: there is no way to currently encrypt
the extracted content encryption key with the newly added recipient. That will
be fixed at some point.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
