Detached envelope

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Detached envelope

Pablo J Royo
Hi:
 
Is there any way to create a detached PKCS7 envelope with openssl utilities (smime) ?
 
Thanks
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Victor B. Wagner
On 2005.11.03 at 09:27:21 +0100, Pablo J Royo wrote:

>
>    Hi:
>
>
>
>    Is there any way to create a detached PKCS7 envelope with openssl
>    utilities (smime) ?

Create S/MIME message and extract signature part using any
mime-capable tool or just some text processing utitity
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Pablo J Royo

> >    Is there any way to create a detached PKCS7 envelope with openssl
> >    utilities (smime) ?
>
> Create S/MIME message and extract signature part using any
> mime-capable tool or just some text processing utitity

This is not an option, because I need to do this inside my programs.

I've been searching Internet with no results. It seems nobody is using
detached envelopes.

In fact, I have used OpenSSL pkcs7 routines to create and read detached
envelopes, but I'm not sure if my envelopes are correct, because there is no
other application to check them.
All I know is that CryptoAPI correctly reads my PKCS7 headers, but gives an
ASN1 bad tag error when reading the (detached) ciphered data, or tries to
decipher more bytes than I put on my envelope, so I don't know what part is
failing, if encryption or decryption.
Thanks anyway.






______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Dr. Stephen Henson
On Fri, Nov 04, 2005, Pablo J Royo wrote:

> In fact, I have used OpenSSL pkcs7 routines to create and read detached
> envelopes, but I'm not sure if my envelopes are correct, because there is no
> other application to check them.
> All I know is that CryptoAPI correctly reads my PKCS7 headers, but gives an
> ASN1 bad tag error when reading the (detached) ciphered data, or tries to
> decipher more bytes than I put on my envelope, so I don't know what part is
> failing, if encryption or decryption.

Neither the OpenSSL command line utility (smime) nor the simplified S/MIME API
support detached data with the PKCS#7 enveloped data type. I've not come
across them in practice.

You should however be able to reattach/detach the envelope from the PKCS7
structure.

Then if a reattached envelope can be decrypted OK by the smime utility it
should be OK.

Not sure why CryptoAPI would give a bad tag error on the detached data, it
shouldn't be using an ASN1 parser on it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Victor B. Wagner
In reply to this post by Pablo J Royo
On 2005.11.04 at 14:02:04 +0100, Pablo J Royo wrote:

>
> > >    Is there any way to create a detached PKCS7 envelope with openssl
> > >    utilities (smime) ?
> >
> > Create S/MIME message and extract signature part using any
> > mime-capable tool or just some text processing utitity
>
> This is not an option, because I need to do this inside my programs.

It is no problem. "mime-capable tool" can be a library routine as well.

With some effort you even can keep every bit temporary data in the core
memory, avoiding writing of temporary files. BIO abstraction in OpenSSL
is powerful enough to do this.

> I've been searching Internet with no results. It seems nobody is using
> detached envelopes.
>
> In fact, I have used OpenSSL pkcs7 routines to create and read detached
> envelopes, but I'm not sure if my envelopes are correct, because there is no
> other application to check them.

If openssl utility is able to check them using -contents option, they
are probably correct.

> All I know is that CryptoAPI correctly reads my PKCS7 headers, but gives an
> ASN1 bad tag error when reading the (detached) ciphered data, or tries to
> decipher more bytes than I put on my envelope, so I don't know what part is
> failing, if encryption or decryption.

I've thought that detached envelopes are for signing, not for
encryption. I cannot imagine useful application for detached envelope
for encrypted data.

Can you point me to the standard document which describes usage of
detached envelopes for ENCRYPTED data?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Pablo J Royo
> With some effort you even can keep every bit temporary data in the core
> memory, avoiding writing of temporary files. BIO abstraction in OpenSSL
> is powerful enough to do this.

The reason I want to use detached data, is to avoid having all my data  in
memory. Now, OpenSSL handles all PKCS7 stuff in memory.
Using detached data is possible to cipher the stream of bytes, no matter how
big it is,  with the symmetric key, then dump the PKCS7 with this key
encrypted.
In fact, may be more correct to change i2d_PKCS7 and d2i_PKCS7 in some way,
so pointers to access the data are not used, but a BIO so you can
read/create big PKCS7 without loading them in memory.

> Can you point me to the standard document which describes usage of
> detached envelopes for ENCRYPTED data?
>
No, I can't...but I can't find some place where it said is prohibited. My
app must transport big amounts of data, so I can't load them in memory, so
if I want to keep on using OpenSSL to assure portability I must use detached
PKCS7.
Anyway, I think the use of detached or not is an app issue, more than a
standard issue.




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Victor B. Wagner
On 2005.11.07 at 10:14:42 +0100, Pablo J Royo wrote:

> > With some effort you even can keep every bit temporary data in the core
> > memory, avoiding writing of temporary files. BIO abstraction in OpenSSL
> > is powerful enough to do this.
>
> The reason I want to use detached data, is to avoid having all my data  in
> memory. Now, OpenSSL handles all PKCS7 stuff in memory.
> Using detached data is possible to cipher the stream of bytes, no matter how
> big it is,  with the symmetric key, then dump the PKCS7 with this key
> encrypted.
> In fact, may be more correct to change i2d_PKCS7 and d2i_PKCS7 in some way,
> so pointers to access the data are not used, but a BIO so you can
> read/create big PKCS7 without loading them in memory.

There is patch somewhere which does allow to handle big files.
Look into contrib directory on OpenSSL site.

Really, standards allow stream processing of PKCS7 data, and BIO
abstraction in OpenSSL is powerful enough to handle any pkcs7 operation
without having everything in core. At least in some cases.
It is just problem of pkcs7 routines that they do not support stream
operations.

There is real problem with stream operations on S/MIME data, because
S/MIME doesn't allow any digest except (now considered insecure MD5 and
SHA1) to be specified in MIME headers.

But it is not a problem for opaque signing and encryption/decription,
because in PKCS7 digest is specified by OID.

>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Detached envelope

Dr. Stephen Henson
On Mon, Nov 07, 2005, Victor B. Wagner wrote:

>
> Really, standards allow stream processing of PKCS7 data, and BIO
> abstraction in OpenSSL is powerful enough to handle any pkcs7 operation
> without having everything in core. At least in some cases.
> It is just problem of pkcs7 routines that they do not support stream
> operations.
>
> There is real problem with stream operations on S/MIME data, because
> S/MIME doesn't allow any digest except (now considered insecure MD5 and
> SHA1) to be specified in MIME headers.
>
> But it is not a problem for opaque signing and encryption/decription,
> because in PKCS7 digest is specified by OID.
>

There is partial support for streaming of the cleartext signed data in 0.9.9.

I have some prototype code which can encode any PKCS#7 type by streaming but it
really needs the companion decoder routines which are much harder to handle.

As far as full streaming support is concerned its the same story as with
S/MIME v3. People express an interest from time to time but so far no one will
fund its development.

If anyone *is* interested in funding either they should contact me privately.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]