PKCS7 encoding large content buffers

PKCS7 encoding large content buffers

Brian Daugherty
hi,

I need to PKCS7 sign and verify a several megabyte buffer.
This raises lots of fun issues with streaming and memory management.

From what I've been able to learn so far using a detached
PKCS7 structure along with PKCS7_dataInit() and PKCS7_dataFinal()
calls to stream the large content buffer is the way to go for
calculating the signature.

One of the requirements I have is that the detached content and
the PKCS7 signatures must both be stored in a single file. This
means I'll have my PKCS7 signed structure in DER format trailed by
the signed contents. Creating the file is straightforward. Reading
it in for verification is something I'm confused about.

Is there a way for me to determine the actual length of the
PKCS7_SIGNED data so I can find the offset of the contents?

What I want is to call d2i_PKCS7_bio() to retrieve the PKCS7_SIGNED
data, then use its size to skip ahead to the correct offset and
start the signature validation. If it helps at all both the
PKCS7_SIGNED data and the signed content will already be loaded into
memory (however there's not enough memory to allocate space for the
ASN1 parsing of both).

thanks,
brian
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: PKCS7 encoding large content buffers

Dr. Stephen Henson
On Mon, Nov 28, 2005, Brian Daugherty wrote:

> hi,
>
> I need to PKCS7 sign and verify a several megabyte buffer.
> This raises lots of fun issues with streaming and memory management.
>
> From what I've been able to learn so far using a detached
> PKCS7 structure along with PKCS7_dataInit() and PKCS7_dataFinal()
> calls to stream the large content buffer is the way to go for
> calculating the signature.
>
> One of the requirements I have is that the detached content and
> the PKCS7 signatures must both be stored in a single file. This
> means I'll have my PKCS7 signed structure in DER format trailed by
> the signed contents. Creating the file is straightforward. Reading
> it in for verification is something I'm confused about.
>
> Is there a way for me to determine the actual length of the
> PKCS7_SIGNED data so I can find the offset of the contents?
>
> What I want is to call d2i_PKCS7_bio() to retrieve the PKCS7_SIGNED
> data, then use its size to skip ahead to the correct offset and
> start the signature validation. If it helps at all both the
> PKCS7_SIGNED data and the signed content will already be loaded into
> memory (however there's not enough memory to allocate space for the
> ASN1 parsing of both).
>

Ideally the thing should be handleable in BER format if the OpenSSL ASN1 code
streamed data properly. Unfortunately I haven't been able to get enough people
interested in that so far...

Anyway calling i2d_PKCS7() on the PKCS7 structure will return its length which
you can then use as an offset.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
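
Added example, not part of either post and not OpenSSL code: because the file described in this thread is a DER PKCS7 structure followed by the raw content, the content offset can also be read from the outer DER header alone, without parsing or re-encoding the structure as the i2d_PKCS7() suggestion does. The function name `der_total_len` is hypothetical and the sample bytes in `main` are constructed; the length is treated as untrusted input and checked against the buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Return the total size (header + body) of the DER SEQUENCE that starts
 * at buf, i.e. the offset of whatever trails it. Returns 0 when the
 * header is truncated, is not a SEQUENCE, uses BER indefinite length,
 * is not minimally encoded, or claims more bytes than are available. */
size_t der_total_len(const unsigned char *buf, size_t avail)
{
    size_t hdr = 2, body = 0;

    if (buf == NULL || avail < 2)
        return 0;
    if (buf[0] != 0x30)               /* PKCS7 ContentInfo is a SEQUENCE */
        return 0;
    if (buf[1] < 0x80) {              /* short form: one length byte */
        body = buf[1];
    } else {
        size_t n = buf[1] & 0x7f;     /* long form: n length bytes follow */
        if (n == 0)                   /* 0x80: indefinite length, BER only */
            return 0;
        if (n > sizeof(size_t) || avail - 2 < n)
            return 0;
        if (buf[2] == 0)              /* leading zero byte: not minimal */
            return 0;
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (body < 0x80)              /* short form was required */
            return 0;
        hdr += n;
    }
    if (body > avail - hdr)           /* length runs past the buffer */
        return 0;
    return hdr + body;
}

int main(void)
{
    /* Constructed sample: a 5-byte DER SEQUENCE followed by "DATA",
     * standing in for the signature blob and the trailing content. */
    const unsigned char file[] = { 0x30, 0x03, 0x02, 0x01, 0x05,
                                   'D', 'A', 'T', 'A' };
    size_t off = der_total_len(file, sizeof file);

    if (off == 0)
        return 1;
    printf("content starts at offset %zu, %zu bytes\n",
           off, sizeof file - off);
    return 0;
}
```

A return of 0 means the file cannot be split safely and should be rejected before any signature verification is attempted.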