Grant Mills wrote:

All,
   Is there a way to simply extract the message digest from a PKCS #7
signature?  Here is a little background to hopefully explain the
context.
   We have separate data and signature.  In order to reduce memory
requirements, we'd like to generate our digest while we decompress the
image.

You should be able to calculate the digest and decompress your image
at the same time regardless of getting the digest out.

The OpenSSL src/crypto/pkcs7/verify.c is a test program that calls
PKCS7_dataInit,  loops reading 4K blocks which does the digest
inside the BIO stack, then calls PKCS7_get_signer_info to verify.
You could process your data in the same loop as the digest
is being collected. The sample program uses 4K blocks; you could
use something else.


 After the image is decompressed, we'll extract the digest from
the signature and compare.  If they compare, we'd continue starting
up.  If the comparison failed, we'd scrub the uncompressed image from
memory.
   The exact order might differ, since padding the generated digest
might depend on the digest in the signature.  However, I don't
perceive those details as being insurmountable.
   Any help and thoughts on pitfalls to watch for will be
appreciated. Thanks in advance.


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
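
The single-pass loop the reply describes, as an added example that is not code from the thread or from OpenSSL: Python's hashlib and zlib stand in for the digest BIO and the decompressor, and one loop over 4K blocks feeds both. Assumptions: the signature covers the compressed image as stored, `expected_digest` is the messageDigest value taken from a PKCS #7 signature that has already been verified, and `load_image` and the `SAMPLE_*` names are hypothetical.

```python
import hashlib
import hmac
import io
import zlib

BLOCK = 4096  # 4K blocks, as in the sample program mentioned in the reply


def load_image(src, expected_digest, algo="sha256"):
    """Decompress src and digest its compressed bytes in one pass.

    Returns the image as a bytearray, or None after scrubbing the buffer
    when the digest does not match or the stream is corrupt or truncated.
    """
    h = hashlib.new(algo)
    z = zlib.decompressobj()
    image = bytearray()
    ok = True
    try:
        while True:
            block = src.read(BLOCK)
            if not block:
                break
            h.update(block)               # digest the bytes exactly as signed
            image += z.decompress(block)  # same loop, same block
        image += z.flush()
    except zlib.error:
        ok = False                        # corrupt stream counts as a failed check
    # Constant-time compare; a stream without its end marker also fails.
    ok = ok and z.eof and hmac.compare_digest(h.digest(), expected_digest)
    if not ok:
        image[:] = bytes(len(image))      # best-effort overwrite in place
        return None
    return image


# Constructed sample data (not from the thread): 8 KiB of incompressible
# bytes, so the compressed blob spans several 4K blocks.
SAMPLE_RAW = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
SAMPLE_BLOB = zlib.compress(SAMPLE_RAW)
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_BLOB).digest()

if __name__ == "__main__":
    print(load_image(io.BytesIO(SAMPLE_BLOB), SAMPLE_DIGEST) == SAMPLE_RAW)
    print(load_image(io.BytesIO(SAMPLE_BLOB), bytes(32)))
```

A matching digest authenticates the image only if the PKCS #7 signature itself verifies, and in this ordering the decompressor parses input before it has been authenticated, so it must tolerate malformed data.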
