Thanks.
Assuming I'd undertake this endeavor:

1- would this be of any interest for openssl?
2- if yes, would some openssl developer assist in the design? I can do the
coding, but I'm new on openssl and the modifications require knowledge of
BIO & ASN1 internals: I'd need some hints to design properly and take the
right implementation choices.

This project could start around the end of April or the beginning of May. In the meantime
I must implement a solution based on signed data structures.

----- Original Message -----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 24, 2000 11:01 PM
Subject: Re: pkcs7 encryption limited by memory?


> > Richard Dykiel wrote:
> >
> > Hello,
> > I am studying how pkcs7 works in openssl, particularly for encryption
> > (enveloped data). Except if I made a mistake, it seems that pkcs7
> > encryption is made in memory, hence precluding encrypting very huge
> > files: am I right?
> >
>
> Yes you are. Unfortunately the way OpenSSL handles ASN1 is also memory
> rather than I/O based.
>
> > Say you want to envelop a file:
> > - PKCS7_dataInit returns a BIO (p7bio) that is a
> > BIO_f_cipher+BIO_s_mem
> > - data is enveloped by BIO_write(p7bio, data)
> > - PKCS7_dataFinal "steals" the memory buffer of p7bio to attach it to
> > the p7 structure
> > - i2d_PKCS7_bio encodes the p7 structure in asn.1: in fact
> > ASN1_i2d_bio gets called and it works entirely in a malloced temporary
> > memory buffer!!
> >
> > So if we encode a given file, the encoded data are present twice in
> > memory: in the p7 structure, and in the asn1 temporary buffer.
> >
> > What directions should I take if I want to be able to encrypt large
> > files in pkcs7 structures? It seems to me I should rewrite some PKCS7
> > functions, as well as try to change the ASN1 encoding so that it can
> > work as a BIO filter?
> >
>
> Encrypting huge files isn't too hard. You chop up the PKCS#7 structure
> round the encrypted content and dump the encrypted stuff as an "on the
> fly" indefinite length constructed OCTET STRING.
>
> The really nasty bit is decrypting if you want to properly handle
> the relevant ASN1 nuances and persuade the internal memory based stuff
> to work.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
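
The "on the fly" indefinite-length constructed OCTET STRING described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code. The names `ber_segment`, `ber_stream_octets` and `CHUNK` are hypothetical, and the cipher step is left as a comment, so the bytes pass through unencrypted here.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 4096 /* fixed working buffer: memory use does not grow with input */

/* Emit one primitive OCTET STRING segment (tag 0x04, definite length) into dst.
 * dst needs len + 4 bytes; len must be <= 0xffff. Returns bytes written. */
size_t ber_segment(unsigned char *dst, const unsigned char *data, size_t len)
{
    size_t n = 0;
    dst[n++] = 0x04;
    if (len < 0x80) {
        dst[n++] = (unsigned char)len;                 /* short form */
    } else if (len <= 0xff) {
        dst[n++] = 0x81; dst[n++] = (unsigned char)len;
    } else {
        dst[n++] = 0x82; dst[n++] = (unsigned char)(len >> 8);
        dst[n++] = (unsigned char)(len & 0xff);
    }
    memcpy(dst + n, data, len);
    return n + len;
}

/* Stream in -> out as ONE indefinite-length constructed OCTET STRING:
 * 24 80 | 04 len data | ... | 00 00. Returns bytes written, -1 on I/O error.
 * In PKCS#7 the encryptedContent field is [0] IMPLICIT, so the outer tag
 * there would be A0 rather than 24. */
long ber_stream_octets(FILE *in, FILE *out, size_t chunk)
{
    unsigned char buf[CHUNK], seg[CHUNK + 4];
    long total = 2;
    size_t got, n;

    if (chunk == 0 || chunk > CHUNK) chunk = CHUNK;
    if (fwrite("\x24\x80", 1, 2, out) != 2) return -1;
    while ((got = fread(buf, 1, chunk, in)) > 0) {
        /* Assumption: a real enveloper passes buf through the cipher here. */
        n = ber_segment(seg, buf, got);
        if (fwrite(seg, 1, n, out) != n) return -1;
        total += (long)n;
    }
    if (ferror(in) || fwrite("\0\0", 1, 2, out) != 2) return -1; /* end-of-contents */
    return total + 2;
}

int main(void)
{
    return ber_stream_octets(stdin, stdout, CHUNK) < 0;
}
```

Because the outer length is never written, the encoder does not need to know the total size in advance. A reader of this output has to accept BER, since DER forbids both indefinite lengths and constructed OCTET STRINGs.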
