> > Which shows the "-nd" flag (and corresponding
> > API, PKCS7_set_detached()) has no effect.  Anyone
> > know why?  Is this a permanent change?
> 
> The preferred method for using PKCS#7 is the high level API or the smime
> utility, the 'sign' utility is rather old and clunky.
> 
> I'll check to see if this happens with the smime utility.
> 
> Steve.

Steve,

Thanks a bunch for the tip.  I was just using the "sign" utility
to illustrate the ineffectiveness of the PKCS7_set_detached()
API in recent versions of the toolkit.

Which High-level APIs were you referring to?  If you are
referring to the PKCS7_sign() API, I looked into using it,
but the problem is that the data I want to sign is only available
from running a series of commands in a row.  The PKCS7_sign()
API only takes one BIO.  Perhaps I should investigate writing
my own BIO type that can take an array of shell commands,
and produces the output from the shell commands when
you read from the BIO?  For example:

BIO b = new my_bio();
b.addCommand("/usr/bin/echo foo");
b.addCommand("/usr/bin/echo bar");
char *result = b.BIO_read(...);

and result would be "foobar".

If I did this, could I then pass it to
PKCS7_sign()?  Is it possible for 3rd-party developers such
as myself to write my own BIO, without doing so in the
openssl environment that openssl API developers have?
The other drawback was that I saw a lot of "smime"-looking
things going on in PKCS7_sign(), which is of no use to
me, and worries me that it might interfere with what my
application is doing.  I don't want or need PKCS7-signed
objects floating around with smime-looking attributes.

Currently I am using something like this:

PKCS7_content_new(p7, ...);
p7bio = PKCS7_dataInit(...);
PKCS7_set_detached(p7);
while ((data = get_some_data()) != NULL) {
    BIO_write(p7bio, data);
}
PKCS7_dataFinal(p7, p7bio);
fp = resulting_signature_file();
PEM_write_PKCS7(fp, p7);

Is there a better way?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
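
The workflow asked about above, done with the smime utility named in the quoted reply, as an added example that is not part of the original thread: it signs the output of several commands from stdin, keeps the content out of the PKCS#7 structure (detached), and drops the signed attributes with -noattr. The key, certificate, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached PKCS#7 signature over streamed command output.
# Key, certificate, paths and function names are constructed for this demo.

# Throwaway self-signed signer written to directory $1.
make_demo_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# The data to sign only exists as the output of a series of commands.
produce_data() {
    echo foo
    echo bar
}

# Sign stdin with the signer in $1; write a PEM PKCS#7 to $2.
#   -binary  sign the bytes as given, no MIME canonicalisation
#   -noattr  no signed attributes (signingTime, S/MIME capabilities)
# "smime -sign" is detached by default; -nodetach would embed the data.
sign_detached() {
    openssl smime -sign -binary -noattr -outform PEM \
        -signer "$1/cert.pem" -inkey "$1/key.pem" -out "$2"
}

# Verify stdin against detached signature $2 (scratch file kept in $1).
# -noverify skips chain validation only because the demo cert is self-signed.
verify_detached() {
    cat > "$1/content.tmp"
    openssl smime -verify -binary -noverify -inform PEM -in "$2" \
        -content "$1/content.tmp" -out /dev/null 2>/dev/null
}

# True if the PKCS#7 in $1 carries a signingTime signed attribute.
has_signed_attrs() {
    openssl asn1parse -in "$1" | grep -q signingTime
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_demo_signer "$dir"
produce_data | sign_detached "$dir" "$dir/sig.pem"
produce_data | verify_detached "$dir" "$dir/sig.pem" && echo "detached signature verifies"
```

The verifier has to be fed exactly the same byte stream, so the commands must be deterministic or their output must be saved alongside the signature.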