> > Which shows the "-nd" flag (and corresponding
> > API, PKCS7_set_detached()) has no effect. Anyone
> > know why? Is this a permanent change?
>
> The preferred method for using PKCS#7 is the high level API or the smime
> utility, the 'sign' utility is rather old and clunky.
>
> I'll check to see if this happens with the smime utility.
>
> Steve.

Steve,

Thanks a bunch for the tip. I was just using the "sign" utility to illustrate the ineffectiveness of the PKCS7_set_detached() API in recent versions of the toolkit.

Which High-level APIs were you referring to? If you are referring to the PKCS7_sign() API, I looked into using it, but the problem is that the data I want to sign is only available from running a series of commands in a row. The PKCS7_sign() API only takes one BIO.

Perhaps I should investigate writing my own BIO type that can take an array of shell commands, and produces the output from the shell commands when you read from the BIO? For example:

    BIO b = new my_bio();
    b.addCommand("/usr/bin/echo foo");
    b.addCommand("/usr/bin/echo bar");
    char *result = b.BIO_read(...);

and result would be "foobar". If I did this, could I then pass it to PKCS7_sign()? Is it possible for 3rd-party developers such as myself to write my own BIO, without doing so in the openssl environment that openssl API developers have?

The other drawback was that I saw a lot of "smime"-looking things going on in PKCS7_sign(), which is of no use to me, and worries me that it might interfere with what my application is doing. I don't want or need PKCS7-signed objects floating around with smime-looking attributes.

Currently I am using something like this:

    PKCS7_content_new(p7, ...);
    p7bio = PKCS7_dataInit(...);
    PKCS7_set_detached(p7);
    while ((data = get_some_data()) != NULL) {
        BIO_write(p7bio, data);
    }
    PKCS7_dataFinal(p7, p7bio);
    fp = resulting_signature_file();
    PEM_write_PKCS7(fp, p7);

Is there a better way?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
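
Added example, not part of the original message or of the OpenSSL sources: the smime utility mentioned in the quoted reply, used to make a detached PKCS#7 signature over the output of several commands and then to check it. The throwaway signer, the file names and the produce_data, sign_stdin, verify_stdin and is_detached helpers are constructed for this demo.

```shell
#!/bin/sh
# Added example. File names, the CN and produce_data are constructed.
WORK=$(mktemp -d)

# Throwaway self-signed signer (constructed; never reuse outside this demo).
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# The data to sign exists only as the output of several commands in a row.
produce_data() {
    printf 'foo'
    printf 'bar'
}

# Sign stdin into PEM file $1. Without -nodetach the content is left out of
# the PKCS#7; -noattr omits signed attributes (signing time, S/MIME
# capabilities); -binary signs the bytes as-is, with no CRLF conversion.
sign_stdin() {
    openssl smime -sign -binary -noattr -outform PEM \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$1"
}

# Verify stdin against detached signature $1, trusting only the demo cert.
verify_stdin() {
    cat > "$WORK/content.bin"
    openssl smime -verify -binary -inform PEM -in "$1" \
        -content "$WORK/content.bin" -CAfile "$WORK/cert.pem" \
        -out /dev/null 2>/dev/null
}

# A detached signature must not verify on its own: there is no content in it.
is_detached() {
    ! openssl smime -verify -inform PEM -in "$1" \
        -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

make_signer
produce_data | sign_stdin "$WORK/sig.p7"
produce_data | verify_stdin "$WORK/sig.p7" && echo "signature verifies"
printf 'foobaz' | verify_stdin "$WORK/sig.p7" || echo "changed data rejected"
is_detached "$WORK/sig.p7" && echo "no content embedded"
```

The verifier has to see exactly the bytes that were signed, so the same commands must be replayed in the same order, or their output saved alongside the signature.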