On Mon, Jun 14, 2010, cc 9108 wrote:
> What's the reason for having in openssl both a PKCS7_* and a CMS_* API
> that are this similar?
>
> Obviously the CMS_* API can handle some CMS mechanisms the PKCS7 one
> can't, but is there anything the PKCS7 API can handle that the CMS API
> doesn't?
>
> In a program that currently calls the PKCS7_* functions, can they
> be replaced by CMS_* with no loss of functionality, still handling
> 100% of old PKCS#7 messages, only gaining support for the new CMS
> options?
>
> If no special option is selected (no CMS_USE_KEYID for example), will
> CMS_sign generate the same format as PKCS7_sign?
>
> Thanks in advance for the precision you can give me.
The PKCS7 API is far older than the CMS one and is retained for compatibility. The only thing PKCS7 can handle that CMS can't is structures where embedded content is not of type data: the formats are incompatible. OpenSSL won't normally generate those unless you do some very low level things.

The reason why there are two options is that it wasn't possible to make the PKCS7 structures compatible with CMS without breaking binary compatibility: the PKCS7 structures are in public header files. The CMS structures avoid this problem by making all the structures opaque and in private header files.

Yes, if you use CMS_sign() without special options it is compatible with PKCS7: one of the CMS tests does interop between the PKCS7 and CMS APIs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
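The one incompatibility Steve names is concrete at the encoding level: PKCS#7 (RFC 2315) places non-data content directly under the `[0]` tag of encapContentInfo, whereas CMS (RFC 5652) always wraps eContent in an OCTET STRING; for id-data the two encodings coincide, which is why CMS_sign() output and PKCS7 interoperate. The following is an added example, not code from this thread or from OpenSSL, that classifies a DER ContentInfo by that rule so you can triage an archive of old PKCS#7 messages before switching a program to the CMS_* API. It is pure Python with no OpenSSL dependency; the function names (`inspect_content_info`, `read_tlv`, and the `_tlv`/`_oid`/`_signed_data` builders) are mine, and the sample blobs are constructed SignedData shells with no real signer, enough structure for the classification only.

```python
"""Classify a DER PKCS#7 / CMS ContentInfo by the rule from the reply above:
the CMS API copes with everything except SignedData whose *embedded* content
is a bare structure under [0] (RFC 2315 style) instead of [0] OCTET STRING
(RFC 5652 style). Added example; pure Python, no OpenSSL required."""

ID_DATA = "1.2.840.113549.1.7.1"
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_CT_TSTINFO = "1.2.840.113549.1.9.16.1.4"      # RFC 3161 timestamp token content type
OID_NAMES = {ID_DATA: "id-data", ID_SIGNED_DATA: "id-signedData",
             ID_CT_TSTINFO: "id-ct-TSTInfo", "1.2.840.113549.1.7.3": "id-envelopedData"}


def read_tlv(buf, pos):
    """One definite-length element at buf[pos] -> (tag, content_start, content_end).
    Indefinite-length BER (length byte 0x80) and multi-byte tags are rejected, not misparsed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("multi-byte tag or indefinite-length BER not supported")
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, start, start + length


def children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        yield tag, s, e
        pos = e


def decode_oid(content):
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                  # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def expect(tag, got, what):
    if got != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02x}), got 0x{got:02x}")


def inspect_content_info(der):
    """Return {'contentType', 'eContentType', 'encoding', 'cms_api_ok'} for a ContentInfo blob."""
    tag, s, e = read_tlv(der, 0)
    expect(0x30, tag, "ContentInfo SEQUENCE")
    ci = list(children(der, s, e))
    expect(0x06, ci[0][0], "contentType OID")
    ctype = decode_oid(der[ci[0][1]:ci[0][2]])
    report = {"contentType": OID_NAMES.get(ctype, ctype), "eContentType": None,
              "encoding": "n/a", "cms_api_ok": True}
    if ctype != ID_SIGNED_DATA:            # only SignedData carries the incompatible case
        return report
    expect(0xA0, ci[1][0], "[0] content")
    tag, s, e = read_tlv(der, ci[1][1])
    expect(0x30, tag, "SignedData SEQUENCE")
    sd = list(children(der, s, e))         # version, digestAlgorithms, encapContentInfo, ...
    expect(0x30, sd[2][0], "encapContentInfo SEQUENCE")
    eci = list(children(der, sd[2][1], sd[2][2]))
    expect(0x06, eci[0][0], "eContentType OID")
    etype = decode_oid(der[eci[0][1]:eci[0][2]])
    report["eContentType"] = OID_NAMES.get(etype, etype)
    if len(eci) == 1:                      # no eContent: detached signature, nothing embedded
        report["encoding"] = "detached"
        return report
    expect(0xA0, eci[1][0], "[0] eContent")
    inner_tag, _, _ = read_tlv(der, eci[1][1])
    if inner_tag == 0x04:                  # OCTET STRING wrapper: CMS form (identical to PKCS#7 for id-data)
        report["encoding"] = "embedded-octet-string"
    else:                                  # bare structure under [0]: legacy PKCS#7 form, CMS API can't parse it
        report["encoding"] = "embedded-bare-structure"
        report["cms_api_ok"] = False
    return report


# --- constructed sample blobs: SignedData shells with no signer or certificates ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def _signed_data(e_content_type, e_content=None):
    eci = _oid(e_content_type) + (_tlv(0xA0, e_content) if e_content is not None else b"")
    body = _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, eci) + _tlv(0x31, b"")
    return _tlv(0x30, _oid(ID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, body)))


FAKE_TSTINFO = _tlv(0x30, _tlv(0x02, b"\x01"))   # stand-in for a TSTInfo SEQUENCE
SAMPLES = {
    "id-data embedded": _signed_data(ID_DATA, _tlv(0x04, b"hello")),
    "id-data detached": _signed_data(ID_DATA),
    "TSTInfo CMS-style": _signed_data(ID_CT_TSTINFO, _tlv(0x04, FAKE_TSTINFO)),
    "TSTInfo PKCS7-style": _signed_data(ID_CT_TSTINFO, FAKE_TSTINFO),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20s} {inspect_content_info(blob)}")
```

Only the fourth sample comes back with `cms_api_ok` false: a non-data content type embedded PKCS#7-style, which is exactly what Steve says OpenSSL will not emit unless you drive the low-level PKCS7 structures yourself. Real-world S/MIME from other toolkits is often indefinite-length BER; the inspector refuses it rather than misparsing, so canonicalise to DER first. The interop claim itself can be checked from the command line: a message produced by `openssl cms -sign` verifies with `openssl smime -verify` (the smime subcommand is the PKCS7_* code path) and vice versa.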
