On 8/3/2012 10:32 AM, Maciej Pawlus wrote:
Hi,

I need to sign mobileconfig file before sending it to the iOS device.
For this I want to call openssl as a separate process. However I do not
want to operate on physical files, as it requires a lot of read/write
operations which will slow down the whole process and cause file
handling issues. I would like to use streams in a form of pipe instead.

Basically what I want to achieve is to imitate the following command:
"openssl smime -sign -in input_mobileconfig -out output_mobileconfig
-signer my_certificate -inkey my_pricate_key -outform der -nodetach"
without having files stored on hard drive.

I know there is "-stream/-indef" option, but according to documentation
"it enables experimental streaming I/O support; as a result the encoding
is BER using indefinite length constructed encoding and no longer DER;
streaming is supported for the -encrypt operation and the -sign
operation if the content is not detached". I tried it, but the output
has different format and it is not recognized by iOS.

So I would like to know if it is possible to provide input as a stream
and get output as stream in DER format, so that later I can create a
FileStream based on it and return it as a response to the device?

My development environment is C# / MS VS 2010 Ultimate. Any help will be
highly appreciated.

Your best bet would be to use the OpenSSL C API from C++ (via .NET
InterOp or IJW to your own mix of managed and unmanaged C++ glue
code), or a prepackaged .NET wrapper for the OpenSSL API (there
probably is one, I have never needed it myself).

Based on the source code in apps/smime.c, I guess the main functions
to call would be PKCS7_sign() followed by PKCS7_sign_add_signer(),
PKCS7_final() and ???_write_bio_PKCS7().

In the OpenSSL API, pass your "input_mobileconfig" as a "memory BIO",
or as a simple byte array (depending on which API you end up calling),
and similarly retrieve the result as another "memory BIO" or byte
array.

Your certificate and private key would be loaded once for multiple
transactions into appropriate types of OpenSSL objects, which can
then be passed to multiple signing operations without reloading
them.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded