On Fri, Aug 03, 2012, Jakob Bohm wrote:

> On 8/3/2012 10:32 AM, Maciej Pawlus wrote:
> >Hi,
> >
> >I need to sign a mobileconfig file before sending it to the iOS device.
> >For this I want to call openssl as a separate process. However I do not
> >want to operate on physical files, as it requires a lot of read/write
> >operations which will slow down the whole process and cause file
> >handling issues. I would like to use streams in the form of a pipe instead.
> >
> >Basically what I want to achieve is to imitate the following command:
> >"openssl smime -sign -in input_mobileconfig -out output_mobileconfig
> >-signer my_certificate -inkey my_private_key -outform der -nodetach"
> >without having files stored on the hard drive.
> >
> >I know there is the "-stream/-indef" option, but according to the documentation
> >"it enables experimental streaming I/O support; as a result the encoding
> >is BER using indefinite length constructed encoding and no longer DER;
> >streaming is supported for the -encrypt operation and the -sign
> >operation if the content is not detached". I tried it, but the output
> >has a different format and it is not recognized by iOS.
> >
> >So I would like to know if it is possible to provide input as a stream
> >and get output as a stream in DER format, so that later I can create a
> >FileStream based on it and return it as a response to the device?
> >
> >My development environment is C# / MS VS 2010 Ultimate. Any help will be
> >highly appreciated.
> >
> Your best bet would be to use the OpenSSL C API from C++ (via .NET
> InterOp or IJW to your own mix of managed and unmanaged C++ glue
> code), or a prepackaged .NET wrapper for the OpenSSL API (there
> probably is one, I have never needed it myself).
>
> Based on the source code in apps/smime.c, I guess the main functions
> to call would be PKCS7_sign() followed by PKCS7_sign_add_signer(),
> PKCS7_final() and ???_write_bio_PKCS7().
>
> In the OpenSSL API, pass your "input_mobileconfig" as a "memory BIO",
> or as a simple byte array (depending on which API you end up calling),
> and similarly retrieve the result as another "memory BIO" or byte
> array.
>
> Your certificate and private key would be loaded once for multiple
> transactions into appropriate types of OpenSSL objects, which can
> then be passed to multiple signing operations without reloading
> them.
Yes, memory BIOs are the way to go for this. There is a simpler example of
S/MIME signing in demos/smime/smsign.c. It doesn't use memory BIOs or DER
output format but is easy to adapt.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org