Folks, I am struggling to find a clean way to add a pub-key to encrypt against to an existing pkcs7/smime file, without having to change the existing entries.
The use case is that of a key rollover (on, for example, a very long term backup) where one would want to add an extra decryption key (years) later. And ideally do so without disturbing the old keys already there*. The old(er) keys can stay; and the length (or key itself) does not need to be updated in this particular use case.

So I had hoped that I could simply decrypt one of the keys; re-encrypt it with the new cert and add it to the sequence of CN/serial/rsaEncryption preceding the pkcs7-data block.

However, looking at PKCS7_final/PKCS7_dataFinal, it seems that the APIs in openssl for this are not ideal -- all the work is inside PKCS7_dataInit, which also does a lot of other things.

Is there a clean API to use for this? Is the best approach to simply cut-and-paste PKCS7_encrypt and fiddle with things?

Any advice appreciated,

Dw.

*: As it is not very desirable in this case to have to supply the existing/other public keys too during this process; as the processes around it would allow for the relatively easy insertion of a cert with Alice's name/serial matching those in the envelope (but under control of Charlie); and it is not that practical to have the certs in the pkcs7 struct, as it is not desirable to code who can decrypt anyway.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
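The structural half of the idea in the post above, as an added example that is not part of the original message and is not OpenSSL code: appending one more RecipientInfo to the recipientInfos SET of a definite-length PKCS#7 envelopedData while copying every existing element byte for byte. It assumes `new_ri` is an already DER-encoded RecipientInfo holding the content key wrapped for the new certificate (produced elsewhere); all function names are hypothetical.

```python
ENVELOPED_DATA = bytes.fromhex("06092a864886f70d010703")  # OID 1.2.840.113549.1.7.3

def read_tlv(buf, pos):
    """Return (header_len, content_len) of the definite-length TLV at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite-length BER; re-encode as DER first")
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def tlv(tag, content):
    """Encode one TLV with a minimal definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def children(buf):
    """Split the constructed TLV at the start of buf into its child TLVs."""
    hl, cl = read_tlv(buf, 0)
    out, p = [], hl
    while p < hl + cl:
        h, c = read_tlv(buf, p)
        out.append(buf[p:p + h + c])
        p += h + c
    return out

def add_recipient_info(der, new_ri):
    """Append new_ri to recipientInfos; every other element is copied byte for byte."""
    oid, wrapper = children(der)               # ContentInfo: contentType, [0] content
    if oid != ENVELOPED_DATA or wrapper[0] != 0xA0:
        raise ValueError("not a PKCS#7 envelopedData ContentInfo")
    (env,) = children(wrapper)
    version, ris, enc_content = children(env)  # PKCS#7 v1.5 layout, no optional fields
    if ris[0] != 0x31:
        raise ValueError("recipientInfos is not a SET")
    new_set = tlv(0x31, ris[read_tlv(ris, 0)[0]:] + new_ri)
    return tlv(0x30, oid + tlv(0xA0, tlv(0x30, version + new_set + enc_content)))

if __name__ == "__main__":
    # Constructed sample: placeholder bytes stand in for real RecipientInfo fields
    # and ciphertext; no real keys or certificates are involved.
    ri = lambda fill: tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, bytes([fill]) * 140))
    enc = tlv(0x30, bytes.fromhex("06092a864886f70d010701") + tlv(0x80, b"\xaa" * 32))
    old = tlv(0x30, ENVELOPED_DATA + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, ri(1)) + enc)))
    new = add_recipient_info(old, ri(2))
    print(len(old), "->", len(new), "bytes; ciphertext untouched:", new.endswith(enc))
```

Only the enclosing length headers change, and they can grow (here from the one-byte to the two-byte long form). The new entry is appended rather than sorted into place, so a strict DER consumer that checks SET OF ordering may need the set re-sorted.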