> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Wednesday, 24 April, 2013 18:10
>
> I saw the CMS but I did not see how to store raw data which I need to
> extract? Let's assume the data was a JPG and I created a signature from
> the MD (SHA1); how can I get the JPG, use it and validate it? I looked at
> the PKCS7 and no mention of adding objects.
>
The PKCS7_* API, and the newer and more complete CMS_* API, is designed
to do most of the work for you. PKCS7_sign or CMS_sign takes the data as
a BIO to allow streaming from a (large) file or pipe or such, but if you
have your data in memory just use a mem-BIO; computes a signature* using
a given privatekey and cert(s); and produces the result structure, or if
streaming sets up to produce it.

* By default these APIs do the "two level" signature: hash the data, put
that hash into AuthenticatedAttributes along with other stuff, hash
AuthenticatedAttributes and pk-sign that hash. You can specify _NOATTR
to reduce this to just hash the data and pk-sign that (first) hash.

I hope you didn't mean the *commandline* utility pkcs7. Despite the
name, that handles only "p7b" objects, i.e. degenerate PKCS7 containing
no actual data or signature, used only to transport cert(s) or (less
often) CRL(s). To do proper-pkcs7 signed or encrypted at commandline,
use smime or cms with format PEM or DER.

> Any example is best to learn assuming data (JPG) derived MD from it
> for a signature and I have a private key.
>
If you really want to do it yourself, the older PKCS7_ module exposes
the C structs, which you could fill in and then I think plain
(nonstream) i2d_ or PEM_write_ should work, although I haven't tested.

> I am assuming RSA though I would like to do ECDSA.
>
These APIs will use any privatekey for which a signature scheme is
available; that's RSA, DSA, ECDSA (or pedantically EC; openssl uses the
same EC_KEY struct for ECDSA and ECDH). (In general openssl routines
using EVP_PKEY will handle many key types; that's exactly what the EVP
level is for.)

I still encounter a few reliers (or other systems) now and then who
don't support ECDSA, though less than a few years ago.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org