CMS_sign/CMS_final streaming

Michael Richardson mcr at
Thu Aug 5 00:54:08 UTC 2021

Dirk-Willem van Gulik <dirkx at> wrote:
    > I have very large globs  of on the fly generated data that are to be
    > signed and output as a base64 payload followed by a separate PKCS#7
    > package with a detached signature at the end of the transmission[1].

    > I’d like to avoid CMS_sign/CMS_final having to rely on a BIO_s_mem(),
    > disk-storage or similar.

    > But rather simply do something like calculating the SHA256 as the
    > payload is streamed out.  And then have a CMS_sign/final do the deed
    > with that SHA256 rather than a BIO.

My understanding from reading the CMS man pages is that it is done by
providing a NULL value for the content.  I haven't done this myself, but
encountered the hints at, for instance:

I'd go look in the tests directory for some code that calls CMS_final(), and
maybe that will provide a workable example for you.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <>

More information about the openssl-users mailing list