CMS_sign/CMS_final streaming

Dirk-Willem van Gulik dirkx at
Thu Aug 5 11:09:24 UTC 2021

> On 5 Aug 2021, at 02:54, Michael Richardson <mcr at> wrote:
> Dirk-Willem van Gulik <dirkx at> wrote:
>> I have very large globs  of on the fly generated data that are to be
>> signed and output as a base64 payload followed by a separate PKCS#7
>> package with a detached signature at the end of the transmission[1].
>> I’d like to avoid CMS_sign/CMS_final having to rely on a BIO_s_mem(),
>> disk-storage or similar.
>> But rather simply do something like calculating the SHA256 as the
>> payload is streamed out.  And then have a CMS_sign/final do the deed
>> with that SHA256 rather than a BIO.
> My understanding from reading the CMS man pages is that it is done by
> providing a NULL value for the content.  I haven't done this myself, but
> encountered the hints at, for instance:
> I'd go look in the tests directory for some code that calls CMS_final(), and
> maybe that will provide a workable example for you.

That is what I had expected - but as far as I can trace it - all called end up going through cms_DigestedData_do_final() that contains a EVP_DigestFinal_ex(). :(.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the openssl-users mailing list