wolfSSL has extended its PKCS7 capabilities to better handle indefinite length encodings, particularly in streaming scenarios. While basic support for indefinite length verification existed, recent updates have refined the wc_PKCS7_VerifySignedData() API to process multipart and indefinite length content more efficiently in a streaming manner.(wolfSSL)
Key Enhancements
- Streaming Verification: The wc_PKCS7_VerifySignedData() function now supports verifying PKCS7 data with indefinite lengths without requiring the entire content to be buffered in memory.
- Improved Decoding: Enhancements in decoding functions allow for better handling of BER-encoded PKCS7 structures with indefinite lengths.
Example Usage
The wolfssl-examples repository provides practical demonstrations of these enhancements. For instance, the pkcs7-stream-verify example illustrates how to verify PKCS7 signed data in a streaming context:
PKCS7 pkcs7;
byte buffer[BUFFER_SIZE];
int ret;
// Initialize PKCS7 structure
wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID);
// Set up certificate and key
pkcs7.cert = cert;
pkcs7.certSz = certSz;
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
// Begin streaming verification
ret = wc_PKCS7_VerifySignedData(&pkcs7, buffer, bufferSz);
if (ret != 0) {
// Handle error
}
// Continue processing as needed
This approach allows applications to process and verify large or streaming PKCS7 data efficiently, without the need to load the entire content into memory.
Benefits
- Efficiency: Reduces memory usage by processing data in chunks.
- Flexibility: Supports a wider range of PKCS7 encoding scenarios, including those using indefinite lengths.
- Standards Compliance: Aligns with BER encoding standards for PKCS7 structures.(GitHub)
These enhancements make wolfSSL more adaptable for applications requiring secure, real-time data processing.
If you have questiona about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now