What is the SecTransform equivalent of the OpenSSL EVP_DigestSignInit() call?

With OpenSSL deprecated on the Mac, I need to replace the EVP_DigestSignUpdate() function in the following code:

    EVP_DigestSignInit()
    EVP_DigestSignUpdate()
    EVP_DigestSignUpdate()
    EVP_DigestSignUpdate()
    ...
    EVP_DigestSignFinal()

Much googling and manual reading leads me to the SecTransformExecute() function, however it appears (but is never explicitly stated) that SecTransformExecute() can only ever be called once, implying that it is impossible to sign or verify unbounded/streamed data.


All of the examples I can find encrypt/sign a contrived single block of plaintext, which is an edge case - in the real world data is unbounded and not all present at once.


OpenSSL handles this by allowing the EVP_DigestSignUpdate() function to be called more than once. How does the SecTransform API handle this case? Does anyone have any example code that makes this clear?

Replies

While SecTransform hasn’t been formally deprecated, it’s not an API that’s got a lot of traction and it’s probably not the best idea to switch to it today. What sort of digest are you trying to sign? And with what key?

In most cases you can achieve this goal using SecKeyCreateSignature, using it in one of two ways:

  • In the ‘one shot’ case, you pass in the data and an algorithm key that contains Message.
  • In the streaming case, you first use CommonCrypto to calculate the digest and then call SecKeyCreateSignature with that digest and an algorithm key that contains Digest.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
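The streaming case from the reply above, written out as an added example (this is not code from the original thread or from Apple's documentation). It hashes chunks incrementally with CommonCrypto and signs only the digest with SecKeyCreateSignature, which is the shape of the EVP_DigestSignInit/Update/Final sequence in the question. It assumes an ephemeral RSA 2048 key generated in process and SHA-256; the StreamingSigner class, verifyStreamed, makeTestKey and the sample chunks are all constructed for this example.

```swift
import Foundation
import Security
import CommonCrypto

// Streaming equivalent of EVP_DigestSignInit/Update/Final: hash the chunks
// with CommonCrypto, then sign only the digest using a "...Digest..." algorithm.
final class StreamingSigner {
    private var ctx = CC_SHA256_CTX()
    private let key: SecKey

    init(privateKey: SecKey) {
        key = privateKey
        CC_SHA256_Init(&ctx)                        // ~ EVP_DigestSignInit()
    }

    func update(_ chunk: Data) {                    // ~ EVP_DigestSignUpdate()
        chunk.withUnsafeBytes { buf in
            _ = CC_SHA256_Update(&ctx, buf.baseAddress, CC_LONG(buf.count))
        }
    }

    func finalize() throws -> Data {                // ~ EVP_DigestSignFinal()
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        CC_SHA256_Final(&digest, &ctx)
        var error: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(key,
                                              .rsaSignatureDigestPKCS1v15SHA256,
                                              Data(digest) as CFData,
                                              &error) as Data? else {
            throw error!.takeRetainedValue() as Error
        }
        return sig
    }
}

// Verifier side uses the same digest-then-verify split, so it also never needs
// the whole message in memory. A bad signature returns false (SecKeyVerifySignature
// reports errSecVerifyFailed in `error`); it does not throw.
func verifyStreamed(chunks: [Data], signature: Data, publicKey: SecKey) -> Bool {
    var ctx = CC_SHA256_CTX()
    CC_SHA256_Init(&ctx)
    for c in chunks {
        c.withUnsafeBytes { buf in
            _ = CC_SHA256_Update(&ctx, buf.baseAddress, CC_LONG(buf.count))
        }
    }
    var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
    CC_SHA256_Final(&digest, &ctx)
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey,
                                 .rsaSignatureDigestPKCS1v15SHA256,
                                 Data(digest) as CFData,
                                 signature as CFData,
                                 &error)
}

// Ephemeral test key: no kSecAttrIsPermanent, so nothing is written to the keychain.
func makeTestKey() throws -> (priv: SecKey, pub: SecKey) {
    let attrs: [CFString: Any] = [kSecAttrKeyType: kSecAttrKeyTypeRSA,
                                  kSecAttrKeySizeInBits: 2048]
    var error: Unmanaged<CFError>?
    guard let priv = SecKeyCreateRandomKey(attrs as CFDictionary, &error),
          let pub = SecKeyCopyPublicKey(priv) else {
        throw error!.takeRetainedValue() as Error
    }
    return (priv, pub)
}

let key = try makeTestKey()
// Constructed sample input: three chunks standing in for a streamed message.
let chunks = ["chunk one, ", "chunk two, ", "chunk three"].map { Data($0.utf8) }

let signer = StreamingSigner(privateKey: key.priv)
chunks.forEach(signer.update)
let streamedSig = try signer.finalize()

// One-shot form over the whole message. RSA PKCS#1 v1.5 is deterministic, so the
// Message-algorithm and Digest-algorithm signatures must be byte-identical.
var error: Unmanaged<CFError>?
guard let oneShotSig = SecKeyCreateSignature(key.priv, .rsaSignatureMessagePKCS1v15SHA256,
                                             chunks.reduce(Data(), +) as CFData,
                                             &error) as Data? else {
    throw error!.takeRetainedValue() as Error
}
precondition(oneShotSig == streamedSig, "digest-form and message-form signatures differ")

let good = verifyStreamed(chunks: chunks, signature: streamedSig, publicKey: key.pub)
let bad = verifyStreamed(chunks: chunks.reversed(), signature: streamedSig, publicKey: key.pub)
precondition(good && !bad, "verification did not behave as expected")
print("streamed signature verified (\(streamedSig.count) bytes)")
```

Run it on macOS with `swift StreamingSign.swift`. Two caveats: the CC_SHA256_* functions are marked deprecated from macOS 10.15 onward in favour of CryptoKit, whose SHA256 type offers the same update/finalize pattern and can replace the CommonCrypto context here without changing the SecKeyCreateSignature call; and if you switch to an EC key (kSecAttrKeyTypeECSECPrimeRandom with .ecdsaSignatureDigestX962SHA256), the byte-equality check between the one-shot and streamed signatures no longer applies, because ECDSA signatures are randomized, although both will still verify.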