1 Reply
      Latest reply on Jul 16, 2018 9:41 AM by eskimo
      minfrin Level 1 Level 1 (0 points)

        With OpenSSL deprecated on the Mac, I need to replace the EVP_DigestSignUpdate() function in the following code:

         

        EVP_DigestSignInit()

        EVP_DigestSignUpdate()

        EVP_DigestSignUpdate()

        EVP_DigestSignUpdate()

        ...

        EVP_DigestSignFinal()

         

        Much googling and manual reading leads me to the SecTransformExecute() function, however it appears (but is never explicitly stated) that SecTransformExecute() can only ever be called once, implying that it is impossible to sign or verify unbounded/streamed data.

         

        All of the examples I can find encrypt/sign a contrived single block of plaintext, which is an edge case - in the real world data is unbounded and not all present at once.

         

        OpenSSL handles this by allowing the EVP_DigestSignUpdate() function to be called more than once. How does the SecTransform API handle this case? Does anyone have any example code that makes this clear?

        • Re: What is the SecTransform equivalent of the OpenSSL EVP_DigestSignInit() call?
          eskimo Apple Staff Apple Staff (9,180 points)

          While SecTransform hasn’t been formally deprecated, it’s not an API that’s got a lot of traction and it’s probably not the best idea to switch to it today.  What sort of digest are you trying to sign?  And with what key?

          In most cases you can achieve this goal using SecKeyCreateSignature, using it in one of two ways:

          • In the ‘one shot’ case, you pass in the data and an algorithm key that contains Message.

          • In the streaming case, you first use CommonCrypto to calculate the digest and then call SecKeyCreateSignature with that digest and an algorithm key that contains Digest.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"