Background: I've inherited an embedded Linux-based system that contains an SMTP proxy and some wacky constraints that I just have to live with. It sits between an SMTP client and server. When an SMTP client connects, the proxy opens a connection to the server and passes the client's data to the server after some on-the-fly processing.
The challenge: I need to sign and/or encrypt the email on its way to the server using standard PKI techniques and S/MIME formats (see RFC 2311, for example). I have access to all the required public keys from the appropriate certificates.
The wacky constraints (please just accept them, as they're far beyond my control):
- I can't store the email; it must be processed on-the-fly.
- I can do the encryption locally using the public keys, but I cannot access the private keys directly, which means the digital signature must be done by a "signing device" through a 9600bps connection.
- Typical email messages are tens or hundreds of MB in size. (The email server and recipients can handle those sizes; the only issue is the unacceptable delay when signing.)
- Any new code should be in C, but it's acceptable, for example, to pipe the data to a stand-alone utility for encryption/signature as long as the data is never stored (e.g. no temporary files).
- Delivery is in 14-21 days.
Questions:
- I was hoping to find an open-source utility or library that would generate the appropriate MIME headers and encrypt/sign a blob of data, but I didn't find that on SourceForge, Google Code, etc. Have you used one that you could recommend?
- I was desperately hoping to find an RFC that says it's acceptable to hash the 100MB of data and then sign the hash, as that would mitigate the 9600bps bottleneck. But again, no luck. Is there an industry-standard "shortcut" (RFC?) that would be compatible with typical email clients?
Thanks for your thoughts.