After spending last weekend studying the PKCS #7 and CMS (RFC 3852) specifications, I dedicated this weekend to assembling a Bacula ASN.1 syntax for signing file data and implementing the requisite changes in the backup, verification , and digest handling code paths.
While I would have liked to make use of either PKCS #7 or RFC 3852, OpenSSL's current BER encoder and PKCS #7 API are not capable of handling streaming encoding and decoding. As such, I've designed an ASN.1 syntax inspired by RFC 3852, working around the lack of streaming support by using detached signatures and session key information.
Additionally, I've added support for SHA-256 and SHA-512 digests when using OpenSSL 0.9.8 or greater and completed a great deal of code cleanup. You can find the full ChangeLog below.
Next Up:
The latest patchset is available here: bacula-crypto-3.diff.gz