nmh-workers

Re: super-mime-encoded..

2021-12-16 07:59:24
thanks for this Ken. That's quite a recipe. Heuristic. Kabbalistic
incantation...

Heh.  I mean ... toolbox approach!

It gets complicated when you start wanting to integrate this into nmh.
A lot of the default tools want to work on a whole file; in theory
for encryption this isn't required because you can use indefinite encoding
for the encrypted data (since PKCS#7 is BER not DER), but I haven't
quite worked out the right way of dealing with things like PIN prompts
(like if you're searching through messages, do you want a PIN prompt
coming up to decrypt the message?  Where do you prompt for a PIN when
dealing with message composition for signing?).

Also, assuming you are dealing with smartcards, you are probably going
to have to involve a PKCS#11 module at some point.  And that ends up being
a complicated mess, especially when dealing with OpenSSL.  You CAN configure
OpenSSL to use a PKCS#11 module, but it's a mess and has a lot of moving
parts.  I've looked at dynamically loading an encryption engine that
makes calls to a PKCS#11 module to JUST deal with the encryption pieces,
but that also is a challenge.  Sigh.  Nothing is easy.

--Ken
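
The BER-versus-DER point in the message above, as an added example (not from the original post or from nmh): a DER OCTET STRING needs the total length before its first byte is written, while BER indefinite length lets an encoder emit segments as data arrives. The function names and sample payload are constructed for illustration, and the code uses plain universal OCTET STRING tags rather than a full PKCS#7 structure.

```python
import io

def der_length(n):
    """Definite-length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(data):
    """DER: primitive OCTET STRING; the whole value must be in hand first."""
    return b"\x04" + der_length(len(data)) + data

def ber_stream_octet_string(chunks):
    """BER: constructed OCTET STRING (0x24) with indefinite length (0x80).
    Each chunk is written as its own primitive segment as soon as it arrives;
    two zero octets (end-of-contents) close the value."""
    yield b"\x24\x80"
    for chunk in chunks:
        yield der_octet_string(chunk)
    yield b"\x00\x00"

def read_length(stream):
    """Return the definite length, or None for the indefinite form."""
    first = stream.read(1)[0]
    if first == 0x80:
        return None
    if first < 0x80:
        return first
    return int.from_bytes(stream.read(first & 0x7F), "big")

def read_octet_string(stream):
    """Decode either form; nested constructed segments are not handled."""
    tag, length = stream.read(1)[0], read_length(stream)
    if tag == 0x04 and length is not None:
        return stream.read(length)
    if tag != 0x24 or length is not None:
        raise ValueError("expected DER or indefinite-length BER OCTET STRING")
    out = bytearray()
    while True:
        seg_tag, seg_len = stream.read(1)[0], read_length(stream)
        if seg_tag == 0x00 and seg_len == 0:      # end-of-contents marker
            return bytes(out)
        if seg_tag != 0x04 or seg_len is None:
            raise ValueError("unsupported segment")
        out += stream.read(seg_len)

# Constructed sample: 512 bytes standing in for ciphertext, fed in 200-byte pieces.
SAMPLE = bytes(range(256)) * 2
SAMPLE_CHUNKS = [SAMPLE[i:i + 200] for i in range(0, len(SAMPLE), 200)]
```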
