Creating a PKCS#7 object in C with an external digital signature


I am using a smart card device to sign PDF documents. I already know how to sign the PDF using iText.

I have a 20-byte SHA-1 hash, a 256-byte signature (RSA-encrypted by the smart card private key) and a public key (.cer certificate).

Is there a way to create a PKCS#7 binary object in C, using a free library such as cryptlib?


Answer by Maarten Bodewes

You seem to want to generate a PKCS#7 / CMS (cryptographic message syntax) signature using a pre-calculated signature.

This is - to my surprise - possible but for a very big IF. That IF is that the CMS message doesn't contain any additional metadata that needs to be signed. In the badly phrased words of the CMS RFC:

...
When the signedAttrs field is absent, only the octets comprising the
value of the SignedData encapContentInfo eContent OCTET STRING (e.g.,
the contents of a file) are input to the message digest calculation.
This has the advantage that the length of the content being signed
need not be known in advance of the signature generation process.
...

You can exclude the signedAttrs in, for instance, OpenSSL using the -noattr command line option. Unfortunately I did not find a direct way to include the signature value itself, but this is very likely to be possible using the C API of OpenSSL - and as OpenSSL is Open Source, it would of course be possible to amend this problem if it isn't.


Notes:

  • A good hack would be to create a signature over a zero byte value using a different key when performing CMS, then look up that value (by binary search or by parsing the ASN.1 CMS structures) and then replace that signature with the one you've generated;
  • CryptLib and SHA-1 are only useful when you are planning to travel back in time. I strongly recommend using well-maintained libraries and - of course - a secure hash.
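
The placeholder-replacement approach from the first note, as an added example that is not part of the original answer: it finds the placeholder signature in a DER-encoded CMS blob, checks that the match is unique and is framed as an OCTET STRING of exactly that length, then overwrites it in place. The function and constant names are hypothetical, and it assumes the placeholder and the externally produced signature have the same length (for the question's case, 256 bytes).

```c
#include <stddef.h>
#include <string.h>

/* Return codes (hypothetical names, chosen for this example). */
enum { PATCH_OK = 0, PATCH_NOT_FOUND = -1, PATCH_AMBIGUOUS = -2, PATCH_BAD_HEADER = -3 };

/* Build the DER tag+length header of an OCTET STRING holding sig_len bytes.
 * Returns the header length, or 0 if sig_len is too large for this example. */
static size_t octet_string_header(size_t sig_len, unsigned char hdr[4])
{
    hdr[0] = 0x04;                                   /* tag: OCTET STRING */
    if (sig_len < 0x80)  { hdr[1] = (unsigned char)sig_len; return 2; }
    if (sig_len <= 0xFF) { hdr[1] = 0x81; hdr[2] = (unsigned char)sig_len; return 3; }
    if (sig_len <= 0xFFFF) {
        hdr[1] = 0x82;                               /* two length bytes follow */
        hdr[2] = (unsigned char)(sig_len >> 8);
        hdr[3] = (unsigned char)(sig_len & 0xFF);
        return 4;
    }
    return 0;
}

/* Replace the placeholder signature inside a DER-encoded CMS blob, in place. */
int patch_signature(unsigned char *der, size_t der_len,
                    const unsigned char *placeholder,
                    const unsigned char *external, size_t sig_len)
{
    unsigned char hdr[4];
    size_t hdr_len = octet_string_header(sig_len, hdr);
    size_t hit = 0, hits = 0, i;

    if (hdr_len == 0 || sig_len == 0 || der_len < sig_len)
        return PATCH_NOT_FOUND;
    for (i = 0; i + sig_len <= der_len; i++)
        if (memcmp(der + i, placeholder, sig_len) == 0) { hit = i; hits++; }
    if (hits == 0) return PATCH_NOT_FOUND;
    if (hits > 1)  return PATCH_AMBIGUOUS;   /* refuse to guess which copy is the signature */
    if (hit < hdr_len || memcmp(der + hit - hdr_len, hdr, hdr_len) != 0)
        return PATCH_BAD_HEADER;             /* bytes matched, but not as an OCTET STRING of this size */
    memcpy(der + hit, external, sig_len);    /* same length, so enclosing DER lengths stay valid */
    return PATCH_OK;
}
```

The swap keeps every enclosing DER length valid only because both signatures have the same size; a placeholder made with a different RSA key size needs the ASN.1 structure re-encoded instead.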