You seem to want to generate a PKCS#7 / CMS (cryptographic message syntax) signature using a pre-calculated signature.
This is - to my surprise - possible but for a very big IF. That IF is that the CMS message doesn't contain any additional metadata that needs to be signed. In the badly phrased words of the CMS RFC:
> ...
> When the signedAttrs field is absent, only the octets comprising the
> value of the SignedData encapContentInfo eContent OCTET STRING (e.g.,
> the contents of a file) are input to the message digest calculation.
> This has the advantage that the length of the content being signed
> need not be known in advance of the signature generation process.
> ...
You can exclude the `signedAttrs` in for instance OpenSSL using the `-noattr` command line option. Unfortunately I did not find a direct way to include the signature value itself, but this is very likely to be possible using the C API of OpenSSL - and as OpenSSL is Open Source, it would of course be possible to amend this problem if it isn't.
Notes:
- A good hack would be to create a signature over a zero byte value using a different key when performing CMS, then look up that value (by binary search or by parsing the ASN.1 CMS structures) and then replace that signature with the one you've generated;
- CryptLib and SHA-1 are only useful when you are planning to travel back in time. I strongly recommend using well-maintained libraries and - of course - a secure hash.
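
The condition quoted from the RFC can be checked with the OpenSSL command line. The following is an added example, not part of the original answer: it signs the same content once as a plain signature and twice as CMS, and tests whether the plain signature bytes appear inside each CMS structure. It assumes an RSA key with PKCS#1 v1.5 padding and SHA-256 (deterministic, so equal inputs give equal signatures); the file names, certificate subject and content are constructed.

```shell
#!/bin/sh
# Added example; the key, certificate subject and content are constructed.
set -eu

# Hex-encode a file on one line so byte strings can be compared as text.
hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# Succeed when the bytes of file $2 occur somewhere inside file $1.
contains() {
    case "$(hex "$1")" in *"$(hex "$2")"*) return 0 ;; *) return 1 ;; esac
}

run_demo() {
    w=$(mktemp -d)
    printf 'constructed sample content\n' > "$w/content.bin"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-test-signer' \
        -keyout "$w/key.pem" -out "$w/cert.pem" 2>/dev/null

    # The "pre-calculated" signature: plain RSA PKCS#1 v1.5 over SHA-256.
    openssl dgst -sha256 -sign "$w/key.pem" -out "$w/raw.sig" "$w/content.bin"

    # CMS without signedAttrs: the signature covers the content digest only.
    openssl cms -sign -binary -noattr -md sha256 -outform DER \
        -signer "$w/cert.pem" -inkey "$w/key.pem" \
        -in "$w/content.bin" -out "$w/noattr.der"

    # CMS with signedAttrs (the default): the signature covers the attributes.
    openssl cms -sign -binary -md sha256 -outform DER \
        -signer "$w/cert.pem" -inkey "$w/key.pem" \
        -in "$w/content.bin" -out "$w/attr.der"

    if contains "$w/noattr.der" "$w/raw.sig"; then NOATTR_MATCH=yes; else NOATTR_MATCH=no; fi
    if contains "$w/attr.der" "$w/raw.sig"; then ATTR_MATCH=yes; else ATTR_MATCH=no; fi
    rm -rf "$w"
}

run_demo
echo "raw signature found in -noattr CMS: $NOATTR_MATCH"
echo "raw signature found in default CMS: $ATTR_MATCH"
```

Only the `-noattr` structure carries a signature value identical to the one computed outside CMS; with signed attributes present the signature is computed over those attributes, so a signature pre-calculated over the content alone would not verify.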