I have a CMS (PKCS#7) file containing the following:
- the content to be signed (a few lines of ASCII text)
- the signer’s X.509 certificate
- the content’s digest (sha256 hash)
- the signature
Now I need to replace the signature (and the certificate) with one coming from Vault. Vault does not offer the creation of CMS files, so I need to manually do that. The steps would be:
- extract the content’s digest (probably wrapped in some ASN.1 container)
- send that binary (base64 encoded) to the Vault Transit engine and have it signed
- assemble the original content with the new signature and the new certificate into a new CMS file (using low-level ASN.1 tools)
However, this is quite elaborate and I’m struggling with the implementation. Has anyone done that and is willing to share the tools?
Background: We build embedded Linux images using the rauc SW update mechanism. Rauc uses CMS files for signing of software bundles. With openssl instead of Vault, I would use the following command to create the CMS file, as described here:
openssl cms -sign -signer new-signer.cert.pem -CAfile new-ca-cert.pem -inkey new-signer.key.pem -nodetach -in manifest.raucm -outform der -out new-signature.cms
Thanks for any help,
Georg