I’d love transit to be quiet about what it gets with prehashed=True; it expects the input to really be a hash value.
My use case is creating PKCS#7 files of the signedData variety. I can create the exact structures needed by heavy ASN.1 work in Python. But then I can’t use Vault to sign it because what needs to be signed is an encoded DigestInfo sequence instead of the plain digest itself. With prehashed=True, the operation is rejected. With prehashed=False, a signature is produced, but OpenSSL rejects it.
I have done similar things with the transit backend in the past, but there the hashing was OK.
It is well known that you should hash before signing, among other reasons, to make sure the input to the signature is shorter than the key modulus and to make a chosen-plaintext attack more difficult.
But this is a special case: the input is both bounded and the result of a digesting operation.
Can we have this? Or can anyone suggest some other way to achieve this?
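As an added illustration (not part of the post, and not Vault or OpenSSL code), the stdlib Python below builds the DigestInfo and the EMSA-PKCS1-v1_5 block from RFC 8017 and models the two inputs described above through `encode_for_signer`, a hypothetical stand-in for a conforming PKCS#1 v1.5 signer that either hashes its input or expects a digest of exactly the algorithm's length. It goes slightly beyond the post by covering SHA-384 and SHA-512 as well as SHA-256.

```python
import hashlib
import hmac

# Raw OID contents for the DigestInfo AlgorithmIdentifier (RFC 8017, Appendix A.2.4).
_OIDS = {
    "sha256": bytes.fromhex("608648016503040201"),
    "sha384": bytes.fromhex("608648016503040202"),
    "sha512": bytes.fromhex("608648016503040203"),
}

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form length only (every DigestInfo here is under 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body

def digest_info(alg: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.
    Rejects a digest of the wrong length, as a prehashed signing API must."""
    size = hashlib.new(alg).digest_size
    if len(digest) != size:
        raise ValueError(f"{alg} digest must be {size} bytes, got {len(digest)}")
    alg_id = der(0x30, der(0x06, _OIDS[alg]) + der(0x05, b""))  # OID + NULL parameters
    return der(0x30, alg_id + der(0x04, digest))

def encode_for_signer(alg: str, data: bytes, prehashed: bool) -> bytes:
    """Hypothetical model of what a conforming PKCS#1 v1.5 signer pads: with prehashed=False
    it hashes `data` itself, with prehashed=True it takes `data` as the digest. T is always DigestInfo,
    so handing it an already-encoded DigestInfo either double-wraps it or fails the length check."""
    digest = data if prehashed else hashlib.new(alg, data).digest()
    return digest_info(alg, digest)

def emsa_pkcs1_v1_5(alg: str, digest: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || T (RFC 8017 section 9.2); em_len is the modulus length k."""
    t = digest_info(alg, digest)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def em_matches(alg: str, digest: bytes, recovered: bytes) -> bool:
    """Verifier-side check: compare sig^e mod n (as k bytes) with the expected EM, constant-time."""
    return hmac.compare_digest(recovered, emsa_pkcs1_v1_5(alg, digest, len(recovered)))
```

For a 2048-bit key the block is 256 bytes and the SHA-256 DigestInfo occupies its last 51 bytes, which is why a verifier such as OpenSSL compares the whole encoding and not just the digest.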