I have the following use case: I receive an email with a detached CMS signature. I want to add a new signature without altering the first one.
My code looks like this:
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
#include <openssl/x509.h>

unsigned int cms_flags = CMS_PARTIAL | CMS_DETACHED;
CMS_ContentInfo *cms = NULL;
BIO *bio_p7s = NULL, *bio_in = NULL, *bio_out = NULL;
// Load and parse previous signature (DER-encoded .p7s)
bio_p7s = BIO_new_file(p7s_path, "r");
if (bio_p7s == NULL) {
...
}
if (!d2i_CMS_bio(bio_p7s, &cms)) {
...
}
// Open input (content file the detached signature covers)
bio_in = BIO_new_file(content_path, "r");
if (bio_in == NULL) {
...
}
// Sign! Add a new SignerInfo for our certificate/key, SHA-512 digest
CMS_SignerInfo *sig;
sig = CMS_add1_signer(cms, cert_x509, key_pair, EVP_sha512(), cms_flags);
if (sig == NULL) {
...
}
if (!CMS_SignerInfo_sign(sig)) {
...
}
// Add certificates (full chain of the new signer)
for (int i = 0; i < sk_X509_num(full_chain); i++) {
X509 *x = sk_X509_value(full_chain, i);
if (!CMS_add1_cert(cms, x)) {
...
}
}
// Open output
bio_out = BIO_new_file(output.mb_str(), "w");
if (bio_out == NULL) {
...
}
// Finalize: CMS_final() returns 1 on success, so the error branch is taken on 0
if (!CMS_final(cms, bio_in, NULL, cms_flags)) {
...
}
// Write output (DER)
int err = i2d_CMS_bio(bio_out, cms);
if (err == 0) {
...
}
if (BIO_flush(bio_out) != 1) {
...
}
BIO_free(bio_out);
BIO_free(bio_in);
BIO_free(bio_p7s);
CMS_ContentInfo_free(cms);
However, I get the following error:
139702829592704:error:2E096085:CMS routines:cms_SignerInfo_content_sign:no private key:crypto/cms/cms_sd.c:546:
139702829592704:error:2E07F067:CMS routines:CMS_final:cms datafinal error:crypto/cms/cms_smime.c:772:
If I don't call CMS_final, I get a p7s file that is missing the messageDigest attribute.
How can I force OpenSSL to compute the messageDigest only for the new signature?