Description
When trying to re-sign a CMS using CMS_NO_ATTR and/or CMS_KEY_PARAM, via the command line or directly, the output CMS does not contain the new signature and is corrupted.
Full reproduction code is available at https://github.com/alonbl/openssl-cms-pss.
I believe the root cause is that when resign is executed, CMS_final() is not called and i2d_CMS_bio() is called instead, while its logic is incomplete.
References
Discussion
openssl-users
Tested Branches
Reproduction
Repo
https://github.com/alonbl/openssl-cms-pss
Script
Output