Include the option PKI_CMS_ADD_SIGNINGCERT (Cms.SigDataOptions.AddSigningCertificate)
to add an ESS Signing Certificate Attribute to the signed attributes.
The signing certificate attribute is designed to prevent simple substitution and re-issue attacks
by cryptographically linking the certificate used to create the signature with the signature itself.
This is required for B-level conformance with CAdES-BES [CADES], which in turn refers to
ESS [RFC2634] and [RFC5035].
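
The linkage described above can be seen in a small check, added here as an illustration and not taken from the Toolkit: a verifier recomputes the hash of the certificate it is about to trust and compares it with the certHash in the signed SigningCertificateV2 attribute of [RFC5035]. The helper names and sample bytes are constructed for this example, and the optional issuerSerial field is not checked.

```python
import hashlib
import hmac

# DER-encoded hash OIDs an ESSCertIDv2 may name; SHA-256 is the default when omitted.
HASH_OIDS = {
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def cert_matches_attribute(attr_value_der, cert_der):
    """True if the first ESSCertIDv2 in a SigningCertificateV2 is the hash of cert_der."""
    _, signing_cert, _ = read_tlv(attr_value_der)   # SigningCertificateV2 SEQUENCE
    _, certs, _ = read_tlv(signing_cert)            # certs: SEQUENCE OF ESSCertIDv2
    _, cert_id, _ = read_tlv(certs)                 # first entry identifies the signer
    tag, body, nxt = read_tlv(cert_id)
    alg = "sha256"
    if tag == 0x30:                                 # explicit hashAlgorithm present
        _, oid, _ = read_tlv(body)
        alg = HASH_OIDS.get(oid)
        if alg is None:
            raise ValueError("unsupported hash algorithm")
        tag, body, nxt = read_tlv(cert_id, nxt)
    if tag != 0x04:                                 # certHash is an OCTET STRING
        raise ValueError("certHash missing")
    return hmac.compare_digest(body, hashlib.new(alg, cert_der).digest())

def der(tag, content):
    """Encode one short-form DER element (used only to build the sample below)."""
    return bytes([tag, len(content)]) + content

# Constructed sample: placeholder bytes stand in for two DER certificates.
SIGNER_CERT = b"constructed stand-in for the signer's certificate"
REISSUED_CERT = b"constructed stand-in for a re-issued certificate"
ATTR = der(0x30, der(0x30, der(0x30, der(0x04, hashlib.sha256(SIGNER_CERT).digest()))))

if __name__ == "__main__":
    print(cert_matches_attribute(ATTR, SIGNER_CERT))    # signer's own certificate
    print(cert_matches_attribute(ATTR, REISSUED_CERT))  # substituted certificate
```

Because the attribute sits among the signed attributes, a certificate that fails this comparison cannot be swapped in without invalidating the signature.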

Include the option PKI_CMS_ADD_ALGPROTECT (Cms.SigDataOptions.AddAlgProtection)
to add an Algorithm Protection Attribute to the signed attributes.
This is in accordance with [RFC6211].
If a CMS validator supports this attribute (which this Toolkit now does - see CMS_VerifySigData),
then additional checks are made to protect against signature and message digest algorithm substitution attacks.