? echo cleartext | sign | enc | pkcs#7

Hello All,

I need to send UDP datagrams from numerous client machines
in signed+encrypted form. Origilal messages are text lines,
from 50 to 1800 characters long,
1 to 100 messages per second per client.

Options are:

1. Asymmetric. Generate two RSA keypairs per client,
sign with private A, encrypt with public B, base64, send.
This is a well tested solution, no performance issues.
main difficulty is key management. Key is 2048 long,
all datagrams are 2048 long, no matter how long
original messages are. Good obscurity :-)

2. Symmetric proprietary format.
For every message:
Sign with prvate A.
Generate random password, encrypt the payload with it.
Encrypt this password with public B, prepend to payload.
Also a tested solution. Disadvandage is key management
and proprietary message format.

3. Send a message as a pkcs#7 token.
Lots of advantages, as we have pkcs#7 capable HSM
on datagram collection server, and the relevant CA can
be used for certificate management on the clients.
Question is, can I generate pkcs#7 from cleartext + (PEM keys or
certificates)?
How?

Or I totally misunderstand the whole idea?

Thanks,
Andrei