Paul Kehrer

@Lukasa It's on my list! (But you should remind me on occasion)

CMS is an enormous (and terrible) specification so you'll need to very precisely define what it is you need. This really means spelunking through RFCs and determining the minimal set...

We use OpenSSL to load these keys so either we're missing some paths to load this type or else OpenSSL itself doesn't support this. I've never seen a key of...

Just some followup here for tracking: OpenSSL does not currently support this (https://github.com/openssl/openssl/issues/10468) but has an open PR with a "post-3.0" milestone (https://github.com/openssl/openssl/pull/13942). As it stands we won't be able...

This isn't passing CI because it needs to correctly handle OpenSSL versions where these APIs don't exist. That said, I'd like to understand what your plans on here. We don't...

Looks like boringssl needs to implement the weird NID mapping to PBES2 choice that OpenSSL added if we want to support this. See: https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/pkcs8/pkcs8.c#492 @davidben is there another way to...

Is the request here to be able to return attached data that the SignatureBuilder encodes? I don't really want to return that without verification, which is a challenge for the...

references #1957 and #1660 (although that issue overlaps but is not the same as this). If the scope of this issue is limited to validation of a cert by an...

Added `signature` #2387, but we're going to need something that outputs `tbsCertificate` as well if you want to verify a signature.

If we end up going down this path we'll either need a `tbs_certificate` property so you can use the hazmat asym verification primitives or else we'll need to define new...