oss-sec mailing list archives

Re: Re: Best practices for signature verification


From: Taavi Eomäe <taavi () zone ee>
Date: Tue, 6 Jan 2026 11:43:36 +0200

Hi,

On 03.01.2026 22:41, Demi Marie Obenour wrote:
> Are you concerned about the attack surface of these libraries?
> OpenSSL has a substantial history of vulnerabilities.  One of the
> goals of OpenSSH signatures is to be easy to correctly implement,
> even in languages like C.
>
> I'd be interested in what ASN.1 compilers and libraries you recommend,
> especially ones that support BER instead of only DER.  I actually tried
> writing one myself and it's not easy, though definitely not impossible.

On 05.01.2026 21:05, Demi Marie Obenour wrote:
> Microsoft has a spec, and it does use a fairly reasonable subset
> of CMS, but it is still quite complex.  Much of the complexity is
> likely in the X.509 certificate handling, though.  This assumes one
> uses a special-purpose CMS implementation and not a general-purpose,
> overcomplicated one.

I have a working implementation for S/MIME with BER support* written in Rust. Using RustTLS, the crates behind pyca/cryptography for X.509 certificate handling and indygreg/cryptography-rs for the CMS. Took me a few days to write a PoC, so it's very doable. Especially for a vendor with an actual need (for a memory-safe implementation).

In my experience PGP/GPG is much worse to implement and much less well-defined than S/MIME. That is just spec-wise, even if you manage to write a memory-safe implementation.


I plan on upstreaming S/MIME support to pyca/cryptography for it to be able to fully check the certificates conform to the CABf S/MIME baseline. The maintainers of the project are also thinking about making the crates more generally usable.

There's also an Authenticode/PE implementation written in Rust on GitHub, haven't taken a close look though.


* - Because CMS currently requires it. But it's a remnant that could be removed, there's even a lazy justification for it in the RFC.

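As an added illustration of the BER-versus-DER point raised in the exchange above (this is not code from the thread, from Taavi's implementation, or from any of the named crates): a minimal ASN.1 TLV reader in Rust that accepts BER's indefinite-length and non-minimal length encodings in one mode and rejects them in a strict DER mode. CMS SignedData is commonly emitted with indefinite-length wrappers, which is why a CMS parser needs BER support, while the X.509 certificates it carries are DER and should be parsed strictly. All type, function and constant names (`Mode`, `Tlv`, `read_tlv`, the `*_SAMPLE` inputs) are my own, and the sample byte strings are constructed for the example.

```rust
// Added example, not code from the thread: a minimal ASN.1 TLV reader that
// makes the BER-vs-DER distinction concrete. Only single-octet tags
// (tag number < 31) are handled, which covers the universal and
// context-specific tags CMS framing uses. Names are the example's own.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode {
    Ber, // accept indefinite lengths and non-minimal length encodings
    Der, // reject both (DER is the canonical subset of BER)
}

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub constructed: bool,
    pub content: &'a [u8],
    pub consumed: usize, // tag + length + content (+ end-of-contents octets)
}

#[derive(Debug, PartialEq)]
pub enum Error {
    Truncated,
    ReservedLengthOctet,  // 0xFF is reserved by X.690
    LengthTooLarge,       // more than 4 length octets; not needed here
    IndefiniteInDer,
    IndefinitePrimitive,  // indefinite length is only legal for constructed types
    MissingEndOfContents,
    NonMinimalLength,
}

/// Reads one TLV at the start of `input` under the given encoding rules.
pub fn read_tlv(input: &[u8], mode: Mode) -> Result<Tlv<'_>, Error> {
    let tag = *input.first().ok_or(Error::Truncated)?;
    let first_len = *input.get(1).ok_or(Error::Truncated)?;
    let constructed = tag & 0x20 != 0;

    if first_len == 0x80 {
        // Indefinite form: content runs until the end-of-contents octets 00 00.
        if mode == Mode::Der {
            return Err(Error::IndefiniteInDer);
        }
        if !constructed {
            return Err(Error::IndefinitePrimitive);
        }
        let mut pos = 2;
        loop {
            let rest = input.get(pos..).ok_or(Error::Truncated)?;
            if rest.is_empty() {
                return Err(Error::MissingEndOfContents);
            }
            if rest.starts_with(&[0x00, 0x00]) {
                return Ok(Tlv { tag, constructed, content: &input[2..pos], consumed: pos + 2 });
            }
            // Nested elements may themselves be indefinite-length, so recurse in BER mode.
            pos += read_tlv(rest, Mode::Ber)?.consumed;
        }
    }
    if first_len == 0xFF {
        return Err(Error::ReservedLengthOctet);
    }

    let (content_len, header_len) = if first_len < 0x80 {
        (first_len as usize, 2)
    } else {
        let n = (first_len & 0x7F) as usize;
        if n > 4 {
            return Err(Error::LengthTooLarge);
        }
        let octets = input.get(2..2 + n).ok_or(Error::Truncated)?;
        if mode == Mode::Der {
            // DER: no leading zero octets, and the short form must be used when it fits.
            if octets[0] == 0 || (n == 1 && octets[0] < 0x80) {
                return Err(Error::NonMinimalLength);
            }
        }
        let len = octets.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, 2 + n)
    };
    let end = header_len.checked_add(content_len).ok_or(Error::Truncated)?;
    let content = input.get(header_len..end).ok_or(Error::Truncated)?;
    Ok(Tlv { tag, constructed, content, consumed: end })
}

// Constructed sample inputs: the same SEQUENCE { OCTET STRING "abc" } encoded
// as BER with an indefinite length and as DER.
pub const BER_SAMPLE: &[u8] = &[0x30, 0x80, 0x04, 0x03, b'a', b'b', b'c', 0x00, 0x00];
pub const DER_SAMPLE: &[u8] = &[0x30, 0x05, 0x04, 0x03, b'a', b'b', b'c'];
// OCTET STRING "abc" with a long-form length that DER forbids (short form would fit).
pub const NON_MINIMAL_SAMPLE: &[u8] = &[0x04, 0x81, 0x03, b'a', b'b', b'c'];

fn main() {
    let samples = [("BER", BER_SAMPLE), ("DER", DER_SAMPLE), ("non-minimal", NON_MINIMAL_SAMPLE)];
    for (name, bytes) in samples {
        println!("{name}: BER mode -> {:?}", read_tlv(bytes, Mode::Ber).map(|t| t.content));
        println!("{name}: DER mode -> {:?}", read_tlv(bytes, Mode::Der).map(|t| t.content));
    }
}
```

The design point is that the mode is chosen per structure, not per library: the outer CMS ContentInfo and SignedData wrappers are read in BER mode, but the bytes of each certificate and of the signed attributes (whose DER is what the signature actually covers) should be handed to a strict DER reader, so that a non-canonical length encoding cannot change what gets hashed versus what gets interpreted.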