Hello,
Currently I'm attempting to implement a portion of the OpenSSL cms command line application in pure Python to avoid calling subprocess in my software to validate some CMS messages. Basically, the following command:
echo veryCoolCMSdata | openssl cms -verify -binary -inform der -CAfile ./mychain.pem
I saw wider CMS support was "dropped" with #924.
From there I've taken notice of the cryptography module and how it implemented OpenSSL bindings. This was used to advise someone to verify using a modified version of a "_pkcs7_verify" helper in the codebase on #6413 which called the backend functions directly. While the OP of that thread claimed it worked for his CMS case, I haven't managed to reproduce the success.
In my attempts, I've noticed the bindings for functions such as CMS_verify and d2i_CMS_bio in the OpenSSL Backend don't seem to exist.
Currently I'm a bit concerned whether attempting the procedure with the PKCS7 bindings is advisable for validating CMS, even if there's a good PR for verifying PKCS7 at #12267. Is it safe to do? I have a lack of experience with this.
Thanks