
Verifying PKCS7 CMS message with hazmat OpenSSL Bindings #12406

Closed
lgcCerti opened this issue Feb 6, 2025 · 1 comment

Comments

@lgcCerti

lgcCerti commented Feb 6, 2025

Hello,

Currently I'm attempting to implement a portion of the OpenSSL cms command line application in pure Python to avoid calling subprocess in my software to validate some CMS messages. Basically, the following command:

echo veryCoolCMSdata | openssl cms -verify -binary -inform der -CAfile ./mychain.pem

I saw wider CMS support was "dropped" with #924.

From there I've taken notice of the cryptography module and how it implemented OpenSSL bindings. This was used to advise someone to verify using a modified version of a "_pkcs7_verify" helper in the codebase on #6413 which called the backend functions directly. While the OP of that thread claimed it worked for his CMS case, I haven't managed to reproduce the success.

In my attempts, I've noticed the bindings for functions such as CMS_verify and d2i_CMS_bio in the OpenSSL Backend don't seem to exist.

Currently I'm a bit concerned whether attempting the procedure with the PKCS7 bindings is advisable for validating CMS, even if there's a good PR for verifying PKCS7 at #12267. Is it safe to do? I have a lack of experience with this.

Thanks
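The reference behaviour that the command above is meant to reproduce, shown here as an added example rather than anything posted in the issue: a POSIX shell script that builds a throwaway CA and signer, signs a payload both with embedded content (-nodetach) and detached, and then runs the exact verify invocation from the issue against the intact message, a tampered payload and an unrelated trust anchor. The file names, certificate subjects and payload bytes are constructed for this example; anyone reimplementing the verification step can diff their results against these four outcomes.

```shell
#!/bin/sh
# Added example (not from the issue thread): exercise
#   openssl cms -verify -binary -inform der -CAfile <chain>
# end to end against a throwaway PKI built in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed test PKI: a root CA, a leaf it issues, and an unrelated CA.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/signer.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/signer.pem" 2>/dev/null
    # Unrelated self-signed CA: valid certificate, wrong trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# 2. Signing. -binary signs the bytes as-is instead of canonicalising line
#    endings first, which is what a byte-exact verifier must assume.
sign_opaque() {   # sign_opaque <payload> <out.der>: eContent embedded (-nodetach)
    openssl cms -sign -binary -nodetach -in "$1" -signer "$WORK/signer.pem" \
        -inkey "$WORK/signer.key" -outform der -out "$2"
}
sign_detached() { # sign_detached <payload> <out.der>: content supplied at verify time
    openssl cms -sign -binary -in "$1" -signer "$WORK/signer.pem" \
        -inkey "$WORK/signer.key" -outform der -out "$2"
}

# 3. The command from the issue. Exit status 0 only if the signature over the
#    signed attributes verifies, the messageDigest attribute matches the content,
#    AND the signer certificate chains to something in the -CAfile.
cms_verify() {    # cms_verify <message.der> <ca.pem> <recovered-out> [detached-content]
    if [ -n "${4:-}" ]; then
        openssl cms -verify -binary -inform der -in "$1" -CAfile "$2" \
            -content "$4" -out "$3" 2>/dev/null
    else
        openssl cms -verify -binary -inform der -in "$1" -CAfile "$2" \
            -out "$3" 2>/dev/null
    fi
}

# 4. Four outcomes a reimplementation must match. Echoes "ok" when all hold.
run_demo() {
    make_pki
    printf 'veryCoolCMSdata\n' > "$WORK/payload.bin"   # constructed payload
    printf 'veryCoolCMSdatb\n' > "$WORK/tampered.bin"  # one byte changed

    sign_opaque   "$WORK/payload.bin" "$WORK/opaque.der"
    sign_detached "$WORK/payload.bin" "$WORK/detached.der"

    # Pass: intact opaque message, correct anchor; recovered bytes equal the payload.
    cms_verify "$WORK/opaque.der" "$WORK/ca.pem" "$WORK/recovered.bin" || return 1
    cmp -s "$WORK/payload.bin" "$WORK/recovered.bin" || return 1
    # Pass: detached signature with the original content supplied.
    cms_verify "$WORK/detached.der" "$WORK/ca.pem" /dev/null "$WORK/payload.bin" || return 1
    # Fail: content changed, so the signed messageDigest attribute no longer matches.
    if cms_verify "$WORK/detached.der" "$WORK/ca.pem" /dev/null "$WORK/tampered.bin"; then
        return 1
    fi
    # Fail: signature is valid but the signer does not chain to the given CA file.
    if cms_verify "$WORK/opaque.der" "$WORK/other.pem" /dev/null; then
        return 1
    fi
    echo ok
}

RESULT=$(run_demo)
echo "cms verify demo: $RESULT"
```

Two points the script makes that a port is easy to get wrong: -binary matters at signing time as well, since without it the CMS code canonicalises line endings before hashing and a byte-exact verifier will compute a different digest; and -noverify is not a shortcut for the last case, because it skips chain building entirely and a message signed by any certificate at all would then pass.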

@alex
Member

alex commented Feb 6, 2025

We definitely do not recommend using the PKCS#7 bindings directly at this point. #12267 tracks adding proper support, and is being actively worked on, so I'm going to close this as a duplicate of that.
