diff --git a/Cargo.lock b/Cargo.lock
index 4a095aa4f..e5d7b5502 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -800,6 +800,7 @@ dependencies = [
  "assert_cmd",
  "atree",
  "c2pa",
+ "c2pa-crypto",
  "clap",
  "env_logger",
  "glob",
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
index d4b1c1066..4a9b6f8db 100644
--- a/cli/Cargo.toml
+++ b/cli/Cargo.toml
@@ -27,6 +27,7 @@ c2pa = { path = "../sdk", version = "0.40.0", features = [
 	"pdf",
 	"unstable_api",
 ] }
+c2pa-crypto = { path = "../internal/crypto", version = "0.2.0" }
 clap = { version = "4.5.10", features = ["derive", "env"] }
 env_logger = "0.11.4"
 glob = "0.3.1"
diff --git a/cli/src/callback_signer.rs b/cli/src/callback_signer.rs
index 6f4928b9e..b07ef6290 100644
--- a/cli/src/callback_signer.rs
+++ b/cli/src/callback_signer.rs
@@ -18,6 +18,10 @@ use std::{
 
 use anyhow::{bail, Context};
 use c2pa::{Error, Signer, SigningAlg};
+use c2pa_crypto::{
+    raw_signature::{RawSigner, RawSignerError},
+    time_stamp::TimeStampProvider,
+};
 
 use crate::signer::SignConfig;
 
@@ -183,6 +187,53 @@ impl Signer for CallbackSigner<'_> {
     fn time_authority_url(&self) -> Option<String> {
         self.config.tsa_url.clone()
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for CallbackSigner<'_> {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        self.callback.sign(data).map_err(|e| {
+            eprintln!("Unable to embed signature into asset. {}", e);
+            RawSignerError::InternalError(e.to_string())
+        })
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.config.alg
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        let cert_contents = std::fs::read(&self.config.sign_cert_path)?;
+
+        let mut pems = pem::parse_many(cert_contents).map_err(|_| Error::CoseInvalidCert)?;
+        // [pem::parse_many] returns an empty vector if you supply invalid contents, like json, for example.
+        // Check here if the pems vector is empty.
+        if pems.is_empty() {
+            return Err(RawSignerError::InvalidSigningCredentials(
+                "no certificates provided".to_string(),
+            ));
+        }
+
+        let sign_cert = pems
+            .drain(..)
+            .map(|p| p.into_contents())
+            .collect::<Vec<Vec<u8>>>();
+
+        Ok(sign_cert)
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.config.reserve_size
+    }
+}
+
+impl TimeStampProvider for CallbackSigner<'_> {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.config.tsa_url.clone()
+    }
 }
 
 #[cfg(test)]
@@ -214,7 +265,7 @@ mod test {
         let callback = Box::new(mock_callback_signer);
         let signer = CallbackSigner::new(callback, config);
 
-        assert_eq!(signer.sign(&[]).unwrap(), expected);
+        assert_eq!(Signer::sign(&signer, &[]).unwrap(), expected);
     }
 
     #[test]
@@ -237,7 +288,10 @@ mod test {
         let callback = Box::new(mock_callback_signer);
         let signer = CallbackSigner::new(callback, config);
 
-        assert!(matches!(signer.sign(&[]), Err(Error::EmbeddingError)));
+        assert!(matches!(
+            Signer::sign(&signer, &[]),
+            Err(Error::EmbeddingError)
+        ));
     }
 
     #[test]
@@ -291,8 +345,8 @@ mod test {
         let callback = Box::<MockSignCallback>::default();
         let signer = CallbackSigner::new(callback, esc);
 
-        assert_eq!(signer.alg(), expected_alg);
-        assert_eq!(signer.reserve_size(), expected_reserve_size);
+        assert_eq!(Signer::alg(&signer), expected_alg);
+        assert_eq!(Signer::reserve_size(&signer), expected_reserve_size);
     }
 
     #[test]
diff --git a/internal/crypto/src/asn1/rfc3161.rs b/internal/crypto/src/asn1/rfc3161.rs
index 03b89ffc3..789ee7c6e 100644
--- a/internal/crypto/src/asn1/rfc3161.rs
+++ b/internal/crypto/src/asn1/rfc3161.rs
@@ -24,11 +24,6 @@ use crate::asn1::{rfc4210::PkiFreeText, rfc5652::ContentInfo};
 /// 1.2.840.113549.1.9.16.1.4
 pub const OID_CONTENT_TYPE_TST_INFO: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 4]);
 
-/// id-aa-timeStampToken
-///
-/// 1.2.840.113549.1.9.16.2.14
-pub const OID_TIME_STAMP_TOKEN: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 2, 14]);
-
 /// A time-stamp request.
 ///
 /// ```ASN.1
@@ -53,6 +48,7 @@ pub struct TimeStampReq {
 }
 
 impl TimeStampReq {
+    #[allow(dead_code)] // not used on all platforms
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = Integer::take_from(cons)?;
@@ -149,17 +145,6 @@ impl TimeStampResp {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode_ref(),
-            if let Some(time_stamp_token) = &self.time_stamp_token {
-                Some(time_stamp_token)
-            } else {
-                None
-            },
-        ))
-    }
 }
 
 /// PKI status info
@@ -191,16 +176,6 @@ impl PkiStatusInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode(),
-            self.status_string
-                .as_ref()
-                .map(|status_string| status_string.encode_ref()),
-            self.fail_info.as_ref().map(|fail_info| fail_info.encode()),
-        ))
-    }
 }
 
 /// PKI status.
diff --git a/internal/crypto/src/asn1/rfc3281.rs b/internal/crypto/src/asn1/rfc3281.rs
index 8b0505cb8..180088b27 100644
--- a/internal/crypto/src/asn1/rfc3281.rs
+++ b/internal/crypto/src/asn1/rfc3281.rs
@@ -79,6 +79,7 @@ impl AttributeCertificateInfo {
 }
 
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertVersion {
     V2 = 1,
 }
@@ -104,6 +105,7 @@ pub struct Holder {
 }
 
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum DigestedObjectType {
     PublicKey = 0,
     PublicKeyCert = 1,
@@ -142,6 +144,7 @@ pub struct ObjectDigestInfo {
 /// }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertIssuer {
     V1Form(GeneralNames),
     V2Form(Box<V2Form>),
diff --git a/internal/crypto/src/asn1/rfc4210.rs b/internal/crypto/src/asn1/rfc4210.rs
index 39022baaa..93dc3719d 100644
--- a/internal/crypto/src/asn1/rfc4210.rs
+++ b/internal/crypto/src/asn1/rfc4210.rs
@@ -8,7 +8,6 @@
 
 use bcder::{
     decode::{Constructed, DecodeError, Source},
-    encode::{self, Values},
     Tag, Utf8String,
 };
 
@@ -27,10 +26,6 @@ impl PkiFreeText {
         cons.take_opt_sequence(|cons| Self::from_sequence(cons))
     }
 
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| Self::from_sequence(cons))
-    }
-
     pub fn from_sequence<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -44,8 +39,4 @@ impl PkiFreeText {
 
         Ok(Self(res))
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence(encode::slice(&self.0, |x| x.clone().encode()))
-    }
 }
diff --git a/internal/crypto/src/asn1/rfc5652.rs b/internal/crypto/src/asn1/rfc5652.rs
index 5032f15e8..ba8883d1b 100644
--- a/internal/crypto/src/asn1/rfc5652.rs
+++ b/internal/crypto/src/asn1/rfc5652.rs
@@ -29,43 +29,11 @@ use x509_certificate::{asn1time::*, rfc3280::*, rfc5280::*, rfc5652::*};
 
 use crate::asn1::rfc3281::AttributeCertificate;
 
-/// The data content type.
-///
-/// `id-data` in the specification.
-///
-/// 1.2.840.113549.1.7.1
-pub const OID_ID_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 1]);
-
 /// The signed-data content type.
 ///
 /// 1.2.840.113549.1.7.2
 pub const OID_ID_SIGNED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 2]);
 
-/// Enveloped data content type.
-///
-/// 1.2.840.113549.1.7.3
-pub const OID_ENVELOPE_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 3]);
-
-/// Digested-data content type.
-///
-/// 1.2.840.113549.1.7.5
-pub const OID_DIGESTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 5]);
-
-/// Encrypted-data content type.
-///
-/// 1.2.840.113549.1.7.6
-pub const OID_ENCRYPTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 6]);
-
-/// Authenticated-data content type.
-///
-/// 1.2.840.113549.1.9.16.1.2
-pub const OID_AUTHENTICATED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 2]);
-
-/// Identifies the content-type attribute.
-///
-/// 1.2.840.113549.1.9.3
-pub const OID_CONTENT_TYPE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 3]);
-
 /// Identifies the message-digest attribute.
 ///
 /// 1.2.840.113549.1.9.4
@@ -76,11 +44,6 @@ pub const OID_MESSAGE_DIGEST: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9,
 /// 1.2.840.113549.1.9.5
 pub const OID_SIGNING_TIME: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 5]);
 
-/// Identifies the countersignature attribute.
-///
-/// 1.2.840.113549.1.9.6
-pub const OID_COUNTER_SIGNATURE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 6]);
-
 /// Content info.
 ///
 /// ```ASN.1
@@ -158,23 +121,6 @@ pub struct SignedData {
 }
 
 impl SignedData {
-    /// Attempt to decode BER encoded bytes to a parsed data structure.
-    pub fn decode_ber(data: &[u8]) -> Result<Self, DecodeError<std::convert::Infallible>> {
-        Constructed::decode(data, bcder::Mode::Ber, Self::decode)
-    }
-
-    pub fn decode<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| {
-            let oid = Oid::take_from(cons)?;
-
-            if oid != OID_ID_SIGNED_DATA {
-                return Err(cons.content_err("expected signed data OID"));
-            }
-
-            cons.take_constructed_if(Tag::CTX_0, Self::take_from)
-        })
-    }
-
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = CmsVersion::take_from(cons)?;
@@ -197,25 +143,6 @@ impl SignedData {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            OID_ID_SIGNED_DATA.encode_ref(),
-            encode::sequence_as(
-                Tag::CTX_0,
-                encode::sequence((
-                    self.version.encode(),
-                    self.digest_algorithms.encode_ref(),
-                    self.content_info.encode_ref(),
-                    self.certificates
-                        .as_ref()
-                        .map(|certs| certs.encode_ref_as(Tag::CTX_0)),
-                    // TODO crls.
-                    self.signer_infos.encode_ref(),
-                )),
-            ),
-        ))
-    }
 }
 
 /// Digest algorithm identifiers.
@@ -252,10 +179,6 @@ impl DigestAlgorithmIdentifiers {
             Ok(Self(identifiers))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 pub type DigestAlgorithmIdentifier = AlgorithmIdentifier;
@@ -294,10 +217,6 @@ impl SignerInfos {
             Ok(Self(infos))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 /// Encapsulated content info.
@@ -343,15 +262,6 @@ impl EncapsulatedContentInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.content_type.encode_ref(),
-            self.content
-                .as_ref()
-                .map(|content| encode::sequence_as(Tag::CTX_0, content.encode_ref())),
-        ))
-    }
 }
 
 /// Per-signer information.
@@ -647,10 +557,6 @@ impl DerefMut for SignedAttributes {
 }
 
 impl SignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -759,10 +665,6 @@ impl DerefMut for UnsignedAttributes {
 }
 
 impl UnsignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -846,6 +748,8 @@ pub type UnprotectedAttributes = Vec<Attribute>;
 ///   ori [4] OtherRecipientInfo }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
+#[allow(clippy::enum_variant_names)]
 pub enum RecipientInfo {
     KeyTransRecipientInfo(KeyTransRecipientInfo),
     KeyAgreeRecipientInfo(KeyAgreeRecipientInfo),
@@ -881,6 +785,7 @@ pub struct KeyTransRecipientInfo {
 ///   subjectKeyIdentifier [0] SubjectKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -914,6 +819,7 @@ pub struct KeyAgreeRecipientInfo {
 ///   originatorKey [1] OriginatorPublicKey }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum OriginatorIdentifierOrKey {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -957,6 +863,7 @@ pub struct RecipientEncryptedKey {
 ///   rKeyId [0] IMPLICIT RecipientKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum KeyAgreeRecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     RKeyId(RecipientKeyIdentifier),
@@ -1135,6 +1042,7 @@ impl RevocationInfoChoices {
 ///   other [1] IMPLICIT OtherRevocationInfoFormat }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RevocationInfoChoice {
     Crl(Box<CertificateList>),
     Other(OtherRevocationInfoFormat),
@@ -1268,10 +1176,6 @@ impl CertificateSet {
 
         Ok(Self(certs))
     }
-
-    pub fn encode_ref_as(&self, tag: Tag) -> impl Values + '_ {
-        encode::set_as(tag, &self.0)
-    }
 }
 
 /// Issuer and serial number.
@@ -1372,10 +1276,6 @@ pub struct OtherKeyAttribute {
 
 pub type ContentType = Oid;
 
-pub type MessageDigest = OctetString;
-
-pub type SigningTime = Time;
-
 /// Time variant.
 ///
 /// ```ASN.1
@@ -1416,6 +1316,4 @@ impl From<Time> for chrono::DateTime<chrono::Utc> {
     }
 }
 
-pub type CounterSignature = SignerInfo;
-
 pub type AttributeCertificateV2 = AttributeCertificate;
diff --git a/internal/crypto/src/cose/error.rs b/internal/crypto/src/cose/error.rs
index 0b1d6ef8b..40710feaa 100644
--- a/internal/crypto/src/cose/error.rs
+++ b/internal/crypto/src/cose/error.rs
@@ -15,7 +15,7 @@ use thiserror::Error;
 
 use crate::{
     cose::{CertificateProfileError, CertificateTrustError},
-    raw_signature::RawSignatureValidationError,
+    raw_signature::{RawSignatureValidationError, RawSignerError},
     time_stamp::TimeStampError,
 };
 
@@ -66,7 +66,15 @@ pub enum CoseError {
     #[error(transparent)]
     CertificateTrustError(#[from] CertificateTrustError),
 
-    /// An error was occurred when interpreting the underlying raw signature.
+    /// The box size provided for the signature is too small.
+    #[error("the signature box is too small")]
+    BoxSizeTooSmall,
+
+    /// An error occurred when generating the underlying raw signature.
+    #[error(transparent)]
+    RawSignerError(#[from] RawSignerError),
+
+    /// An error occurred when interpreting the underlying raw signature.
     #[error(transparent)]
     RawSignatureValidationError(#[from] RawSignatureValidationError),
 
diff --git a/internal/crypto/src/cose/mod.rs b/internal/crypto/src/cose/mod.rs
index 04dd158ac..3d5751bcb 100644
--- a/internal/crypto/src/cose/mod.rs
+++ b/internal/crypto/src/cose/mod.rs
@@ -29,15 +29,26 @@ pub use error::CoseError;
 mod ocsp;
 pub use ocsp::{check_ocsp_status, check_ocsp_status_async, OcspFetchPolicy};
 
+mod sign;
+pub use sign::{sign, sign_async};
+
 mod sign1;
-pub use sign1::{cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1};
+pub use sign1::{
+    cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1, signing_time_from_sign1,
+    signing_time_from_sign1_async,
+};
 
 mod sigtst;
-pub use sigtst::{
-    add_sigtst_header, add_sigtst_header_async, cose_countersign_data, parse_and_validate_sigtst,
-    parse_and_validate_sigtst_async, validate_cose_tst_info, validate_cose_tst_info_async,
-    TstToken,
+pub(crate) use sigtst::{
+    add_sigtst_header, add_sigtst_header_async, validate_cose_tst_info,
+    validate_cose_tst_info_async,
 };
 
+mod time_stamp_storage;
+pub use time_stamp_storage::TimeStampStorage;
+
+mod validation_info;
+pub use validation_info::ValidationInfo;
+
 mod verifier;
 pub use verifier::Verifier;
diff --git a/internal/crypto/src/cose/ocsp.rs b/internal/crypto/src/cose/ocsp.rs
index f27a7c487..fa43f545c 100644
--- a/internal/crypto/src/cose/ocsp.rs
+++ b/internal/crypto/src/cose/ocsp.rs
@@ -27,8 +27,6 @@ use crate::{
 
 /// Given a COSE signature, extract the OCSP data and validate the status of
 /// that report.
-///
-/// TO DO: Determine if this needs to remain fully public after refactoring.
 #[async_generic]
 pub fn check_ocsp_status(
     sign1: &CoseSign1,
diff --git a/internal/crypto/src/cose/sign.rs b/internal/crypto/src/cose/sign.rs
new file mode 100644
index 000000000..fc954c266
--- /dev/null
+++ b/internal/crypto/src/cose/sign.rs
@@ -0,0 +1,401 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use async_generic::async_generic;
+use ciborium::value::Value;
+use coset::{
+    iana::{self, EnumI64},
+    CoseSign1, CoseSign1Builder, Header, HeaderBuilder, Label, ProtectedHeader,
+    TaggedCborSerializable,
+};
+use serde_bytes::ByteBuf;
+
+use crate::{
+    cose::{add_sigtst_header, add_sigtst_header_async, CoseError, TimeStampStorage},
+    p1363::{der_to_p1363, parse_ec_der_sig},
+    raw_signature::{AsyncRawSigner, RawSigner, SigningAlg},
+};
+
+/// Given an arbitrary block of data and a [`RawSigner`] or [`AsyncRawSigner`]
+/// instance, generate a COSE signature for that block of data.
+///
+/// Returns a byte vector that is a `Cose_Sign1` data structure.
+///
+/// From [§14.5, X.509 Certificates] of the C2PA Technical Specification:
+///
+/// > X.509 Certificates are stored as defined by [RFC 9360] (CBOR Object
+/// > Signing and Encryption (COSE): Header Parameters for Carrying and
+/// > Referencing X.509 Certificates). For convenience, the definition of
+/// > `x5chain` is copied below.
+/// >
+/// > ...
+/// >
+/// > `x5chain`: This header parameter contains an ordered array of X.509
+/// > certificates. The certificates are to be ordered starting with the
+/// > certificate containing the end-entity key followed by the certificate that
+/// > signed it, and so on. There is no requirement for the entire chain to be
+/// > present in the element if there is reason to believe that the relying
+/// > party already has, or can locate, the missing certificates. This means
+/// > that the relying party is still required to do path building but that a
+/// > candidate path is proposed in this header parameter.
+/// >
+/// > The trust mechanism MUST process any certificates in this parameter as
+/// > untrusted input. The presence of a self-signed certificate in the
+/// > parameter MUST NOT cause the update of the set of trust anchors without
+/// > some out-of-band confirmation. As the contents of this header parameter
+/// > are untrusted input, the header parameter can be in either the protected
+/// > or unprotected header bucket. Sending the header parameter in the
+/// > unprotected header bucket allows an intermediary to remove or add
+/// > certificates.
+/// >
+/// > The end-entity certificate MUST be integrity protected by COSE. This can,
+/// > for example, be done by sending the header parameter in the protected
+/// > header, sending an `x5chain` in the unprotected header combined with an
+/// > `x5t` in the protected header, or including the end-entity certificate in
+/// > the `external_aad`.
+/// >
+/// > This header parameter allows for a single X.509 certificate or a chain of
+/// > X.509 certificates to be carried in the message.
+/// >
+/// > * If a single certificate is conveyed, it is placed in a CBOR byte string.
+/// > * If multiple certificates are conveyed, a CBOR array of byte strings is
+/// > used, with each certificate being in its own byte string.
+///
+/// [§14.5, X.509 Certificates]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates
+/// [RFC 9360]: https://datatracker.ietf.org/doc/html/rfc9360
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    if _sync {
+        match tss {
+            TimeStampStorage::V1_sigTst => sign_v1(signer, data, box_size, tss),
+            TimeStampStorage::V2_sigTst2_CTT => sign_v2(signer, data, box_size, tss),
+        }
+    } else {
+        match tss {
+            TimeStampStorage::V1_sigTst => sign_v1_async(signer, data, box_size, tss).await,
+            TimeStampStorage::V2_sigTst2_CTT => sign_v2_async(signer, data, box_size, tss).await,
+        }
+    }
+}
+
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign_v1(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    let alg = signer.alg();
+
+    let protected_header = if _sync {
+        build_protected_header(signer, alg)?
+    } else {
+        build_protected_header_async(signer, alg).await?
+    };
+
+    // We don't use the additional data header.
+    let aad: &[u8; 0] = b"";
+
+    // V1: Generate time stamp then sign.
+    let unprotected_header = if _sync {
+        build_unprotected_header(signer, data, &protected_header, tss)?
+    } else {
+        build_unprotected_header_async(signer, data, &protected_header, tss).await?
+    };
+
+    let sign1_builder = CoseSign1Builder::new()
+        .protected(protected_header.header.clone())
+        .unprotected(unprotected_header)
+        .payload(data.to_vec());
+
+    let mut sign1 = sign1_builder.build();
+
+    let tbs = coset::sig_structure_data(
+        coset::SignatureContext::CoseSign1,
+        sign1.protected.clone(),
+        None,
+        aad,
+        sign1.payload.as_ref().unwrap_or(&vec![]),
+    );
+
+    let signature = if _sync {
+        signer.sign(&tbs)?
+    } else {
+        signer.sign(tbs).await?
+    };
+
+    // Fix up signatures that may be in the wrong format.
+    sign1.signature = match alg {
+        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
+            if parse_ec_der_sig(&signature).is_ok() {
+                // Fix up DER signature to be in P1363 format.
+                der_to_p1363(&signature, alg)?
+            } else {
+                signature
+            }
+        }
+        _ => signature,
+    };
+
+    // The payload is provided elsewhere, so we don't need to repeat it in the
+    // `Cose_Sign1` structure.
+    sign1.payload = None;
+    pad_cose_sig(&mut sign1, box_size)
+}
+
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign_v2(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    let alg = signer.alg();
+
+    let protected_header = if _sync {
+        build_protected_header(signer, alg)?
+    } else {
+        build_protected_header_async(signer, alg).await?
+    };
+
+    // We don't use the additional data header.
+    let aad: &[u8; 0] = b"";
+
+    // V2: Sign then generate time stamp.
+    let sign1_builder = CoseSign1Builder::new()
+        .protected(protected_header.header.clone())
+        .payload(data.to_vec());
+
+    let mut sign1 = sign1_builder.build();
+
+    let tbs = coset::sig_structure_data(
+        coset::SignatureContext::CoseSign1,
+        sign1.protected.clone(),
+        None,
+        aad,
+        sign1.payload.as_ref().unwrap_or(&vec![]),
+    );
+
+    let signature = if _sync {
+        signer.sign(&tbs)?
+    } else {
+        signer.sign(tbs).await?
+    };
+
+    // Fix up signatures that may be in the wrong format.
+    sign1.signature = match alg {
+        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
+            if parse_ec_der_sig(&signature).is_ok() {
+                // Fix up DER signature to be in P1363 format.
+                der_to_p1363(&signature, alg)?
+            } else {
+                signature
+            }
+        }
+        _ => signature,
+    };
+
+    // The payload is provided elsewhere, so we don't need to repeat it in the
+    // `Cose_Sign1` structure.
+    sign1.payload = None;
+
+    let sig_data = ByteBuf::from(sign1.signature.clone());
+    let mut sig_data_cbor: Vec<u8> = vec![];
+    ciborium::into_writer(&sig_data, &mut sig_data_cbor)
+        .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+    // Fill in the unprotected header with time stamp data.
+    let unprotected_header = if _sync {
+        build_unprotected_header(signer, &sig_data_cbor, &protected_header, tss)?
+    } else {
+        build_unprotected_header_async(signer, &sig_data_cbor, &protected_header, tss).await?
+    };
+
+    sign1.unprotected = unprotected_header;
+
+    pad_cose_sig(&mut sign1, box_size)
+}
+
+#[async_generic(async_signature(signer: &dyn AsyncRawSigner, alg: SigningAlg))]
+fn build_protected_header(
+    signer: &dyn RawSigner,
+    alg: SigningAlg,
+) -> Result<ProtectedHeader, CoseError> {
+    let mut protected_h = match alg {
+        SigningAlg::Ps256 => HeaderBuilder::new().algorithm(iana::Algorithm::PS256),
+        SigningAlg::Ps384 => HeaderBuilder::new().algorithm(iana::Algorithm::PS384),
+        SigningAlg::Ps512 => HeaderBuilder::new().algorithm(iana::Algorithm::PS512),
+        SigningAlg::Es256 => HeaderBuilder::new().algorithm(iana::Algorithm::ES256),
+        SigningAlg::Es384 => HeaderBuilder::new().algorithm(iana::Algorithm::ES384),
+        SigningAlg::Es512 => HeaderBuilder::new().algorithm(iana::Algorithm::ES512),
+        SigningAlg::Ed25519 => HeaderBuilder::new().algorithm(iana::Algorithm::EdDSA),
+    };
+
+    let certs = signer.cert_chain()?;
+
+    let sc_der_array_or_bytes = match certs.len() {
+        1 => Value::Bytes(certs[0].clone()),
+        _ => Value::Array(certs.into_iter().map(Value::Bytes).collect()),
+    };
+
+    // Add certs to protected header.
+    protected_h = protected_h.value(
+        iana::HeaderParameter::X5Chain.to_i64(),
+        sc_der_array_or_bytes.clone(),
+    );
+
+    let protected_header = protected_h.build();
+    let ph2 = ProtectedHeader {
+        original_data: None,
+        header: protected_header.clone(),
+    };
+
+    Ok(ph2)
+}
+
+#[async_generic(async_signature(signer: &dyn AsyncRawSigner, data: &[u8], p_header: &ProtectedHeader,     tss: TimeStampStorage,))]
+fn build_unprotected_header(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    p_header: &ProtectedHeader,
+    tss: TimeStampStorage,
+) -> Result<Header, CoseError> {
+    // signed_data_from_time_stamp_response
+
+    // TO DO: Continue with diff here ... (let maybe_cts etc)
+
+    let unprotected_h = HeaderBuilder::new();
+
+    let mut unprotected_h = if _sync {
+        add_sigtst_header(signer, data, p_header, unprotected_h, tss)?
+    } else {
+        add_sigtst_header_async(signer, data, p_header, unprotected_h, tss).await?
+    };
+
+    // Set the OCSP responder response if available.
+    let ocsp_val = if _sync {
+        signer.ocsp_response()
+    } else {
+        signer.ocsp_response().await
+    };
+
+    if let Some(ocsp) = ocsp_val {
+        let mut ocsp_vec: Vec<Value> = Vec::new();
+        let mut r_vals: Vec<(Value, Value)> = vec![];
+
+        ocsp_vec.push(Value::Bytes(ocsp));
+        r_vals.push((Value::Text("ocspVals".to_string()), Value::Array(ocsp_vec)));
+
+        unprotected_h = unprotected_h.text_value("rVals".to_string(), Value::Map(r_vals));
+    }
+
+    // Build complete header.
+    Ok(unprotected_h.build())
+}
+
+const PAD: &str = "pad";
+const PAD2: &str = "pad2";
+const PAD_OFFSET: usize = 7;
+
+// Pad the CoseSign1 structure with zeroes to match the reserved box size. There
+// are some values lengths that are impossible to hit with a single padding so
+// when that happens a second padding is added to change the remaining needed
+// padding. The default initial guess works for almost all sizes, without the
+// need for additional loops.
+fn pad_cose_sig(sign1: &mut CoseSign1, end_size: usize) -> Result<Vec<u8>, CoseError> {
+    let mut sign1_clone = sign1.clone();
+
+    let cur_vec = sign1_clone
+        .to_tagged_vec()
+        .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+    let cur_size = cur_vec.len();
+    if cur_size == end_size {
+        return Ok(cur_vec);
+    }
+
+    // check for box too small and matched size
+    if cur_size + PAD_OFFSET > end_size {
+        return Err(CoseError::BoxSizeTooSmall);
+    }
+
+    // Start close to desired end size, accounting for label.
+    let mut padding_found = false;
+    let mut last_pad = 0;
+    let mut target_guess = end_size - cur_size - PAD_OFFSET;
+
+    loop {
+        sign1_clone = sign1.clone();
+
+        // Replace padding with new estimate.
+        for header_pair in &mut sign1_clone.unprotected.rest {
+            if header_pair.0 == Label::Text("pad".to_string()) {
+                if let Value::Bytes(b) = &header_pair.1 {
+                    last_pad = b.len();
+                }
+                header_pair.1 = Value::Bytes(vec![0u8; target_guess]);
+                padding_found = true;
+                break;
+            }
+        }
+
+        // If there was no padding, add it and try again.
+        if !padding_found {
+            sign1_clone.unprotected.rest.push((
+                Label::Text(PAD.to_string()),
+                Value::Bytes(vec![0u8; target_guess]),
+            ));
+            return pad_cose_sig(&mut sign1_clone, end_size);
+        }
+
+        // Get current CBOR vec to see if we reached target size.
+        let new_cbor = sign1_clone
+            .to_tagged_vec()
+            .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+        match new_cbor.len() < end_size {
+            true => target_guess += 1,
+            false if new_cbor.len() == end_size => return Ok(new_cbor),
+            false => break,
+            // ^^ We could not match end_size in a single pad so break and add a second.
+        }
+    }
+
+    // If we reach here, we need a new second padding object to hit exact size.
+    sign1.unprotected.rest.push((
+        Label::Text(PAD2.to_string()),
+        Value::Bytes(vec![0u8; last_pad - 10]),
+    ));
+
+    pad_cose_sig(sign1, end_size)
+}
diff --git a/internal/crypto/src/cose/sign1.rs b/internal/crypto/src/cose/sign1.rs
index 0df7e54c8..6eb2c121e 100644
--- a/internal/crypto/src/cose/sign1.rs
+++ b/internal/crypto/src/cose/sign1.rs
@@ -11,6 +11,7 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use async_generic::async_generic;
 use c2pa_status_tracker::{log_item, validation_codes::CLAIM_SIGNATURE_MISMATCH, StatusTracker};
 use ciborium::value::Value;
 use coset::{
@@ -18,7 +19,10 @@ use coset::{
     CoseSign1, Label, RegisteredLabelWithPrivate, TaggedCborSerializable,
 };
 
-use crate::{cose::CoseError, SigningAlg};
+use crate::{
+    cose::{validate_cose_tst_info, validate_cose_tst_info_async, CoseError},
+    raw_signature::SigningAlg,
+};
 
 /// Parse a byte slice as a COSE Sign1 data structure.
 ///
@@ -50,7 +54,7 @@ pub fn parse_cose_sign1(
     Ok(sign1)
 }
 
-/// TEMPORARILY PUBLIC while refactoring.
+/// TO DO: Documentation for this function.
 pub fn signing_alg_from_sign1(sign1: &coset::CoseSign1) -> Result<SigningAlg, CoseError> {
     let Some(ref alg) = sign1.protected.header.alg else {
         return Err(CoseError::UnsupportedSigningAlgorithm);
@@ -83,7 +87,7 @@ pub fn signing_alg_from_sign1(sign1: &coset::CoseSign1) -> Result<SigningAlg, Co
     }
 }
 
-/// TEMPORARILY PUBLIC while refactoring.
+/// TO DO: Documentation for this function.
 pub fn cert_chain_from_sign1(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
     // Check the protected header first.
     let Some(value) = sign1
@@ -159,3 +163,26 @@ fn cert_chain_from_cbor_value(value: Value) -> Result<Vec<Vec<u8>>, CoseError> {
         _ => Err(CoseError::MissingSigningCertificateChain),
     }
 }
+
+/// Return the time of signing for this signature.
+///
+/// Should not be used for certificate validation.
+#[async_generic]
+pub fn signing_time_from_sign1(
+    sign1: &coset::CoseSign1,
+    data: &[u8],
+) -> Option<chrono::DateTime<chrono::Utc>> {
+    // get timestamp info if available
+
+    let time_stamp_info = if _sync {
+        validate_cose_tst_info(sign1, data)
+    } else {
+        validate_cose_tst_info_async(sign1, data).await
+    };
+
+    if let Ok(tst_info) = time_stamp_info {
+        Some(tst_info.gen_time.into())
+    } else {
+        None
+    }
+}
diff --git a/internal/crypto/src/cose/sigtst.rs b/internal/crypto/src/cose/sigtst.rs
index bf6410049..1faee0ce8 100644
--- a/internal/crypto/src/cose/sigtst.rs
+++ b/internal/crypto/src/cose/sigtst.rs
@@ -11,17 +11,19 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use asn1_rs::nom::AsBytes;
 use async_generic::async_generic;
+use bcder::decode::Constructed;
 use ciborium::value::Value;
 use coset::{sig_structure_data, HeaderBuilder, Label, ProtectedHeader, SignatureContext};
 use serde::{Deserialize, Serialize};
+use serde_bytes::ByteBuf;
 
 use crate::{
-    asn1::rfc3161::TstInfo,
-    cose::CoseError,
-    time_stamp::{
-        verify_time_stamp, verify_time_stamp_async, AsyncTimeStampProvider, TimeStampProvider,
-    },
+    asn1::rfc3161::{TimeStampResp, TstInfo},
+    cose::{CoseError, TimeStampStorage},
+    raw_signature::{AsyncRawSigner, RawSigner},
+    time_stamp::{verify_time_stamp, verify_time_stamp_async, ContentInfo, TimeStampResponse},
 };
 
 /// Given a COSE signature, retrieve the `sigTst` header from it and validate
@@ -29,14 +31,19 @@ use crate::{
 ///
 /// Return a [`TstInfo`] struct if available and valid.
 #[async_generic]
-pub fn validate_cose_tst_info(sign1: &coset::CoseSign1, data: &[u8]) -> Result<TstInfo, CoseError> {
-    let Some(sigtst) = &sign1
+pub(crate) fn validate_cose_tst_info(
+    sign1: &coset::CoseSign1,
+    data: &[u8],
+) -> Result<TstInfo, CoseError> {
+    let Some((sigtst, tss)) = &sign1
         .unprotected
         .rest
         .iter()
         .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("sigTst".to_string()) {
-                Some(x.1.clone())
+            if x.0 == Label::Text("sigTst2".to_string()) {
+                Some((x.1.clone(), TimeStampStorage::V2_sigTst2_CTT))
+            } else if x.0 == Label::Text("sigTst".to_string()) {
+                Some((x.1.clone(), TimeStampStorage::V1_sigTst))
             } else {
                 None
             }
@@ -45,14 +52,27 @@ pub fn validate_cose_tst_info(sign1: &coset::CoseSign1, data: &[u8]) -> Result<T
         return Err(CoseError::NoTimeStampToken);
     };
 
+    // `maybe_sig_data` has to be declared outside the match block below so that the
+    // slice we return can live long enough.
+    let mut maybe_sig_data: Vec<u8> = vec![];
+    let tbs = match tss {
+        TimeStampStorage::V1_sigTst => data,
+        TimeStampStorage::V2_sigTst2_CTT => {
+            let sig_data = ByteBuf::from(sign1.signature.clone());
+            ciborium::into_writer(&sig_data, &mut maybe_sig_data)
+                .map_err(|e| CoseError::CborParsingError(e.to_string()))?;
+            maybe_sig_data.as_slice()
+        }
+    };
+
     let mut time_cbor: Vec<u8> = vec![];
     ciborium::into_writer(sigtst, &mut time_cbor)
         .map_err(|e| CoseError::InternalError(e.to_string()))?;
 
     let tst_infos = if _sync {
-        parse_and_validate_sigtst(&time_cbor, data, &sign1.protected)?
+        parse_and_validate_sigtst(&time_cbor, tbs, &sign1.protected)?
     } else {
-        parse_and_validate_sigtst_async(&time_cbor, data, &sign1.protected).await?
+        parse_and_validate_sigtst_async(&time_cbor, tbs, &sign1.protected).await?
     };
 
     // For now, we only pay attention to the first time stamp header.
@@ -71,7 +91,7 @@ pub fn validate_cose_tst_info(sign1: &coset::CoseSign1, data: &[u8]) -> Result<T
 ///
 /// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
 #[async_generic]
-pub fn parse_and_validate_sigtst(
+pub(crate) fn parse_and_validate_sigtst(
     sigtst_cbor: &[u8],
     data: &[u8],
     p_header: &ProtectedHeader,
@@ -117,7 +137,7 @@ pub fn cose_countersign_data(data: &[u8], p_header: &ProtectedHeader) -> Vec<u8>
 ///
 /// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
-pub struct TstToken {
+pub(crate) struct TstToken {
     #[allow(missing_docs)]
     #[serde(with = "serde_bytes")]
     pub val: Vec<u8>,
@@ -130,28 +150,31 @@ struct TstContainer {
 }
 
 impl TstContainer {
-    pub fn add_token(&mut self, token: TstToken) {
+    pub(crate) fn add_token(&mut self, token: TstToken) {
         self.tst_tokens.push(token);
     }
 }
 
-/// TO DO: Determine if this needs to be public after refactoring.
-///
 /// Given a COSE [`ProtectedHeader`] and an arbitrary block of data, use the
 /// provided [`TimeStampProvider`] or [`AsyncTimeStampProvider`] to request a
 /// timestamp for that block of data.
+///
+/// [`TimeStampProvider`]: crate::time_stamp::TimeStampProvider
+/// [`AsyncTimeStampProvider`]: crate::time_stamp::AsyncTimeStampProvider
 #[async_generic(
     async_signature(
-        ts_provider: &dyn AsyncTimeStampProvider,
+        ts_provider: &dyn AsyncRawSigner,
         data: &[u8],
         p_header: &ProtectedHeader,
         mut header_builder: HeaderBuilder,
+        tss: TimeStampStorage,
     ))]
-pub fn add_sigtst_header(
-    ts_provider: &dyn TimeStampProvider,
+pub(crate) fn add_sigtst_header(
+    ts_provider: &dyn RawSigner,
     data: &[u8],
     p_header: &ProtectedHeader,
     mut header_builder: HeaderBuilder,
+    tss: TimeStampStorage,
 ) -> Result<HeaderBuilder, CoseError> {
     let sd = cose_countersign_data(data, p_header);
 
@@ -162,7 +185,16 @@ pub fn add_sigtst_header(
     };
 
     if let Some(cts) = maybe_cts {
-        let cts = cts?;
+        let mut cts = cts?;
+
+        if tss == TimeStampStorage::V2_sigTst2_CTT {
+            // In `sigTst2`, we use only the `TimeStampToken` and not `TimeStampRsp` for
+            // sigTst2
+            cts = timestamptoken_from_timestamprsp(&cts).ok_or(CoseError::CborGenerationError(
+                "unable to generate time stamp token".to_string(),
+            ))?;
+        }
+
         let cts = make_cose_timestamp(&cts);
 
         let mut sigtst_vec: Vec<u8> = vec![];
@@ -172,7 +204,14 @@ pub fn add_sigtst_header(
         let sigtst_cbor: Value = ciborium::from_reader(sigtst_vec.as_slice())
             .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
 
-        header_builder = header_builder.text_value("sigTst".to_string(), sigtst_cbor);
+        match tss {
+            TimeStampStorage::V1_sigTst => {
+                header_builder = header_builder.text_value("sigTst".to_string(), sigtst_cbor);
+            }
+            TimeStampStorage::V2_sigTst2_CTT => {
+                header_builder = header_builder.text_value("sigTst2".to_string(), sigtst_cbor);
+            }
+        }
     }
 
     Ok(header_builder)
@@ -189,3 +228,28 @@ fn make_cose_timestamp(ts_data: &[u8]) -> TstContainer {
 
     container
 }
+
+// Return timeStampToken used by sigTst2.
+fn timestamptoken_from_timestamprsp(ts: &[u8]) -> Option<Vec<u8>> {
+    let ts_resp = TimeStampResponse(
+        Constructed::decode(ts, bcder::Mode::Der, TimeStampResp::take_from).ok()?,
+    );
+
+    let tst = ts_resp.0.time_stamp_token?;
+
+    let a: Result<Vec<u32>, CoseError> = tst
+        .content_type
+        .iter()
+        .map(|v| {
+            v.to_u32()
+                .ok_or(CoseError::InternalError("invalid component".to_string()))
+        })
+        .collect();
+
+    let ci = ContentInfo {
+        content_type: rasn::types::ObjectIdentifier::new(a.ok()?)?,
+        content: rasn::types::Any::new(tst.content.as_bytes().to_vec()),
+    };
+
+    rasn::der::encode(&ci).ok()
+}
diff --git a/internal/crypto/src/cose/time_stamp_storage.rs b/internal/crypto/src/cose/time_stamp_storage.rs
new file mode 100644
index 000000000..b5a30ff91
--- /dev/null
+++ b/internal/crypto/src/cose/time_stamp_storage.rs
@@ -0,0 +1,51 @@
+// Copyright 2025 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+/// The `TimeStampStorage` parameter defines how [RFC 3161] time stamps are to
+/// be stored in a COSE signature.
+///
+/// This is as defined in [§10.3.2.5.4, Storing the time-stamp], of version 2.1
+/// of the C2PA Technical Specification.
+///
+/// [§10.3.2.5.4, Storing the time-stamp]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_storing_the_time_stamp
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+#[allow(non_camel_case_types)] // We choose to match the exact header names as used in the C2PA specification.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum TimeStampStorage {
+    /// v1 time-stamps _(deprecated)_ are stored in a COSE unprotected header
+    /// whose label is the string `sigTst`. If present, the value of this header
+    /// shall be a `tstContainer` defined by [Example 2, “CDDL for
+    /// `tstContainer`”]. The content of the `TimeStampResp` structure received
+    /// in reply from the TSA shall be stored as the value of the `val property
+    /// of an element of `tstTokens`.
+    ///
+    /// [Example 2, “CDDL for `tstContainer`”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#tstContainer-CDDL
+    V1_sigTst,
+
+    /// v2 time-stamps shall be stored in a COSE unprotected header whose label
+    /// is the string `sigTst2`. When present, the value of this header shall be
+    /// a `tstContainer` defined by [Example 2, “CDDL for `tstContainer`”]. The
+    /// content of value of the `timeStampToken` field of the `TimeStampResp`
+    /// structure received in reply from the TSA shall be stored as the value of
+    /// the `val` property of an element of `tstTokens`.
+    ///
+    /// **NOTE:** A v2 time-stamp is equivalent to the "CTT" model of [COSE
+    /// Header parameter for RFC 3161 Time-Stamp Tokens Draft]. It requires that
+    /// the complete signature structure be completed prior to time-stamping,
+    /// thus enabling the time-stamp to serve as a countersignature on the
+    /// entire signature structure, including the actual certificate.
+    ///
+    /// [Example 2, “CDDL for `tstContainer`”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#tstContainer-CDDL
+    /// [COSE Header parameter for RFC 3161 Time-Stamp Tokens Draft]: https://datatracker.ietf.org/doc/draft-ietf-cose-tsa-tst-header-parameter/
+    V2_sigTst2_CTT,
+}
diff --git a/internal/crypto/src/validation_info.rs b/internal/crypto/src/cose/validation_info.rs
similarity index 89%
rename from internal/crypto/src/validation_info.rs
rename to internal/crypto/src/cose/validation_info.rs
index 41724a29d..d7f5d6421 100644
--- a/internal/crypto/src/validation_info.rs
+++ b/internal/crypto/src/cose/validation_info.rs
@@ -16,7 +16,7 @@
 use chrono::{DateTime, Utc};
 use x509_parser::num_bigint::BigUint;
 
-use crate::SigningAlg;
+use crate::raw_signature::SigningAlg;
 
 /// Describes a signature's validation data and status.
 #[derive(Debug, Default)]
@@ -34,11 +34,15 @@ pub struct ValidationInfo {
     pub issuer_org: Option<String>,
 
     /// Signature validity
+    ///
+    /// TO REVIEW: What does this `bool` mean?
     pub validated: bool,
 
     /// Certificate chain used to validate the signature
     pub cert_chain: Vec<u8>,
 
     /// Signature revocation status
+    ///
+    /// TO REVIEW: What does this `bool` mean?
     pub revocation_status: Option<bool>,
 }
diff --git a/internal/crypto/src/cose/verifier.rs b/internal/crypto/src/cose/verifier.rs
index 24eda68cc..1171d82ec 100644
--- a/internal/crypto/src/cose/verifier.rs
+++ b/internal/crypto/src/cose/verifier.rs
@@ -31,12 +31,11 @@ use crate::{
     cose::{
         cert_chain_from_sign1, check_certificate_profile, parse_cose_sign1, signing_alg_from_sign1,
         validate_cose_tst_info, validate_cose_tst_info_async, CertificateTrustError,
-        CertificateTrustPolicy, CoseError,
+        CertificateTrustPolicy, CoseError, ValidationInfo,
     },
     p1363::parse_ec_der_sig,
-    raw_signature::{async_validator_for_signing_alg, validator_for_signing_alg},
+    raw_signature::{async_validator_for_signing_alg, validator_for_signing_alg, SigningAlg},
     time_stamp::TimeStampError,
-    SigningAlg, ValidationInfo,
 };
 
 /// A `Verifier` reads a COSE signature and reports on its validity.
@@ -44,6 +43,7 @@ use crate::{
 /// It can provide different levels of verification depending on the enum value
 /// chosen.
 #[derive(Debug)]
+#[non_exhaustive]
 pub enum Verifier<'a> {
     /// Use a [`CertificateTrustPolicy`] to validate the signing certificate's
     /// profile against C2PA requirements _and_ validate the certificate's
@@ -89,16 +89,6 @@ impl Verifier<'_> {
             validate_cose_tst_info_async(&sign1, data).await
         };
 
-        if _sync {
-            self.verify_profile(&sign1, &tst_info_res, validation_log)?;
-            self.verify_trust(&sign1, &tst_info_res, validation_log)?;
-        } else {
-            self.verify_profile_async(&sign1, &tst_info_res, validation_log)
-                .await?;
-            self.verify_trust_async(&sign1, &tst_info_res, validation_log)
-                .await?;
-        }
-
         match alg {
             SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
                 if parse_ec_der_sig(&sign1.signature).is_ok() {
@@ -114,6 +104,16 @@ impl Verifier<'_> {
             _ => (),
         }
 
+        if _sync {
+            self.verify_profile(&sign1, &tst_info_res, validation_log)?;
+            self.verify_trust(&sign1, &tst_info_res, validation_log)?;
+        } else {
+            self.verify_profile_async(&sign1, &tst_info_res, validation_log)
+                .await?;
+            self.verify_trust_async(&sign1, &tst_info_res, validation_log)
+                .await?;
+        }
+
         // Reconstruct payload and additional data as it should have been at time of
         // signing.
         sign1.payload = Some(data.to_vec());
@@ -164,10 +164,8 @@ impl Verifier<'_> {
     }
 
     /// Verify certificate profile if so configured.
-    ///
-    /// TO DO: This might not need to be public after refactoring.
     #[async_generic]
-    pub fn verify_profile(
+    pub(crate) fn verify_profile(
         &self,
         sign1: &CoseSign1,
         tst_info_res: &Result<TstInfo, CoseError>,
@@ -236,10 +234,8 @@ impl Verifier<'_> {
     }
 
     /// Verify certificate profile if so configured.
-    ///
-    /// TO DO: This might not need to be public after refactoring.
     #[async_generic]
-    pub fn verify_trust(
+    pub(crate) fn verify_trust(
         &self,
         sign1: &CoseSign1,
         tst_info_res: &Result<TstInfo, CoseError>,
diff --git a/internal/crypto/src/hash.rs b/internal/crypto/src/hash.rs
index 418b31c63..5e45d6ada 100644
--- a/internal/crypto/src/hash.rs
+++ b/internal/crypto/src/hash.rs
@@ -14,7 +14,8 @@
 //! Hash convenience functions.
 
 /// Given a byte slice, return the SHA-1 hash of that content.
-pub fn sha1(data: &[u8]) -> Vec<u8> {
+#[allow(dead_code)] // not used on all platforms
+pub(crate) fn sha1(data: &[u8]) -> Vec<u8> {
     use sha1::{Digest, Sha1};
 
     let mut hasher = Sha1::default();
diff --git a/internal/crypto/src/internal/time.rs b/internal/crypto/src/internal/time.rs
index 408450bc5..c057c0f5c 100644
--- a/internal/crypto/src/internal/time.rs
+++ b/internal/crypto/src/internal/time.rs
@@ -11,8 +11,6 @@
 // specific language governing permissions and limitations under
 // each license.
 
-#![allow(dead_code)] // TEMPORARY while building
-
 use chrono::{DateTime, Utc};
 
 /// Return the current time in UTC.
diff --git a/internal/crypto/src/lib.rs b/internal/crypto/src/lib.rs
index 9ef132b9c..9794c7504 100644
--- a/internal/crypto/src/lib.rs
+++ b/internal/crypto/src/lib.rs
@@ -19,7 +19,7 @@
 #![doc = include_str!("../README.md")]
 #![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg, doc_cfg_hide))]
 
-pub mod asn1;
+pub(crate) mod asn1;
 pub mod base64;
 pub mod cose;
 pub mod hash;
@@ -32,19 +32,12 @@ compile_error!("OpenSSL feature is not compatible with WASM platform");
 #[cfg(feature = "openssl")]
 pub mod openssl;
 
-pub mod p1363;
-// ^^ TO REVIEW: Can this be made pub(crate) once refactoring is done?
+pub(crate) mod p1363;
 
 pub mod raw_signature;
 
-mod signing_alg;
-pub use signing_alg::{SigningAlg, UnknownAlgorithmError};
-
 pub mod time_stamp;
 
-mod validation_info;
-pub use validation_info::ValidationInfo;
-
 #[cfg(all(target_arch = "wasm32", not(target_os = "wasi")))]
 pub mod webcrypto;
 
diff --git a/internal/crypto/src/ocsp/fetch.rs b/internal/crypto/src/ocsp/fetch.rs
index 440851b16..0eefa37e0 100644
--- a/internal/crypto/src/ocsp/fetch.rs
+++ b/internal/crypto/src/ocsp/fetch.rs
@@ -29,7 +29,7 @@ use crate::base64;
 /// will attempt to retrieve the raw DER-encoded OCSP response.
 ///
 /// Not available on WASM builds.
-pub fn fetch_ocsp_response(certs: &[Vec<u8>]) -> Option<Vec<u8>> {
+pub(crate) fn fetch_ocsp_response(certs: &[Vec<u8>]) -> Option<Vec<u8>> {
     // There must be at least one cert that isn't an end-entity cert.
     if certs.len() < 2 {
         return None;
diff --git a/internal/crypto/src/ocsp/mod.rs b/internal/crypto/src/ocsp/mod.rs
index 371a7ce57..d621f6f22 100644
--- a/internal/crypto/src/ocsp/mod.rs
+++ b/internal/crypto/src/ocsp/mod.rs
@@ -50,7 +50,7 @@ impl Default for OcspResponse {
 
 impl OcspResponse {
     /// Convert an OCSP response in DER format to `OcspResponse`.
-    pub fn from_der_checked(
+    pub(crate) fn from_der_checked(
         der: &[u8],
         signing_time: Option<DateTime<Utc>>,
         validation_log: &mut impl StatusTracker,
@@ -265,7 +265,8 @@ impl OcspResponse {
 
 /// Describes errors that can be identified when parsing an OCSP response.
 #[derive(Debug, Eq, Error, PartialEq)]
-pub enum OcspError {
+#[allow(unused)] // InvalidSystemTime may not exist on all platforms.
+pub(crate) enum OcspError {
     /// An invalid certificate was detected.
     #[error("Invalid certificate detected")]
     InvalidCertificate,
@@ -289,4 +290,4 @@ const DATE_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";
 mod fetch;
 
 #[cfg(not(target_arch = "wasm32"))]
-pub use fetch::fetch_ocsp_response;
+pub(crate) use fetch::fetch_ocsp_response;
diff --git a/internal/crypto/src/openssl/cert_chain.rs b/internal/crypto/src/openssl/cert_chain.rs
index f8442bfb3..5d531fcfb 100644
--- a/internal/crypto/src/openssl/cert_chain.rs
+++ b/internal/crypto/src/openssl/cert_chain.rs
@@ -11,8 +11,6 @@
 // specific language governing permissions and limitations under
 // each license.
 
-#![allow(dead_code)] // TEMPORARY while refactoring
-
 use openssl::x509::X509;
 
 // Verify the certificate chain order.
diff --git a/internal/crypto/src/openssl/check_certificate_trust.rs b/internal/crypto/src/openssl/check_certificate_trust.rs
index 127750f12..adc526301 100644
--- a/internal/crypto/src/openssl/check_certificate_trust.rs
+++ b/internal/crypto/src/openssl/check_certificate_trust.rs
@@ -38,7 +38,10 @@ pub(crate) fn check_certificate_trust(
     let cert = X509::from_der(cert_der)?;
 
     let mut builder = openssl::x509::store::X509StoreBuilder::new()?;
+    builder.set_flags(X509VerifyFlags::X509_STRICT)?;
+
     let mut verify_param = openssl::x509::verify::X509VerifyParam::new()?;
+    verify_param.set_flags(X509VerifyFlags::X509_STRICT)?;
 
     if let Some(st) = signing_time_epoch {
         verify_param.set_time(st);
diff --git a/internal/crypto/src/openssl/signers/ecdsa_signer.rs b/internal/crypto/src/openssl/signers/ecdsa_signer.rs
index aa35635e4..c52417e2f 100644
--- a/internal/crypto/src/openssl/signers/ecdsa_signer.rs
+++ b/internal/crypto/src/openssl/signers/ecdsa_signer.rs
@@ -22,9 +22,8 @@ use openssl::{
 use crate::{
     openssl::{cert_chain::check_chain_order, OpenSslMutex},
     p1363::der_to_p1363,
-    raw_signature::{RawSigner, RawSignerError},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
     time_stamp::TimeStampProvider,
-    SigningAlg,
 };
 
 enum EcdsaSigningAlg {
diff --git a/internal/crypto/src/openssl/signers/ed25519_signer.rs b/internal/crypto/src/openssl/signers/ed25519_signer.rs
index 63e6f574f..9d2b1d94b 100644
--- a/internal/crypto/src/openssl/signers/ed25519_signer.rs
+++ b/internal/crypto/src/openssl/signers/ed25519_signer.rs
@@ -19,9 +19,8 @@ use openssl::{
 
 use crate::{
     openssl::{cert_chain::check_chain_order, OpenSslMutex},
-    raw_signature::{RawSigner, RawSignerError},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
     time_stamp::TimeStampProvider,
-    SigningAlg,
 };
 
 /// Implements `RawSigner` trait using OpenSSL's implementation of
diff --git a/internal/crypto/src/openssl/signers/mod.rs b/internal/crypto/src/openssl/signers/mod.rs
index 639d0a1c5..0977a803c 100644
--- a/internal/crypto/src/openssl/signers/mod.rs
+++ b/internal/crypto/src/openssl/signers/mod.rs
@@ -14,10 +14,7 @@
 //! This module binds OpenSSL logic for generating raw signatures to this
 //! crate's [`RawSigner`] trait.
 
-use crate::{
-    raw_signature::{RawSigner, RawSignerError},
-    SigningAlg,
-};
+use crate::raw_signature::{RawSigner, RawSignerError, SigningAlg};
 
 mod ecdsa_signer;
 mod ed25519_signer;
diff --git a/internal/crypto/src/openssl/signers/rsa_signer.rs b/internal/crypto/src/openssl/signers/rsa_signer.rs
index 98e58cd26..d9fea36f7 100644
--- a/internal/crypto/src/openssl/signers/rsa_signer.rs
+++ b/internal/crypto/src/openssl/signers/rsa_signer.rs
@@ -21,9 +21,8 @@ use openssl::{
 
 use crate::{
     openssl::{cert_chain::check_chain_order, OpenSslMutex},
-    raw_signature::{RawSigner, RawSignerError},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
     time_stamp::TimeStampProvider,
-    SigningAlg,
 };
 
 enum RsaSigningAlg {
diff --git a/internal/crypto/src/openssl/validators/mod.rs b/internal/crypto/src/openssl/validators/mod.rs
index f22e4fd5f..815a9ec2a 100644
--- a/internal/crypto/src/openssl/validators/mod.rs
+++ b/internal/crypto/src/openssl/validators/mod.rs
@@ -16,10 +16,7 @@
 
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, RawSignatureValidator},
-    SigningAlg,
-};
+use crate::raw_signature::{oids::*, RawSignatureValidator, SigningAlg};
 
 mod ecdsa_validator;
 pub use ecdsa_validator::EcdsaValidator;
diff --git a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
index 77f292fec..b8544107d 100644
--- a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
+++ b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
@@ -23,10 +23,7 @@ use crate::{
 /// An `RsaLegacyValidator` can validate raw signatures with an RSA signature
 /// algorithm that is not supported directly by C2PA. (Some RFC 3161 time stamp
 /// providers issue these signatures, which is why it's supported here.)
-///
-/// TEMPORARILY public; will move to `pub(crate)` visibility later in the
-/// refactoring.
-pub enum RsaLegacyValidator {
+pub(crate) enum RsaLegacyValidator {
     Sha1,
     Rsa256,
     Rsa384,
diff --git a/internal/crypto/src/p1363.rs b/internal/crypto/src/p1363.rs
index ef70cb4eb..0baf5a848 100644
--- a/internal/crypto/src/p1363.rs
+++ b/internal/crypto/src/p1363.rs
@@ -19,6 +19,8 @@ use x509_parser::der_parser::{
     error::BerResult,
 };
 
+use crate::raw_signature::{RawSignerError, SigningAlg};
+
 /// Parse an ASN.1 DER object that contains a P1363 format into its components.
 ///
 /// This format is used by C2PA to describe ECDSA signature keys.
@@ -44,8 +46,6 @@ pub struct EcSigComps<'a> {
     pub s: &'a [u8],
 }
 
-use crate::{raw_signature::RawSignerError, SigningAlg};
-
 pub(crate) fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>, RawSignerError> {
     // P1363 format: r | s
 
diff --git a/internal/crypto/src/raw_signature/mod.rs b/internal/crypto/src/raw_signature/mod.rs
index 68d2d9c3c..949a524c5 100644
--- a/internal/crypto/src/raw_signature/mod.rs
+++ b/internal/crypto/src/raw_signature/mod.rs
@@ -13,16 +13,20 @@
 
 //! Tools for working with raw signature algorithms.
 
+pub(crate) mod oids;
+
 pub(crate) mod signer;
 pub use signer::{
     async_signer_from_cert_chain_and_private_key, signer_from_cert_chain_and_private_key,
     AsyncRawSigner, RawSigner, RawSignerError,
 };
 
-pub(crate) mod oids;
+mod signing_alg;
+pub use signing_alg::{SigningAlg, UnknownAlgorithmError};
 
 mod validator;
+pub(crate) use validator::validator_for_sig_and_hash_algs;
 pub use validator::{
-    async_validator_for_signing_alg, validator_for_sig_and_hash_algs, validator_for_signing_alg,
-    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
+    async_validator_for_signing_alg, validator_for_signing_alg, AsyncRawSignatureValidator,
+    RawSignatureValidationError, RawSignatureValidator,
 };
diff --git a/internal/crypto/src/raw_signature/signer.rs b/internal/crypto/src/raw_signature/signer.rs
index 24dab81b0..32b88b1b6 100644
--- a/internal/crypto/src/raw_signature/signer.rs
+++ b/internal/crypto/src/raw_signature/signer.rs
@@ -15,8 +15,8 @@ use async_trait::async_trait;
 use thiserror::Error;
 
 use crate::{
+    raw_signature::SigningAlg,
     time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
-    SigningAlg,
 };
 
 /// Implementations of the `RawSigner` trait generate a cryptographic signature
@@ -155,10 +155,11 @@ impl From<crate::webcrypto::WasmCryptoError> for RawSignerError {
 /// certificate and private key.
 ///
 /// Which signers are available may vary depending on the platform and which
-/// crate features were enabled.
+/// crate features were enabled. If the desired signing algorithm is
+/// unavailable, will respond with `Err(RawSignerError::InternalError)`.
 ///
-/// Returns `None` if the signing algorithm is unsupported. May return an `Err`
-/// response if the certificate chain or private key are invalid.
+/// May return an `Err` response if the certificate chain or private key are
+/// invalid.
 #[allow(unused)] // arguments may or may not be used depending on crate features
 pub fn signer_from_cert_chain_and_private_key(
     cert_chain: &[u8],
@@ -195,10 +196,11 @@ pub fn signer_from_cert_chain_and_private_key(
 /// certificate and private key.
 ///
 /// Which signers are available may vary depending on the platform and which
-/// crate features were enabled.
+/// crate features were enabled. If the desired signing algorithm is
+/// unavailable, will respond with `Err(RawSignerError::InternalError)`.
 ///
-/// Returns `None` if the signing algorithm is unsupported. May return an `Err`
-/// response if the certificate chain or private key are invalid.
+/// May return an `Err` response if the certificate chain or private key are
+/// invalid.
 #[allow(unused)] // arguments may or may not be used depending on crate features
 pub fn async_signer_from_cert_chain_and_private_key(
     cert_chain: &[u8],
diff --git a/internal/crypto/src/signing_alg.rs b/internal/crypto/src/raw_signature/signing_alg.rs
similarity index 99%
rename from internal/crypto/src/signing_alg.rs
rename to internal/crypto/src/raw_signature/signing_alg.rs
index 9b2d3c292..256870747 100644
--- a/internal/crypto/src/signing_alg.rs
+++ b/internal/crypto/src/raw_signature/signing_alg.rs
@@ -28,6 +28,7 @@ use serde::{Deserialize, Serialize};
 /// [§13.2, “Digital Signatures”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_digital_signatures
 #[derive(Copy, Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
 #[cfg_attr(feature = "json_schema", derive(JsonSchema))]
+#[non_exhaustive]
 pub enum SigningAlg {
     /// ECDSA with SHA-256
     Es256,
diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
index 26ed86726..7cc9bd61b 100644
--- a/internal/crypto/src/raw_signature/validator.rs
+++ b/internal/crypto/src/raw_signature/validator.rs
@@ -15,8 +15,7 @@ use async_trait::async_trait;
 use bcder::Oid;
 use thiserror::Error;
 
-use super::oids::*;
-use crate::SigningAlg;
+use crate::raw_signature::{oids::*, SigningAlg};
 
 /// A `RawSignatureValidator` implementation checks a signature encoded using a
 /// specific signature algorithm and a private/public key pair.
@@ -25,8 +24,8 @@ use crate::SigningAlg;
 /// another signature mechanism. In the C2PA ecosystem, this wrapper is
 /// typically COSE, but `RawSignatureValidator` does not implement COSE.
 pub trait RawSignatureValidator {
-    /// Return `true` if the signature `sig` is valid for the raw content `data`
-    /// and the public key `public_key`.
+    /// Return `Ok(())` if the signature `sig` is valid for the raw content
+    /// `data` and the public key `public_key`.
     fn validate(
         &self,
         sig: &[u8],
@@ -44,14 +43,14 @@ pub trait RawSignatureValidator {
 ///
 /// The WASM implementation of `c2pa-crypto` also implements
 /// [`RawSignatureValidator`] (the synchronous version), but some encryption
-/// algorithms are not fully supported. When possible, it's preferable to use
-/// this implementation.
+/// algorithms are not supported. For that reason, it's preferable to use this
+/// implementation on WASM.
 ///
 /// [`RawSignatureValidator`]: crate::raw_signature::RawSignatureValidator
 #[async_trait(?Send)]
 pub trait AsyncRawSignatureValidator {
-    /// Return `true` if the signature `sig` is valid for the raw content `data`
-    /// and the public key `public_key`.
+    /// Return `Ok(())` if the signature `sig` is valid for the raw content
+    /// `data` and the public key `public_key`.
     async fn validate_async(
         &self,
         sig: &[u8],
@@ -103,10 +102,7 @@ pub fn async_validator_for_signing_alg(
 ///
 /// Which validators are available may vary depending on the platform and
 /// which crate features were enabled.
-///
-/// TEMPORARILY PUBLIC: This will become `pub(crate)` once time stamp code moves
-/// into c2pa-crypto
-pub fn validator_for_sig_and_hash_algs(
+pub(crate) fn validator_for_sig_and_hash_algs(
     sig_alg: &Oid,
     hash_alg: &Oid,
 ) -> Option<Box<dyn RawSignatureValidator>> {
diff --git a/internal/crypto/src/tests/cose/certificate_trust_policy.rs b/internal/crypto/src/tests/cose/certificate_trust_policy.rs
index 243225b8f..d2ec2b860 100644
--- a/internal/crypto/src/tests/cose/certificate_trust_policy.rs
+++ b/internal/crypto/src/tests/cose/certificate_trust_policy.rs
@@ -18,8 +18,7 @@ use x509_parser::{extensions::ExtendedKeyUsage, pem::Pem};
 
 use crate::{
     cose::{CertificateTrustError, CertificateTrustPolicy, InvalidCertificateError},
-    raw_signature::signer::test_signer,
-    SigningAlg,
+    raw_signature::{signer::test_signer, SigningAlg},
 };
 
 #[test]
diff --git a/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs b/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs
index 858418deb..6948c71ac 100644
--- a/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs
+++ b/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs
@@ -15,8 +15,9 @@ use openssl::x509::X509;
 
 use crate::{
     openssl::{signers::signer_from_cert_chain_and_private_key, validators::EcdsaValidator},
-    raw_signature::{async_signer_from_cert_chain_and_private_key, RawSignatureValidator},
-    SigningAlg,
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
 };
 
 #[test]
diff --git a/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs b/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs
index d7a2de19f..c158434c9 100644
--- a/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs
+++ b/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs
@@ -15,8 +15,9 @@ use openssl::x509::X509;
 
 use crate::{
     openssl::{signers::signer_from_cert_chain_and_private_key, validators::Ed25519Validator},
-    raw_signature::{async_signer_from_cert_chain_and_private_key, RawSignatureValidator},
-    SigningAlg,
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
 };
 
 #[test]
diff --git a/internal/crypto/src/tests/openssl/signers/rsa_signer.rs b/internal/crypto/src/tests/openssl/signers/rsa_signer.rs
index 74ae59f35..5914f8f43 100644
--- a/internal/crypto/src/tests/openssl/signers/rsa_signer.rs
+++ b/internal/crypto/src/tests/openssl/signers/rsa_signer.rs
@@ -15,8 +15,9 @@ use openssl::x509::X509;
 
 use crate::{
     openssl::{signers::signer_from_cert_chain_and_private_key, validators::RsaValidator},
-    raw_signature::{async_signer_from_cert_chain_and_private_key, RawSignatureValidator},
-    SigningAlg,
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
 };
 
 #[test]
diff --git a/internal/crypto/src/tests/raw_signature/validator.rs b/internal/crypto/src/tests/raw_signature/validator.rs
index 3fdc27879..75201eca9 100644
--- a/internal/crypto/src/tests/raw_signature/validator.rs
+++ b/internal/crypto/src/tests/raw_signature/validator.rs
@@ -16,10 +16,8 @@ use rasn::types::OctetString;
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
 
-use crate::{
-    raw_signature::{
-        validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
-    },
+use crate::raw_signature::{
+    validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
     SigningAlg,
 };
 
diff --git a/internal/crypto/src/tests/signing_alg.rs b/internal/crypto/src/tests/signing_alg.rs
index 2835294a3..92adafc54 100644
--- a/internal/crypto/src/tests/signing_alg.rs
+++ b/internal/crypto/src/tests/signing_alg.rs
@@ -14,7 +14,7 @@
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
 
-use crate::signing_alg::{SigningAlg, UnknownAlgorithmError};
+use crate::raw_signature::{SigningAlg, UnknownAlgorithmError};
 
 #[test]
 #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
diff --git a/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs b/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs
index 9770f6673..6d11753c9 100644
--- a/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs
+++ b/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs
@@ -14,9 +14,8 @@
 use wasm_bindgen_test::wasm_bindgen_test;
 
 use crate::{
-    raw_signature::{signer_from_cert_chain_and_private_key, RawSignatureValidator},
+    raw_signature::{signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg},
     webcrypto::validators::Ed25519Validator,
-    SigningAlg,
 };
 
 #[wasm_bindgen_test]
diff --git a/internal/crypto/src/tests/webcrypto/validators/async_validators.rs b/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
index ec5ff9e92..aa32958a3 100644
--- a/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
+++ b/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
@@ -16,11 +16,10 @@ use rasn::types::OctetString;
 use wasm_bindgen_test::wasm_bindgen_test;
 
 use crate::{
-    raw_signature::RawSignatureValidationError,
+    raw_signature::{RawSignatureValidationError, SigningAlg},
     webcrypto::{
         async_validator_for_sig_and_hash_algs, async_validators::async_validator_for_signing_alg,
     },
-    SigningAlg,
 };
 
 const SAMPLE_DATA: &[u8] = b"some sample content to sign";
diff --git a/internal/crypto/src/time_stamp/mod.rs b/internal/crypto/src/time_stamp/mod.rs
index 6e9495610..4d2922d0c 100644
--- a/internal/crypto/src/time_stamp/mod.rs
+++ b/internal/crypto/src/time_stamp/mod.rs
@@ -27,7 +27,7 @@ mod provider;
 pub use provider::{default_rfc3161_message, AsyncTimeStampProvider, TimeStampProvider};
 
 mod response;
+pub(crate) use response::{ContentInfo, TimeStampResponse};
 
 mod verify;
-/// TEMPORARILY PUBLIC while refactoring
-pub use verify::{verify_time_stamp, verify_time_stamp_async};
+pub(crate) use verify::{verify_time_stamp, verify_time_stamp_async};
diff --git a/internal/crypto/src/time_stamp/response.rs b/internal/crypto/src/time_stamp/response.rs
index ee0fb9ec5..c9f961547 100644
--- a/internal/crypto/src/time_stamp/response.rs
+++ b/internal/crypto/src/time_stamp/response.rs
@@ -14,8 +14,6 @@
 use bcder::decode::Constructed;
 use rasn::{AsnType, Decode, Decoder, Encode, Encoder};
 
-#[cfg(not(target_arch = "wasm32"))]
-use crate::asn1::rfc3161::PkiStatus;
 use crate::{
     asn1::{
         rfc3161::{TimeStampResp, TimeStampToken, TstInfo, OID_CONTENT_TYPE_TST_INFO},
@@ -24,10 +22,8 @@ use crate::{
     time_stamp::TimeStampError,
 };
 
-#[cfg(not(target_arch = "wasm32"))]
 pub(crate) struct TimeStampResponse(pub TimeStampResp);
 
-#[cfg(not(target_arch = "wasm32"))]
 impl std::ops::Deref for TimeStampResponse {
     type Target = TimeStampResp;
 
@@ -36,16 +32,19 @@ impl std::ops::Deref for TimeStampResponse {
     }
 }
 
-#[cfg(not(target_arch = "wasm32"))]
 impl TimeStampResponse {
     /// Return `true` if the request was successful.
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn is_success(&self) -> bool {
+        use crate::asn1::rfc3161::PkiStatus;
+
         matches!(
             self.0.status.status,
             PkiStatus::Granted | PkiStatus::GrantedWithMods
         )
     }
 
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn signed_data(&self) -> Result<Option<SignedData>, TimeStampError> {
         if let Some(token) = &self.0.time_stamp_token {
             if token.content_type == OID_ID_SIGNED_DATA {
@@ -66,6 +65,7 @@ impl TimeStampResponse {
         }
     }
 
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn tst_info(&self) -> Result<Option<TstInfo>, TimeStampError> {
         if let Some(signed_data) = self.signed_data()? {
             if signed_data.content_info.content_type == OID_CONTENT_TYPE_TST_INFO {
@@ -89,14 +89,13 @@ impl TimeStampResponse {
 }
 
 #[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
-struct ContentInfo {
-    content_type: rasn::types::ObjectIdentifier,
+pub(crate) struct ContentInfo {
+    pub(crate) content_type: rasn::types::ObjectIdentifier,
 
     #[rasn(tag(explicit(0)))]
-    content: rasn::types::Any,
+    pub(crate) content: rasn::types::Any,
 }
 
-/// TO REVIEW: Does this need to be public after refactoring?
 pub(crate) fn signed_data_from_time_stamp_response(
     ts_resp: &[u8],
 ) -> Result<Option<SignedData>, TimeStampError> {
@@ -135,8 +134,7 @@ pub(crate) fn signed_data_from_time_stamp_response(
     ))
 }
 
-/// TO REVIEW: Does this need to be public after refactoring?
-pub fn tst_info_from_signed_data(
+pub(crate) fn tst_info_from_signed_data(
     signed_data: &SignedData,
 ) -> Result<Option<TstInfo>, TimeStampError> {
     if signed_data.content_info.content_type != OID_CONTENT_TYPE_TST_INFO {
diff --git a/internal/crypto/src/time_stamp/verify.rs b/internal/crypto/src/time_stamp/verify.rs
index a8989c7c3..71455e585 100644
--- a/internal/crypto/src/time_stamp/verify.rs
+++ b/internal/crypto/src/time_stamp/verify.rs
@@ -11,9 +11,6 @@
 // specific language governing permissions and limitations under
 // each license.
 
-#![allow(unreachable_code)] // TEMPORARY: can't build on non-OpenSSL/non-WASM config without this
-#![allow(unused_variables)] // TEMPORARY: can't build on non-OpenSSL/non-WASM config without this
-
 use std::ops::Deref;
 
 use async_generic::async_generic;
@@ -38,10 +35,8 @@ use crate::{
 };
 
 /// Decode the TimeStampToken info and verify it against the supplied data.
-///
-/// TEMPORARILY PUBLIC while refactoring
 #[async_generic]
-pub fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeStampError> {
+pub(crate) fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeStampError> {
     // Did the time stamp expire between issuance and verification?
     let Some(sd) = signed_data_from_time_stamp_response(ts)? else {
         return Err(TimeStampError::DecodeError(
diff --git a/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs b/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
index eecba1db8..26548e65a 100644
--- a/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
+++ b/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
@@ -71,9 +71,7 @@ impl AsyncRawSignatureValidator for EcdsaValidator {
 
         let crypto_key: CryptoKey = JsFuture::from(promise)
             .await
-            .map_err(|_err| {
-                RawSignatureValidationError::InternalError("unable to create CryptoKey promise")
-            })?
+            .map_err(|_err| RawSignatureValidationError::InternalError("invalid ECDSA key"))?
             .into();
 
         let algorithm = EcdsaParams(hash).as_js_object().map_err(|_err| {
diff --git a/internal/crypto/src/webcrypto/async_validators/mod.rs b/internal/crypto/src/webcrypto/async_validators/mod.rs
index 446cd6f78..00dacc21b 100644
--- a/internal/crypto/src/webcrypto/async_validators/mod.rs
+++ b/internal/crypto/src/webcrypto/async_validators/mod.rs
@@ -13,10 +13,7 @@
 
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, AsyncRawSignatureValidator},
-    SigningAlg,
-};
+use crate::raw_signature::{oids::*, AsyncRawSignatureValidator, SigningAlg};
 
 /// Return an async validator for the given signing algorithm.
 pub fn async_validator_for_signing_alg(
@@ -35,10 +32,7 @@ pub fn async_validator_for_signing_alg(
 
 /// Return a built-in async signature validator for the requested signature
 /// algorithm as identified by OID.
-///
-/// TEMPORARILY PUBLIC: This will become `pub(crate)` once time stamp code moves
-/// into c2pa-crypto.
-pub fn async_validator_for_sig_and_hash_algs(
+pub(crate) fn async_validator_for_sig_and_hash_algs(
     sig_alg: &Oid,
     hash_alg: &Oid,
 ) -> Option<Box<dyn AsyncRawSignatureValidator>> {
diff --git a/internal/crypto/src/webcrypto/check_certificate_trust.rs b/internal/crypto/src/webcrypto/check_certificate_trust.rs
index c29b52581..f4f2dac6e 100644
--- a/internal/crypto/src/webcrypto/check_certificate_trust.rs
+++ b/internal/crypto/src/webcrypto/check_certificate_trust.rs
@@ -20,9 +20,8 @@ use x509_parser::{
 use crate::{
     cose::{CertificateTrustError, CertificateTrustPolicy},
     p1363::der_to_p1363,
-    raw_signature::RawSignatureValidationError,
+    raw_signature::{RawSignatureValidationError, SigningAlg},
     webcrypto::async_validator_for_signing_alg,
-    SigningAlg,
 };
 
 pub(crate) async fn check_certificate_trust(
diff --git a/internal/crypto/src/webcrypto/mod.rs b/internal/crypto/src/webcrypto/mod.rs
index 55408d717..ec62a2f1a 100644
--- a/internal/crypto/src/webcrypto/mod.rs
+++ b/internal/crypto/src/webcrypto/mod.rs
@@ -20,7 +20,7 @@
 //! [`SubtleCrypto`]: https://rustwasm.github.io/wasm-bindgen/api/web_sys/struct.SubtleCrypto.html
 
 pub(crate) mod async_validators;
-pub use async_validators::{
+pub(crate) use async_validators::{
     async_validator_for_sig_and_hash_algs, async_validator_for_signing_alg,
 };
 
diff --git a/internal/crypto/src/webcrypto/signers/ed25519_signer.rs b/internal/crypto/src/webcrypto/signers/ed25519_signer.rs
index a7d3871a4..6805a66b2 100644
--- a/internal/crypto/src/webcrypto/signers/ed25519_signer.rs
+++ b/internal/crypto/src/webcrypto/signers/ed25519_signer.rs
@@ -15,9 +15,8 @@ use ed25519_dalek::{pkcs8::DecodePrivateKey, SigningKey};
 use x509_parser::{error::PEMError, pem::Pem};
 
 use crate::{
-    raw_signature::{RawSigner, RawSignerError},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
     time_stamp::TimeStampProvider,
-    SigningAlg,
 };
 
 /// Implements `RawSigner` trait using `ed25519_dalek` crate's implementation of
diff --git a/internal/crypto/src/webcrypto/signers/mod.rs b/internal/crypto/src/webcrypto/signers/mod.rs
index 134f3d664..29d195f65 100644
--- a/internal/crypto/src/webcrypto/signers/mod.rs
+++ b/internal/crypto/src/webcrypto/signers/mod.rs
@@ -11,10 +11,7 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use crate::{
-    raw_signature::{RawSigner, RawSignerError},
-    SigningAlg,
-};
+use crate::raw_signature::{RawSigner, RawSignerError, SigningAlg};
 
 mod ed25519_signer;
 
diff --git a/internal/crypto/src/webcrypto/validators/mod.rs b/internal/crypto/src/webcrypto/validators/mod.rs
index 5e2d5dff4..679e83c0c 100644
--- a/internal/crypto/src/webcrypto/validators/mod.rs
+++ b/internal/crypto/src/webcrypto/validators/mod.rs
@@ -16,10 +16,7 @@
 
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, RawSignatureValidator},
-    SigningAlg,
-};
+use crate::raw_signature::{oids::*, RawSignatureValidator, SigningAlg};
 
 mod ecdsa_validator;
 pub use ecdsa_validator::EcdsaValidator;
diff --git a/sdk/examples/client/client.rs b/sdk/examples/client/client.rs
index 5ce2fc501..2d4aa3f84 100644
--- a/sdk/examples/client/client.rs
+++ b/sdk/examples/client/client.rs
@@ -20,7 +20,7 @@ use c2pa::{
     assertions::{c2pa_action, labels, Action, Actions, CreativeWork, Exif, SchemaDotOrgPerson},
     create_signer, Builder, ClaimGeneratorInfo, Ingredient, Reader, Relationship,
 };
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 
 const GENERATOR: &str = "test_app/0.1";
 const INDENT_SPACE: usize = 2;
diff --git a/sdk/examples/data_hash.rs b/sdk/examples/data_hash.rs
index 0ab36a331..fe20b67f0 100644
--- a/sdk/examples/data_hash.rs
+++ b/sdk/examples/data_hash.rs
@@ -31,7 +31,7 @@ use c2pa::{
     Result,
 };
 #[cfg(not(target_arch = "wasm32"))]
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 
 fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
     println!("DataHash demo");
diff --git a/sdk/examples/v2api.rs b/sdk/examples/v2api.rs
index 9bd6a3e1b..d1811ceca 100644
--- a/sdk/examples/v2api.rs
+++ b/sdk/examples/v2api.rs
@@ -16,7 +16,7 @@ use std::io::{Cursor, Seek};
 
 use anyhow::Result;
 use c2pa::{settings::load_settings_from_str, Builder, CallbackSigner, Reader};
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 use serde_json::json;
 
 const TEST_IMAGE: &[u8] = include_bytes!("../tests/fixtures/CA.jpg");
diff --git a/sdk/src/asset_handlers/c2pa_io.rs b/sdk/src/asset_handlers/c2pa_io.rs
index 4dca3475e..0db895ac7 100644
--- a/sdk/src/asset_handlers/c2pa_io.rs
+++ b/sdk/src/asset_handlers/c2pa_io.rs
@@ -146,7 +146,7 @@ pub mod tests {
     #![allow(clippy::expect_used)]
     #![allow(clippy::unwrap_used)]
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use c2pa_status_tracker::OneShotStatusTracker;
     use tempfile::tempdir;
 
diff --git a/sdk/src/builder.rs b/sdk/src/builder.rs
index 95a289689..88da3a41f 100644
--- a/sdk/src/builder.rs
+++ b/sdk/src/builder.rs
@@ -1083,7 +1083,7 @@ mod tests {
     #![allow(clippy::unwrap_used)]
     use std::io::Cursor;
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use serde_json::json;
     #[cfg(target_arch = "wasm32")]
     use wasm_bindgen_test::*;
diff --git a/sdk/src/callback_signer.rs b/sdk/src/callback_signer.rs
index c71cf6095..355358d93 100644
--- a/sdk/src/callback_signer.rs
+++ b/sdk/src/callback_signer.rs
@@ -17,7 +17,10 @@
 //! using a callback and public signing certificates.
 
 use async_trait::async_trait;
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::{
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{AsyncTimeStampProvider, TimeStampProvider},
+};
 
 use crate::{AsyncSigner, Error, Result, Signer};
 
@@ -159,6 +162,38 @@ impl Signer for CallbackSigner {
     fn time_authority_url(&self) -> Option<String> {
         self.tsa_url.clone()
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for CallbackSigner {
+    // TO DISCUSS WITH GAVIN: Perhaps we could make CallbackSigner's API return c2pa_crypto::Result<..., RawSignerError> instead?
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        (self.callback)(self.context, data)
+            .map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        let pems = pem::parse_many(&self.certs)
+            .map_err(|e| RawSignerError::InvalidSigningCredentials(e.to_string()))?;
+        Ok(pems.into_iter().map(|p| p.into_contents()).collect())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.reserve_size
+    }
+}
+
+impl TimeStampProvider for CallbackSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
 }
 
 #[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
@@ -189,4 +224,38 @@ impl AsyncSigner for CallbackSigner {
     async fn send_timestamp_request(&self, _message: &[u8]) -> Option<Result<Vec<u8>>> {
         None
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncRawSigner for CallbackSigner {
+    // TO DISCUSS WITH GAVIN: Perhaps we could make CallbackSigner's API return c2pa_crypto::Result<..., RawSignerError> instead?
+    async fn sign(&self, data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        (self.callback)(self.context, &data)
+            .map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        let pems = pem::parse_many(&self.certs)
+            .map_err(|e| RawSignerError::InvalidSigningCredentials(e.to_string()))?;
+        Ok(pems.into_iter().map(|p| p.into_contents()).collect())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.reserve_size
+    }
+}
+
+impl AsyncTimeStampProvider for CallbackSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
 }
diff --git a/sdk/src/claim.rs b/sdk/src/claim.rs
index 33c2cbe8f..ff85a24a7 100644
--- a/sdk/src/claim.rs
+++ b/sdk/src/claim.rs
@@ -18,9 +18,8 @@ use std::{collections::HashMap, fmt};
 use async_generic::async_generic;
 use c2pa_crypto::{
     base64,
-    cose::{parse_cose_sign1, CertificateTrustPolicy, OcspFetchPolicy},
+    cose::{parse_cose_sign1, CertificateTrustPolicy, OcspFetchPolicy, ValidationInfo},
     ocsp::OcspResponse,
-    ValidationInfo,
 };
 use c2pa_status_tracker::{log_item, OneShotStatusTracker, StatusTracker};
 use chrono::{DateTime, Utc};
diff --git a/sdk/src/cose_sign.rs b/sdk/src/cose_sign.rs
index 7a18647ce..45015c334 100644
--- a/sdk/src/cose_sign.rs
+++ b/sdk/src/cose_sign.rs
@@ -16,21 +16,10 @@
 #![deny(missing_docs)]
 
 use async_generic::async_generic;
-use c2pa_crypto::{
-    cose::{
-        add_sigtst_header, add_sigtst_header_async, check_certificate_profile,
-        CertificateTrustPolicy,
-    },
-    p1363::parse_ec_der_sig,
-    SigningAlg,
+use c2pa_crypto::cose::{
+    check_certificate_profile, sign, sign_async, CertificateTrustPolicy, TimeStampStorage,
 };
 use c2pa_status_tracker::OneShotStatusTracker;
-use ciborium::value::Value;
-use coset::{
-    iana::{self, EnumI64},
-    CoseSign1, CoseSign1Builder, Header, HeaderBuilder, Label, ProtectedHeader,
-    TaggedCborSerializable,
-};
 
 use crate::{
     claim::Claim, cose_validator::verify_cose, settings::get_settings_value, AsyncSigner, Error,
@@ -64,10 +53,11 @@ pub fn sign_claim(claim_bytes: &[u8], signer: &dyn Signer, box_size: usize) -> R
     let label = "dummy_label";
     let _claim = Claim::from_data(label, claim_bytes)?;
 
+    // TEMPORARY: assume time stamp V1 until we plumb this through further
     let signed_bytes = if _sync {
-        cose_sign(signer, claim_bytes, box_size)
+        cose_sign(signer, claim_bytes, box_size, TimeStampStorage::V1_sigTst)
     } else {
-        cose_sign_async(signer, claim_bytes, box_size).await
+        cose_sign_async(signer, claim_bytes, box_size, TimeStampStorage::V1_sigTst).await
     };
 
     match signed_bytes {
@@ -98,55 +88,21 @@ pub fn sign_claim(claim_bytes: &[u8], signer: &dyn Signer, box_size: usize) -> R
     }
 }
 
-fn signing_cert_valid(signing_cert: &[u8]) -> Result<()> {
-    // make sure signer certs are valid
-    let mut cose_log = OneShotStatusTracker::default();
-    let mut passthrough_cap = CertificateTrustPolicy::default();
-
-    // allow user EKUs through this check if configured
-    if let Ok(Some(trust_config)) = get_settings_value::<Option<String>>("trust.trust_config") {
-        passthrough_cap.add_valid_ekus(trust_config.as_bytes());
-    }
-
-    Ok(check_certificate_profile(
-        signing_cert,
-        &passthrough_cap,
-        &mut cose_log,
-        None,
-    )?)
-}
-
 /// Returns signed Cose_Sign1 bytes for `data`.
 /// The Cose_Sign1 will be signed with the algorithm from [`Signer`].
 #[async_generic(async_signature(
     signer: &dyn AsyncSigner,
     data: &[u8],
-    box_size: usize
+    box_size: usize,
+    time_stamp_storage: TimeStampStorage,
 ))]
-pub(crate) fn cose_sign(signer: &dyn Signer, data: &[u8], box_size: usize) -> Result<Vec<u8>> {
-    // 13.2.1. X.509 Certificates
-    //
-    // X.509 Certificates are stored in a header named x5chain draft-ietf-cose-x509.
-    // The value is a CBOR array of byte strings, each of which contains the certificate
-    // encoded as ASN.1 distinguished encoding rules (DER). This array must contain at
-    // least one element. The first element of the array must be the certificate of
-    // the signer, and the subjectPublicKeyInfo element of the certificate will be the
-    // public key used to validate the signature. The Validity member of the TBSCertificate
-    // sequence provides the time validity period of the certificate.
-
-    /*
-       This header parameter allows for a single X.509 certificate or a
-       chain of X.509 certificates to be carried in the message.
-
-       *  If a single certificate is conveyed, it is placed in a CBOR
-           byte string.
-
-       *  If multiple certificates are conveyed, a CBOR array of byte
-           strings is used, with each certificate being in its own byte
-           string.
-    */
-
-    // make sure the signing cert is valid
+pub(crate) fn cose_sign(
+    signer: &dyn Signer,
+    data: &[u8],
+    box_size: usize,
+    time_stamp_storage: TimeStampStorage,
+) -> Result<Vec<u8>> {
+    // Make sure the signing cert is valid.
     let certs = signer.certs()?;
     if let Some(signing_cert) = certs.first() {
         signing_cert_valid(signing_cert)?;
@@ -154,269 +110,44 @@ pub(crate) fn cose_sign(signer: &dyn Signer, data: &[u8], box_size: usize) -> Re
         return Err(Error::CoseNoCerts);
     }
 
-    let alg = signer.alg();
-
-    // build complete header
-    let (protected_header, unprotected_header) = if _sync {
-        build_headers(signer, data, alg)?
-    } else {
-        build_headers_async(signer, data, alg).await?
-    };
-
-    let aad: &[u8; 0] = b""; // no additional data required here
-
-    let sign1_builder = CoseSign1Builder::new()
-        .protected(protected_header)
-        .unprotected(unprotected_header)
-        .payload(data.to_vec());
-
-    let mut sign1 = sign1_builder.build();
-
-    let tbs = coset::sig_structure_data(
-        coset::SignatureContext::CoseSign1,
-        sign1.protected.clone(),
-        None,
-        aad,
-        sign1.payload.as_ref().unwrap_or(&vec![]),
-    );
-
-    let signature = if _sync {
-        signer.sign(&tbs)?
-    } else {
-        signer.sign(tbs).await?
-    };
-
-    // fix up signatures that may be in the wrong format
-    sign1.signature = match alg {
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
-            if parse_ec_der_sig(&signature).is_ok() {
-                // fix up DER signature to be in P1363 format
-                der_to_p1363(&signature, alg)?
-            } else {
-                signature
-            }
-        }
-        _ => signature,
-    };
-
-    sign1.payload = None; // clear the payload since it is known
-
-    let c2pa_sig_data = pad_cose_sig(&mut sign1, box_size)?;
-
-    // println!("sig: {}", Hexlify(&c2pa_sig_data));
-
-    Ok(c2pa_sig_data)
-}
-
-fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>> {
-    // P1363 format: r | s
-
-    let (_, p) = parse_ec_der_sig(data).map_err(|_err| Error::InvalidEcdsaSignature)?;
-
-    let mut r = extfmt::Hexlify(p.r).to_string();
-    let mut s = extfmt::Hexlify(p.s).to_string();
-
-    let sig_len: usize = match alg {
-        SigningAlg::Es256 => 64,
-        SigningAlg::Es384 => 96,
-        SigningAlg::Es512 => 132,
-        _ => return Err(Error::UnsupportedType),
-    };
-
-    // pad or truncate as needed
-    let rp = if r.len() > sig_len {
-        // truncate
-        let offset = r.len() - sig_len;
-        &r[offset..r.len()]
+    let raw_signer = if _sync {
+        signer.raw_signer()
     } else {
-        // pad
-        while r.len() != sig_len {
-            r.insert(0, '0');
-        }
-        r.as_ref()
+        signer.async_raw_signer()
     };
 
-    let sp = if s.len() > sig_len {
-        // truncate
-        let offset = s.len() - sig_len;
-        &s[offset..s.len()]
+    if _sync {
+        Ok(sign(*raw_signer, data, box_size, time_stamp_storage)?)
     } else {
-        // pad
-        while s.len() != sig_len {
-            s.insert(0, '0');
-        }
-        s.as_ref()
-    };
-
-    if rp.len() != sig_len || rp.len() != sp.len() {
-        return Err(Error::InvalidEcdsaSignature);
+        Ok(sign_async(*raw_signer, data, box_size, time_stamp_storage).await?)
     }
-
-    // merge r and s strings
-    let mut new_sig = rp.to_string();
-    new_sig.push_str(sp);
-
-    // convert back from hex string to byte array
-    (0..new_sig.len())
-        .step_by(2)
-        .map(|i| {
-            u8::from_str_radix(&new_sig[i..i + 2], 16).map_err(|_err| Error::InvalidEcdsaSignature)
-        })
-        .collect()
 }
 
-#[async_generic(async_signature(signer: &dyn AsyncSigner, data: &[u8], alg: SigningAlg))]
-fn build_headers(signer: &dyn Signer, data: &[u8], alg: SigningAlg) -> Result<(Header, Header)> {
-    let mut protected_h = match alg {
-        SigningAlg::Ps256 => HeaderBuilder::new().algorithm(iana::Algorithm::PS256),
-        SigningAlg::Ps384 => HeaderBuilder::new().algorithm(iana::Algorithm::PS384),
-        SigningAlg::Ps512 => HeaderBuilder::new().algorithm(iana::Algorithm::PS512),
-        SigningAlg::Es256 => HeaderBuilder::new().algorithm(iana::Algorithm::ES256),
-        SigningAlg::Es384 => HeaderBuilder::new().algorithm(iana::Algorithm::ES384),
-        SigningAlg::Es512 => HeaderBuilder::new().algorithm(iana::Algorithm::ES512),
-        SigningAlg::Ed25519 => HeaderBuilder::new().algorithm(iana::Algorithm::EdDSA),
-    };
-
-    let certs = signer.certs()?;
-
-    let ocsp_val = if _sync {
-        signer.ocsp_val()
-    } else {
-        signer.ocsp_val().await
-    };
-
-    let sc_der_array_or_bytes = match certs.len() {
-        1 => Value::Bytes(certs[0].clone()), // single cert
-        _ => {
-            let mut sc_der_array: Vec<Value> = Vec::new();
-            for cert in certs {
-                sc_der_array.push(Value::Bytes(cert));
-            }
-            Value::Array(sc_der_array) // provide vec of certs when required
-        }
-    };
-
-    // add certs to protected header (spec 1.3 now requires integer 33(X5Chain) in favor of string "x5chain" going forward)
-    protected_h = protected_h.value(
-        iana::HeaderParameter::X5Chain.to_i64(),
-        sc_der_array_or_bytes.clone(),
-    );
-
-    let protected_header = protected_h.build();
-    let ph2 = ProtectedHeader {
-        original_data: None,
-        header: protected_header.clone(),
-    };
-
-    let unprotected_h = HeaderBuilder::new();
-
-    let mut unprotected_h = if _sync {
-        if let Some(tsp) = signer.time_stamp_provider() {
-            add_sigtst_header(*tsp, data, &ph2, unprotected_h)?
-        } else {
-            unprotected_h
-        }
-    } else {
-        if let Some(tsp) = signer.async_time_stamp_provider() {
-            add_sigtst_header_async(*tsp, data, &ph2, unprotected_h).await?
-        } else {
-            unprotected_h
-        }
-    };
-
-    // set the ocsp responder response if available
-    if let Some(ocsp) = ocsp_val {
-        let mut ocsp_vec: Vec<Value> = Vec::new();
-        let mut r_vals: Vec<(Value, Value)> = vec![];
-
-        ocsp_vec.push(Value::Bytes(ocsp));
-        r_vals.push((Value::Text("ocspVals".to_string()), Value::Array(ocsp_vec)));
-
-        unprotected_h = unprotected_h.text_value("rVals".to_string(), Value::Map(r_vals));
-    }
-
-    // build complete header
-    let unprotected_header = unprotected_h.build();
-
-    Ok((protected_header, unprotected_header))
-}
-
-const PAD: &str = "pad";
-const PAD2: &str = "pad2";
-const PAD_OFFSET: usize = 7;
-
-// Pad the CoseSign1 structure with 0s to match the reserved box size.
-// There are some values lengths that are impossible to hit with a single padding so
-// when that happens a second padding is added to change the remaining needed padding.
-// The default initial guess works for almost all sizes, without the need for additional loops.
-fn pad_cose_sig(sign1: &mut CoseSign1, end_size: usize) -> Result<Vec<u8>> {
-    let mut sign1_clone = sign1.clone();
-    let cur_vec = sign1_clone
-        .to_tagged_vec()
-        .map_err(|_e| Error::CoseSignature)?;
-    let cur_size = cur_vec.len();
-
-    if cur_size == end_size {
-        return Ok(cur_vec);
-    }
-
-    // check for box too small and matched size
-    if cur_size + PAD_OFFSET > end_size {
-        return Err(Error::CoseSigboxTooSmall);
-    }
-
-    let mut padding_found = false;
-    let mut last_pad = 0;
-    let mut target_guess = end_size - cur_size - PAD_OFFSET; // start close to desired end_size accounting for label
-    loop {
-        // clone to use
-        sign1_clone = sign1.clone();
-
-        // replace padding with new estimate
-        for header_pair in &mut sign1_clone.unprotected.rest {
-            if header_pair.0 == Label::Text("pad".to_string()) {
-                if let Value::Bytes(b) = &header_pair.1 {
-                    last_pad = b.len();
-                }
-                header_pair.1 = Value::Bytes(vec![0u8; target_guess]);
-                padding_found = true;
-                break;
-            }
-        }
-
-        // if there was no padding add it and call again
-        if !padding_found {
-            sign1_clone.unprotected.rest.push((
-                Label::Text(PAD.to_string()),
-                Value::Bytes(vec![0u8; target_guess]),
-            ));
-            return pad_cose_sig(&mut sign1_clone, end_size);
-        }
-
-        // get current cbor vec to size if we reached target size
-        let new_cbor = sign1_clone
-            .to_tagged_vec()
-            .map_err(|_e| Error::CoseSignature)?;
+fn signing_cert_valid(signing_cert: &[u8]) -> Result<()> {
+    // make sure signer certs are valid
+    let mut cose_log = OneShotStatusTracker::default();
+    let mut passthrough_cap = CertificateTrustPolicy::default();
 
-        match new_cbor.len() < end_size {
-            true => target_guess += 1,
-            false if new_cbor.len() == end_size => return Ok(new_cbor),
-            false => break, // we could not match end_size in a single pad so break and add a second
-        }
+    // allow user EKUs through this check if configured
+    if let Ok(Some(trust_config)) = get_settings_value::<Option<String>>("trust.trust_config") {
+        passthrough_cap.add_valid_ekus(trust_config.as_bytes());
     }
 
-    // if we reach here we need a new second padding object to hit exact size
-    sign1.unprotected.rest.push((
-        Label::Text(PAD2.to_string()),
-        Value::Bytes(vec![0u8; last_pad - 10]),
-    ));
-    pad_cose_sig(sign1, end_size)
+    Ok(check_certificate_profile(
+        signing_cert,
+        &passthrough_cap,
+        &mut cose_log,
+        None,
+    )?)
 }
 
 #[cfg(test)]
 mod tests {
     #![allow(clippy::unwrap_used)]
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::{
+        raw_signature::{RawSigner, RawSignerError, SigningAlg},
+        time_stamp::{TimeStampError, TimeStampProvider},
+    };
 
     use super::sign_claim;
     #[cfg(not(target_arch = "wasm32"))]
@@ -432,7 +163,7 @@ mod tests {
         let claim_bytes = claim.data().unwrap();
 
         let signer = test_signer(SigningAlg::Ps256);
-        let box_size = signer.reserve_size();
+        let box_size = Signer::reserve_size(signer.as_ref());
 
         let cose_sign1 = sign_claim(&claim_bytes, signer.as_ref(), box_size).unwrap();
 
@@ -442,7 +173,7 @@ mod tests {
     #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
     #[actix::test]
     async fn test_sign_claim_async() {
-        use c2pa_crypto::SigningAlg;
+        use c2pa_crypto::raw_signature::SigningAlg;
 
         use crate::{cose_sign::sign_claim_async, AsyncSigner};
 
@@ -475,8 +206,8 @@ mod tests {
             Ok(b"totally bogus signature".to_vec())
         }
 
-        fn alg(&self) -> c2pa_crypto::SigningAlg {
-            c2pa_crypto::SigningAlg::Ps256
+        fn alg(&self) -> c2pa_crypto::raw_signature::SigningAlg {
+            c2pa_crypto::raw_signature::SigningAlg::Ps256
         }
 
         fn certs(&self) -> Result<Vec<Vec<u8>>> {
@@ -492,6 +223,40 @@ mod tests {
         fn send_timestamp_request(&self, _message: &[u8]) -> Option<crate::error::Result<Vec<u8>>> {
             Some(Ok(Vec::new()))
         }
+
+        fn raw_signer(&self) -> Box<&dyn c2pa_crypto::raw_signature::RawSigner> {
+            Box::new(self)
+        }
+    }
+
+    impl RawSigner for BogusSigner {
+        fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+            eprintln!("Canary, canary, please cause this deploy to fail!");
+            Ok(b"totally bogus signature".to_vec())
+        }
+
+        fn alg(&self) -> c2pa_crypto::raw_signature::SigningAlg {
+            c2pa_crypto::raw_signature::SigningAlg::Ps256
+        }
+
+        fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+            let cert_vec: Vec<u8> = Vec::new();
+            let certs = vec![cert_vec];
+            Ok(certs)
+        }
+
+        fn reserve_size(&self) -> usize {
+            1024
+        }
+    }
+
+    impl TimeStampProvider for BogusSigner {
+        fn send_time_stamp_request(
+            &self,
+            _message: &[u8],
+        ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+            Some(Ok(Vec::new()))
+        }
     }
 
     #[test]
diff --git a/sdk/src/cose_validator.rs b/sdk/src/cose_validator.rs
index 9547af2ac..48f2c7a08 100644
--- a/sdk/src/cose_validator.rs
+++ b/sdk/src/cose_validator.rs
@@ -16,10 +16,10 @@ use std::io::Cursor;
 use async_generic::async_generic;
 use c2pa_crypto::{
     cose::{
-        cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1, validate_cose_tst_info,
-        validate_cose_tst_info_async, CertificateTrustPolicy, Verifier,
+        cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1, signing_time_from_sign1,
+        signing_time_from_sign1_async, CertificateTrustPolicy, ValidationInfo, Verifier,
     },
-    SigningAlg, ValidationInfo,
+    raw_signature::SigningAlg,
 };
 use c2pa_status_tracker::StatusTracker;
 use x509_parser::{num_bigint::BigUint, prelude::*};
@@ -75,27 +75,6 @@ fn dump_cert_chain(certs: &[Vec<u8>]) -> Result<Vec<u8>> {
     Ok(out_buf)
 }
 
-// Note: this function is only used to get the display string and not for cert validation.
-#[async_generic]
-fn get_signing_time(
-    sign1: &coset::CoseSign1,
-    data: &[u8],
-) -> Option<chrono::DateTime<chrono::Utc>> {
-    // get timestamp info if available
-
-    let time_stamp_info = if _sync {
-        validate_cose_tst_info(sign1, data)
-    } else {
-        validate_cose_tst_info_async(sign1, data).await
-    };
-
-    if let Ok(tst_info) = time_stamp_info {
-        Some(gt_to_datetime(tst_info.gen_time))
-    } else {
-        None
-    }
-}
-
 fn extract_subject_from_cert(cert: &X509Certificate) -> Result<String> {
     cert.subject()
         .iter_organization()
@@ -130,9 +109,9 @@ pub(crate) fn get_signing_info(
                 Ok(der_bytes) => {
                     if let Ok((_rem, signcert)) = X509Certificate::from_der(&der_bytes) {
                         date = if _sync {
-                            get_signing_time(&sign1, data)
+                            signing_time_from_sign1(&sign1, data)
                         } else {
-                            get_signing_time_async(&sign1, data).await
+                            signing_time_from_sign1_async(&sign1, data).await
                         };
                         issuer_org = extract_subject_from_cert(&signcert).ok();
                         cert_serial_number = Some(extract_serial_from_cert(&signcert));
@@ -168,18 +147,12 @@ pub(crate) fn get_signing_info(
     }
 }
 
-fn gt_to_datetime(
-    gt: x509_certificate::asn1time::GeneralizedTime,
-) -> chrono::DateTime<chrono::Utc> {
-    gt.into()
-}
-
 #[allow(unused_imports)]
 #[allow(clippy::unwrap_used)]
 #[cfg(feature = "openssl_sign")]
 #[cfg(test)]
 pub mod tests {
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use c2pa_status_tracker::DetailedStatusTracker;
     use ciborium::Value;
     use coset::Label;
@@ -207,15 +180,16 @@ pub mod tests {
 
         let cose_sign1 = parse_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
 
-        let signing_time = get_signing_time(&cose_sign1, &claim_bytes);
+        let signing_time = signing_time_from_sign1(&cose_sign1, &claim_bytes);
 
         assert_eq!(signing_time, None);
     }
     #[test]
     #[cfg(feature = "openssl_sign")]
     fn test_stapled_ocsp() {
-        use c2pa_crypto::raw_signature::{
-            signer_from_cert_chain_and_private_key, RawSigner, RawSignerError,
+        use c2pa_crypto::{
+            raw_signature::{signer_from_cert_chain_and_private_key, RawSigner, RawSignerError},
+            time_stamp::{TimeStampError, TimeStampProvider},
         };
 
         let mut validation_log = DetailedStatusTracker::default();
@@ -229,19 +203,19 @@ pub mod tests {
         let pem_key = include_bytes!("../tests/fixtures/certs/ps256.pem").to_vec();
         let ocsp_rsp_data = include_bytes!("../tests/fixtures/ocsp_good.data");
 
-        let signer =
+        let raw_signer =
             signer_from_cert_chain_and_private_key(&sign_cert, &pem_key, SigningAlg::Ps256, None)
                 .unwrap();
 
         // create a test signer that supports stapling
         struct OcspSigner {
-            pub signer: Box<dyn crate::Signer>,
+            pub raw_signer: Box<dyn RawSigner>,
             pub ocsp_rsp: Vec<u8>,
         }
 
         impl crate::Signer for OcspSigner {
             fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
-                self.signer.sign(data)
+                Ok(self.raw_signer.sign(data)?)
             }
 
             fn alg(&self) -> SigningAlg {
@@ -249,27 +223,81 @@ pub mod tests {
             }
 
             fn certs(&self) -> Result<Vec<Vec<u8>>> {
-                self.signer.certs()
+                Ok(self.raw_signer.cert_chain()?)
             }
 
             fn reserve_size(&self) -> usize {
-                self.signer.reserve_size()
+                self.raw_signer.reserve_size()
             }
 
             fn ocsp_val(&self) -> Option<Vec<u8>> {
                 Some(self.ocsp_rsp.clone())
             }
+
+            fn raw_signer(&self) -> Box<&dyn RawSigner> {
+                Box::new(self)
+            }
+        }
+
+        impl RawSigner for OcspSigner {
+            fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+                self.raw_signer.sign(data)
+            }
+
+            fn alg(&self) -> SigningAlg {
+                self.raw_signer.alg()
+            }
+
+            fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+                self.raw_signer.cert_chain()
+            }
+
+            fn reserve_size(&self) -> usize {
+                self.raw_signer.reserve_size()
+            }
+
+            fn ocsp_response(&self) -> Option<Vec<u8>> {
+                eprintln!("THE ONE I WANTED @ 287");
+                Some(self.ocsp_rsp.clone())
+            }
+        }
+
+        impl TimeStampProvider for OcspSigner {
+            fn time_stamp_service_url(&self) -> Option<String> {
+                self.raw_signer.time_stamp_service_url()
+            }
+
+            fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+                self.raw_signer.time_stamp_request_headers()
+            }
+
+            fn time_stamp_request_body(
+                &self,
+                message: &[u8],
+            ) -> std::result::Result<Vec<u8>, TimeStampError> {
+                self.raw_signer.time_stamp_request_body(message)
+            }
+
+            fn send_time_stamp_request(
+                &self,
+                message: &[u8],
+            ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+                self.raw_signer.send_time_stamp_request(message)
+            }
         }
 
         let ocsp_signer = OcspSigner {
-            signer: Box::new(crate::signer::RawSignerWrapper(signer)),
+            raw_signer,
             ocsp_rsp: ocsp_rsp_data.to_vec(),
         };
 
         // sign and staple
-        let cose_bytes =
-            crate::cose_sign::sign_claim(&claim_bytes, &ocsp_signer, ocsp_signer.reserve_size())
-                .unwrap();
+        let cose_bytes = crate::cose_sign::sign_claim(
+            &claim_bytes,
+            &ocsp_signer,
+            RawSigner::reserve_size(&ocsp_signer),
+        )
+        .unwrap();
 
         let cose_sign1 = parse_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
         let ocsp_stapled = get_ocsp_der(&cose_sign1).unwrap();
diff --git a/sdk/src/create_signer.rs b/sdk/src/create_signer.rs
index 67fb1887f..111a5333b 100644
--- a/sdk/src/create_signer.rs
+++ b/sdk/src/create_signer.rs
@@ -18,7 +18,7 @@
 #[cfg(feature = "file_io")]
 use std::path::Path;
 
-use c2pa_crypto::{raw_signature::signer_from_cert_chain_and_private_key, SigningAlg};
+use c2pa_crypto::raw_signature::{signer_from_cert_chain_and_private_key, SigningAlg};
 
 use crate::{error::Result, signer::RawSignerWrapper, Signer};
 
diff --git a/sdk/src/error.rs b/sdk/src/error.rs
index 136428188..4502c2b54 100644
--- a/sdk/src/error.rs
+++ b/sdk/src/error.rs
@@ -13,7 +13,7 @@
 
 // #![deny(missing_docs)] (we'll turn this on once fully documented)
 
-use c2pa_crypto::cose::CoseError;
+use c2pa_crypto::{cose::CoseError, raw_signature::RawSignerError, time_stamp::TimeStampError};
 use thiserror::Error;
 
 /// `Error` enumerates errors returned by most C2PA toolkit operations.
@@ -358,8 +358,44 @@ impl From<CoseError> for Error {
             CoseError::TimeStampError(e) => e.into(),
             CoseError::CertificateProfileError(e) => e.into(),
             CoseError::CertificateTrustError(e) => e.into(),
+            CoseError::BoxSizeTooSmall => Self::CoseSigboxTooSmall,
+            CoseError::RawSignerError(e) => e.into(),
             CoseError::RawSignatureValidationError(e) => e.into(),
             CoseError::InternalError(e) => Self::InternalError(e),
         }
     }
 }
+
+impl From<Error> for CoseError {
+    fn from(err: Error) -> Self {
+        match err {
+            Error::CoseX5ChainMissing => Self::MissingSigningCertificateChain,
+            Error::CoseVerifier => Self::MultipleSigningCertificateChains,
+            Error::NotFound => Self::NoTimeStampToken,
+            Error::CoseSignatureAlgorithmNotSupported => Self::UnsupportedSigningAlgorithm,
+            Error::InvalidEcdsaSignature => Self::InvalidEcdsaSignature,
+            Error::CoseTimeStampGeneration => Self::CborGenerationError(err.to_string()),
+            Error::TimeStampError(e) => Self::TimeStampError(e),
+            Error::CertificateProfileError(e) => Self::CertificateProfileError(e),
+            Error::CertificateTrustError(e) => Self::CertificateTrustError(e),
+            Error::CoseSigboxTooSmall => Self::BoxSizeTooSmall,
+            Error::RawSignerError(e) => Self::RawSignerError(e),
+            Error::RawSignatureValidationError(e) => Self::RawSignatureValidationError(e),
+            _ => Self::InternalError(err.to_string()),
+        }
+    }
+}
+
+impl From<Error> for RawSignerError {
+    fn from(err: Error) -> Self {
+        // See if better mappings exist, but I doubt it.
+        Self::InternalError(err.to_string())
+    }
+}
+
+impl From<Error> for TimeStampError {
+    fn from(err: Error) -> Self {
+        // See if better mappings exist, but I doubt it.
+        Self::InternalError(err.to_string())
+    }
+}
diff --git a/sdk/src/jumbf_io.rs b/sdk/src/jumbf_io.rs
index 7e11ae36e..baaf7f12f 100644
--- a/sdk/src/jumbf_io.rs
+++ b/sdk/src/jumbf_io.rs
@@ -349,7 +349,7 @@ pub mod tests {
 
     use std::io::Seek;
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
 
     use super::*;
     use crate::{
diff --git a/sdk/src/lib.rs b/sdk/src/lib.rs
index 49c45ac9a..80e61c7e1 100644
--- a/sdk/src/lib.rs
+++ b/sdk/src/lib.rs
@@ -118,7 +118,7 @@ pub use assertions::Relationship;
 pub use asset_io::{CAIRead, CAIReadWrite};
 #[cfg(feature = "unstable_api")]
 pub use builder::{Builder, ManifestDefinition};
-pub use c2pa_crypto::SigningAlg;
+pub use c2pa_crypto::raw_signature::SigningAlg;
 pub use callback_signer::{CallbackFunc, CallbackSigner};
 pub use claim_generator_info::ClaimGeneratorInfo;
 pub use dynamic_assertion::DynamicAssertion;
diff --git a/sdk/src/manifest.rs b/sdk/src/manifest.rs
index 0246c7310..02324ea9c 100644
--- a/sdk/src/manifest.rs
+++ b/sdk/src/manifest.rs
@@ -16,7 +16,7 @@ use std::{borrow::Cow, collections::HashMap, io::Cursor, slice::Iter};
 use std::{fs::create_dir_all, path::Path};
 
 use async_generic::async_generic;
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 use log::{debug, error};
 #[cfg(feature = "json_schema")]
 use schemars::JsonSchema;
@@ -1505,7 +1505,7 @@ pub(crate) mod tests {
     use std::io::Cursor;
 
     #[cfg(any(feature = "file_io", target_arch = "wasm32"))]
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     #[cfg(feature = "file_io")]
     use c2pa_status_tracker::{DetailedStatusTracker, StatusTracker};
     #[cfg(feature = "file_io")]
diff --git a/sdk/src/resource_store.rs b/sdk/src/resource_store.rs
index c5229d23b..0d75c36ec 100644
--- a/sdk/src/resource_store.rs
+++ b/sdk/src/resource_store.rs
@@ -404,7 +404,7 @@ mod tests {
 
     use std::io::Cursor;
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
 
     use super::*;
     use crate::{utils::test_signer::test_signer, Builder, Reader};
diff --git a/sdk/src/signer.rs b/sdk/src/signer.rs
index 3f70031ed..9e8bc680d 100644
--- a/sdk/src/signer.rs
+++ b/sdk/src/signer.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 use c2pa_crypto::{
-    raw_signature::RawSigner,
-    time_stamp::{AsyncTimeStampProvider, TimeStampProvider},
-    SigningAlg,
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{TimeStampError, TimeStampProvider},
 };
 
 use crate::{DynamicAssertion, Result};
@@ -99,12 +98,15 @@ pub trait Signer {
         Vec::new()
     }
 
-    /// If this struct also implements [`TimeStampProvider`], return a reference to that struct.
+    /// This struct must also implement [`RawSigner`]. Return a reference
+    /// to that trait implementation.
     ///
-    /// [`TimeStampProvider`]: c2pa_crypto::time_stamp::TimeStampProvider
-    fn time_stamp_provider(&self) -> Option<Box<&dyn TimeStampProvider>> {
-        None
-    }
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`RawSigner`] a supertrait of
+    /// this trait. This API is a workaround for that limitation.
+    ///
+    /// [`RawSigner`]: c2pa_crypto::raw_signature::RawSigner
+    fn raw_signer(&self) -> Box<&dyn RawSigner>;
 }
 
 /// Trait to allow loading of signing credential from external sources
@@ -219,12 +221,15 @@ pub trait AsyncSigner: Sync {
         Vec::new()
     }
 
-    /// If this struct also implements [`AsyncTimeStampProvider`], return a reference to that struct.
+    /// This struct must also implement [`AsyncRawSigner`]. Return a reference
+    /// to that trait implementation.
     ///
-    /// [`AsyncTimeStampProvider`]: c2pa_crypto::time_stamp::AsyncTimeStampProvider
-    fn async_time_stamp_provider(&self) -> Option<Box<&dyn AsyncTimeStampProvider>> {
-        None
-    }
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`AsyncRawSigner`] a supertrait
+    /// of this trait. This API is a workaround for that limitation.
+    ///
+    /// [`AsyncRawSigner`]: c2pa_crypto::raw_signature::AsyncRawSigner
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner>;
 }
 
 /// The `AsyncSigner` trait generates a cryptographic signature over a byte array.
@@ -298,12 +303,15 @@ pub trait AsyncSigner {
         Vec::new()
     }
 
-    /// If this struct also implements [`AsyncTimeStampProvider`], return a reference to that struct.
+    /// This struct must also implement [`AsyncRawSigner`]. Return a reference
+    /// to that trait implementation.
     ///
-    /// [`AsyncTimeStampProvider`]: c2pa_crypto::time_stamp::AsyncTimeStampProvider
-    fn async_time_stamp_provider<'a>(&'a self) -> Option<Box<&'a dyn AsyncTimeStampProvider>> {
-        None
-    }
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`AsyncRawSigner`] a supertrait
+    /// of this trait. This API is a workaround for that limitation.
+    ///
+    /// [`AsyncRawSigner`]: c2pa_crypto::raw_signature::AsyncRawSigner
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner>;
 }
 
 #[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
@@ -368,8 +376,57 @@ impl Signer for Box<dyn Signer> {
         (**self).send_timestamp_request(message)
     }
 
-    fn time_stamp_provider(&self) -> Option<Box<&dyn TimeStampProvider>> {
-        (**self).time_stamp_provider()
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        (**self).raw_signer()
+    }
+}
+
+impl RawSigner for Box<dyn Signer> {
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(self.as_ref().sign(data)?)
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.as_ref().alg()
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.as_ref().certs()?)
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.as_ref().reserve_size()
+    }
+
+    fn ocsp_response(&self) -> Option<Vec<u8>> {
+        eprintln!("HUH, A DIFFERENT I WANTED @ 397");
+        self.as_ref().ocsp_val()
+    }
+}
+
+impl TimeStampProvider for Box<dyn Signer> {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.as_ref().time_authority_url()
+    }
+
+    fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        self.as_ref().timestamp_request_headers()
+    }
+
+    fn time_stamp_request_body(
+        &self,
+        message: &[u8],
+    ) -> std::result::Result<Vec<u8>, TimeStampError> {
+        Ok(self.as_ref().sign(message)?)
+    }
+
+    fn send_time_stamp_request(
+        &self,
+        message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        self.as_ref()
+            .send_timestamp_request(message)
+            .map(|r| Ok(r?))
     }
 }
 
@@ -419,6 +476,10 @@ impl AsyncSigner for Box<dyn AsyncSigner + Send + Sync> {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         (**self).dynamic_assertions()
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        (**self).async_raw_signer()
+    }
 }
 
 #[cfg(target_arch = "wasm32")]
@@ -467,6 +528,10 @@ impl AsyncSigner for Box<dyn AsyncSigner> {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         (**self).dynamic_assertions()
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        (**self).async_raw_signer()
+    }
 }
 
 #[cfg_attr(target_arch = "wasm32", allow(dead_code))]
@@ -512,4 +577,8 @@ impl Signer for RawSignerWrapper {
             .send_time_stamp_request(message)
             .map(|r| r.map_err(|e| e.into()))
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(&*self.0)
+    }
 }
diff --git a/sdk/src/store.rs b/sdk/src/store.rs
index 2049d2204..2289314a5 100644
--- a/sdk/src/store.rs
+++ b/sdk/src/store.rs
@@ -24,7 +24,7 @@ use std::{
 use async_generic::async_generic;
 use async_recursion::async_recursion;
 use c2pa_crypto::{
-    cose::{parse_cose_sign1, CertificateTrustPolicy},
+    cose::{parse_cose_sign1, CertificateTrustPolicy, TimeStampStorage},
     hash::sha256,
 };
 use c2pa_status_tracker::{log_item, DetailedStatusTracker, OneShotStatusTracker, StatusTracker};
@@ -494,7 +494,8 @@ impl Store {
                 // Let the signer do all the COSE processing and return the structured COSE data.
                 return signer.sign(&claim_bytes); // do not verify remote signers (we never did)
             } else {
-                cose_sign(signer, &claim_bytes, box_size)
+                // TEMPORARY: Assume V1 until we plumb things through further.
+                cose_sign(signer, &claim_bytes, box_size, TimeStampStorage::V1_sigTst)
             }
         } else {
             if signer.direct_cose_handling() {
@@ -502,7 +503,8 @@ impl Store {
                 return signer.sign(claim_bytes.clone()).await;
             // do not verify remote signers (we never did)
             } else {
-                cose_sign_async(signer, &claim_bytes, box_size).await
+                // TEMPORARY: Assume V1 until we plumb things through further.
+                cose_sign_async(signer, &claim_bytes, box_size, TimeStampStorage::V1_sigTst).await
             }
         };
         match result {
@@ -3595,7 +3597,10 @@ pub mod tests {
 
     use std::io::Write;
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::{
+        raw_signature::{RawSigner, RawSignerError, SigningAlg},
+        time_stamp::TimeStampProvider,
+    };
     use c2pa_status_tracker::StatusTracker;
     use memchr::memmem;
     use serde::Serialize;
@@ -3836,8 +3841,32 @@ pub mod tests {
         fn reserve_size(&self) -> usize {
             42
         }
+
+        fn raw_signer(&self) -> Box<&dyn RawSigner> {
+            Box::new(self)
+        }
+    }
+
+    impl RawSigner for BadSigner {
+        fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+            Ok(b"not a valid signature".to_vec())
+        }
+
+        fn alg(&self) -> SigningAlg {
+            SigningAlg::Ps256
+        }
+
+        fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+            Ok(Vec::new())
+        }
+
+        fn reserve_size(&self) -> usize {
+            42
+        }
     }
 
+    impl TimeStampProvider for BadSigner {}
+
     #[test]
     #[cfg(feature = "file_io")]
     fn test_detects_unverifiable_signature() {
@@ -3865,7 +3894,7 @@ pub mod tests {
     #[test]
     #[cfg(feature = "file_io")]
     fn test_sign_with_expired_cert() {
-        use c2pa_crypto::SigningAlg;
+        use c2pa_crypto::raw_signature::SigningAlg;
 
         use crate::create_signer;
 
@@ -5660,7 +5689,7 @@ pub mod tests {
 
         // get a placeholder the manifest
         let placeholder = store
-            .get_data_hashed_manifest_placeholder(signer.reserve_size(), "jpeg")
+            .get_data_hashed_manifest_placeholder(Signer::reserve_size(&signer), "jpeg")
             .unwrap();
 
         let temp_dir = tempfile::tempdir().unwrap();
@@ -5731,7 +5760,7 @@ pub mod tests {
 
         // get a placeholder for the manifest
         let placeholder = store
-            .get_data_hashed_manifest_placeholder(signer.reserve_size(), "jpeg")
+            .get_data_hashed_manifest_placeholder(Signer::reserve_size(&signer), "jpeg")
             .unwrap();
 
         let temp_dir = tempfile::tempdir().unwrap();
@@ -5849,7 +5878,7 @@ pub mod tests {
         // get the embeddable manifest
         let mut input_stream = std::fs::File::open(ap).unwrap();
         let placed_manifest = store
-            .get_placed_manifest(signer.reserve_size(), "jpg", &mut input_stream)
+            .get_placed_manifest(Signer::reserve_size(&signer), "jpg", &mut input_stream)
             .unwrap();
 
         // insert manifest into output asset
@@ -5897,6 +5926,7 @@ pub mod tests {
     #[cfg(feature = "openssl_sign")]
     async fn test_dynamic_assertions() {
         use async_trait::async_trait;
+        use c2pa_crypto::raw_signature::AsyncRawSigner;
 
         #[derive(Serialize)]
         struct TestAssertion {
@@ -5935,62 +5965,48 @@ pub mod tests {
 
         /// This is an async signer wrapped around a local temp signer,
         /// that implements the dynamic assertion trait.
-        struct DynamicSigner {
-            alg: SigningAlg,
-            certs: Vec<Vec<u8>>,
-            reserve_size: usize,
-            tsa_url: Option<String>,
-            ocsp_val: Option<Vec<u8>>,
-        }
+        struct DynamicSigner(Box<dyn AsyncSigner>);
 
         impl DynamicSigner {
             fn new() -> Self {
-                let signer = test_signer(SigningAlg::Ps256);
-                DynamicSigner {
-                    alg: signer.alg(),
-                    certs: signer.certs().unwrap_or_default(),
-                    reserve_size: signer.reserve_size(),
-                    tsa_url: signer.time_authority_url(),
-                    ocsp_val: signer.ocsp_val(),
-                }
+                Self(async_test_signer(SigningAlg::Ps256))
             }
         }
 
         #[async_trait::async_trait]
         impl crate::AsyncSigner for DynamicSigner {
             async fn sign(&self, data: Vec<u8>) -> crate::error::Result<Vec<u8>> {
-                let signer = test_signer(SigningAlg::Ps256);
-                signer.sign(&data)
+                self.0.sign(data).await
             }
 
             fn alg(&self) -> SigningAlg {
-                self.alg
+                self.0.alg()
             }
 
             fn certs(&self) -> crate::Result<Vec<Vec<u8>>> {
-                let mut output: Vec<Vec<u8>> = Vec::new();
-                for v in &self.certs {
-                    output.push(v.clone());
-                }
-                Ok(output)
+                self.0.certs()
             }
 
             fn reserve_size(&self) -> usize {
-                self.reserve_size
+                self.0.reserve_size()
             }
 
             fn time_authority_url(&self) -> Option<String> {
-                self.tsa_url.clone()
+                self.0.time_authority_url()
             }
 
             async fn ocsp_val(&self) -> Option<Vec<u8>> {
-                self.ocsp_val.clone()
+                self.0.ocsp_val().await
             }
 
             // Returns our dynamic assertion here.
             fn dynamic_assertions(&self) -> Vec<Box<dyn crate::DynamicAssertion>> {
                 vec![Box::new(TestDynamicAssertion {})]
             }
+
+            fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+                self.0.async_raw_signer()
+            }
         }
 
         let file_buffer = include_bytes!("../tests/fixtures/earth_apollo17.jpg").to_vec();
diff --git a/sdk/src/utils/test.rs b/sdk/src/utils/test.rs
index 3e7ca639a..f79f036cb 100644
--- a/sdk/src/utils/test.rs
+++ b/sdk/src/utils/test.rs
@@ -20,7 +20,12 @@ use std::{
     path::PathBuf,
 };
 
-use c2pa_crypto::{cose::CertificateTrustPolicy, SigningAlg};
+use async_trait::async_trait;
+use c2pa_crypto::{
+    cose::{CertificateTrustPolicy, TimeStampStorage},
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
+};
 use tempfile::TempDir;
 
 use crate::{
@@ -310,6 +315,37 @@ impl crate::Signer for TestGoodSigner {
     fn send_timestamp_request(&self, _message: &[u8]) -> Option<crate::error::Result<Vec<u8>>> {
         Some(Ok(Vec::new()))
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for TestGoodSigner {
+    fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(b"not a valid signature".to_vec())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024
+    }
+}
+
+impl TimeStampProvider for TestGoodSigner {
+    fn send_time_stamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        Some(Ok(Vec::new()))
+    }
 }
 
 pub(crate) struct AsyncTestGoodSigner {}
@@ -339,6 +375,41 @@ impl AsyncSigner for AsyncTestGoodSigner {
     ) -> Option<crate::error::Result<Vec<u8>>> {
         Some(Ok(Vec::new()))
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl AsyncRawSigner for AsyncTestGoodSigner {
+    async fn sign(&self, _data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(b"not a valid signature".to_vec())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl AsyncTimeStampProvider for AsyncTestGoodSigner {
+    async fn send_time_stamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        Some(Ok(Vec::new()))
+    }
 }
 
 struct TempRemoteSigner {}
@@ -352,7 +423,14 @@ impl crate::signer::RemoteSigner for TempRemoteSigner {
             let signer = crate::utils::test_signer::async_test_signer(SigningAlg::Ps256);
 
             // this would happen on some remote server
-            crate::cose_sign::cose_sign_async(&signer, claim_bytes, self.reserve_size()).await
+            // TEMPORARY: Assume v1 until we plumb things through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                claim_bytes,
+                self.reserve_size(),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
         #[cfg(not(any(
             target_arch = "wasm32",
@@ -373,7 +451,14 @@ impl crate::signer::RemoteSigner for TempRemoteSigner {
         {
             let signer = crate::wasm::RsaWasmSignerAsync::new();
 
-            crate::cose_sign::cose_sign_async(&signer, claim_bytes, self.reserve_size()).await
+            // TEMPORARY: Assume V1 until we plumb more through.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                claim_bytes,
+                self.reserve_size(),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
     }
 
@@ -425,7 +510,7 @@ impl WebCryptoSigner {
 
 #[cfg(target_arch = "wasm32")]
 #[async_trait::async_trait(?Send)]
-impl crate::signer::AsyncSigner for WebCryptoSigner {
+impl AsyncSigner for WebCryptoSigner {
     fn alg(&self) -> SigningAlg {
         self.signing_alg
     }
@@ -479,6 +564,10 @@ impl crate::signer::AsyncSigner for WebCryptoSigner {
     async fn send_timestamp_request(&self, _: &[u8]) -> Option<Result<Vec<u8>>> {
         None
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        unreachable!();
+    }
 }
 
 /// Create a [`RemoteSigner`] instance that can be used for testing purposes.
@@ -505,13 +594,27 @@ impl AsyncSigner for TempAsyncRemoteSigner {
             let signer = crate::utils::test_signer::async_test_signer(SigningAlg::Ps256);
 
             // this would happen on some remote server
-            crate::cose_sign::cose_sign_async(&signer, &claim_bytes, self.reserve_size()).await
+            // TEMPORARY: Assume V1 until we plumb through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                &claim_bytes,
+                AsyncSigner::reserve_size(self),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
 
         #[cfg(target_arch = "wasm32")]
         {
             let signer = crate::wasm::rsa_wasm_signer::RsaWasmSignerAsync::new();
-            crate::cose_sign::cose_sign_async(&signer, &claim_bytes, self.reserve_size()).await
+            // TEMPORARY: Assume V1 until we plumb through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                &claim_bytes,
+                AsyncRawSigner::reserve_size(self),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
 
         #[cfg(not(any(
@@ -554,6 +657,41 @@ impl AsyncSigner for TempAsyncRemoteSigner {
     ) -> Option<crate::error::Result<Vec<u8>>> {
         Some(Ok(Vec::new()))
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncRawSigner for TempAsyncRemoteSigner {
+    async fn sign(&self, _claim_bytes: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        unreachable!("Should not be called");
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
+    }
+
+    fn reserve_size(&self) -> usize {
+        10000
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncTimeStampProvider for TempAsyncRemoteSigner {
+    async fn send_time_stamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        Some(Ok(Vec::new()))
+    }
 }
 
 /// Create a [`AsyncSigner`] that does it's own COSE handling for testing.
diff --git a/sdk/src/utils/test_signer.rs b/sdk/src/utils/test_signer.rs
index c9d32a99d..5f3885999 100644
--- a/sdk/src/utils/test_signer.rs
+++ b/sdk/src/utils/test_signer.rs
@@ -14,12 +14,9 @@
 #![allow(clippy::unwrap_used)] // This mod is only used in test code.
 
 use async_trait::async_trait;
-use c2pa_crypto::{
-    raw_signature::{
-        async_signer_from_cert_chain_and_private_key, signer_from_cert_chain_and_private_key,
-        AsyncRawSigner,
-    },
-    SigningAlg,
+use c2pa_crypto::raw_signature::{
+    async_signer_from_cert_chain_and_private_key, signer_from_cert_chain_and_private_key,
+    AsyncRawSigner, SigningAlg,
 };
 
 use crate::{signer::RawSignerWrapper, AsyncSigner, Result, Signer};
@@ -89,6 +86,8 @@ fn cert_chain_and_private_key_for_alg(alg: SigningAlg) -> (Vec<u8>, Vec<u8>) {
             include_bytes!("../../tests/fixtures/certs/ed25519.pub").to_vec(),
             include_bytes!("../../tests/fixtures/certs/ed25519.pem").to_vec(),
         ),
+
+        _ => unimplemented!("Unknown SigningAlg variant {alg:#?}"),
     }
 }
 
@@ -143,4 +142,8 @@ impl AsyncSigner for AsyncRawSignerWrapper {
             .await
             .map(|r| r.map_err(|e| e.into()))
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(&*self.0)
+    }
 }
diff --git a/sdk/src/wasm/rsa_wasm_signer.rs b/sdk/src/wasm/rsa_wasm_signer.rs
index 4e3320539..9d5802433 100644
--- a/sdk/src/wasm/rsa_wasm_signer.rs
+++ b/sdk/src/wasm/rsa_wasm_signer.rs
@@ -14,7 +14,10 @@
 use core::str;
 
 use async_trait::async_trait;
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::{
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
+};
 use rsa::{
     pkcs8::DecodePrivateKey,
     pss::SigningKey,
@@ -119,6 +122,67 @@ impl Signer for RsaWasmSigner {
     fn ocsp_val(&self) -> Option<Vec<u8>> {
         None
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for RsaWasmSigner {
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        let mut rng = rand::thread_rng();
+
+        match self.alg {
+            SigningAlg::Ps256 => {
+                let s = rsa::pss::SigningKey::<Sha256>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            SigningAlg::Ps384 => {
+                let s = SigningKey::<Sha384>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            SigningAlg::Ps512 => {
+                let s = SigningKey::<Sha512>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            _ => {
+                return Err(RawSignerError::InternalError(
+                    "unsupported signature algorithm".to_string(),
+                ))
+            }
+        }
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.certs_size + self.timestamp_size // the Cose_Sign1 contains complete certs and timestamps so account for size
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.signcerts.clone())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn ocsp_response(&self) -> Option<Vec<u8>> {
+        None
+    }
+}
+
+impl TimeStampProvider for RsaWasmSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
 }
 
 // If "../../tests/fixtures/certs/rs256.pub" or "../../tests/fixtures/certs/rs256.pem") change
@@ -277,11 +341,11 @@ impl RsaWasmSignerAsync {
 #[async_trait(?Send)]
 impl AsyncSigner for RsaWasmSignerAsync {
     async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
-        self.signer.sign(&data)
+        Signer::sign(&self.signer, &data)
     }
 
     fn alg(&self) -> SigningAlg {
-        self.signer.alg()
+        Signer::alg(&self.signer)
     }
 
     fn certs(&self) -> Result<Vec<Vec<u8>>> {
@@ -289,20 +353,55 @@ impl AsyncSigner for RsaWasmSignerAsync {
     }
 
     fn reserve_size(&self) -> usize {
-        self.signer.reserve_size()
+        Signer::reserve_size(&self.signer)
     }
 
     async fn send_timestamp_request(&self, _message: &[u8]) -> Option<Result<Vec<u8>>> {
         None
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
 }
 
+#[async_trait(?Send)]
+impl AsyncRawSigner for RsaWasmSignerAsync {
+    async fn sign(&self, data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Signer::sign(&self.signer, &data).map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        Signer::alg(&self.signer)
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.signer.certs()?)
+    }
+
+    fn reserve_size(&self) -> usize {
+        Signer::reserve_size(&self.signer)
+    }
+}
+
+#[async_trait(?Send)]
+impl AsyncTimeStampProvider for RsaWasmSignerAsync {
+    async fn send_time_stamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        None
+    }
+}
+
+unsafe impl Sync for RsaWasmSignerAsync {}
+
 #[allow(unused_imports)]
 #[allow(clippy::unwrap_used)]
 #[cfg(test)]
 mod tests {
     use asn1_rs::FromDer;
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use rsa::{
         pss::{Signature, VerifyingKey},
         sha2::{Digest, Sha256},
@@ -324,9 +423,9 @@ mod tests {
 
         let data = b"some sample content to sign";
 
-        let sig = signer.sign(data).unwrap();
+        let sig = Signer::sign(&signer, data).unwrap();
         println!("signature len = {}", sig.len());
-        assert!(sig.len() <= signer.reserve_size());
+        assert!(sig.len() <= Signer::reserve_size(&signer));
 
         let sk = rsa::pss::SigningKey::<Sha256>::new(signer.pkey.clone());
         let vk = sk.verifying_key();
diff --git a/sdk/tests/common/test_signer.rs b/sdk/tests/common/test_signer.rs
index f2ee408f6..45d94dfcb 100644
--- a/sdk/tests/common/test_signer.rs
+++ b/sdk/tests/common/test_signer.rs
@@ -12,7 +12,7 @@
 // each license.
 
 use c2pa::CallbackSigner;
-use c2pa_crypto::{raw_signature::RawSignerError, SigningAlg};
+use c2pa_crypto::raw_signature::{RawSignerError, SigningAlg};
 
 const CERTS: &[u8] = include_bytes!("../../tests/fixtures/certs/ed25519.pub");
 const PRIVATE_KEY: &[u8] = include_bytes!("../../tests/fixtures/certs/ed25519.pem");
diff --git a/sdk/tests/integration.rs b/sdk/tests/integration.rs
index 8bef81553..e3661fab8 100644
--- a/sdk/tests/integration.rs
+++ b/sdk/tests/integration.rs
@@ -23,7 +23,7 @@ mod integration_1 {
         settings::load_settings_from_str,
         Builder, ClaimGeneratorInfo, Ingredient, Reader, Result, Signer,
     };
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use tempfile::tempdir;
 
     //const GENERATOR: &str = "app";
diff --git a/sdk/tests/v2_api_integration.rs b/sdk/tests/v2_api_integration.rs
index 2db604071..7a64ae6d8 100644
--- a/sdk/tests/v2_api_integration.rs
+++ b/sdk/tests/v2_api_integration.rs
@@ -19,7 +19,7 @@ mod integration_v2 {
 
     use anyhow::Result;
     use c2pa::{Builder, CallbackSigner, Reader};
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use serde_json::json;
 
     const PARENT_JSON: &str = r#"