diff --git a/.commitlintrc.yml b/.commitlintrc.yml
index a0b1e4587..09c1eb3e1 100644
--- a/.commitlintrc.yml
+++ b/.commitlintrc.yml
@@ -24,6 +24,7 @@ rules:
       - export_schema
       - make_test_images
       - sdk
+      - c2patool
 
   # Scope may be empty
   # (NOTE: Disabled for now while we work around
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b50356831..f087d0533 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,21 +4,7 @@
 version: 2
 updates:
   - package-ecosystem: "cargo"
-    directory: "sdk"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "update"
-
-  - package-ecosystem: "cargo"
-    directory: "export_schema"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "update"
-
-  - package-ecosystem: "cargo"
-    directory: "make_test_images"
+    directory: "/"
     schedule:
       interval: "daily"
     commit-message:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6ef578ca0..e85745af5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [windows-latest, macos-latest, ubuntu-latest]
-        rust_version: [stable, 1.76.0]
+        rust_version: [stable, 1.81.0]
 
     steps:
       - name: Checkout repository
@@ -52,7 +52,7 @@ jobs:
       - name: Generate code coverage
         env:
           RUST_BACKTRACE: "1"
-        run: cargo llvm-cov --workspace --all-features --lcov --output-path lcov.info
+        run: cargo llvm-cov --lib --all-features --lcov --output-path lcov.info
 
       # Tokens aren't available for PRs originating from forks,
       # so we don't attempt to upload code coverage in that case.
@@ -62,7 +62,59 @@ jobs:
           github.event.pull_request.author_association == 'COLLABORATOR' ||
           github.event.pull_request.author_association == 'MEMBER' ||
           github.event.pull_request.user.login == 'dependabot[bot]'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: true
+          verbose: true
+
+  tests-cli:
+    name: Unit tests (c2patool)
+    if: |
+      github.event_name != 'pull_request' ||
+      github.event.pull_request.author_association == 'COLLABORATOR' ||
+      github.event.pull_request.author_association == 'MEMBER' ||
+      github.event.pull_request.user.login == 'dependabot[bot]' ||
+      contains(github.event.pull_request.labels.*.name, 'safe to test')
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [windows-latest, macos-latest, ubuntu-latest]
+        rust_version: [stable]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust_version }}
+          components: llvm-tools-preview
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@cargo-llvm-cov
+
+      - name: Generate code coverage
+        env:
+          RUST_BACKTRACE: "1"
+        run: cargo llvm-cov --bins --all-features --lcov --output-path lcov.info
+
+      # Tokens aren't available for PRs originating from forks,
+      # so we don't attempt to upload code coverage in that case.
+      - name: Upload code coverage results
+        if: |
+          github.event_name != 'pull_request' ||
+          github.event.pull_request.author_association == 'COLLABORATOR' ||
+          github.event.pull_request.author_association == 'MEMBER' ||
+          github.event.pull_request.user.login == 'dependabot[bot]'
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
@@ -117,12 +169,36 @@ jobs:
           github.event.pull_request.author_association == 'COLLABORATOR' ||
           github.event.pull_request.author_association == 'MEMBER' ||
           github.event.pull_request.user.login == 'dependabot[bot]'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
           verbose: true
 
+  cargo-check:
+    name: Default features build
+    if: |
+      github.event_name != 'pull_request' ||
+      github.event.pull_request.author_association == 'COLLABORATOR' ||
+      github.event.pull_request.author_association == 'MEMBER' ||
+      github.event.pull_request.user.login == 'dependabot[bot]' ||
+      contains(github.event.pull_request.labels.*.name, 'safe to test')
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: "`cargo check` with default features"
+        run: cargo check
+        
   tests-cross:
     name: Unit tests
     if: |
@@ -138,7 +214,7 @@ jobs:
       fail-fast: false
       matrix:
         target: [aarch64-unknown-linux-gnu]
-        rust_version: [stable, 1.76.0]
+        rust_version: [stable, 1.81.0]
 
     steps:
       - name: Checkout repository
@@ -292,7 +368,7 @@ jobs:
       - name: Install nightly Rust toolchain
         # Nightly is used here because the docs.rs build
         # uses nightly and we use doc_cfg features that are
-        # not in stable Rust as of this writing (Rust 1.76).
+        # not in stable Rust as of this writing (Rust 1.81).
         uses: dtolnay/rust-toolchain@nightly
 
       - name: Run cargo docs
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 5bcf246d7..d0df02853 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -147,9 +147,11 @@ jobs:
         echo Will add nightly suffix $NIGHTLY_SUFFIX
 
         sed -i "s/^version = \"\\(.*\\)\"/version = \"\\1$NIGHTLY_SUFFIX\"/" sdk/Cargo.toml
-
+        sed -i "s/path = \"..\/sdk\", version = \"\\(.*\\)\"/path = \"..\/sdk\", version = \"\\1$NIGHTLY_SUFFIX\"/" cli/Cargo.toml
+        
         cargo update -w
-        git add -f Cargo.lock
+        git add Cargo.lock
+        find . -name 'Cargo.toml' | xargs git add
 
         echo
         echo Proposed changes:
@@ -167,3 +169,50 @@ jobs:
         commit_user_name: Adobe CAI Team
         commit_user_email: noreply@adobe.com
         create_branch: true
+
+  # ---- TO DO: Figure out how to run this job but only when nightly-snapshot changes the branch. ----
+  # publish-nightly-binaries:
+  #   name: Publish c2patool nightly binaries
+  #   runs-on: ${{ matrix.os }}
+  #   needs: nightly-snapshot
+
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os: [windows-latest, macos-latest, ubuntu-latest]
+  #       include:
+  #       - os: macos-latest
+  #         artifact_name: c2patool_mac_universal.zip
+  #       - os: ubuntu-latest
+  #         artifact_name: c2patool_linux_intel.tar.gz
+  #       - os: windows-latest
+  #         artifact_name: c2patool_win_intel.zip
+
+  #   steps:
+  #   - name: Checkout repository
+  #     uses: actions/checkout@v4
+  #     with:
+  #       ref: nightly
+
+  #   - name: Install Rust toolchain
+  #     uses: dtolnay/rust-toolchain@stable
+
+  #   - name: Cache Rust dependencies
+  #     uses: Swatinem/rust-cache@v2
+
+  #   - name: Run cargo check
+  #     run: cd cli && cargo check
+
+  #   - name: Run cargo test --all
+  #     run: cd cli && cargo test --all
+
+  #   - name: Build nightly release artifacts
+  #     run: cd cli && make release
+
+  #   - name: Upload build as artifact
+  #     uses: actions/upload-artifact@v3
+  #     with:
+  #       path: target/${{ matrix.artifact_name }}
+  #       name: ${{ matrix.artifact_name }}
+  #       retention-days: 15
+  #       if-no-files-found: error
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 1942ae6f6..f18696113 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -42,6 +42,7 @@ jobs:
           # these exact names:
           #
           #    * sdk (The primary C2PA Rust SDK)
+          #    * c2patool
           #    * export_schema
           #    * make_test_images
           #
@@ -90,6 +91,16 @@ jobs:
             exit 0;
           fi
 
+          if echo "$PR_TITLE" | grep -E '^update: update '; then
+            echo "Exception / OK: Dependabot update pattern"
+            exit 0;
+          fi
+
+          if echo "$PR_TITLE" | grep -E '^update: bump '; then
+            echo "Exception / OK: Dependabot update pattern"
+            exit 0;
+          fi
+
           echo "Installing commitlint-rs. Please wait 30-40 seconds ..."
           cargo install --quiet commitlint-rs
           set -e
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b171cd531..4a1789881 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ jobs:
     name: Release-plz
     runs-on: ubuntu-latest
 
+    outputs:
+      c2patool-release-tag: ${{ steps.sniff-c2patool-release-tag.outputs.tag }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -25,7 +28,8 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
 
       - name: Run release-plz
-        uses: MarcoIeni/release-plz-action@v0.5.83
+        id: release-plz
+        uses: MarcoIeni/release-plz-action@v0.5.86
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_SECRET }}
@@ -38,3 +42,81 @@ jobs:
             tail -n +2 |\
             sed 's/origin\///' |\
             xargs -I {} git push origin --delete {}
+  
+      - name: Identify c2patool release
+        id: sniff-c2patool-release-tag
+        run: |
+          echo tag=`git tag --contains HEAD | grep '^c2patool-'` >> "$GITHUB_OUTPUT" || true
+    
+  publish-c2patool-binaries:
+    name: Publish c2patool binaries
+    runs-on: ${{ matrix.os }}
+    needs: release-plz
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ macos-latest, ubuntu-latest, windows-latest ]
+        rust_version: [ stable ]
+        experimental: [ false ]
+        include:
+          - os: macos-latest
+            artifact_name: c2patool_mac_universal.zip
+            uploaded_asset_name: c2patool-${{ needs.release-plz.outputs.c2patool-release-tag }}-universal-apple-darwin.zip
+          - os: ubuntu-latest
+            artifact_name: c2patool_linux_intel.tar.gz
+            uploaded_asset_name: c2patool-${{ needs.release-plz.outputs.c2patool-release-tag }}-x86_64-unknown-linux-gnu.tar.gz
+          - os: windows-latest
+            artifact_name: c2patool_win_intel.zip
+            uploaded_asset_name: c2patool-${{ needs.release-plz.outputs.c2patool-release-tag }}-x86_64-pc-windows-msvc.zip
+
+    steps:
+      - name: Checkout repository
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust_version }}
+          components: llvm-tools-preview
+
+      - name: Install cargo-sbom
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: baptiste0928/cargo-install@v3
+        with:
+          crate: cargo-sbom
+          version: '0.9.1'
+
+      - name: Cache Rust dependencies
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run make release
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        run: cd cli && make release
+
+      - name: Upload binary to GitHub
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: svenstaro/upload-release-action@v1-release
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: target/${{ matrix.artifact_name }}
+          asset_name: ${{ matrix.uploaded_asset_name }}
+          tag: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+          overwrite: true
+
+      - name: Generate SBOM
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        run: cd cli && cargo sbom > c2patool.${{ matrix.os }}.sbom.json
+
+      - name: Upload SBOM to Github
+        if: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+        uses: svenstaro/upload-release-action@v1-release
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: cli/c2patool.${{ matrix.os }}.sbom.json
+          asset_name: c2patool-${{ needs.release-plz.outputs.c2patool-release-tag }}-sbom.json
+          tag: ${{ needs.release-plz.outputs.c2patool-release-tag }}
+          overwrite: true
diff --git a/.gitignore b/.gitignore
index d47269fa1..a43edfdfa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,5 @@
 /target/
 
-Cargo.lock
-
 **/*.rs.bk
 
 .DS_Store
@@ -11,3 +9,6 @@ Cargo.lock
 .vscode
 
 /semver-checks/target/
+
+# Unit test output lands here. TO DO: Fix
+cli/target
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6ee3dd3a..f61183a91 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,35 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 Since version 0.36.2, the format of this changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [0.40.0](https://github.com/contentauth/c2pa-rs/compare/c2pa-v0.39.0...c2pa-v0.40.0)
+_12 December 2024_
+
+### Added
+
+* Add `RawSigner` trait to `c2pa-crypto` (derived from `c2pa::Signer`) (#716)
+* Move time stamp code into c2pa-crypto (#696)
+* Adds ValidationState support (#701)
+* Introduce `DynamicAssertion` trait (#566)
+
+### Fixed
+
+* Compile `c2pa-crypto` with `cargo check` (#768)
+* Verbose assertions for `is_none()` (#704)
+* Remove `c2pa::Signer` dependency on `c2pa_crypto::TimeStampProvider` (#718)
+* Add support for MP3 without ID3 header (#652)
+* Treat Unicode-3.0 license as approved; unpin related dependencies (#693)
+* Remote manifest fetch test was not using full path (#675)
+* Fix #624 (edge cases when combining the box hashes) (#625)
+* Fix #672, Callback is unsound (#674)
+* Support "remote_manifest_fetch" verify setting (#667)
+
+### Updated dependencies
+
+* Bump chrono from 0.4.38 to 0.4.39 (#763)
+* Bump asn1-rs from 0.5.2 to 0.6.2 (#724)
+* Bump mockall requirement from 0.11.2 to 0.13.1 in /sdk (#685)
+* Update zip requirement from 0.6.6 to 2.2.1 in /sdk (#698)
+
 ## [0.39.0](https://github.com/contentauth/c2pa-rs/compare/c2pa-v0.38.0...c2pa-v0.39.0)
 _13 November 2024_
 
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 000000000..dcc0bf0a8
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,4945 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "actix"
+version = "0.13.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de7fa236829ba0841304542f7614c42b80fca007455315c45c785ccfa873a85b"
+dependencies = [
+ "actix-macros",
+ "actix-rt",
+ "actix_derive",
+ "bitflags 2.6.0",
+ "bytes",
+ "crossbeam-channel",
+ "futures-core",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+ "log",
+ "once_cell",
+ "parking_lot",
+ "pin-project-lite",
+ "smallvec",
+ "tokio",
+ "tokio-util",
+]
+
+[[package]]
+name = "actix-macros"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb"
+dependencies = [
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "actix-rt"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24eda4e2a6e042aa4e55ac438a2ae052d3b5da0ecf83d7411e1a368946925208"
+dependencies = [
+ "futures-core",
+ "tokio",
+]
+
+[[package]]
+name = "actix_derive"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6ac1e58cded18cb28ddc17143c4dea5345b3ad575e14f32f66e4054a56eb271"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "addr2line"
+version = "0.24.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
+
+[[package]]
+name = "ahash"
+version = "0.8.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "version_check",
+ "zerocopy 0.7.35",
+]
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "allocator-api2"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
+
+[[package]]
+name = "android-tzdata"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
+
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "anstream"
+version = "0.6.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+dependencies = [
+ "anstyle",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.94"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7"
+
+[[package]]
+name = "arbitrary"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223"
+dependencies = [
+ "derive_arbitrary",
+]
+
+[[package]]
+name = "ascii-canvas"
+version = "3.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6"
+dependencies = [
+ "term",
+]
+
+[[package]]
+name = "asn1-rs"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "assert-json-diff"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47e4f2b81832e72834d7518d8487a0396a28cc408186a2e8854c0f98011faf12"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "assert_cmd"
+version = "2.0.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc1835b7f27878de8525dc71410b5a31cdcc5f230aed5ba5df968e09c201b23d"
+dependencies = [
+ "anstyle",
+ "bstr",
+ "doc-comment",
+ "libc",
+ "predicates",
+ "predicates-core",
+ "predicates-tree",
+ "wait-timeout",
+]
+
+[[package]]
+name = "async-attributes"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a3203e79f4dd9bdda415ed03cf14dae5a2bf775c683a00f94e9cd1faf0f596e5"
+dependencies = [
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "async-channel"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
+dependencies = [
+ "concurrent-queue",
+ "event-listener 2.5.3",
+ "futures-core",
+]
+
+[[package]]
+name = "async-channel"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89b47800b0be77592da0afd425cc03468052844aff33b84e33cc696f64e77b6a"
+dependencies = [
+ "concurrent-queue",
+ "event-listener-strategy",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-executor"
+version = "1.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30ca9a001c1e8ba5149f91a74362376cc6bc5b919d92d988668657bd570bdcec"
+dependencies = [
+ "async-task",
+ "concurrent-queue",
+ "fastrand",
+ "futures-lite",
+ "slab",
+]
+
+[[package]]
+name = "async-generic"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddf3728566eefa873833159754f5732fb0951d3649e6e5b891cc70d56dd41673"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "async-global-executor"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
+dependencies = [
+ "async-channel 2.3.1",
+ "async-executor",
+ "async-io",
+ "async-lock",
+ "blocking",
+ "futures-lite",
+ "once_cell",
+]
+
+[[package]]
+name = "async-io"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43a2b323ccce0a1d90b449fd71f2a06ca7faa7c54c2751f06c9bd851fc061059"
+dependencies = [
+ "async-lock",
+ "cfg-if",
+ "concurrent-queue",
+ "futures-io",
+ "futures-lite",
+ "parking",
+ "polling",
+ "rustix",
+ "slab",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "async-lock"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff6e472cdea888a4bd64f342f09b3f50e1886d32afe8df3d663c01140b811b18"
+dependencies = [
+ "event-listener 5.3.1",
+ "event-listener-strategy",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-object-pool"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "333c456b97c3f2d50604e8b2624253b7f787208cb72eb75e64b0ad11b221652c"
+dependencies = [
+ "async-std",
+]
+
+[[package]]
+name = "async-process"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63255f1dc2381611000436537bbedfe83183faa303a5a0edaf191edef06526bb"
+dependencies = [
+ "async-channel 2.3.1",
+ "async-io",
+ "async-lock",
+ "async-signal",
+ "async-task",
+ "blocking",
+ "cfg-if",
+ "event-listener 5.3.1",
+ "futures-lite",
+ "rustix",
+ "tracing",
+]
+
+[[package]]
+name = "async-recursion"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b43422f69d8ff38f95f1b2bb76517c91589a924d1559a0e935d7c8ce0274c11"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "async-signal"
+version = "0.2.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "637e00349800c0bdf8bfc21ebbc0b6524abea702b0da4168ac00d070d0c0b9f3"
+dependencies = [
+ "async-io",
+ "async-lock",
+ "atomic-waker",
+ "cfg-if",
+ "futures-core",
+ "futures-io",
+ "rustix",
+ "signal-hook-registry",
+ "slab",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "async-std"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c634475f29802fde2b8f0b505b1bd00dfe4df7d4a000f0b36f7671197d5c3615"
+dependencies = [
+ "async-attributes",
+ "async-channel 1.9.0",
+ "async-global-executor",
+ "async-io",
+ "async-lock",
+ "async-process",
+ "crossbeam-utils",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-lite",
+ "gloo-timers",
+ "kv-log-macro",
+ "log",
+ "memchr",
+ "once_cell",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+ "wasm-bindgen-futures",
+]
+
+[[package]]
+name = "async-task"
+version = "4.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de"
+
+[[package]]
+name = "async-trait"
+version = "0.1.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "atree"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "132573478eb9ff973c6f75d0ed425ac12da77d266506483345f46743ecc83a98"
+
+[[package]]
+name = "autocfg"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26"
+
+[[package]]
+name = "backtrace"
+version = "0.3.74"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+ "windows-targets",
+]
+
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
+[[package]]
+name = "base64"
+version = "0.21.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "base64ct"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+
+[[package]]
+name = "basic-cookies"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67bd8fd42c16bdb08688243dc5f0cc117a3ca9efeeaba3a345a18a6159ad96f7"
+dependencies = [
+ "lalrpop",
+ "lalrpop-util",
+ "regex",
+]
+
+[[package]]
+name = "bcder"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c627747a6774aab38beb35990d88309481378558875a41da1a4b2e373c906ef0"
+dependencies = [
+ "bytes",
+ "smallvec",
+]
+
+[[package]]
+name = "bit-set"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1"
+dependencies = [
+ "bit-vec",
+]
+
+[[package]]
+name = "bit-vec"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "bitflags"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "bitvec"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bc2832c24239b0141d5674bb9174f9d68a8b5b3f2753311927c172ca46f7e9c"
+dependencies = [
+ "funty",
+ "radium",
+ "tap",
+ "wyz",
+]
+
+[[package]]
+name = "bitvec-nom2"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d988fcc40055ceaa85edc55875a08f8abd29018582647fd82ad6128dba14a5f0"
+dependencies = [
+ "bitvec",
+ "nom",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "blocking"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "703f41c54fc768e63e091340b424302bb1c29ef4aa0c7f10fe849dfb114d29ea"
+dependencies = [
+ "async-channel 2.3.1",
+ "async-task",
+ "futures-io",
+ "futures-lite",
+ "piper",
+]
+
+[[package]]
+name = "bstr"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "786a307d683a5bf92e6fd5fd69a7eb613751668d1d8d67d802846dfe367c62c8"
+dependencies = [
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+
+[[package]]
+name = "bytemuck"
+version = "1.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b37c88a63ffd85d15b406896cc343916d7cf57838a847b3a6f2ca5d39a5695a"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "byteorder-lite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
+
+[[package]]
+name = "byteordered"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbf2cd9424f5ff404aba1959c835cbc448ee8b689b870a9981c76c0fd46280e6"
+dependencies = [
+ "byteorder",
+]
+
+[[package]]
+name = "bytes"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b"
+
+[[package]]
+name = "c2pa"
+version = "0.40.0"
+dependencies = [
+ "actix",
+ "anyhow",
+ "asn1-rs",
+ "async-generic",
+ "async-recursion",
+ "async-trait",
+ "atree",
+ "bcder",
+ "byteorder",
+ "byteordered",
+ "bytes",
+ "c2pa",
+ "c2pa-crypto",
+ "c2pa-status-tracker",
+ "chrono",
+ "ciborium",
+ "config",
+ "console_log",
+ "conv",
+ "coset",
+ "ed25519-dalek",
+ "extfmt",
+ "fast-xml",
+ "getrandom",
+ "glob",
+ "hex",
+ "id3",
+ "image 0.24.9",
+ "img-parts",
+ "jfifdump",
+ "js-sys",
+ "jumbf",
+ "lazy_static",
+ "log",
+ "lopdf",
+ "memchr",
+ "mockall",
+ "mp4",
+ "pem 3.0.4",
+ "png_pong",
+ "rand",
+ "rand_chacha",
+ "rand_core 0.9.0-beta.1",
+ "range-set",
+ "rasn",
+ "rasn-ocsp",
+ "rasn-pkix",
+ "riff",
+ "rsa",
+ "schemars",
+ "serde",
+ "serde-transcode",
+ "serde-wasm-bindgen",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_derive",
+ "serde_json",
+ "serde_with",
+ "sha1",
+ "sha2",
+ "spki",
+ "tempfile",
+ "thiserror 2.0.8",
+ "tokio",
+ "treeline",
+ "ureq",
+ "url",
+ "uuid",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-bindgen-test",
+ "web-sys",
+ "x509-certificate",
+ "x509-parser",
+ "zip",
+]
+
+[[package]]
+name = "c2pa-crypto"
+version = "0.2.0"
+dependencies = [
+ "actix",
+ "asn1-rs",
+ "async-generic",
+ "async-trait",
+ "base64 0.22.1",
+ "bcder",
+ "bytes",
+ "c2pa-status-tracker",
+ "chrono",
+ "ciborium",
+ "const-hex",
+ "coset",
+ "ecdsa",
+ "ed25519-dalek",
+ "getrandom",
+ "hex",
+ "js-sys",
+ "nom",
+ "openssl",
+ "p256",
+ "p384",
+ "rand",
+ "rasn",
+ "rasn-ocsp",
+ "rasn-pkix",
+ "rsa",
+ "schemars",
+ "serde",
+ "serde_bytes",
+ "sha1",
+ "sha2",
+ "spki",
+ "thiserror 2.0.8",
+ "ureq",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-bindgen-test",
+ "web-sys",
+ "web-time",
+ "x509-certificate",
+ "x509-parser",
+]
+
+[[package]]
+name = "c2pa-status-tracker"
+version = "0.2.0"
+
+[[package]]
+name = "c2patool"
+version = "0.10.2"
+dependencies = [
+ "anyhow",
+ "assert_cmd",
+ "atree",
+ "c2pa",
+ "c2pa-crypto",
+ "clap",
+ "env_logger",
+ "glob",
+ "httpmock",
+ "log",
+ "mockall",
+ "openssl",
+ "pem 3.0.4",
+ "predicates",
+ "reqwest",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "tempfile",
+ "treeline",
+ "url",
+]
+
+[[package]]
+name = "cawg-identity"
+version = "0.1.1"
+
+[[package]]
+name = "cc"
+version = "1.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27f657647bcff5394bf56c7317665bbf790a137a50eaaa5c6bfbb9e27a518f2d"
+dependencies = [
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "chrono"
+version = "0.4.39"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825"
+dependencies = [
+ "android-tzdata",
+ "iana-time-zone",
+ "js-sys",
+ "num-traits",
+ "serde",
+ "wasm-bindgen",
+ "windows-targets",
+]
+
+[[package]]
+name = "ciborium"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e"
+dependencies = [
+ "ciborium-io",
+ "ciborium-ll",
+ "serde",
+]
+
+[[package]]
+name = "ciborium-io"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757"
+
+[[package]]
+name = "ciborium-ll"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
+dependencies = [
+ "ciborium-io",
+ "half 2.4.1",
+]
+
+[[package]]
+name = "clap"
+version = "4.5.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
+
+[[package]]
+name = "color_quant"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
+
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "config"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68578f196d2a33ff61b27fae256c3164f65e36382648e30666dde05b8cc9dfdf"
+dependencies = [
+ "json5",
+ "nom",
+ "pathdiff",
+ "ron",
+ "rust-ini",
+ "serde",
+ "serde_json",
+ "toml",
+]
+
+[[package]]
+name = "console_log"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be8aed40e4edbf4d3b4431ab260b63fdc40f5780a4766824329ea0f1eefe3c0f"
+dependencies = [
+ "log",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "const-hex"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b0485bab839b018a8f1723fc5391819fea5f8f0f32288ef8a735fd096b6160c"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "hex",
+ "proptest",
+ "serde",
+]
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "const-random"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87e00182fe74b066627d63b85fd550ac2998d4b0bd86bfed477a0ae4c7c71359"
+dependencies = [
+ "const-random-macro",
+]
+
+[[package]]
+name = "const-random-macro"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9d839f2a20b0aee515dc581a6172f2321f96cab76c1a38a4c584a194955390e"
+dependencies = [
+ "getrandom",
+ "once_cell",
+ "tiny-keccak",
+]
+
+[[package]]
+name = "conv"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78ff10625fd0ac447827aa30ea8b861fead473bb60aeb73af6c1c58caf0d1299"
+dependencies = [
+ "custom_derive",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "coset"
+version = "0.3.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4c8cc80f631f8307b887faca24dcc3abc427cd0367f6eb6188f6e8f5b7ad8fb"
+dependencies = [
+ "ciborium",
+ "ciborium-io",
+]
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16b80225097f2e5ae4e7179dd2266824648f3e2f49d9134d584b76389d31c4c3"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613f8cc01fe9cf1a3eb3d7f488fd2fa8388403e97039e2f73692932e291a770d"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+
+[[package]]
+name = "crunchy"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "curve25519-dalek-derive",
+ "digest",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "custom_derive"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef8ae57c4978a2acd8b869ce6b9ca1dfe817bff704c220209fdef2c0b75a01b9"
+
+[[package]]
+name = "darling"
+version = "0.20.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f63b86c8a8826a49b8c21f08a2d07338eec8d900540f8630dc76284be802989"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95133861a8032aaea082871032f5815eb9e98cef03fa916ab4500513994df9e5"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "data-encoding"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8566979429cf69b49a5c740c60791108e86440e8be149bbea4fe54d2c32d6e2"
+
+[[package]]
+name = "der"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
+
+[[package]]
+name = "der-parser"
+version = "9.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
+[[package]]
+name = "deranged"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
+dependencies = [
+ "powerfmt",
+ "serde",
+]
+
+[[package]]
+name = "derive_arbitrary"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30542c1ad912e0e3d22a1935c290e12e8a29d704a420177a31faad4a601a0800"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "difflib"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "dirs-next"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+dependencies = [
+ "cfg-if",
+ "dirs-sys-next",
+]
+
+[[package]]
+name = "dirs-sys-next"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+dependencies = [
+ "libc",
+ "redox_users",
+ "winapi",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "dlv-list"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "442039f5147480ba31067cb00ada1adae6892028e40e45fc5de7b7df6dcc1b5f"
+dependencies = [
+ "const-random",
+]
+
+[[package]]
+name = "doc-comment"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10"
+
+[[package]]
+name = "downcast"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
+
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
+[[package]]
+name = "ed25519"
+version = "2.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+dependencies = [
+ "pkcs8",
+ "signature",
+]
+
+[[package]]
+name = "ed25519-dalek"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871"
+dependencies = [
+ "curve25519-dalek",
+ "ed25519",
+ "serde",
+ "sha2",
+ "signature",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "either"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
+
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "ena"
+version = "0.14.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5"
+dependencies = [
+ "log",
+]
+
+[[package]]
+name = "encoding_rs"
+version = "0.8.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "env_filter"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab"
+dependencies = [
+ "log",
+ "regex",
+]
+
+[[package]]
+name = "env_logger"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "env_filter",
+ "humantime",
+ "log",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+
+[[package]]
+name = "errno"
+version = "0.3.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "event-listener"
+version = "2.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
+
+[[package]]
+name = "event-listener"
+version = "5.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6032be9bd27023a771701cc49f9f053c751055f71efb2e0ae5c15809093675ba"
+dependencies = [
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "event-listener-strategy"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c3e4e0dd3673c1139bf041f3008816d9cf2946bbfac2945c09e523b8d7b05b2"
+dependencies = [
+ "event-listener 5.3.1",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "export_schema"
+version = "0.36.1"
+dependencies = [
+ "anyhow",
+ "c2pa",
+ "schemars",
+ "serde_json",
+]
+
+[[package]]
+name = "extfmt"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a48fe53466ab1f4ea6303bf9d7a0ca8060778590f09fd6c3304cc817aeb9935d"
+
+[[package]]
+name = "fast-xml"
+version = "0.23.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f7ffc2f9e1373cd82b4d4ce2f84f8162edd48e3932abeb19c06170b66dbbd6c"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+
+[[package]]
+name = "fdeflate"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
+dependencies = [
+ "simd-adler32",
+]
+
+[[package]]
+name = "ff"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
+[[package]]
+name = "fixedbitset"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+
+[[package]]
+name = "flate2"
+version = "1.0.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "float-cmp"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "98de4bbd547a563b716d8dfa9aad1cb19bfab00f4fa09a6a4ed21dbcf44ce9c4"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "fragile"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c2141d6d6c8512188a7891b4b01590a45f6dac67afb4f255c4124dbb86d4eaa"
+
+[[package]]
+name = "funty"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
+
+[[package]]
+name = "futures-channel"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+
+[[package]]
+name = "futures-io"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-lite"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cef40d21ae2c515b51041df9ed313ed21e572df340ea58a922a0aefe7e8891a1"
+dependencies = [
+ "fastrand",
+ "futures-core",
+ "futures-io",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "futures-macro"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+
+[[package]]
+name = "futures-task"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+
+[[package]]
+name = "futures-util"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+dependencies = [
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+ "zeroize",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "gimli"
+version = "0.31.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
+
+[[package]]
+name = "glob"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "h2"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccae279728d634d083c00f6099cb58f01cc99c145b84b8be2f6c74618d79922e"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http 1.2.0",
+ "indexmap 2.7.0",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "half"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
+
+[[package]]
+name = "half"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dd08c532ae367adf81c312a4580bc67f1d0fe8bc9c460520283f4c0ff277888"
+dependencies = [
+ "cfg-if",
+ "crunchy",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+
+[[package]]
+name = "hashbrown"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+dependencies = [
+ "ahash",
+ "allocator-api2",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hermit-abi"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "hkdf"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+dependencies = [
+ "hmac",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "http"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "601cbb57e577e2f5ef5be8e7b83f0f63994f25aa94d673e54a92d5c516d101f1"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2"
+dependencies = [
+ "bytes",
+ "http 0.2.12",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http 1.2.0",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "http 1.2.0",
+ "http-body 1.0.1",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946"
+
+[[package]]
+name = "httpdate"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
+
+[[package]]
+name = "httpmock"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08ec9586ee0910472dec1a1f0f8acf52f0fdde93aea74d70d4a3107b4be0fd5b"
+dependencies = [
+ "assert-json-diff",
+ "async-object-pool",
+ "async-std",
+ "async-trait",
+ "base64 0.21.7",
+ "basic-cookies",
+ "crossbeam-utils",
+ "form_urlencoded",
+ "futures-util",
+ "hyper 0.14.31",
+ "lazy_static",
+ "levenshtein",
+ "log",
+ "regex",
+ "serde",
+ "serde_json",
+ "serde_regex",
+ "similar",
+ "tokio",
+ "url",
+]
+
+[[package]]
+name = "humantime"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
+
+[[package]]
+name = "hyper"
+version = "0.14.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "http 0.2.12",
+ "http-body 0.4.6",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "want",
+]
+
+[[package]]
+name = "hyper"
+version = "1.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97818827ef4f364230e16705d4706e2897df2bb60617d6ca15d598025a3c481f"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "h2",
+ "http 1.2.0",
+ "http-body 1.0.1",
+ "httparse",
+ "itoa",
+ "pin-project-lite",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333"
+dependencies = [
+ "futures-util",
+ "http 1.2.0",
+ "hyper 1.5.1",
+ "hyper-util",
+ "rustls",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-tls"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
+dependencies = [
+ "bytes",
+ "http-body-util",
+ "hyper 1.5.1",
+ "hyper-util",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http 1.2.0",
+ "http-body 1.0.1",
+ "hyper 1.5.1",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "iana-time-zone"
+version = "0.1.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "icu_collections"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locid"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locid_transform"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e"
+dependencies = [
+ "displaydoc",
+ "icu_locid",
+ "icu_locid_transform_data",
+ "icu_provider",
+ "tinystr",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locid_transform_data"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e"
+
+[[package]]
+name = "icu_normalizer"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "utf16_iter",
+ "utf8_iter",
+ "write16",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516"
+
+[[package]]
+name = "icu_properties"
+version = "1.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_locid_transform",
+ "icu_properties_data",
+ "icu_provider",
+ "tinystr",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569"
+
+[[package]]
+name = "icu_provider"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9"
+dependencies = [
+ "displaydoc",
+ "icu_locid",
+ "icu_provider_macros",
+ "stable_deref_trait",
+ "tinystr",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_provider_macros"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "id3"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55f4e785f2c700217ee82a1c727c720449421742abd5fcb2f1df04e1244760e9"
+dependencies = [
+ "bitflags 2.6.0",
+ "byteorder",
+ "flate2",
+]
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "image"
+version = "0.24.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5690139d2f55868e080017335e4b94cb7414274c74f1669c84fb5feba2c9f69d"
+dependencies = [
+ "bytemuck",
+ "byteorder",
+ "color_quant",
+ "jpeg-decoder",
+ "num-traits",
+ "png",
+]
+
+[[package]]
+name = "image"
+version = "0.25.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd6f44aed642f18953a158afeb30206f4d50da59fbc66ecb53c66488de73563b"
+dependencies = [
+ "bytemuck",
+ "byteorder-lite",
+ "num-traits",
+ "png",
+ "zune-core",
+ "zune-jpeg",
+]
+
+[[package]]
+name = "img-parts"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8cd653b443fbb9271d937a4b2c1c7489af95c284a56f84d76bbd00eac857cb1c"
+dependencies = [
+ "bytes",
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "indexmap"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
+dependencies = [
+ "autocfg",
+ "hashbrown 0.12.3",
+ "serde",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.15.2",
+ "serde",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddc24109865250148c2e0f3d25d4f0f479571723792d3802153c60922a4fb708"
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+
+[[package]]
+name = "itertools"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
+
+[[package]]
+name = "jfifdump"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68cf72bc7b75b6615ffd06bfe6840f3c57e7e4ea615558a2a452f458ebf5551e"
+
+[[package]]
+name = "jpeg-decoder"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f5d4a7da358eff58addd2877a45865158f0d78c911d43a5784ceb7bbf52833b0"
+
+[[package]]
+name = "js-sys"
+version = "0.3.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "json5"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96b0db21af676c1ce64250b5f40f3ce2cf27e4e47cb91ed91eb6fe9350b430c1"
+dependencies = [
+ "pest",
+ "pest_derive",
+ "serde",
+]
+
+[[package]]
+name = "jumbf"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a32280817bc6e0dbd9aa2abfe52b8fe7405bebc33995649525ecc13ececc3b59"
+dependencies = [
+ "nom",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "kv-log-macro"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+dependencies = [
+ "log",
+]
+
+[[package]]
+name = "lalrpop"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cb077ad656299f160924eb2912aa147d7339ea7d69e1b5517326fdcec3c1ca"
+dependencies = [
+ "ascii-canvas",
+ "bit-set",
+ "ena",
+ "itertools 0.11.0",
+ "lalrpop-util",
+ "petgraph",
+ "pico-args",
+ "regex",
+ "regex-syntax",
+ "string_cache",
+ "term",
+ "tiny-keccak",
+ "unicode-xid",
+ "walkdir",
+]
+
+[[package]]
+name = "lalrpop-util"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "507460a910eb7b32ee961886ff48539633b788a36b65692b95f225b844c82553"
+dependencies = [
+ "regex-automata",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin 0.9.8",
+]
+
+[[package]]
+name = "levenshtein"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db13adb97ab515a3691f56e4dbab09283d0b86cb45abd991d8634a9d6f501760"
+
+[[package]]
+name = "libc"
+version = "0.2.168"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
+
+[[package]]
+name = "libm"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa"
+
+[[package]]
+name = "libredox"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
+dependencies = [
+ "bitflags 2.6.0",
+ "libc",
+]
+
+[[package]]
+name = "linked-hash-map"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f"
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89"
+
+[[package]]
+name = "litemap"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104"
+
+[[package]]
+name = "lock_api"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+dependencies = [
+ "value-bag",
+]
+
+[[package]]
+name = "lopdf"
+version = "0.31.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07c8e1b6184b1b32ea5f72f572ebdc40e5da1d2921fa469947ff7c480ad1f85a"
+dependencies = [
+ "chrono",
+ "encoding_rs",
+ "flate2",
+ "itoa",
+ "linked-hash-map",
+ "log",
+ "md5",
+ "nom",
+ "rayon",
+ "time",
+ "weezl",
+]
+
+[[package]]
+name = "make_test_images"
+version = "0.36.1"
+dependencies = [
+ "anyhow",
+ "c2pa",
+ "env_logger",
+ "image 0.25.5",
+ "log",
+ "memchr",
+ "nom",
+ "regex",
+ "serde",
+ "serde_json",
+ "tempfile",
+]
+
+[[package]]
+name = "md5"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
+
+[[package]]
+name = "memchr"
+version = "2.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "minicov"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f27fe9f1cc3c22e1687f9446c2083c4c5fc7f0bcf1c7a86bdbded14985895b4b"
+dependencies = [
+ "cc",
+ "walkdir",
+]
+
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1"
+dependencies = [
+ "adler2",
+ "simd-adler32",
+]
+
+[[package]]
+name = "mio"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
+dependencies = [
+ "libc",
+ "wasi",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "mockall"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39a6bfcc6c8c7eed5ee98b9c3e33adc726054389233e201c95dab2d41a3839d2"
+dependencies = [
+ "cfg-if",
+ "downcast",
+ "fragile",
+ "mockall_derive",
+ "predicates",
+ "predicates-tree",
+]
+
+[[package]]
+name = "mockall_derive"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "25ca3004c2efe9011bd4e461bd8256445052b9615405b4f7ea43fc8ca5c20898"
+dependencies = [
+ "cfg-if",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "mp4"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9ef834d5ed55e494a2ae350220314dc4aacd1c43a9498b00e320e0ea352a5c3"
+dependencies = [
+ "byteorder",
+ "bytes",
+ "num-rational",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "new_debug_unreachable"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086"
+
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "normalize-line-endings"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-bigint-dig"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+dependencies = [
+ "byteorder",
+ "lazy_static",
+ "libm",
+ "num-integer",
+ "num-iter",
+ "num-traits",
+ "rand",
+ "smallvec",
+ "zeroize",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-rational"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
+dependencies = [
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+ "serde",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+ "libm",
+]
+
+[[package]]
+name = "object"
+version = "0.36.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aedf0a2d09c573ed1d8d85b30c119153926a2b36dce0ab28322c09a117a4683e"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "oid-registry"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
+dependencies = [
+ "asn1-rs",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+
+[[package]]
+name = "openssl"
+version = "0.10.68"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
+dependencies = [
+ "bitflags 2.6.0",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+
+[[package]]
+name = "openssl-src"
+version = "300.4.1+3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faa4eac4138c62414b5622d1b31c5c304f34b406b013c079c2bbc652fdd6678c"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.104"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
+dependencies = [
+ "cc",
+ "libc",
+ "openssl-src",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "ordered-multimap"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49203cdcae0030493bad186b28da2fa25645fa276a51b6fec8010d281e02ef79"
+dependencies = [
+ "dlv-list",
+ "hashbrown 0.14.5",
+]
+
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "p384"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-targets",
+]
+
+[[package]]
+name = "parsenic"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c695d2b8bcf1dd62a5173a9c43e6ebbe9261701c002f9b462fc9690c144bb61"
+dependencies = [
+ "traitful",
+]
+
+[[package]]
+name = "pathdiff"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
+
+[[package]]
+name = "pem"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6b13fe415cdf3c8e44518e18a7c95a13431d9bdf6d15367d82b23c377fdd441a"
+dependencies = [
+ "base64 0.21.7",
+ "serde",
+]
+
+[[package]]
+name = "pem"
+version = "3.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
+dependencies = [
+ "base64 0.22.1",
+ "serde",
+]
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+
+[[package]]
+name = "pest"
+version = "2.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc"
+dependencies = [
+ "memchr",
+ "thiserror 2.0.8",
+ "ucd-trie",
+]
+
+[[package]]
+name = "pest_derive"
+version = "2.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e"
+dependencies = [
+ "pest",
+ "pest_generator",
+]
+
+[[package]]
+name = "pest_generator"
+version = "2.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b"
+dependencies = [
+ "pest",
+ "pest_meta",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "pest_meta"
+version = "2.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea"
+dependencies = [
+ "once_cell",
+ "pest",
+ "sha2",
+]
+
+[[package]]
+name = "petgraph"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
+dependencies = [
+ "fixedbitset",
+ "indexmap 2.7.0",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+dependencies = [
+ "siphasher",
+]
+
+[[package]]
+name = "pico-args"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "piper"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96c8c490f422ef9a4efd2cb5b42b76c8613d7e7dfc1caf667b8a3350a5acc066"
+dependencies = [
+ "atomic-waker",
+ "fastrand",
+ "futures-io",
+]
+
+[[package]]
+name = "pix"
+version = "0.13.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6574ffbea793ab0c9a9b09ae99831f1513fdd7732b12aca4c7182c46dc3bc9f"
+
+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+
+[[package]]
+name = "png"
+version = "0.17.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b67582bd5b65bdff614270e2ea89a1cf15bef71245cc1e5f7ea126977144211d"
+dependencies = [
+ "bitflags 1.3.2",
+ "crc32fast",
+ "fdeflate",
+ "flate2",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "png_pong"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a767b8b17e388cb7f1e74cf3c2ebce14e6b7ae123fa27150889a353fd9eb981f"
+dependencies = [
+ "miniz_oxide",
+ "parsenic",
+ "pix",
+ "simd-adler32",
+ "traitful",
+]
+
+[[package]]
+name = "polling"
+version = "3.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a604568c3202727d1507653cb121dbd627a58684eb09a820fd746bee38b4442f"
+dependencies = [
+ "cfg-if",
+ "concurrent-queue",
+ "hermit-abi",
+ "pin-project-lite",
+ "rustix",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+dependencies = [
+ "zerocopy 0.7.35",
+]
+
+[[package]]
+name = "precomputed-hash"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+
+[[package]]
+name = "predicates"
+version = "3.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e9086cc7640c29a356d1a29fd134380bee9d8f79a17410aa76e7ad295f42c97"
+dependencies = [
+ "anstyle",
+ "difflib",
+ "float-cmp",
+ "normalize-line-endings",
+ "predicates-core",
+ "regex",
+]
+
+[[package]]
+name = "predicates-core"
+version = "1.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae8177bee8e75d6846599c6b9ff679ed51e882816914eec639944d7c9aa11931"
+
+[[package]]
+name = "predicates-tree"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41b740d195ed3166cd147c8047ec98db0e22ec019eb8eeb76d343b795304fb13"
+dependencies = [
+ "predicates-core",
+ "termtree",
+]
+
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.92"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "proptest"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4c2511913b88df1637da85cc8d96ec8e43a3f8bb8ccb71ee1ac240d6f3df58d"
+dependencies = [
+ "bitflags 2.6.0",
+ "lazy_static",
+ "num-traits",
+ "rand",
+ "rand_chacha",
+ "rand_xorshift",
+ "regex-syntax",
+ "unarray",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "radium"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.0-beta.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a98fa0b8309344136abe6244130311e76997e546f76fae8054422a7539b43df7"
+dependencies = [
+ "zerocopy 0.8.13",
+]
+
+[[package]]
+name = "rand_xorshift"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f"
+dependencies = [
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "range-set"
+version = "0.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714bc4849c399f77ab82177e9b4f012e02f3a7d6191023e016334edde5b21050"
+dependencies = [
+ "num-traits",
+ "smallvec",
+]
+
+[[package]]
+name = "rasn"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f593394cad523914fcac9296bdb69701ad308589b3ea1e16d37b6f0c3cfad075"
+dependencies = [
+ "bitvec",
+ "bitvec-nom2",
+ "bytes",
+ "chrono",
+ "either",
+ "hashbrown 0.14.5",
+ "nom",
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+ "once_cell",
+ "rasn-derive",
+ "serde_json",
+ "snafu",
+]
+
+[[package]]
+name = "rasn-derive"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f2c367bf1b9a9bc34d40b9c140b52d26b585d0c7755b18496ba061f50639082"
+dependencies = [
+ "proc-macro2",
+ "rasn-derive-impl",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "rasn-derive-impl"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a321099d2f0f08f0afb90e68a16015abea210d4734f7faf6b3497f29feb46a35"
+dependencies = [
+ "either",
+ "itertools 0.13.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "uuid",
+]
+
+[[package]]
+name = "rasn-ocsp"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe8804910bee097437b7df967160127e250e59b4d497b450c89328cd796ee1f8"
+dependencies = [
+ "rasn",
+ "rasn-pkix",
+]
+
+[[package]]
+name = "rasn-pkix"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "884db2ae0da3a7239daaec802df74f3431062f85651c511e6c40b35a30282b82"
+dependencies = [
+ "rasn",
+]
+
+[[package]]
+name = "rayon"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
+dependencies = [
+ "bitflags 2.6.0",
+]
+
+[[package]]
+name = "redox_users"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
+dependencies = [
+ "getrandom",
+ "libredox",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "regex"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+
+[[package]]
+name = "reqwest"
+version = "0.12.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f"
+dependencies = [
+ "base64 0.22.1",
+ "bytes",
+ "encoding_rs",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http 1.2.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "hyper 1.5.1",
+ "hyper-rustls",
+ "hyper-tls",
+ "hyper-util",
+ "ipnet",
+ "js-sys",
+ "log",
+ "mime",
+ "native-tls",
+ "once_cell",
+ "percent-encoding",
+ "pin-project-lite",
+ "rustls-pemfile",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "system-configuration",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "windows-registry",
+]
+
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
+[[package]]
+name = "riff"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c601484456988d75017d86700d3743b949c21cdc7399f940c75e34680d185c5"
+
+[[package]]
+name = "ring"
+version = "0.16.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+dependencies = [
+ "cc",
+ "libc",
+ "once_cell",
+ "spin 0.5.2",
+ "untrusted 0.7.1",
+ "web-sys",
+ "winapi",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom",
+ "libc",
+ "spin 0.9.8",
+ "untrusted 0.9.0",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "ron"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b91f7eff05f748767f183df4320a63d6936e9c6107d97c9e6bdd9784f4289c94"
+dependencies = [
+ "base64 0.21.7",
+ "bitflags 2.6.0",
+ "serde",
+ "serde_derive",
+]
+
+[[package]]
+name = "rsa"
+version = "0.9.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47c75d7c5c6b673e58bf54d8544a9f432e3a925b0e80f7cd3602ab5c50c55519"
+dependencies = [
+ "const-oid",
+ "digest",
+ "num-bigint-dig",
+ "num-integer",
+ "num-traits",
+ "pkcs1",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sha2",
+ "signature",
+ "spki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rust-ini"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e0698206bcb8882bf2a9ecb4c1e7785db57ff052297085a6efd4fe42302068a"
+dependencies = [
+ "cfg-if",
+ "ordered-multimap",
+]
+
+[[package]]
+name = "rustc-demangle"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
+[[package]]
+name = "rustix"
+version = "0.38.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f93dc38ecbab2eb790ff964bb77fa94faf256fd3e73285fd7ba0903b76bedb85"
+dependencies = [
+ "bitflags 2.6.0",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b"
+dependencies = [
+ "log",
+ "once_cell",
+ "ring 0.17.8",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
+
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "ring 0.17.8",
+ "rustls-pki-types",
+ "untrusted 0.9.0",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
+
+[[package]]
+name = "ryu"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "schemars"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09c024468a378b7e36765cd36702b7a90cc3cba11654f6685c8f233408e89e92"
+dependencies = [
+ "dyn-clone",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1eee588578aff73f856ab961cd2f79e36bc45d7ded33a7562adba4667aecc0e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "scoped-tls"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1cf6437eb19a8f4a6cc0f7dca544973b0b78843adbfeb3683d1a94a0024a294"
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags 2.6.0",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa39c7303dc58b5543c94d22c1766b0d31f2ee58306363ea622b10bbc075eaa2"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
+
+[[package]]
+name = "serde"
+version = "1.0.216"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b9781016e935a97e8beecf0c933758c97a5520d32930e460142b4cd80c6338e"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde-transcode"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "590c0e25c2a5bb6e85bf5c1bce768ceb86b316e7a01bdf07d2cb4ec2271990e2"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde-wasm-bindgen"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8302e169f0eddcc139c70f139d19d6467353af16f9fce27e8c30158036a1e16b"
+dependencies = [
+ "js-sys",
+ "serde",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "serde_bytes"
+version = "0.11.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "387cc504cb06bb40a96c8e04e951fe01854cf6bc921053c954e4a606d9675c6a"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_cbor"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5"
+dependencies = [
+ "half 1.8.3",
+ "serde",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.216"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.133"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377"
+dependencies = [
+ "indexmap 2.7.0",
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_regex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8136f1a4ea815d7eac4101cfd0b16dc0cb5e1fe1b8609dfd728058656b7badf"
+dependencies = [
+ "regex",
+ "serde",
+]
+
+[[package]]
+name = "serde_spanned"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_with"
+version = "3.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e28bdad6db2b8340e449f7108f020b3b092e8583a9e3fb82713e1d4e71fe817"
+dependencies = [
+ "base64 0.22.1",
+ "chrono",
+ "hex",
+ "indexmap 1.9.3",
+ "indexmap 2.7.0",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "serde_with_macros",
+ "time",
+]
+
+[[package]]
+name = "serde_with_macros"
+version = "3.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d846214a9854ef724f3da161b426242d8de7c1fc7de2f89bb1efcb154dca79d"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "simd-adler32"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe"
+
+[[package]]
+name = "similar"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1de1d4f81173b03af4c0cbed3c898f6bff5b870e4a7f5d6f4057d62a7a4b686e"
+
+[[package]]
+name = "siphasher"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d"
+
+[[package]]
+name = "slab"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
+
+[[package]]
+name = "snafu"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "223891c85e2a29c3fe8fb900c1fae5e69c2e42415e3177752e8718475efa5019"
+dependencies = [
+ "snafu-derive",
+]
+
+[[package]]
+name = "snafu-derive"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03c3c6b7927ffe7ecaa769ee0e3994da3b8cafc8f444578982c83ecb161af917"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "socket2"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "spin"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+
+[[package]]
+name = "string_cache"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f91138e76242f575eb1d3b38b4f1362f10d3a43f47d182a5b359af488a02293b"
+dependencies = [
+ "new_debug_unreachable",
+ "once_cell",
+ "parking_lot",
+ "phf_shared",
+ "precomputed-hash",
+]
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.90"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "system-configuration"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
+dependencies = [
+ "bitflags 2.6.0",
+ "core-foundation",
+ "system-configuration-sys",
+]
+
+[[package]]
+name = "system-configuration-sys"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "tap"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
+
+[[package]]
+name = "tempfile"
+version = "3.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28cce251fcbc87fac86a866eeb0d6c2d536fc16d06f184bb61aeae11aa4cee0c"
+dependencies = [
+ "cfg-if",
+ "fastrand",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "term"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
+dependencies = [
+ "dirs-next",
+ "rustversion",
+ "winapi",
+]
+
+[[package]]
+name = "termtree"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08f5383f3e0071702bf93ab5ee99b52d26936be9dedd9413067cbdcddcb6141a"
+dependencies = [
+ "thiserror-impl 2.0.8",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f357fcec90b3caef6623a099691be676d033b40a058ac95d2a6ade6fa0c943"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "time"
+version = "0.3.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
+
+[[package]]
+name = "time-macros"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tiny-keccak"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+dependencies = [
+ "crunchy",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tokio"
+version = "1.42.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551"
+dependencies = [
+ "backtrace",
+ "bytes",
+ "libc",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "socket2",
+ "tokio-macros",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+dependencies = [
+ "native-tls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37"
+dependencies = [
+ "rustls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "toml"
+version = "0.8.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e"
+dependencies = [
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "toml_edit",
+]
+
+[[package]]
+name = "toml_datetime"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "toml_edit"
+version = "0.22.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5"
+dependencies = [
+ "indexmap 2.7.0",
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "winnow",
+]
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tracing"
+version = "0.1.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
+dependencies = [
+ "pin-project-lite",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.33"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c"
+dependencies = [
+ "once_cell",
+]
+
+[[package]]
+name = "traitful"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d856e22ead1fb79b9fc3cec63300086f680924f2f7b0e2701f6835a28b9c4425"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "treeline"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7f741b240f1a48843f9b8e0444fb55fb2a4ff67293b50a9179dfd5ea67f8d41"
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
+[[package]]
+name = "typenum"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+
+[[package]]
+name = "ucd-trie"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
+
+[[package]]
+name = "unarray"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "ureq"
+version = "2.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d"
+dependencies = [
+ "base64 0.22.1",
+ "flate2",
+ "log",
+ "once_cell",
+ "rustls",
+ "rustls-pki-types",
+ "url",
+ "webpki-roots",
+]
+
+[[package]]
+name = "url"
+version = "2.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+]
+
+[[package]]
+name = "utf16_iter"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246"
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "uuid"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a"
+dependencies = [
+ "getrandom",
+ "serde",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "value-bag"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ef4c4aa54d5d05a279399bfa921ec387b7aba77caf7a682ae8d86785b8fdad2"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "wait-timeout"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79"
+dependencies = [
+ "bumpalo",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38176d9b44ea84e9184eff0bc34cc167ed044f816accfe5922e54d84cf48eca2"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.99"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6"
+
+[[package]]
+name = "wasm-bindgen-test"
+version = "0.3.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d44563646eb934577f2772656c7ad5e9c90fac78aa8013d776fcdaf24625d"
+dependencies = [
+ "js-sys",
+ "minicov",
+ "scoped-tls",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-bindgen-test-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-test-macro"
+version = "0.3.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54171416ce73aa0b9c377b51cc3cb542becee1cd678204812e8392e5b0e4a031"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04dd7223427d52553d3702c004d3b2fe07c148165faa56313cb00211e31c12bc"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "0.26.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d642ff16b7e79272ae451b7322067cdc17cadf68c23264be9d94a32319efe7e"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "weezl"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53a85b86a771b1c87058196170769dd264f66c0782acf1ae6cc51bfd64b39082"
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows-core"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-registry"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0"
+dependencies = [
+ "windows-result",
+ "windows-strings",
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
+dependencies = [
+ "windows-result",
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "winnow"
+version = "0.6.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36c1fec1a2bb5866f07c25f68c26e565c4c200aebb96d7e55710c19d3e8ac49b"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "write16"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936"
+
+[[package]]
+name = "writeable"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
+
+[[package]]
+name = "wyz"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed"
+dependencies = [
+ "tap",
+]
+
+[[package]]
+name = "x509-certificate"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5d27c90840e84503cf44364de338794d5d5680bdd1da6272d13f80b0769ee0"
+dependencies = [
+ "bcder",
+ "bytes",
+ "chrono",
+ "der",
+ "hex",
+ "pem 2.0.1",
+ "ring 0.16.20",
+ "signature",
+ "spki",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "x509-parser"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
+[[package]]
+name = "yoke"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40"
+dependencies = [
+ "serde",
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+dependencies = [
+ "byteorder",
+ "zerocopy-derive 0.7.35",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67914ab451f3bfd2e69e5e9d2ef3858484e7074d63f204fd166ec391b54de21d"
+dependencies = [
+ "zerocopy-derive 0.8.13",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7988d73a4303ca289df03316bc490e934accf371af6bc745393cf3c2c5c4f25d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+
+[[package]]
+name = "zerovec"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
+[[package]]
+name = "zip"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99d52293fc86ea7cf13971b3bb81eb21683636e7ae24c729cdaf1b7c4157a352"
+dependencies = [
+ "arbitrary",
+ "crc32fast",
+ "crossbeam-utils",
+ "displaydoc",
+ "indexmap 2.7.0",
+ "memchr",
+ "thiserror 2.0.8",
+]
+
+[[package]]
+name = "zune-core"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f423a2c17029964870cfaabb1f13dfab7d092a62a29a89264f4d36990ca414a"
+
+[[package]]
+name = "zune-jpeg"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99a5bab8d7dedf81405c4bb1f2b83ea057643d9cb28778cea9eecddeedd2e028"
+dependencies = [
+ "zune-core",
+]
diff --git a/Cargo.toml b/Cargo.toml
index 3c7d613cb..f54a33c7f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,9 +3,15 @@ resolver = "2"
 
 members = [
     "cawg_identity",
+    "cli",
     "export_schema",
     "internal/crypto",
     "internal/status-tracker",
     "make_test_images",
     "sdk",
 ]
+
+[profile.release]
+strip = true  # Automatically strip symbols from the binary. 
+opt-level = 3
+lto = "thin"  # Link time optimization.
diff --git a/README.md b/README.md
index 3b8aadb1a..d39218f24 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,19 @@
 
 The **[Coalition for Content Provenance and Authenticity](https://c2pa.org)** (C2PA) addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. The C2PA Rust library is part of the [Content Authenticity Initiative](https://contentauthenticity.org) open-source SDK.
 
-For the best experience, read the docs on the [CAI Open Source SDK documentation website](https://opensource.contentauthenticity.org/docs/c2pa-node/).  Some additional documentation for this repository is also available on GitHub:
+For the best experience, read the docs on the [CAI Open Source SDK documentation website](https://opensource.contentauthenticity.org/docs/rust-sdk/).  Some additional documentation for this repository is also available on GitHub:
 
 - [Usage](docs/usage.md)
 - [Supported formats](docs/supported-formats.md)
 - [Release notes](docs/release-notes.md)
 - [Contributing to the project](docs/project-contributions.md)
 
+- [C2PA Tool](cli/README.md) documentation:
+  - [Using C2PA Tool](cli/docs/usage.md)
+  - [Manifest definition file](cli/docs/manifest.md)
+  - [Using an X.509 certificate](cli/docs/x_509.md)
+  - [Release notes](cli/docs/release-notes.md)
+
 </div>
 
 ## Key features
@@ -36,6 +42,10 @@ This is a beta release (version 0.x.x) of the project. The minor version number
 
 NOTE: The current release includes a new API that replaces old methods of reading and writing C2PA data, which are deprecated.  See the [release notes](docs/release-notes.md) for more information. 
 
+### Rust language requirement (MSRV)
+
+The `c2pa` crate requires Rust version 1.81.0 or newer. When a newer version of Rust becomes required, a new minor (0.x.0) version of this crate will be released.
+
 ### Contributions and feedback
 
 We welcome contributions to this project.  For information on contributing, providing feedback, and about ongoing work, see [Contributing](https://github.com/contentauth/c2pa-rs/blob/main/CONTRIBUTING.md).  For additional information on nightly builds and testing, see [Contributing to the project](docs/project-contributions.md).
diff --git a/cawg_identity/Cargo.toml b/cawg_identity/Cargo.toml
index 390dc76e5..86c6999d3 100644
--- a/cawg_identity/Cargo.toml
+++ b/cawg_identity/Cargo.toml
@@ -13,7 +13,7 @@ readme = "README.md"
 keywords = ["identity"]
 categories = ["api-bindings"]
 edition = "2021"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
diff --git a/cli/CHANGELOG.md b/cli/CHANGELOG.md
new file mode 100644
index 000000000..d88e5c230
--- /dev/null
+++ b/cli/CHANGELOG.md
@@ -0,0 +1,287 @@
+# Changelog
+
+All changes to this project are documented in this file.  For a high-level summary of changes, see the [Release Notes](../docs/release-notes.md).
+
+This project adheres to [Semantic Versioning](https://semver.org), except that – as is typical in the Rust community – the minimum supported Rust version may be increased without a major version increase.
+
+Since version 0.10.0, the format of this changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [0.10.2](https://github.com/contentauth/c2pa-rs/compare/c2patool-v0.10.1...c2patool-v0.10.2)
+_12 December 2024_
+
+### Fixed
+
+* No-op change to trigger new c2patool build
+* Update makefile for c2patool's new location in c2pa-rs workspace
+
+## [0.10.1](https://github.com/contentauth/c2pa-rs/compare/c2patool-v0.10.0...c2patool-v0.10.1)
+_12 December 2024_
+
+### Fixed
+
+* No-op change to trigger new c2patool release
+
+## [0.10.0](https://github.com/contentauth/c2pa-rs/compare/c2patool-v0.9.12...c2patool-v0.10.0)
+_12 December 2024_
+
+### Added
+
+* Updates c2patool to use only the new Builder/Reader API (contentauth/c2patool#297)
+
+### Documented
+
+* Update Contributing guide, misc minor edits (contentauth/c2patool#296)
+
+### Fixed
+
+* Compile `c2pa-crypto` with `cargo check` (#768)
+
+### Other
+
+* Move c2patool source code into c2pa-rs repo (#723)
+* Move profile settings to workspace Cargo.toml
+* Enlarged description of c2pa command-line behavior (contentauth/c2patool[#285](https://github.com/contentauth/c2pa-rs/pull/285))
+
+## 0.9.12
+_18 October 2024_
+
+* fix: Update c2pa-rs for RegionOfInterest support. ([contentauth/c2patool#269](https://github.com/contentauth/c2patool/pull/269))
+* Fix broken link that was causing os site workflow to fail ([contentauth/c2patool#266](https://github.com/contentauth/c2patool/pull/266))
+* Bump codecov/codecov-action from 3 to 4 ([contentauth/c2patool#242](https://github.com/contentauth/c2patool/pull/242))
+* chore: Run all CI jobs when user is dependabot[bot]
+* chore: Debug CI again
+* chore: Format for consistency with c2pa-rs CI workflow ([contentauth/c2patool#265](https://github.com/contentauth/c2patool/pull/265))
+* chore: Don't skip CI jobs for non-pull-request events
+* chore: Retry debug
+* chore: Debug action context
+* chore: Skip CodeCov upload for non-member PRs ([contentauth/c2patool#263](https://github.com/contentauth/c2patool/pull/263))
+* Bump EmbarkStudios/cargo-deny-action from 1 to 2 ([contentauth/c2patool#245](https://github.com/contentauth/c2patool/pull/245))
+* chore: Adjust conditions for running CI jobs ([contentauth/c2patool#261](https://github.com/contentauth/c2patool/pull/261))
+
+## 0.9.11
+_16 October 2024_
+
+* Merge hardening bug fixes ([contentauth/c2patool#260](https://github.com/contentauth/c2patool/pull/260))
+
+## 0.9.10
+_07 October 2024_
+
+* Update c2ptool to use latest c2pa-rs ([contentauth/c2patool#258](https://github.com/contentauth/c2patool/pull/258))
+
+## 0.9.9
+_17 September 2024_
+
+* Pull in latest bug fixes ([contentauth/c2patool#237](https://github.com/contentauth/c2patool/pull/237))
+* Document fragment subcommand ([contentauth/c2patool#236](https://github.com/contentauth/c2patool/pull/236))
+* Switch back to using `pull_request` instead of `pull_request_target` trigger
+* Bump actions/checkout from 3 to 4 ([contentauth/c2patool#243](https://github.com/contentauth/c2patool/pull/243))
+* Remove no-longer-maintained clippy-check action ([contentauth/c2patool#238](https://github.com/contentauth/c2patool/pull/238))
+
+## 0.9.8
+_30 August 2024_
+
+* Initial fragment support ([contentauth/c2patool#230](https://github.com/contentauth/c2patool/pull/230))
+* Add warning about accessing a private key directly ([contentauth/c2patool#218](https://github.com/contentauth/c2patool/pull/218))
+
+## 0.9.7
+_15 August 2024_
+
+* Update to latest c2pa SDK ([contentauth/c2patool#222](https://github.com/contentauth/c2patool/pull/222))
+* Remove rust toolchain version lock ([contentauth/c2patool#221](https://github.com/contentauth/c2patool/pull/221))
+* Update security guidance to link to SECURITY.md ([contentauth/c2patool#217](https://github.com/contentauth/c2patool/pull/217))
+
+## 0.9.6
+_30 July 2024_
+
+* Pull latest c2pa-rs bug fixes into c2patool ([contentauth/c2patool#212](https://github.com/contentauth/c2patool/pull/212))
+* only run tests/clippy if labeled ([contentauth/c2patool#205](https://github.com/contentauth/c2patool/pull/205))
+* Bump env_logger from 0.10.2 to 0.11.4 ([contentauth/c2patool#204](https://github.com/contentauth/c2patool/pull/204))
+* Updates cargo packages and cargo.deny file. ([contentauth/c2patool#200](https://github.com/contentauth/c2patool/pull/200))
+
+## 0.9.5
+_18 July 2024_
+
+* Update to lastest c2pa-rs ([contentauth/c2patool#197](https://github.com/contentauth/c2patool/pull/197))
+* added security.md ([contentauth/c2patool#196](https://github.com/contentauth/c2patool/pull/196))
+
+## 0.9.4
+_25 June 2024_
+
+* Update c2patool ([contentauth/c2patool#190](https://github.com/contentauth/c2patool/pull/190))
+* Match c2pa-rs minimum toolchain version and test in CI ([contentauth/c2patool#188](https://github.com/contentauth/c2patool/pull/188))
+* Document how to specify an icon ([contentauth/c2patool#182](https://github.com/contentauth/c2patool/pull/182))
+
+## 0.9.3
+_29 May 2024_
+
+* Remove binary modules ([contentauth/c2patool#179](https://github.com/contentauth/c2patool/pull/179))
+
+## 0.9.2
+_24 May 2024_
+
+* Remove integration tests for now due to extraneous binaries ([contentauth/c2patool#178](https://github.com/contentauth/c2patool/pull/178))
+
+## 0.9.1
+_22 May 2024_
+
+* Add better support for cargo-binstall ([contentauth/c2patool#177](https://github.com/contentauth/c2patool/pull/177))
+
+## 0.9.0
+_07 May 2024_
+
+* Integrate with c2pa-rs 0.32.0, various test case fixes. ([contentauth/c2patool#175](https://github.com/contentauth/c2patool/pull/175))
+* Add HTTP source option for trust config ([contentauth/c2patool#174](https://github.com/contentauth/c2patool/pull/174))
+
+## 0.8.2
+_28 March 2024_
+
+* fixed c2patool asset name ([contentauth/c2patool#171](https://github.com/contentauth/c2patool/pull/171))
+
+## 0.8.1
+_25 March 2024_
+
+* use c2pa-rs 0.31.1 for actions.changes support ([contentauth/c2patool#170](https://github.com/contentauth/c2patool/pull/170))
+
+## 0.8.0
+_20 March 2024_
+
+* allow clients to sign with a process outside of c2patool ([contentauth/c2patool#169](https://github.com/contentauth/c2patool/pull/169))
+* Add trust and verification options to c2pa_tool ([contentauth/c2patool#168](https://github.com/contentauth/c2patool/pull/168))
+* adds version to c2patool artifact names ([contentauth/c2patool#158](https://github.com/contentauth/c2patool/pull/158))
+
+## 0.7.0
+_22 November 2023_
+
+* updates to c2pa-rs v0.28.2 ([contentauth/c2patool#153](https://github.com/contentauth/c2patool/pull/153))
+* Update to c2pa-rs 0.28.1
+
+## 0.6.2
+_05 October 2023_
+
+* update to c2pa 0.27.1 ([contentauth/c2patool#146](https://github.com/contentauth/c2patool/pull/146))
+* Merge branch 'main' of https://github.com/contentauth/c2patool
+* Add Do not train example
+* Upgrade to c2pa-rs 0.26.0 ([contentauth/c2patool#143](https://github.com/contentauth/c2patool/pull/143))
+* Fix issue with docusaurus styling and fix broken links ([contentauth/c2patool#138](https://github.com/contentauth/c2patool/pull/138))
+* Updates to c2pa-rs 0.25.1 ([contentauth/c2patool#128](https://github.com/contentauth/c2patool/pull/128))
+* Fix windows release ([contentauth/c2patool#132](https://github.com/contentauth/c2patool/pull/132))
+
+## 0.6.1
+_24 July 2023_
+
+* use compress-archive instead of tar ([contentauth/c2patool#130](https://github.com/contentauth/c2patool/pull/130))
+
+## 0.6.0
+_22 June 2023_
+
+* update to c2pa-rs 0.24.0 ([contentauth/c2patool#127](https://github.com/contentauth/c2patool/pull/127))
+
+## 0.5.4
+_13 June 2023_
+
+* integrate c2pa 23.0 bump version ([contentauth/c2patool#126](https://github.com/contentauth/c2patool/pull/126))
+* Merge branch 'main' of https://github.com/contentauth/c2patool
+* c2pa-rs 23.0 + updated test
+* Update README.md ([contentauth/c2patool#124](https://github.com/contentauth/c2patool/pull/124))
+
+## 0.5.3
+_04 May 2023_
+
+* Parent Ingredient JSON ([contentauth/c2patool#123](https://github.com/contentauth/c2patool/pull/123))
+
+## 0.5.2
+_19 April 2023_
+
+* Ingredient thumbnails, extension cleanup, toolkit update ([contentauth/c2patool#120](https://github.com/contentauth/c2patool/pull/120))
+
+## 0.5.1
+_10 April 2023_
+
+* Update README.md ([contentauth/c2patool#118](https://github.com/contentauth/c2patool/pull/118))
+* Update expired sample certs ([contentauth/c2patool#113](https://github.com/contentauth/c2patool/pull/113))
+
+## 0.5.0
+_28 March 2023_
+
+* New ingredient support and c2pa file formats ([contentauth/c2patool#111](https://github.com/contentauth/c2patool/pull/111))
+* Leverage new Manifest & Ingredient, add Ingredient creation. ([contentauth/c2patool#107](https://github.com/contentauth/c2patool/pull/107))
+
+## 0.4.0
+_01 March 2023_
+
+* Add --certs and --tree options ([contentauth/c2patool#106](https://github.com/contentauth/c2patool/pull/106))
+* update to cp2pa 0.17.0 ([contentauth/c2patool#105](https://github.com/contentauth/c2patool/pull/105))
+* Update for Clippy in Rust 1.67 ([contentauth/c2patool#101](https://github.com/contentauth/c2patool/pull/101))
+
+## 0.3.9
+_06 December 2022_
+
+* update to c2pa-rs 0.16.0
+* allows clients to output manifest report to specified directory ([contentauth/c2patool#91](https://github.com/contentauth/c2patool/pull/91))
+
+## 0.3.8
+_09 November 2022_
+
+* Bump c2pa from 0.13.2 to 0.15.0 ([contentauth/c2patool#87](https://github.com/contentauth/c2patool/pull/87))
+* Build infrastructure improvements ([contentauth/c2patool#85](https://github.com/contentauth/c2patool/pull/85))
+* Fix new Clippy warning in Rust 1.65 ([contentauth/c2patool#84](https://github.com/contentauth/c2patool/pull/84))
+* Readme updates ([contentauth/c2patool#62](https://github.com/contentauth/c2patool/pull/62))
+
+## 0.3.7
+_22 September 2022_
+
+* Treat a source asset with a manifest store as a default parent ([contentauth/c2patool#76](https://github.com/contentauth/c2patool/pull/76))
+* Fetch remote manifests for --info ([contentauth/c2patool#75](https://github.com/contentauth/c2patool/pull/75))
+
+## 0.3.6
+_16 September 2022_
+
+* Update Cargo.lock when publishing crate ([contentauth/c2patool#71](https://github.com/contentauth/c2patool/pull/71))
+* [IGNORE] update readme --info ([contentauth/c2patool#70](https://github.com/contentauth/c2patool/pull/70))
+* Update Cargo.lock to 0.3.5
+
+## 0.3.5
+_15 September 2022_
+
+* Upgrade cpufeatures to non-yanked version ([contentauth/c2patool#68](https://github.com/contentauth/c2patool/pull/68))
+* Add --info option  ([contentauth/c2patool#65](https://github.com/contentauth/c2patool/pull/65))
+* Updated publish workflow to upload binaries to GitHub ([contentauth/c2patool#58](https://github.com/contentauth/c2patool/pull/58))
+* Fix Make release script & update readme ([contentauth/c2patool#55](https://github.com/contentauth/c2patool/pull/55))
+* (Some version history omitted as we worked on some release process issues)
+
+## 0.3.0
+_18 August 2022_
+
+* Rework c2patool parameters ([contentauth/c2patool#53](https://github.com/contentauth/c2patool/pull/53))
+* Update to 0.11.0 c2pa-rs ([contentauth/c2patool#38](https://github.com/contentauth/c2patool/pull/38))
+* Remove Homebrew, Git installation methods, and add "update" wording ([contentauth/c2patool#33](https://github.com/contentauth/c2patool/pull/33))
+
+## 0.2.1
+_29 June 2022_
+
+* Add BMFF support for video & etc ([contentauth/c2patool#25](https://github.com/contentauth/c2patool/pull/25))
+
+## 0.2.0
+_28 June 2022_
+
+* Upgrade to c2pa Rust SDK version 0.6.0 ([contentauth/c2patool#24](https://github.com/contentauth/c2patool/pull/24))
+* Fix an error in the README documentation ([contentauth/c2patool#23](https://github.com/contentauth/c2patool/pull/23))
+* Display help if there are no arguments on the command line ([contentauth/c2patool#21](https://github.com/contentauth/c2patool/pull/21))
+* Bump anyhow from 1.0.57 to 1.0.58 ([contentauth/c2patool#17](https://github.com/contentauth/c2patool/pull/17))
+* Updates examples to use ta_url instead of ta ([contentauth/c2patool#15](https://github.com/contentauth/c2patool/pull/15))
+
+## 0.1.3
+_17 June 2022_
+
+* Update to latest c2pa Rust SDK ([contentauth/c2patool#12](https://github.com/contentauth/c2patool/pull/12))
+* Add built-in default certs to make getting started easier ([contentauth/c2patool#9](https://github.com/contentauth/c2patool/pull/9))
+
+## 0.1.2
+_10 June 2022_
+
+* Update crate's description field
+
+## 0.1.1
+_10 June 2022_
+
+* Initial public release
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
new file mode 100644
index 000000000..4a9b6f8db
--- /dev/null
+++ b/cli/Cargo.toml
@@ -0,0 +1,52 @@
+[package]
+name = "c2patool"
+default-run = "c2patool"
+
+version = "0.10.2"
+
+description = "Tool for displaying and creating C2PA manifests."
+authors = [
+    "Gavin Peacock <gpeacock@adobe.com>",
+    "Maurice Fisher <mfisher@adobe.com>",
+]
+license = "MIT OR Apache-2.0"
+documentation = "https://opensource.contentauthenticity.org/docs/c2patool"
+readme = "README.md"
+keywords = ["c2pa", "xmp", "metadata"]
+edition = "2018"
+homepage = "https://contentauthenticity.org"
+repository = "https://github.com/contentauth/c2pa-rs/tree/main/cli"
+
+[dependencies]
+anyhow = "1.0"
+atree = "0.5.2"
+c2pa = { path = "../sdk", version = "0.40.0", features = [
+	"fetch_remote_manifests",
+	"file_io",
+	"add_thumbnails",
+	"pdf",
+	"unstable_api",
+] }
+c2pa-crypto = { path = "../internal/crypto", version = "0.2.0" }
+clap = { version = "4.5.10", features = ["derive", "env"] }
+env_logger = "0.11.4"
+glob = "0.3.1"
+log = "0.4"
+serde = { version = "1.0", features = ["derive"] }
+serde_derive = "1.0"
+serde_json = "1.0"
+tempfile = "3.3"
+treeline = "0.1.0"
+pem = "3.0.3"
+openssl = { version = "0.10.61", features = ["vendored"] }
+reqwest = { version = "0.12.4", features = ["blocking"] }
+url = "2.5.0"
+
+[dev-dependencies]
+assert_cmd = "2.0.14"
+httpmock = "0.7.0"
+predicates = "3.1"
+mockall = "0.13.0"
+
+[package.metadata.binstall]
+# Use defaults
diff --git a/cli/Makefile b/cli/Makefile
new file mode 100644
index 000000000..b73138f22
--- /dev/null
+++ b/cli/Makefile
@@ -0,0 +1,72 @@
+# Makefile to aid with local development and testing
+# This is not required for automated builds
+
+ifeq ($(OS),Windows_NT)
+	PLATFORM := win
+else
+	UNAME := $(shell uname)
+    ifeq ($(UNAME),Linux)
+        PLATFORM := linux
+    endif
+    ifeq ($(UNAME),Darwin)
+        PLATFORM := mac
+    endif
+endif
+
+check-format:
+	cargo +nightly fmt -- --check
+
+clippy:
+	cargo clippy --all-features --all-targets -- -D warnings
+
+test-local:
+	cargo test --all-features
+
+# Full local validation, build and test all features including wasm
+# Run this before pushing a PR to pre-validate
+test: check-format clippy test-local
+
+fmt: 
+	cargo +nightly fmt
+
+# Creates a folder wtih c2patool bin, samples and readme
+c2patool-package:
+	rm -rf ../target/c2patool*
+	mkdir -p ../target/c2patool
+	mkdir -p ../target/c2patool/sample
+	cp ../target/release/c2patool ../target/c2patool/c2patool
+	cp README.md ../target/c2patool/README.md
+	cp sample/* ../target/c2patool/sample
+	cp CHANGELOG.md ../target/c2patool/CHANGELOG.md
+
+# These are for building the c2patool release bin on various platforms
+build-release-win:
+	cargo build --release
+
+build-release-mac-arm:
+	rustup target add aarch64-apple-darwin
+	MACOSX_DEPLOYMENT_TARGET=11.1 cargo build --target=aarch64-apple-darwin --release
+
+build-release-mac-x86:
+	rustup target add x86_64-apple-darwin
+	MACOSX_DEPLOYMENT_TARGET=10.15 cargo build --target=x86_64-apple-darwin --release
+
+build-release-mac-universal: build-release-mac-arm build-release-mac-x86
+	lipo -create -output ../target/release/c2patool ../target/aarch64-apple-darwin/release/c2patool ../target/x86_64-apple-darwin/release/c2patool
+
+build-release-linux:
+	cargo build --release
+
+# Builds and packages a zip for c2patool for each platform
+ifeq ($(PLATFORM), mac)
+release: build-release-mac-universal c2patool-package
+	cd ../target && zip -r c2patool_mac_universal.zip c2patool && cd ..
+endif
+ifeq ($(PLATFORM), win)
+release: build-release-win c2patool-package
+	cd ../target && 7z a -r c2patool_win_intel.zip c2patool && cd ..
+endif
+ifeq ($(PLATFORM), linux)
+release: build-release-linux c2patool-package
+	cd ../target && tar -czvf c2patool_linux_intel.tar.gz c2patool && cd ..
+endif
diff --git a/cli/README.md b/cli/README.md
new file mode 100644
index 000000000..d48b6efaf
--- /dev/null
+++ b/cli/README.md
@@ -0,0 +1,78 @@
+# C2PA command line tool
+
+C2PA Tool, `c2patool`, is a command line tool for working with C2PA [manifests](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_manifests) and media assets (audio, image or video files).
+
+Use the tool on a file in one of the [supported formats](https://github.com/contentauth/c2pa-rs/blob/main/docs/supported-formats.md) to:
+
+- Read a summary JSON report of C2PA manifests.
+- Read a low-level report of C2PA manifest data.
+- Add a C2PA manifest to the file.
+
+For a simple example of calling c2patool from a Node.js server application, see the [c2pa-service-example](https://github.com/contentauth/c2patool-service-example) repository.
+
+<div style={{display: 'none'}}>
+
+**Additional documentation**:
+
+- [Using C2PA Tool](./docs/usage.md)
+- [Manifest definition file](./docs/manifest.md)
+- [Using an X.509 certificate](./docs/x_509.md)
+- [Release notes](./docs/release-notes.md)
+- [Contributing to the project](./docs/project-contributions.md)
+
+</div>
+
+## Installation
+
+There are two ways to install C2PA Tool:
+- [Using a pre-built binary executable](#installing-a-pre-built-binary): This is the quickest way to install the tool.  If you just want to try C2PA Tool quickly, use this method.
+- [Using Cargo Binstall](#using-cargo-binstall), a low-complexity way to install Rust binaries.  This method is preferable for long-term use. If you know you want to use C2PA Tool for development, use this method.
+
+**NOTE:** If you want to contribute to the C2PA Tool project itself, or if a pre-built binary is not available for your system, see [Contributing to the project](./docs/project-contributions.md).
+
+### Installing a pre-built binary
+
+The quickest way to install the tool is to use the binary executable builds.  If you just want to try C2PA Tool quickly:
+
+1. Go to the [Releases page](https://github.com/contentauth/c2pa-rs/releases). 
+1. Under the latest **c2patool** release, click **Assets**.
+1. Download the archive for your operating system (Linux, macOS, or Windows).
+1. Copy the executable file to a location on your `PATH`.
+
+Confirm that you can run the tool by entering a command such as:
+```
+c2patool -h
+```
+
+NOTE: You also may want to get some of the example files provided in the repository `sample` directory.   To do so, clone the repository with `git clone https://github.com/contentauth/c2pa-rs.git`.
+
+### Using Cargo Binstall
+
+Installing C2PA Tool using Cargo [Binstall](https://github.com/cargo-bins/cargo-binstall?tab=readme-ov-file) is recommended because it makes it easier to:
+- Automatically select the correct installation package for your platform/architecture.
+- Update the tool when a new version is released.
+- Maintain, since you don't have to manually keep track of random binaries on your system.
+- Integrate into CI or other scripting environments.
+
+Additionally, using Binstall enables you to automate code signing to ensure package integrity.
+
+#### Process
+
+**PREREQUISITE:** Install [Rust](https://www.rust-lang.org/tools/install).
+
+To install by using Binstall:
+
+1. Install `cargo-binstall` by following the [quick install method](https://github.com/cargo-bins/cargo-binstall?tab=readme-ov-file#quickly) for your OS, or by building from source by running `cargo install cargo-binstall`
+2. Run `cargo binstall c2patool`.
+
+#### Upgrading
+
+To ensure you have the latest version, enter this command:
+
+```
+c2patool -V
+```
+
+The tool will display the version installed. Compare the version number displayed with the latest release version shown in the [repository releases page](https://github.com/contentauth/c2pa-rs/releases). 
+
+If you need to upgrade, simply run `cargo binstall c2patool` again, or use [cargo-update](https://github.com/nabijaczleweli/cargo-update).
diff --git a/cli/docs/.gitkeep b/cli/docs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/cli/docs/manifest.md b/cli/docs/manifest.md
new file mode 100644
index 000000000..95d6a1a17
--- /dev/null
+++ b/cli/docs/manifest.md
@@ -0,0 +1,85 @@
+# Manifest definition file
+
+C2PA Tool reads a manifest definition JSON file with a `.json` extension. This file defines a single manifest to be added to an asset's manifest store.
+In the manifest definition file, file paths are relative to the location of the file unless you specify a `base_path` field.
+
+## JSON format
+
+The C2PA specification describes a manifest that has a binary structure in JPEG universal metadata box format (JUMBF).  However, C2PA Tool works with a JSON manifest structure that's easier to understand and work with.  It's a declarative language for representing and creating a manifest in binary format. For more information on the JSON manifest, see [Working with manifests](https://opensource.contentauthenticity.org/docs/manifest/understanding-manifest).
+
+See also:
+
+* <a href="https://opensource.contentauthenticity.org/docs/manifest/manifest-ref" target="_self">Manifest store reference</a>
+* <a href="https://opensource.contentauthenticity.org/docs/manifest/manifest-json-schema" target="_self">Manifest store schema</a>
+* <a href="https://github.com/contentauth/c2pa-rs/blob/main/cli/schemas/manifest-definition.json" target="_self">Manifest definition schema</a>
+* <a href="https://github.com/contentauth/c2pa-rs/blob/main/cli/schemas/ingredient.json" target="_self">Ingredient schema</a>
+
+## Adding a claim generator icon
+
+You can specify an icon to be displayed by tools such as [Verify](https://contentcredentials.org/verify) to indicate the signer of the manifest.
+
+To do this, add a `claim_generator_info` property to the manifest definition. The `claim_generator_info.icon` property contains information on the icon:
+- `icon.format` specifies the MIME type of the icon file.  SVG format is preferred, but you can also use PNG or JPEG formats. 
+- `icon.identifier` specifies the name of the icon file.
+
+For example:
+
+```json
+"claim_generator_info": [
+	{
+		"name": "My App",
+		"version": "0.1.0",
+		"icon": {
+			"format": "image/svg+xml",
+			"identifier": "logo.svg"
+		}
+	}
+],
+```
+
+To add the icon using C2PA Tool, make sure the icon file and the manifest definition file  are in the same directory where you are running `c2patool`. Then, you can add the icon by using a command like this:
+
+```shell
+c2patool image_to_sign.jpg -m manifest.json -o signed_with_icon.jpg
+```
+
+NOTE: The [Verify](https://contentcredentials.org/verify) tool will not display an icon for a signing certificate that is not on the temporary certificate list, such as the C2PA Tool test certificate.
+
+## Example
+
+The example below is a snippet of a manifest definition that inserts a `CreativeWork` author assertion. This example uses the default testing certificates in the [sample folder](https://github.com/contentauth/c2pa-rs/tree/main/cli/sample) that are also built into the `c2patool` binary.
+
+**NOTE**:  When you don't specify a key or certificate in the manifest `private_key` and `sign_cert` fields, the tool will use the built-in key and cert. You'll see a warning message, since they are meant for development purposes only. For actual use, provide a permanent key and certificate in the manifest definition or environment variables; see [Creating and using an X.509 certificate](x_509.md). 
+
+The following manifest properties are specific to c2patool and used for signing manifests:
+
+- `alg`: Signing algorithm to use. See [Creating and using an X.509 certificate](x_509.md) for possible values. Default: `es256`.
+- `private_key`: Private key to use. Default: `es256_private.key`
+- `sign_cert`: Signing certificate to use. Default: `es256_certs.pem`
+- `ta_url`:  Time Authority URL for getting a time-stamp (for example, `http://timestamp.digicert.com`). A time-stamp provides a way to confirm that the manifest was signed when the certificate was valid, even if the certificate has since expired. Howver, the Time Authority URL requires a live online connection for confirmation, which may not always be available.
+
+```json
+{
+    "alg": "es256",
+    "private_key": "es256_private.key",
+    "sign_cert": "es256_certs.pem",
+    "ta_url": "http://timestamp.digicert.com",
+
+    "claim_generator": "TestApp",
+    "assertions": [
+        {
+            "label": "stds.schema-org.CreativeWork",
+            "data": {
+                "@context": "https://schema.org",
+                "@type": "CreativeWork",
+                "author": [
+                    {
+                        "@type": "Person",
+                        "name": "Joe Bloggs"
+                    }
+                ]
+            }
+        }
+    ]
+}
+```
diff --git a/cli/docs/nightly-builds/README.md b/cli/docs/nightly-builds/README.md
new file mode 100644
index 000000000..a045d1338
--- /dev/null
+++ b/cli/docs/nightly-builds/README.md
@@ -0,0 +1,32 @@
+# About c2patool nightly builds
+
+Interim binaries are generated every day around 0530 UTC (i.e. overnight for our US-based team) and are available for roughly two weeks thereafter. These can be helpful for testing purposes.
+
+## Finding nightly builds
+
+Start by clicking on the [Actions](https://github.com/contentauth/c2patool/actions) tab for the repo and then click on the ["Nightly build" entry on the left side](https://github.com/contentauth/c2patool/actions/workflows/nightly.yml).
+
+In this screen, you'll see a history of recent nightly builds, something like this:
+
+![Nightly build runs](./nightly-build-runs.png)
+
+Click on the build description (for example, "Use v2 of rust-cache" in this list). That will lead to a summary screen similar to the following:
+
+![Nightly build summary](./nightly-build-summary.png)
+
+In the **"Artifacts"** section at the bottom are archives containing the `c2patool` binary and relevant sample files.
+
+Note that each build contains a unique build number. If you file a bug against a nightly version, we would very much appreciate it if you would include that version ID:
+
+```
+$ c2patool --version
+c2patool 0.6.2-nightly+2023-08-29-24601f5
+```
+
+This build number contains the date of the nightly version and the commit ID (from `main` branch) that was built.
+
+## Important notes about nightly builds
+
+* CAI team members may occasionally trigger "nightly" builds at other times of the day if there are particularly interesting changes that we need to test.
+* Nightly builds of `c2patool` are built with the latest available nightly build of `c2pa-rs`. Typically this is a snapshot of `c2pa-rs` taken at 0500 UTC (i.e. very shortly before the corresponding `c2patool` build).
+* This repo contains a `nightly` branch which contains the code for the latest build that was triggered (typically the Cargo.toml and Cargo.lock changes). This branch is force-pushed by the nightly build process; you should not rely on its contents and should not target this build for any pull requests.
diff --git a/cli/docs/nightly-builds/nightly-build-runs.png b/cli/docs/nightly-builds/nightly-build-runs.png
new file mode 100644
index 000000000..824f61a84
Binary files /dev/null and b/cli/docs/nightly-builds/nightly-build-runs.png differ
diff --git a/cli/docs/nightly-builds/nightly-build-summary.png b/cli/docs/nightly-builds/nightly-build-summary.png
new file mode 100644
index 000000000..caa784d84
Binary files /dev/null and b/cli/docs/nightly-builds/nightly-build-summary.png differ
diff --git a/cli/docs/project-contributions.md b/cli/docs/project-contributions.md
new file mode 100644
index 000000000..940e80cf5
--- /dev/null
+++ b/cli/docs/project-contributions.md
@@ -0,0 +1,23 @@
+# Contributing
+
+The information in this page is primarily for those who wish to contribute to the c2patool project itself, rather than those who simply wish to use it as a tool.  For general contribution guidelines, see [CONTRIBUTING.md](../CONTRIBUTING.md).
+
+## Building from source
+
+To build the project from source, enter these commands:
+
+```shell
+cargo install c2patool
+```
+
+To build the tool on a Windows machine, you need to install the [7zip](https://www.7-zip.org/) tool.
+
+NOTE: If you encounter errors installing, you may need to update your Rust installation by entering this command:
+
+```
+rustup update
+```
+
+## Nightly builds
+
+Interim binaries are generated every day around 05:30 UTC (overnight for our US-based team) and are available for roughly two weeks thereafter. These can be helpful for testing purposes. For more information, see the documentation on [nightly builds](https://github.com/contentauth/c2patool/tree/main/docs/nightly-builds/README.md).
diff --git a/cli/docs/release-notes.md b/cli/docs/release-notes.md
new file mode 100644
index 000000000..9dec0b442
--- /dev/null
+++ b/cli/docs/release-notes.md
@@ -0,0 +1,74 @@
+# C2PA Tool release notes 
+
+This page highlights noteworthy changes in each release of the `c2patool` CLI.
+
+Refer to the [CHANGELOG](https://github.com/contentauth/c2pa-rs/blob/main/cli/CHANGELOG.md) for detailed Git changes.
+
+## 0.9.x
+
+* Update c2pa-rs for RegionOfInterest support. ([#269](https://github.com/contentauth/c2patool/pull/269))
+* Fix broken link that was causing os site workflow to fail ([#266](https://github.com/contentauth/c2patool/pull/266))
+* Document fragment subcommand ([#236](https://github.com/contentauth/c2patool/pull/236))
+* Initial fragment support ([#230](https://github.com/contentauth/c2patool/pull/230))
+* Add warning about accessing a private key directly ([#218](https://github.com/contentauth/c2patool/pull/218))
+* Update c2patool with c2pa-rs fixes ([#190](https://github.com/contentauth/c2patool/pull/190)):
+    - Merkle trees with empty proofs
+    - Support for missing metadata for Claims object
+    - OCSP fixes
+* Document how to specify an icon ([#182](https://github.com/contentauth/c2patool/pull/182))
+* Add better support for cargo-binstall ([#177](https://github.com/contentauth/c2patool/pull/177))
+* Add HTTP source option for trust config ([#174](https://github.com/contentauth/c2patool/pull/174))
+
+## 0.8.x
+
+* fixed c2patool asset name ([#171](https://github.com/contentauth/c2patool/pull/171))
+* Allow clients to sign with a process outside of c2patool ([#169](https://github.com/contentauth/c2patool/pull/169))
+* Add trust and verification options to c2pa_tool ([#168](https://github.com/contentauth/c2patool/pull/168))
+* Add version to c2patool artifact names ([#158](https://github.com/contentauth/c2patool/pull/158))
+
+## 0.7.x
+
+* Update to c2pa-rs v0.28.2 ([#153](https://github.com/contentauth/c2patool/pull/153))
+* Fix windows release ([#132](https://github.com/contentauth/c2patool/pull/132))
+* Use compress-archive instead of tar ([#130](https://github.com/contentauth/c2patool/pull/130))
+
+## 0.6.0
+
+* Validates 1.3 signatures but will not generate them.
+* Supports other 1.3 features such as actions v2 and ingredients v2.
+* Supports adding `claim_generator_info` to a manifest.
+* Icons for `claim_generator_info` can be added as resource references.
+* The SDK will create v2 actions or ingredients if required, but defaults to v1.
+
+## 0.5.4
+
+NOTE: This release introduced a 1.3 required change in signature format that is not compatible with previous verify code.
+We want to give some time for developers to integrate 1.3 validation before using 1.3 signatures.
+Please avoid using 0.5.4 and update to 0.6.0 which can validate the new format but does not create it.
+
+## 0.5.3
+
+* Fixes a bug where ingredient thumbnails were not generated.
+* You can now pass an `ingredient.json` file or folder using the command line `--parent` option. If a folder is passed as an ingredient, the tool will look for an ingredient.json fle in that folder.
+* Fixes `--parent` is no longer relative to the `--manifest` path
+
+## 0.5.2
+
+* Removes manifest preview feature
+* Tests for similar extensions
+* Adds `.svg` support
+
+## 0.5.1
+
+* Updates the sample certs which had expired
+* Updates to the README for 0.5.0 changes
+
+## 0.5.0
+
+* Adds support for many new file formats, see [supported file formats](https://opensource.contentauthenticity.org/docs/c2patool/#supported-file-formats).
+* Manifests and Ingredients can read and write thumbnail and c2pa resource files.
+* Adds `-i/--ingredient` option to generate an ingredient report or folder.
+* Changes to Manifest Definition:
+    * `ingredients` now requires JSON Ingredient definitions.
+	* `ingredient_paths` accepts file paths, including JSON Ingredient definitions.
+    * `base_path` no longer supported. File paths are relative to the containing JSON file.
diff --git a/cli/docs/usage.md b/cli/docs/usage.md
new file mode 100644
index 000000000..de99e8f7f
--- /dev/null
+++ b/cli/docs/usage.md
@@ -0,0 +1,292 @@
+# Using C2PA Tool
+
+C2PA Tool's command-line syntax is:
+
+```
+c2patool [OPTIONS] <PATH> [COMMAND]
+```
+
+Where:
+- `OPTIONS` is one or more of the command-line options described in following table.
+- `<PATH>` is the (relative or absolute) file path to the asset to read or embed a manifest into.
+- `[COMMAND]` is one of the optional subcommands: `trust`, `fragment`, or `help`.
+
+By default, c2patool writes a JSON representation of C2PA manifests found in the asset to the standard output. 
+
+## Subcommands
+
+The tool supports the following subcommands:
+- `trust` [configures trust support](#configuring-trust-support) for certificates on a "known certificate list." With this subcommand, several additional options are available.
+- `fragment` [adds a manifest to fragmented BMFF content](#adding-a-manifest-to-fragmented-bmff-content).  With this subcommand, one additional option is available.
+- `help` displays command line help information.
+
+## Options
+
+The following options are available with any (or no) subcommand.  Additional options are available with each subcommand.
+
+| CLI&nbsp;option&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Short version | Argument | Description |
+|-----|----|----|----|
+| `--certs` | | N/A | Extract a certificate chain to standard output (stdout). |
+| `--config` | `-c` | `<config>` | Specify a manifest definition as a JSON string. See [Providing a manifest definition on the command line](#providing-a-manifest-definition-on-the-command-line). |
+| `--detailed` | `-d` | N/A | Display detailed C2PA-formatted manifest data. See [Displaying a detailed manifest report](#detailed-manifest-report). |
+| `--force` | `-f` | N/A | Force overwriting output file. See [Forced overwrite](#forced-overwrite). |
+| `--help` | `-h` | N/A | Display CLI help information. |
+| `--info` |  | N/A | Display brief information about the file. |
+| `--ingredient` | `-i` | N/A | Create an Ingredient definition in --output folder. |
+| `--output` | `-o` | `<output_file>` | Path to output folder or file. See [Adding a manifest to an asset file](#adding-a-manifest-to-an-asset-file). |
+| `--manifest` | `-m` | `<manifest_file>` | Specify a manifest file to add to an asset file. See [Adding a manifest to an asset file](#adding-a-manifest-to-an-asset-file).
+| `--no_signing_verify` | None | N/A |  Do not validate the signature after signing an asset, which speeds up signing. See [Speeding up signing](#speeding-up-signing) |
+| `--parent` | `-p` | `<parent_file>` | Path to parent file. See [Specifying a parent file](#specifying-a-parent-file). |
+| `--remote` | `-r` | `<manifest_url>` | URL for remote manifest available over HTTP. See [Generating a remote manifest](#generating-a-remote-manifest)| N/A? |
+| `--reserve-size` | N/A | Only valid with `--signer-path` argument. The amount of memory to reserve for signing. Default: 20000. For more information, see CLI help. |
+| `--sidecar` | `-s` | N/A | Put manifest in external "sidecar" file with `.c2pa` extension. See [Generating an external manifest](#generating-an-external-manifest). |
+| `--signer-path` | N/A | Specify path to command-line executable for signing.  See [Signing claim bytes with your own signer](#signing-claim-bytes-with-your-own-signer). |
+| `--tree` | | N/A | Create a tree diagram of the manifest store. |
+| `--version` | `-V` | N/A | Display version information. |
+
+## Displaying manifest data
+
+To display the manifest associated with an asset file, provide the path to the file as the argument; for example:
+
+```shell
+c2patool sample/C.jpg
+```
+
+The tool displays the manifest JSON to standard output (stdout).
+
+Use the `--output` argument to write the contents of the manifest, (including the manifest's assertion and ingredient thumbnails) to the specified directory.
+
+```shell
+c2patool sample/C.jpg --output ./report
+```
+
+### Detailed manifest report
+
+Use the `-d` option to display a detailed report describing the internal C2PA format of manifests contained in the asset; for example, using one of the example images in the `sample` directory:
+
+```shell
+c2patool sample/C.jpg -d
+```
+
+By default, the tool displays the detailed report to standard output (stdout). If you specify an output folder, the tool saves it to a file named `detailed.json` in that folder.
+
+### Displaying an information report
+
+Use the `--info` option to print a high-level report about the asset file and related C2PA data.
+For a cloud manifest the tool displays the URL to the manifest.
+Displays the size of the manifest store and number of manifests.
+It will report if the manifest validated or show any errors encountered in validation.
+
+
+```shell
+c2patool sample/C.jpg --info
+```
+
+The tool displays the report to standard output (stdout).
+
+## Creating an ingredient from a file
+
+The `--ingredient` option creates an ingredient report.  When used with the `--output` folder, it extracts or creates a thumbnail image and a binary `.c2pa` manifest store containing the C2PA data from the file. The JSON ingredient this produces can be added to a manifest definition to carry the full history and validation record of that asset into a newly-created manifest.
+
+Provide the path to the file as the argument; for example:
+
+```shell
+c2patool sample/C.jpg --ingredient --output ./ingredient
+```
+
+## Adding a manifest to an asset file
+
+Use the `--manifest` / `-m` option to add the C2PA manifest definition file specified in the argument to the asset file to be signed. Specify the output file as the argument to the `--output` / `-o` option. The output extension type must match the source. The tool will not convert between file types. For example:
+
+```shell
+c2patool sample/image.jpg -m sample/test.json -o signed_image.jpg
+```
+
+The tool generates a new manifest using the values given in the file and displays the manifest store to standard output (stdout).
+
+CAUTION: If the output file is the same as the source file, the tool will overwrite the source file.
+
+If the manifest definition file has `private_key` and `sign_cert` fields, then the tool signs the manifest using the private key and certificate they specify, respectively.  Otherwise, the tool uses the built-in test certificate and key, which is suitable ONLY for development and testing.  You can also specify the private key and certificate using environment variables; for more information, see [Creating and using an X.509 certificate](x_509.md). 
+
+**WARNING**: Accessing the private key and signing certificate directly like this is fine during development, but doing so in production may be insecure. Instead use a Key Management Service (KMS) or a hardware security module (HSM) to access the certificate and key; for example as show in the [C2PA Python Example](https://github.com/contentauth/c2pa-python-example).
+
+### Specifying a parent file
+
+A _parent file_ represents the state of the image before the current edits were made.
+
+Specify a parent file as the argument to the `--parent` / `-p` option; for example:
+
+```shell
+c2patool sample/image.jpg -m sample/test.json -p sample/c.jpg -o signed_image.jpg
+```
+
+You can pass an ingredient generated with the `--ingredient` option by giving the folder or ingredient JSON file.
+
+```shell
+c2patool sample/C.jpg --ingredient --output ./ingredient
+
+c2patool sample/image.jpg -m sample/test.json -p ./ingredient -o signed_image.jpg
+```
+
+### Forced overwrite
+
+The tool will return an error if the output file already exists. Use the `--force` / `-f` option to force overwriting the output file. For example:
+
+```shell
+c2patool sample/image.jpg -m sample/test.json -f -o signed_image.jpg
+```
+
+## Generating an external manifest
+
+Use the `--sidecar` / `-s` option to put the manifest in an external sidecar file in the same location as the output file. The manifest will have the same output filename but with a `.c2pa` extension. The tool will copy the output file but the original will be untouched.
+
+```shell
+c2patool sample/image.jpg -s -m sample/test.json -o signed_image.jpg
+```
+## Generating a remote manifest
+
+Use the `--remote` / `-r` option to place an HTTP reference to the manifest in the output file. The manifest is returned as an external sidecar file in the same location as the output file with the same filename but with a `.c2pa` extension. Place the manifest at the location specified by the `-r` option. When using remote manifests the remote URL should be publicly accessible to be most useful to users. When verifying an asset, remote manifests are automatically fetched.
+
+```shell
+c2patool sample/image.jpg -r http://my_server/myasset.c2pa -m sample/test.json -o signed_image.jpg
+```
+
+In the example above, the tool will embed the URL `http://my_server/myasset.c2pa` in `signed_image.jpg` then fetch the manifest from that URL and save it to `signed_image.c2pa`.
+
+If you use both the `-s` and `-r` options, the tool embeds a manifest in the output file and also adds the remote reference.
+
+## Signing claim bytes with your own signer
+
+When generating a manifest, if the private key is not accessible on the system on which you are running the tool, use the `--signer-path` argument to specify the path to an executable that performs signing. 
+This executable receives the claim bytes (the bytes to be signed) from standard input (`stdin`) and outputs the signature bytes to standard output (`stdout`). 
+ 
+ For example, the following command signs the asset's claim bytes by using an executable named `custom-signer`:
+
+```shell
+c2patool sample/image.jpg            \
+    --manifest sample/test.json      \
+    --output sample/signed-image.jpg \
+    --signer-path ./custom-signer    \
+    --reserve-size 20248             \
+    -f
+```
+
+For information on calculating the value of the `--reserve-size` argument, see `c2patool --help`.
+
+## Providing a manifest definition on the command line
+
+To provide the manifest definition in a command line argument instead of a file, use the `--config` / `-c` option.
+
+For example, the following command adds a custom assertion called "org.contentauth.test".
+
+```shell
+c2patool sample/image.jpg \
+  -c '{"assertions": \
+    [{"label": "org.contentauth.test", \
+      "data": {"my_key": "whatever I want"}}]}'
+```
+
+## Speeding up signing
+
+By default, `c2patool` validates the signature immediately after signing a manifest. To disable this and speed up the validation process, use the `--no_signing_verify` option.
+
+## Configuring trust support
+
+Enable trust support by using the `trust` subcommand, as follows:
+
+```
+c2patool [path] trust [OPTIONS]
+```
+
+When the `trust` subcommand is supplied, should c2patool encounter a problem with validating any of the claims in the asset, its JSON output will contain a `validation_status` field whose value is an array of objects, each describing a validation problem.
+
+### Additional options
+
+Several additional CLI options are available with the `trust` sub-command to specify the location of files containing the trust anchors list or known certificate list, as described in the following table. You can also use environment variables to specify these values.
+
+<div class="trust-table" markdown="1">
+
+| Option | Environment variable | Description |
+| ------ | -------------------- | ----------- | 
+| `--trust_anchors` | `C2PATOOL_TRUST_ANCHORS` | URL or relative path to a file containing a list of trust anchors (in PEM format) used to validate the manifest certificate chain. To be valid, the manifest certificate chain must lead to a certificate on the trust list. All certificates in the trust anchor list must have the [Basic Constraints extension](https://docs.digicert.com/en/iot-trust-manager/certificate-templates/create-json-formatted-certificate-templates/extensions/basic-constraints.html) and the CA attribute of this extension must be `True`.  |
+| `--allowed_list` | `C2PATOOL_ALLOWED_LIST` | URL or relative path to a file containing a list of end-entity certificates (in PEM format) to trust. These certificates are used to sign the manifest. Supersedes the `trust_anchors` setting. The list must NOT contain certificates with the [Basic Constraints extension](https://docs.digicert.com/en/iot-trust-manager/certificate-templates/create-json-formatted-certificate-templates/extensions/basic-constraints.html) with the CA attribute `True`. |
+| `--trust_config` | `C2PATOOL_TRUST_CONFIG` | URL or relative path to a file containing the allowed set of custom certificate extended key usages (EKUs). Each entry in the list is an object identifiers in [OID dot notation](http://www.oid-info.com/#oid) format.  |
+
+</div>
+
+For example:
+
+```shell
+c2patool sample/C.jpg trust \
+  --allowed_list sample/allowed_list.pem \
+  --trust_config sample/store.cfg
+```
+
+Another example with URL argument values:
+
+```shell
+c2patool sample/C.jpg trust \
+  --trust_anchors https://server.com/anchors.pem \
+  --trust_config https://server.com/store.cfg
+```
+
+### Using the Verify known certificate list
+
+**IMPORTANT:** The C2PA intends to publish an official trust list. Until that time, the [C2PA Verify tool uses a temporary known certificate list](https://opensource.contentauthenticity.org/docs/verify-known-cert-list). These lists are subject to change, and will be deprecated when C2PA publishes its trust list.
+
+To configure C2PA tool to use the Verify temporary known certificate list, set the following environment variables on your system:
+
+```shell
+export C2PATOOL_TRUST_ANCHORS='https://contentcredentials.org/trust/anchors.pem'
+export C2PATOOL_ALLOWED_LIST='https://contentcredentials.org/trust/allowed.sha256.txt'
+export C2PATOOL_TRUST_CONFIG='https://contentcredentials.org/trust/store.cfg'
+```
+
+**Note:** When these environment variables are set, C2PA Tool will make several HTTP requests each time it  runs. Since these lists may change without notice (and the allowed list may change quite often), check these lists frequently to stay in sync with the Verify site. However, when performing bulk operations, you may want to cache these files locally to avoid a large number of network calls that might affect performance.
+
+You can then run:
+
+```shell
+c2patool sample/C.jpg trust
+```
+
+You can also specify these values as CLI arguments instead:
+
+```shell
+c2patool sample/C.jpg trust \
+  --trust_anchors='https://contentcredentials.org/trust/anchors.pem' \
+  --allowed_list='https://contentcredentials.org/trust/allowed.sha256.txt' \
+  --trust_config='https://contentcredentials.org/trust/store.cfg'
+```
+
+**Note:** This sample image should show a `signingCredential.untrusted` validation status since the test signing certificate used to sign them is not contained on the trust lists above.
+
+## Adding a manifest to fragmented BMFF content
+
+The ISO base media file format (BMFF) is a container file format that defines a structure for files that contain time-based multimedia data such as video and audio.
+
+Add a manifest to a fragmented BMFF file by using the `fragment` subcommand, as follows:
+
+```
+c2patool <PATH | PATTERN> fragment [--fragments_glob]
+```
+
+Where `<PATTERN>` is a [glob pattern](https://en.wikipedia.org/wiki/Glob_(programming)).
+
+For example, to add manifest to a video file:
+
+```
+c2patool -m test2.json -o  /1080p_out \
+  /Downloads/1080p/avc1/init.mp4 \ 
+  fragment --fragments_glob "seg-*[0-9].m4s"
+```
+
+Or to verify a manifest and fragments:
+```
+c2patool  /Downloads/1080p_out/avc1/init.mp4 \
+  fragment --fragments_glob "seg-*[0-9].m4s"
+```
+
+### Additional option
+
+The `--fragments_glob` option is only available with the `fragment` subcommand and specifies the glob pattern to find the fragments of the asset. The path is automatically set to be the same as the "init" segment, so the pattern must match only segment file names, not full paths.
\ No newline at end of file
diff --git a/cli/docs/x_509.md b/cli/docs/x_509.md
new file mode 100644
index 000000000..7b6e12203
--- /dev/null
+++ b/cli/docs/x_509.md
@@ -0,0 +1,31 @@
+# Using an X.509 certificate
+
+The c2patool uses some custom properties in the manifest definition file for signing:
+
+- `private_key`: Path to the private key file.
+- `sign_cert`: Path to the signing certificate file.
+- `alg`: Algorithm to use, if not the default ES256.
+
+Both the private key and signing certificate must be in PEM (privacy-enhanced mail) format. The signing certificate must contain a PEM certificate chain starting with the end-entity certificate used to sign the claim ending with the intermediate certificate before the root CA certificate. 
+
+If the manifest definition file doesn't include the `sign_cert` and `private_key` properties, c2patool uses a built-in certificate and private key.  An example certifcate and private key file are also provided in the [c2patool repo sample folder](https://github.com/contentauth/c2pa-rs/tree/main/cli/sample). 
+
+If you are using a signing algorithm other than the default `es256`, specify it in the manifest definition field `alg` with one of the following values:
+
+- `ps256`
+- `ps384`
+- `ps512`
+- `es256`
+- `es384`
+- `es512`
+- `ed25519`
+
+The specified algorithm must be compatible with the values of private key and signing certificate.  For more information, see [Signing manfiests](https://opensource.contentauthenticity.org/docs/signing-manifests).
+
+Instead of specifying the values in manifest definition file properties, you can put the values of the key and cert chain in two environment variables: `C2PA_PRIVATE_KEY` for the private key and `C2PA_SIGN_CERT` for the public certificates. For example, to sign with ES256 signatures using the content of a private key file and certificate file:
+
+```shell
+set C2PA_PRIVATE_KEY=$(cat my_es256_private_key)
+set C2PA_SIGN_CERT=$(cat my_es256_certs)
+```
+
diff --git a/cli/sample/C.jpg b/cli/sample/C.jpg
new file mode 100644
index 000000000..03934522a
Binary files /dev/null and b/cli/sample/C.jpg differ
diff --git a/cli/sample/allowed_list.pem b/cli/sample/allowed_list.pem
new file mode 100644
index 000000000..6183f7ed7
--- /dev/null
+++ b/cli/sample/allowed_list.pem
@@ -0,0 +1,92 @@
+-----BEGIN CERTIFICATE-----
+MIIChzCCAi6gAwIBAgIUcCTmJHYF8dZfG0d1UdT6/LXtkeYwCgYIKoZIzj0EAwIw
+gYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdoZXJl
+MScwJQYDVQQKDB5DMlBBIFRlc3QgSW50ZXJtZWRpYXRlIFJvb3QgQ0ExGTAXBgNV
+BAsMEEZPUiBURVNUSU5HX09OTFkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAe
+Fw0yMjA2MTAxODQ2NDBaFw0zMDA4MjYxODQ2NDBaMIGAMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNvbWV3aGVyZTEfMB0GA1UECgwWQzJQQSBU
+ZXN0IFNpZ25pbmcgQ2VydDEZMBcGA1UECwwQRk9SIFRFU1RJTkdfT05MWTEUMBIG
+A1UEAwwLQzJQQSBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQPaL6R
+kAkYkKU4+IryBSYxJM3h77sFiMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWky
+l3QGuV/wt0MrAPDoo3gwdjAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsG
+AQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUFznP0y83joiNOCedQkxT
+tAMyNcowHwYDVR0jBBgwFoAUDnyNcma/osnlAJTvtW6A4rYOL2swCgYIKoZIzj0E
+AwIDRwAwRAIgOY/2szXjslg/MyJFZ2y7OH8giPYTsvS7UPRP9GI9NgICIDQPMKrE
+LQUJEtipZ0TqvI/4mieoyRCeIiQtyuS0LACz
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGsDCCBGSgAwIBAgIUfj5imtzP59mXEBNbWkgFaXLfgZkwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjI4WhcNMzAwODI2MTg0NjI4WjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIPADCCAgoCggIBAOtiNSWBpKkHL78khDYV2HTYkVUmTu5dgn20GiUjOjWhAyWK
+5uZL+iuHWmHUOq0xqC39R+hyaMkcIAUf/XcJRK40Jh1s2kJ4+kCk7+RB1n1xeZeJ
+jrKhJ7zCDhH6eFVqO9Om3phcpZyKt01yDkhfIP95GzCILuPm5lLKYI3P0FmpC8zl
+5ctevgG1TXJcX8bNU6fsHmmw0rBrVXUOR+N1MOFO/h++mxIhhLW601XrgYu6lDQD
+IDOc/IxwzEp8+SAzL3v6NStBEYIq2d+alUgEUAOM8EzZsungs0dovMPGcfw7COsG
+4xrdmLHExRau4E1g1ANfh2QsYdraNMtS/wcpI1PG6BkqUQ4zlMoO/CI2nZ5oninb
+uL9x/UJt+a6VvHA0e4bTIcJJVq3/t69mpZtNe6WqDfGU+KLZ5HJSBNSW9KyWxSAU
+FuDFAMtKZRZmTBonKHSjYlYtT+/WN7n/LgFJ2EYxPeFcGGPrVqRTw38g0QA8cyFe
+wHfQBZUiSKdvMRB1zmIj+9nmYsh8ganJzuPaUgsGNVKoOJZHq+Ya3ewBjwslR91k
+QtEGq43PRCvx4Vf+qiXeMCzK+L1Gg0v+jt80grz+y8Ch5/EkxitaH/ei/HRJGyvD
+Zu7vrV6fbWLfWysBoFStHWirQcocYDGsFm9hh7bwM+W0qvNB/hbRQ0xfrMI9AgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBQ3KHUtnyxDJcV9ncAu37sql3aF7jAfBgNV
+HSMEGDAWgBQMMoDK5ZZtTx/7+QsB1qnlDNwA4jBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIBAAmBZubOjnCXIYmg2l1pDYH+XIyp5feayZz6Nhgz6xB7CouNgvcjkYW7EaqN
+RuEkAJWJC68OnjMwwe6tXWQC4ifMKbVg8aj/IRaVAqkEL/MRQ89LnL9F9AGxeugJ
+ulYtpqzFOJUKCPxcXGEoPyqjY7uMdTS14JzluKUwtiQZAm4tcwh/ZdRkt69i3wRq
+VxIY2TK0ncvr4N9cX1ylO6m+GxufseFSO0NwEMxjonJcvsxFwjB8eFUhE0yH3pdD
+gqE2zYfv9kjYkFGngtOqbCe2ixRM5oj9qoS+aKVdOi9m/gObcJkSW9JYAJD2GHLO
+yLpGWRhg4xnn1s7n2W9pWB7+txNR7aqkrUNhZQdznNVdWRGOale4uHJRSPZAetQT
+oYoVAyIX1ba1L/GRo52mOOT67AJhmIVVJJFVvMvvJeQ8ktW8GlxYjG9HHbRpE0S1
+Hv7FhOg0vEAqyrKcYn5JWYGAvEr0VqUqBPz3/QZ8gbmJwXinnUku1QZbGZUIFFIS
+3MDaPXMWmp2KuNMxJXHE1CfaiD7yn2plMV5QZakde3+Kfo6qv2GISK+WYhnGZAY/
+LxtEOqwVrQpDQVJ5jgR/RKPIsOobdboR/aTVjlp7OOfvLxFUvD66zOiVa96fAsfw
+ltU2Cp0uWdQKSLoktmQWLYgEe3QOqvgLDeYP2ScAdm+S+lHV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUeTn90WGAkw2fOJHBNX6EhnB7FZ4wQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjZa
+Fw0zMDA4MjcxODQ2MjZaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAg8AMIICCgKC
+AgEAqlafkrMkDom4SFHQBGwqODnuj+xi7IoCxADsKs9rDjvEB7qK2cj/d7sGhp4B
+vCTu6I+2xUmfz+yvJ/72+HnQvoUGInPp8Rbvb1T3LcfyDcY4WHqJouKNGa4T4ZVN
+u3HdgbaD/S3BSHmBJZvZ6YH0pWDntbNra1WR0KfCsA+jccPfCI3NTVCjEnFlTSdH
+UasJLnh9tMvefk1QDUp3mNd3x7X1FWIZquXOgHxDNVS+GDDWfSN20dwyIDvotleN
+5bOTQb3Pzgg0D/ZxKb/1oiRgIJffTfROITnU0Mk3gUwLzeQHaXwKDR4DIVst7Git
+A4yIIq8xXDvyKlYde6eRY1JV/H0RExTxRgCcXKQrNrUmIPoFSuz05TadQ93A0Anr
+EaPJOaY20mJlHa6bLSecFa/yW1hSf/oNKkjqtIGNV8k6fOfdO6j/ZkxRUI19IcqY
+Ly/IewMFOuowJPay8LCoM0xqI7/yj1gvfkyjl6wHuJ32e17kj1wnmUbg/nvmjvp5
+sPZjIpIXJmeEm2qwvwOtBJN8EFSI4emeIO2NVtQS51RRonazWNuHRKf/hpCXsJpI
+snZhH3mEqQAwKuobDhL+9pNnRag8ssCGLZmLGB0XfSFufMp5/gQyZYj4Q6wUh/OI
+O/1ZYTtQPlnHLyFBVImGlCxvMiDuh2ue7lYyrNuNwDKXMI8CAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFAwygMrllm1P
+H/v5CwHWqeUM3ADiMB8GA1UdIwQYMBaAFEVvG+J0LmYCLXksOfn6Mk2UKxlQMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIBBQCiAwIBIAOCAgEAqkYEUJP1BJLY55B7NWThZ31CiTiEnAUyR3O6
+F2MBWfXMrYEAIG3+vzQpLbbAh2u/3W4tzDiLr9uS7KA9z6ruwUODgACMAHZ7kfT/
+Ze3XSmhezYVZm3c4b/F0K/d92GDAzjgldBiKIkVqTrRSrMyjCyyJ+kR4VOWz8EoF
+vdwvrd0SP+1l9V5ThlmHzQ3cXT1pMpCjj+bw1z7ScZjYdAotOk74jjRXF5Y0HYra
+bGh6tl0sn6WXsYZK27LuQ/iPJrXLVqt/+BKHYtqD73+6dh8PqXG1oXO9KoEOwJpt
+8R9IwGoAj37hFpvZm2ThZ6TKXM0+HpByZamExoCiL2mQWRbKWPSyJjFwXjLScWSB
+IJg1eY45+a3AOwhuSE34alhwooH2qDEuGK7KW1W5V/02jtsbYc2upEfkMzd2AaJb
+2ALDGCwa4Gg6IkEadNBdXvNewG1dFDPOgPiJM9gTGeXMELO9sBpoOvZsoVj2wbVC
++5FFnqm40bPy0zeR99CGjgZBMr4siCLRJybBD8sX6sE0WSx896Q0PlRdS4Wniu+Y
+8QCS293tAyD7tWztko5mdVGfcYYfa2UnHqKlDZOpdMq/rjzXtPVREq+dRKld3KLy
+oqiZiY7ceUPTraAQ3pK535dcX3XA7p9RsGztyl7jma6HO2WmO9a6rGR2xCqW5/g9
+wvq03sA=
+-----END CERTIFICATE-----
diff --git a/cli/sample/es256_certs.pem b/cli/sample/es256_certs.pem
new file mode 100644
index 000000000..f24c51cd2
--- /dev/null
+++ b/cli/sample/es256_certs.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIChzCCAi6gAwIBAgIUcCTmJHYF8dZfG0d1UdT6/LXtkeYwCgYIKoZIzj0EAwIw
+gYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdoZXJl
+MScwJQYDVQQKDB5DMlBBIFRlc3QgSW50ZXJtZWRpYXRlIFJvb3QgQ0ExGTAXBgNV
+BAsMEEZPUiBURVNUSU5HX09OTFkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAe
+Fw0yMjA2MTAxODQ2NDBaFw0zMDA4MjYxODQ2NDBaMIGAMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNvbWV3aGVyZTEfMB0GA1UECgwWQzJQQSBU
+ZXN0IFNpZ25pbmcgQ2VydDEZMBcGA1UECwwQRk9SIFRFU1RJTkdfT05MWTEUMBIG
+A1UEAwwLQzJQQSBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQPaL6R
+kAkYkKU4+IryBSYxJM3h77sFiMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWky
+l3QGuV/wt0MrAPDoo3gwdjAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsG
+AQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUFznP0y83joiNOCedQkxT
+tAMyNcowHwYDVR0jBBgwFoAUDnyNcma/osnlAJTvtW6A4rYOL2swCgYIKoZIzj0E
+AwIDRwAwRAIgOY/2szXjslg/MyJFZ2y7OH8giPYTsvS7UPRP9GI9NgICIDQPMKrE
+LQUJEtipZ0TqvI/4mieoyRCeIiQtyuS0LACz
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICajCCAg+gAwIBAgIUfXDXHH+6GtA2QEBX2IvJ2YnGMnUwCgYIKoZIzj0EAwIw
+dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
+GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
+R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMwMDgy
+NzE4NDY0MFowgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJ
+U29tZXdoZXJlMScwJQYDVQQKDB5DMlBBIFRlc3QgSW50ZXJtZWRpYXRlIFJvb3Qg
+Q0ExGTAXBgNVBAsMEEZPUiBURVNUSU5HX09OTFkxGDAWBgNVBAMMD0ludGVybWVk
+aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHllI4O7a0EkpTYAWfPM
+D6Rnfk9iqhEmCQKMOR6J47Rvh2GGjUw4CS+aLT89ySukPTnzGsMQ4jK9d3V4Aq4Q
+LsOjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQW
+BBQOfI1yZr+iyeUAlO+1boDitg4vazAfBgNVHSMEGDAWgBRembiG4Xgb2VcVWnUA
+UrYpDsuojDAKBggqhkjOPQQDAgNJADBGAiEAtdZ3+05CzFo90fWeZ4woeJcNQC4B
+84Ill3YeZVvR8ZECIQDVRdha1xEDKuNTAManY0zthSosfXcvLnZui1A/y/DYeg==
+-----END CERTIFICATE-----
+
diff --git a/cli/sample/es256_private.key b/cli/sample/es256_private.key
new file mode 100644
index 000000000..5e59fcc5e
--- /dev/null
+++ b/cli/sample/es256_private.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfNJBsaRLSeHizv0m
+GL+gcn78QmtfLSm+n+qG9veC2W2hRANCAAQPaL6RkAkYkKU4+IryBSYxJM3h77sF
+iMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWkyl3QGuV/wt0MrAPDo
+-----END PRIVATE KEY-----
diff --git a/cli/sample/image.jpg b/cli/sample/image.jpg
new file mode 100644
index 000000000..be277a89a
Binary files /dev/null and b/cli/sample/image.jpg differ
diff --git a/cli/sample/ps256.pem b/cli/sample/ps256.pem
new file mode 100644
index 000000000..ed4c7318d
--- /dev/null
+++ b/cli/sample/ps256.pem
@@ -0,0 +1,53 @@
+-----BEGIN PRIVATE KEY-----
+MIIJdwIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZI
+hvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAEggktMIIJKQIBAAKCAgEA62I1JYGk
+qQcvvySENhXYdNiRVSZO7l2CfbQaJSM6NaEDJYrm5kv6K4daYdQ6rTGoLf1H6HJo
+yRwgBR/9dwlErjQmHWzaQnj6QKTv5EHWfXF5l4mOsqEnvMIOEfp4VWo706bemFyl
+nIq3TXIOSF8g/3kbMIgu4+bmUspgjc/QWakLzOXly16+AbVNclxfxs1Tp+weabDS
+sGtVdQ5H43Uw4U7+H76bEiGEtbrTVeuBi7qUNAMgM5z8jHDMSnz5IDMve/o1K0ER
+girZ35qVSARQA4zwTNmy6eCzR2i8w8Zx/DsI6wbjGt2YscTFFq7gTWDUA1+HZCxh
+2to0y1L/BykjU8boGSpRDjOUyg78IjadnmieKdu4v3H9Qm35rpW8cDR7htMhwklW
+rf+3r2alm017paoN8ZT4otnkclIE1Jb0rJbFIBQW4MUAy0plFmZMGicodKNiVi1P
+79Y3uf8uAUnYRjE94VwYY+tWpFPDfyDRADxzIV7Ad9AFlSJIp28xEHXOYiP72eZi
+yHyBqcnO49pSCwY1Uqg4lker5hrd7AGPCyVH3WRC0Qarjc9EK/HhV/6qJd4wLMr4
+vUaDS/6O3zSCvP7LwKHn8STGK1of96L8dEkbK8Nm7u+tXp9tYt9bKwGgVK0daKtB
+yhxgMawWb2GHtvAz5bSq80H+FtFDTF+swj0CAwEAAQKCAgAcfZAaQJVqIiUM2UIp
+e75t8jKxIEhogKgFSBHsEdX/XMRRPH1TPboDn8f4VGRfx0Vof6I/B+4X/ZAAns0i
+pdwKy+QbJqxKZHNB9NTWh4OLPntttKgxheEV71Udpvf+urOQHEAQKBKhnoauWJJS
+/zSyx3lbh/hI/I8/USCbuZ4p5BS6Ec+dLJQKB+ReZcDwArVP+3v45f6yfONknjxk
+UzB97P5EYGFLsgPqrTjcSvusqoI6w3AX3zYQV6zajULoO1nRg0kBOciBPWeOsZrF
+E0SOEXaajrUhquF4ULycY74zPgAH1pcRjuXnCn6ijrs2knRHDj6IiPi1MTk3rQ2S
+U8/jHhyTmHgfMN45RS4d+aeDTTJ7brnpsNQeDCua9nyo9G6CyPQtox93L8EyjsM6
++sI7KzMl4HwKzA7BwkAKIG+h08QqjpNSRoYSkhwapjTX6Izowi8kH4ss0rLVEQYh
+EyjNQYfT+joqFa5pF1pNcmlC24258CLTZHMc/WGq2uD8PzSukbCoIYBBXVEJdiVB
+2sTFpUpQt1wK5PgKLoPVAwD+jwkdsIvvE/1uhLkLSX42w/boEKYGl1kvhx5smAwM
+k7Fiy8YVkniQNHrJ7RFxFG8cfGI/RKl0H09JQUQONh/ERTQ7HNC41UFlQVuW4mG+
++62+EYL580ee8mikUL5XpWSbIQKCAQEA+3fQu899ET2BgzViKvWkyYLs3FRtkvtg
+MUBbMiW+J5cbaWYwN8wHA0lj+xLvInCuE/6Lqe4YOwVilaIBFGl0yXjk9UI2teZX
+HFBmkhhY6UnIAHHlyV2el8Mf2Zf2zy4aEfFn4ZdXhMdYkrWyhBBv/r4zKWAUpknA
+g7dO15Dq0oOpu/4h2TmGGj4nKKH35Q9dXqRjNVKoXNxtJjmVrV6Az0TScys4taIu
+Y0a+7I/+Ms/d+ZshNIQx6ViLdsBU0TLvhnukVO9ExPyyhAFFviS5unISTnzTN3pN
+a06l0h/d2WsFvlWEDdZrpAIfPk3ITVl0mv7XpY1LUVtTlXWhBAjWTQKCAQEA76Av
+Obvgt8v1m/sO/a7A8c+nAWGxOlw76aJLj1ywHG63LGJd9IaHD8glkOs4S3g+VEuN
+G8qFMhRluaY/PFO7wCGCFFR7yRfu/IFCNL63NVsXGYsLseQCRxl05KG8iEFe7JzE
+isfoiPIvgeJiI5yF0rSLIxHRzLmKidwpaKBJxtNy/h1Rvj4xNnDsr8WJkzqxlvq9
+Z6zY/P99IhS1YEZ/6TuDEfUfyC+EsPxw9PCGiTyxumY+IVSEpDdMk7oPT0m4Oson
+ORp5D1D0RDR5UxhGoqVNc0cPOL41Bi/DSmNrVSW6CwIfpEUX/tXDGr4zZrW2z75k
+EpUzkKvXDXBsEHxzsQKCAQEA8D2ogjUZJCZhnAudLLOfahEV3u0d/eUAIi18sq0S
+PNqFCq3g9P2L2Zz80rplEb8a3+k4XvEj3wcnBxNN+sVBGNXRz2ohwKg9osRBKePu
+1XlyhNJLmJRDVnPI8uXWmlpN98Rs3T3sE+MrAIZr9PWLOZFWaXnsYG1naa7vuMwv
+O00kFIEWr2PgdSPZ31zV6tVB+5ALY78DMCw6buFm2MnHP71dXT/2nrhBnwDQmEp8
+rOigBb4p+/UrheXc32eh4HbMFOv8tFQenB9bIPfiPGTzt2cRjEB+vaqvWgw6KUPe
+e79eLleeoGWwUnDgjnJbIWKMHyPGu9gAE8qvUMOfP659pQKCAQBU0AFnEdRruUjp
+OGcJ6vxnmfOmTYmI+nRKMSNFTq0Woyk6EGbo0WSkdVa2gEqgi6Kj+0mqeHfETevj
+VbA0Df759eIwh+Z4Onxf6vAf8xCtVdxLMielguo7eAsjkQtFvr12SdZWuILZVb7y
+3cmWiSPke/pzIy96ooEiYkZVvcXfFaAxyPbRuvl4J2fenrAe6DtLENxRAaCbi2Ii
+2emIdet4BZRSmsvw8sCoU/E3AJrdoBnXu7Bp45w+80OrVcNtcM5AIKTZVUFb5m9O
+ZLQ8cO8vSgqrro74qnniAq3AeofWz0+V7d59KedgTxCLOp6+z7owtVZ+LUje/7NS
+EmRtQV9BAoIBAQDHRD0FCBb8AqZgN5nxjZGNUpLwD09cOfc3PfKtz0U/2PvMKV2e
+ElgAhiwMhOZoHIHnmDmWzqu37lj7gICyeSQyiA3jHSMDHGloOJLCIfKAiZO8gf0O
+w0ptBYvTaMJH/XlVHREoVPxQVnf4Ro87cNCCJ8XjLfzHwnWWCFUxdjqS1kgwb2bs
+dTR8UN2kzXVYL3bi0lUrrIu6uAebzNw/qy29oJ+xhl0g9GVJdNCmr6uX5go+8z0Q
+gDSDvQ6OrLvVYh4nKbM1QcwDZYQCBpd4H+0ZHnUeEpDA7jer4Yzvp9EF9RGZWvc+
+G/dZR0Qj3j0T5F9GX719XpmzYbVFKIKPTsKF
+-----END PRIVATE KEY-----
diff --git a/cli/sample/ps256.pub b/cli/sample/ps256.pub
new file mode 100644
index 000000000..9e6aa6ce4
--- /dev/null
+++ b/cli/sample/ps256.pub
@@ -0,0 +1,113 @@
+-----BEGIN CERTIFICATE-----
+MIIGsDCCBGSgAwIBAgIUfj5imtzP59mXEBNbWkgFaXLfgZkwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjI4WhcNMzAwODI2MTg0NjI4WjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIPADCCAgoCggIBAOtiNSWBpKkHL78khDYV2HTYkVUmTu5dgn20GiUjOjWhAyWK
+5uZL+iuHWmHUOq0xqC39R+hyaMkcIAUf/XcJRK40Jh1s2kJ4+kCk7+RB1n1xeZeJ
+jrKhJ7zCDhH6eFVqO9Om3phcpZyKt01yDkhfIP95GzCILuPm5lLKYI3P0FmpC8zl
+5ctevgG1TXJcX8bNU6fsHmmw0rBrVXUOR+N1MOFO/h++mxIhhLW601XrgYu6lDQD
+IDOc/IxwzEp8+SAzL3v6NStBEYIq2d+alUgEUAOM8EzZsungs0dovMPGcfw7COsG
+4xrdmLHExRau4E1g1ANfh2QsYdraNMtS/wcpI1PG6BkqUQ4zlMoO/CI2nZ5oninb
+uL9x/UJt+a6VvHA0e4bTIcJJVq3/t69mpZtNe6WqDfGU+KLZ5HJSBNSW9KyWxSAU
+FuDFAMtKZRZmTBonKHSjYlYtT+/WN7n/LgFJ2EYxPeFcGGPrVqRTw38g0QA8cyFe
+wHfQBZUiSKdvMRB1zmIj+9nmYsh8ganJzuPaUgsGNVKoOJZHq+Ya3ewBjwslR91k
+QtEGq43PRCvx4Vf+qiXeMCzK+L1Gg0v+jt80grz+y8Ch5/EkxitaH/ei/HRJGyvD
+Zu7vrV6fbWLfWysBoFStHWirQcocYDGsFm9hh7bwM+W0qvNB/hbRQ0xfrMI9AgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBQ3KHUtnyxDJcV9ncAu37sql3aF7jAfBgNV
+HSMEGDAWgBQMMoDK5ZZtTx/7+QsB1qnlDNwA4jBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIBAAmBZubOjnCXIYmg2l1pDYH+XIyp5feayZz6Nhgz6xB7CouNgvcjkYW7EaqN
+RuEkAJWJC68OnjMwwe6tXWQC4ifMKbVg8aj/IRaVAqkEL/MRQ89LnL9F9AGxeugJ
+ulYtpqzFOJUKCPxcXGEoPyqjY7uMdTS14JzluKUwtiQZAm4tcwh/ZdRkt69i3wRq
+VxIY2TK0ncvr4N9cX1ylO6m+GxufseFSO0NwEMxjonJcvsxFwjB8eFUhE0yH3pdD
+gqE2zYfv9kjYkFGngtOqbCe2ixRM5oj9qoS+aKVdOi9m/gObcJkSW9JYAJD2GHLO
+yLpGWRhg4xnn1s7n2W9pWB7+txNR7aqkrUNhZQdznNVdWRGOale4uHJRSPZAetQT
+oYoVAyIX1ba1L/GRo52mOOT67AJhmIVVJJFVvMvvJeQ8ktW8GlxYjG9HHbRpE0S1
+Hv7FhOg0vEAqyrKcYn5JWYGAvEr0VqUqBPz3/QZ8gbmJwXinnUku1QZbGZUIFFIS
+3MDaPXMWmp2KuNMxJXHE1CfaiD7yn2plMV5QZakde3+Kfo6qv2GISK+WYhnGZAY/
+LxtEOqwVrQpDQVJ5jgR/RKPIsOobdboR/aTVjlp7OOfvLxFUvD66zOiVa96fAsfw
+ltU2Cp0uWdQKSLoktmQWLYgEe3QOqvgLDeYP2ScAdm+S+lHV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUeTn90WGAkw2fOJHBNX6EhnB7FZ4wQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjZa
+Fw0zMDA4MjcxODQ2MjZaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAg8AMIICCgKC
+AgEAqlafkrMkDom4SFHQBGwqODnuj+xi7IoCxADsKs9rDjvEB7qK2cj/d7sGhp4B
+vCTu6I+2xUmfz+yvJ/72+HnQvoUGInPp8Rbvb1T3LcfyDcY4WHqJouKNGa4T4ZVN
+u3HdgbaD/S3BSHmBJZvZ6YH0pWDntbNra1WR0KfCsA+jccPfCI3NTVCjEnFlTSdH
+UasJLnh9tMvefk1QDUp3mNd3x7X1FWIZquXOgHxDNVS+GDDWfSN20dwyIDvotleN
+5bOTQb3Pzgg0D/ZxKb/1oiRgIJffTfROITnU0Mk3gUwLzeQHaXwKDR4DIVst7Git
+A4yIIq8xXDvyKlYde6eRY1JV/H0RExTxRgCcXKQrNrUmIPoFSuz05TadQ93A0Anr
+EaPJOaY20mJlHa6bLSecFa/yW1hSf/oNKkjqtIGNV8k6fOfdO6j/ZkxRUI19IcqY
+Ly/IewMFOuowJPay8LCoM0xqI7/yj1gvfkyjl6wHuJ32e17kj1wnmUbg/nvmjvp5
+sPZjIpIXJmeEm2qwvwOtBJN8EFSI4emeIO2NVtQS51RRonazWNuHRKf/hpCXsJpI
+snZhH3mEqQAwKuobDhL+9pNnRag8ssCGLZmLGB0XfSFufMp5/gQyZYj4Q6wUh/OI
+O/1ZYTtQPlnHLyFBVImGlCxvMiDuh2ue7lYyrNuNwDKXMI8CAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFAwygMrllm1P
+H/v5CwHWqeUM3ADiMB8GA1UdIwQYMBaAFEVvG+J0LmYCLXksOfn6Mk2UKxlQMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIBBQCiAwIBIAOCAgEAqkYEUJP1BJLY55B7NWThZ31CiTiEnAUyR3O6
+F2MBWfXMrYEAIG3+vzQpLbbAh2u/3W4tzDiLr9uS7KA9z6ruwUODgACMAHZ7kfT/
+Ze3XSmhezYVZm3c4b/F0K/d92GDAzjgldBiKIkVqTrRSrMyjCyyJ+kR4VOWz8EoF
+vdwvrd0SP+1l9V5ThlmHzQ3cXT1pMpCjj+bw1z7ScZjYdAotOk74jjRXF5Y0HYra
+bGh6tl0sn6WXsYZK27LuQ/iPJrXLVqt/+BKHYtqD73+6dh8PqXG1oXO9KoEOwJpt
+8R9IwGoAj37hFpvZm2ThZ6TKXM0+HpByZamExoCiL2mQWRbKWPSyJjFwXjLScWSB
+IJg1eY45+a3AOwhuSE34alhwooH2qDEuGK7KW1W5V/02jtsbYc2upEfkMzd2AaJb
+2ALDGCwa4Gg6IkEadNBdXvNewG1dFDPOgPiJM9gTGeXMELO9sBpoOvZsoVj2wbVC
++5FFnqm40bPy0zeR99CGjgZBMr4siCLRJybBD8sX6sE0WSx896Q0PlRdS4Wniu+Y
+8QCS293tAyD7tWztko5mdVGfcYYfa2UnHqKlDZOpdMq/rjzXtPVREq+dRKld3KLy
+oqiZiY7ceUPTraAQ3pK535dcX3XA7p9RsGztyl7jma6HO2WmO9a6rGR2xCqW5/g9
+wvq03sA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGezCCBC+gAwIBAgIUDAG5+sfGspprX+hlkn1SuB2f5VQwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjVa
+Fw0zMjA2MDcxODQ2MjVaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
+A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
+A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
+KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
+hkgBZQMEAgEFAKIDAgEgA4ICDwAwggIKAoICAQC4q3t327HRHDs7Y9NR+ZqernwU
+bZ1EiEBR8vKTZ9StXmSfkzgSnvVfsFanvrKuZvFIWq909t/gH2z0klI2ZtChwLi6
+TFYXQjzQt+x5CpRcdWnB9zfUhOpdUHAhRd03Q14H2MyAiI98mqcVreQOiLDydlhP
+Dla7Ign4PqedXBH+NwUCEcbQIEr2LvkZ5fzX1GzBtqymClT/Gqz75VO7zM1oV4gq
+ElFHLsTLgzv5PR7pydcHauoTvFWhZNgz5s3olXJDKG/n3h0M3vIsjn11OXkcwq99
+Ne5Nm9At2tC1w0Huu4iVdyTLNLIAfM368ookf7CJeNrVJuYdERwLwICpetYvOnid
+VTLSDt/YK131pR32XCkzGnrIuuYBm/k6IYgNoWqUhojGJai6o5hI1odAzFIWr9T0
+sa9f66P6RKl4SUqa/9A/uSS8Bx1gSbTPBruOVm6IKMbRZkSNN/O8dgDa1OftYCHD
+blCCQh9DtOSh6jlp9I6iOUruLls7d4wPDrstPefi0PuwsfWAg4NzBtQ3uGdzl/lm
+yusq6g94FVVq4RXHN/4QJcitE9VPpzVuP41aKWVRM3X/q11IH80rtaEQt54QMJwi
+sIv4eEYW3TYY9iQtq7Q7H9mcz60ClJGYQJvd1DR7lA9LtUrnQJIjNY9v6OuHVXEX
+EFoDH0viraraHozMdwIDAQABo2MwYTAdBgNVHQ4EFgQURW8b4nQuZgIteSw5+foy
+TZQrGVAwHwYDVR0jBBgwFoAURW8b4nQuZgIteSw5+foyTZQrGVAwDwYDVR0TAQH/
+BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
+ZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQBB
+WnUOG/EeQoisgC964H5+ns4SDIYFOsNeksJM3WAd0yG2L3CEjUksUYugQzB5hgh4
+BpsxOajrkKIRxXN97hgvoWwbA7aySGHLgfqH1vsGibOlA5tvRQX0WoQ+GMnuliVM
+pLjpHdYE2148DfgaDyIlGnHpc4gcXl7YHDYcvTN9NV5Y4P4x/2W/Lh11NC/VOSM9
+aT+jnFE7s7VoiRVfMN2iWssh2aihecdE9rs2w+Wt/E/sCrVClCQ1xaAO1+i4+mBS
+a7hW+9lrQKSx2bN9c8K/CyXgAcUtutcIh5rgLm2UWOaB9It3iw0NVaxwyAgWXC9F
+qYJsnia4D3AP0TJL4PbpNUaA4f2H76NODtynMfEoXSoG3TYYpOYKZ65lZy3mb26w
+fvBfrlASJMClqdiEFHfGhP/dTAZ9eC2cf40iY3ta84qSJybSYnqst8Vb/Gn+dYI9
+qQm0yVHtJtvkbZtgBK5Vg6f5q7I7DhVINQJUVlWzRo6/Vx+/VBz5tC5aVDdqtBAs
+q6ZcYS50ECvK/oGnVxjpeOafGvaV2UroZoGy7p7bEoJhqOPrW2yZ4JVNp9K6CCRg
+zR6jFN/gUe42P1lIOfcjLZAM1GHixtjP5gLAp6sJS8X05O8xQRBtnOsEwNLj5w0y
+MAdtwAzT/Vfv7b08qfx4FfQPFmtjvdu4s82gNatxSA==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/cli/sample/store.cfg b/cli/sample/store.cfg
new file mode 100644
index 000000000..93415a535
--- /dev/null
+++ b/cli/sample/store.cfg
@@ -0,0 +1,9 @@
+
+//id-kp-emailProtection 
+1.3.6.1.5.5.7.3.4
+//id-kp-documentSigning 
+1.3.6.1.5.5.7.3.36
+//id-kp-timeStamping 
+1.3.6.1.5.5.7.3.8
+//id-kp-OCSPSigning 
+1.3.6.1.5.5.7.3.9
\ No newline at end of file
diff --git a/cli/sample/test.json b/cli/sample/test.json
new file mode 100644
index 000000000..879b56761
--- /dev/null
+++ b/cli/sample/test.json
@@ -0,0 +1,48 @@
+{
+  "alg": "ps256",
+  "private_key": "ps256.pem",
+  "sign_cert": "ps256.pub",
+  "ta_url": "http://timestamp.digicert.com",
+  "claim_generator": "TestApp",
+  "title": "My Title",
+  "assertions": [
+    {
+      "label": "stds.schema-org.CreativeWork",
+      "data": {
+        "@context": "https://schema.org",
+        "@type": "CreativeWork",
+        "author": [
+          {
+            "@type": "Person",
+            "name": "Joe Bloggs"
+          }
+        ]
+      }
+    },
+    {
+      "label": "c2pa.actions",
+      "data": {
+        "actions": [
+          {
+            "action": "c2pa.opened"
+          }
+        ],
+        "metadata": {
+          "reviewRatings": [
+            {
+              "code": "c2pa.unknown",
+              "explanation": "Something untracked happened",
+              "value": 4
+            }
+          ]
+        }
+      }
+    },
+    {
+      "label": "my.assertion",
+      "data": {
+        "any_tag": "whatever I want"
+      }
+    }
+  ]
+}
\ No newline at end of file
diff --git a/cli/sample/trust_anchors.pem b/cli/sample/trust_anchors.pem
new file mode 100644
index 000000000..7ad0efb6b
--- /dev/null
+++ b/cli/sample/trust_anchors.pem
@@ -0,0 +1,54 @@
+-----BEGIN CERTIFICATE-----
+MIICUzCCAfmgAwIBAgIUdmkq4byvgk2FSnddHqB2yjoD68gwCgYIKoZIzj0EAwIw
+dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
+GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
+R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMyMDYw
+NzE4NDY0MFowdzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlT
+b21ld2hlcmUxGjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBG
+T1IgVEVTVElOR19PTkxZMRAwDgYDVQQDDAdSb290IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEre/KpcWwGEHt+mD4xso3xotRnRx2IEsMoYwVIKI7iEJrDEye
+PcvJuBywA0qiMw2yvAvGOzW/fqUTu1jABrFIk6NjMGEwHQYDVR0OBBYEFF6ZuIbh
+eBvZVxVadQBStikOy6iMMB8GA1UdIwQYMBaAFF6ZuIbheBvZVxVadQBStikOy6iM
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gA
+MEUCIHBC1xLwkCWSGhVXFlSnQBx9cGZivXzCbt8BuwRqPSUoAiEAteZQDk685yh9
+jgOTkp4H8oAmM1As+qlkRK2b+CHAQ3k=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGezCCBC+gAwIBAgIUDAG5+sfGspprX+hlkn1SuB2f5VQwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjVa
+Fw0zMjA2MDcxODQ2MjVaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
+A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
+A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
+KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
+hkgBZQMEAgEFAKIDAgEgA4ICDwAwggIKAoICAQC4q3t327HRHDs7Y9NR+ZqernwU
+bZ1EiEBR8vKTZ9StXmSfkzgSnvVfsFanvrKuZvFIWq909t/gH2z0klI2ZtChwLi6
+TFYXQjzQt+x5CpRcdWnB9zfUhOpdUHAhRd03Q14H2MyAiI98mqcVreQOiLDydlhP
+Dla7Ign4PqedXBH+NwUCEcbQIEr2LvkZ5fzX1GzBtqymClT/Gqz75VO7zM1oV4gq
+ElFHLsTLgzv5PR7pydcHauoTvFWhZNgz5s3olXJDKG/n3h0M3vIsjn11OXkcwq99
+Ne5Nm9At2tC1w0Huu4iVdyTLNLIAfM368ookf7CJeNrVJuYdERwLwICpetYvOnid
+VTLSDt/YK131pR32XCkzGnrIuuYBm/k6IYgNoWqUhojGJai6o5hI1odAzFIWr9T0
+sa9f66P6RKl4SUqa/9A/uSS8Bx1gSbTPBruOVm6IKMbRZkSNN/O8dgDa1OftYCHD
+blCCQh9DtOSh6jlp9I6iOUruLls7d4wPDrstPefi0PuwsfWAg4NzBtQ3uGdzl/lm
+yusq6g94FVVq4RXHN/4QJcitE9VPpzVuP41aKWVRM3X/q11IH80rtaEQt54QMJwi
+sIv4eEYW3TYY9iQtq7Q7H9mcz60ClJGYQJvd1DR7lA9LtUrnQJIjNY9v6OuHVXEX
+EFoDH0viraraHozMdwIDAQABo2MwYTAdBgNVHQ4EFgQURW8b4nQuZgIteSw5+foy
+TZQrGVAwHwYDVR0jBBgwFoAURW8b4nQuZgIteSw5+foyTZQrGVAwDwYDVR0TAQH/
+BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
+ZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQBB
+WnUOG/EeQoisgC964H5+ns4SDIYFOsNeksJM3WAd0yG2L3CEjUksUYugQzB5hgh4
+BpsxOajrkKIRxXN97hgvoWwbA7aySGHLgfqH1vsGibOlA5tvRQX0WoQ+GMnuliVM
+pLjpHdYE2148DfgaDyIlGnHpc4gcXl7YHDYcvTN9NV5Y4P4x/2W/Lh11NC/VOSM9
+aT+jnFE7s7VoiRVfMN2iWssh2aihecdE9rs2w+Wt/E/sCrVClCQ1xaAO1+i4+mBS
+a7hW+9lrQKSx2bN9c8K/CyXgAcUtutcIh5rgLm2UWOaB9It3iw0NVaxwyAgWXC9F
+qYJsnia4D3AP0TJL4PbpNUaA4f2H76NODtynMfEoXSoG3TYYpOYKZ65lZy3mb26w
+fvBfrlASJMClqdiEFHfGhP/dTAZ9eC2cf40iY3ta84qSJybSYnqst8Vb/Gn+dYI9
+qQm0yVHtJtvkbZtgBK5Vg6f5q7I7DhVINQJUVlWzRo6/Vx+/VBz5tC5aVDdqtBAs
+q6ZcYS50ECvK/oGnVxjpeOafGvaV2UroZoGy7p7bEoJhqOPrW2yZ4JVNp9K6CCRg
+zR6jFN/gUe42P1lIOfcjLZAM1GHixtjP5gLAp6sJS8X05O8xQRBtnOsEwNLj5w0y
+MAdtwAzT/Vfv7b08qfx4FfQPFmtjvdu4s82gNatxSA==
+-----END CERTIFICATE-----
+
+
diff --git a/cli/schemas/ingredient.json b/cli/schemas/ingredient.json
new file mode 100644
index 000000000..8ad144dec
--- /dev/null
+++ b/cli/schemas/ingredient.json
@@ -0,0 +1,72 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema",
+    "$id": "http://ns.adobe.com/c2patool/ingredient-definition/v1",
+    "type": "object",
+    "description": "Definition format for an ingredient created with c2patool",
+    "examples": [
+        {
+            "title": "C.jpg",
+            "format": "image/jpeg",
+            "instance_id": "xmp:iid:01712cdc-26b8-4902-ad53-1cdbd5370b1b",
+            "relationship": "componentOf",
+            "thumbnail": {
+                "format": "image/jpeg",
+                "identifier": "thumb.jpg"
+            },
+            "active_manifest": "manifest.c2pa"
+        }
+    ],
+    "required": [
+        "title"
+    ],
+    "properties": {
+        "title": {
+            "type": "string",
+            "description": "A human-readable string to be displayed as the title for this Ingredient (generally the file name of the asset)."
+        },
+        "format": {
+            "type": "string",
+            "description": "The MIME content type of the associated ingredient"
+        },
+        "instance_id": {
+            "type": "string",
+            "description": "A unique identifier for the ingredient instance. Often from `xmpMM:InstanceID` in XMP metadata"
+        },
+        "document_id": {
+            "type": "string",
+            "description": "Optionally a copy from `xmpMM:DocumentID` in XMP metadata"
+        },
+        "relationship": {
+            "type": "string",
+            "description": "Either `componentOf`(default) or `parentOf`"
+        },
+        "provenance": {
+            "type": "string",
+            "description": "URI to the associated C2PA manifest. My echo `dcterms:provenance` in XMP metadata."
+        },
+        "hash": {
+            "type": "string",
+            "description": "A hash value of the asset at import, used to deduplicate ingredients"
+        },
+        "thumbnail": {
+            "type": "object",
+            "format": "ResourceReference",
+            "description": "Identifies a thumbnail file with `format` holding MIME type, and `identifier` with a path to the file (relative to Ingredient definition)"
+        },
+        "active_manifest": {
+            "type": "string",
+            "description": "Manifest label of for the most recently added manifest in the manifest store"
+        },
+        "validation_status": {
+            "type": "object",
+            "format": "ValidationStatus",
+            "description": "Validation status record for any issues related to this ingredient or its validation"
+        },
+        "manifest_data": {
+            "type": "object",
+            "format": "ResourceRef",
+            "description": "Identifies a c2pa file the extracted manifest store from an asset with `format` holding MIME type, and `identifier` with a path to the .c2pa file (relative to Ingredient definition)"
+        }
+    },
+    "additionalProperties": false
+}
\ No newline at end of file
diff --git a/cli/schemas/manifest-definition.json b/cli/schemas/manifest-definition.json
new file mode 100644
index 000000000..57eee661c
--- /dev/null
+++ b/cli/schemas/manifest-definition.json
@@ -0,0 +1,103 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema",
+    "$id": "http://ns.adobe.com/c2patool/claim-definition/v1",
+    "type": "object",
+    "description": "Definition format for claim created with c2patool",
+    "examples": [
+        {
+            "alg": "es256",
+            "private_key": "es256_private.key",
+            "sign_cert": "es256_certs.pem",
+            "ta_url": "http://timestamp.digicert.com",
+            "vendor": "myvendor",
+            "claim_generator": "MyApp/0.1",
+            "thumbnail": {
+                "identifier": "thumb.jpg",
+                "format": "image/jpeg"
+            },
+            "ingredients": [
+                {
+                    "title": "A.jpg",
+                    "instanceId": "12345",
+                    "thumbnail": {
+                        "identifier": "A_thumb.jpg",
+                        "format": "image/jpeg"
+                    },
+                    "relationship": "parentOf"
+                }
+            ],
+            "ingredient_paths": [
+                "C.jpg"
+            ],
+            "assertions": [
+                {
+                    "label": "my.assertion",
+                    "data": {
+                        "any_tag": "whatever I want"
+                    }
+                }
+            ]
+        }
+    ],
+    "required": [
+        "assertions"
+    ],
+    "properties": {
+        "vendor": {
+            "type": "string",
+            "description": "Typically an Internet domain name (without the TLD) for the vendor (i.e. `adobe`, `nytimes`). If provided this will be used as a prefix on generated manifest labels."
+        },
+        "claim_generator": {
+            "type": "string",
+            "description": "A UserAgent string that will let a user know what software/hardware/system produced this Manifest - names should not contain spaces (defaults to c2patool)."
+        },
+        "title": {
+            "type": "string",
+            "description": "A human-readable string to be displayed as the title for this Manifest (defaults to the name of the file this manifest was embedded in)."
+        },
+        "credentials": {
+            "type": "object",
+            "description": "An array of W3C verifiable credentials objects defined in the c2pa assertion specification. Section 7."
+        },
+        "thumbnail": {
+            "type": "object",
+            "format": "JSON resource definition",
+            "description": "An object with an identifier field with a file path, and a format with the mime type of that file."
+        },
+        "ingredients": {
+            "type": "array",
+            "format": "Array of JSON ingredients, such as those produced with the --ingredient option",
+            "description": "Ingredients that were used to modify the asset referenced by this Manifest (if any)."
+        },
+        "ingredient_paths": {
+            "type": "array",
+            "format": "Array of local file system paths",
+            "description": "File paths to assets that were used to modify the asset referenced by this Manifest (if any). This may be a JSON Ingredient definition file."
+        },
+        "assertions": {
+            "type": "object",
+            "description": "Objects with label, and data - standard c2pa labels must match values as defined in the c2pa assertion specification."
+        },
+        "alg": {
+            "type": "string",
+            "format": "Local file system path",
+            "description": "Signing algorithm: one of [ ps256 | ps384 | ps512 | es256 | es384 | es512 | ed25519]. Defaults to es256."
+        },
+        "ta_url": {
+            "type": "string",
+            "format": "http URL",
+            "description": "A URL to an RFC3161 compliant Time Stamp Authority. If missing there will no secure timestamp."
+        },
+        "private_key": {
+            "type": "string",
+            "format": "Local file system path",
+            "description": "File path to a private key file."
+        },
+        "sign_cert": {
+            "type": "string",
+            "format": "Local file system path",
+            "description": "File path to signing cert file."
+        }
+    },
+    "additionalProperties": false
+}
\ No newline at end of file
diff --git a/cli/src/callback_signer.rs b/cli/src/callback_signer.rs
new file mode 100644
index 000000000..b07ef6290
--- /dev/null
+++ b/cli/src/callback_signer.rs
@@ -0,0 +1,405 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::{
+    io::Write,
+    path::PathBuf,
+    process::{Command, Stdio},
+};
+
+use anyhow::{bail, Context};
+use c2pa::{Error, Signer, SigningAlg};
+use c2pa_crypto::{
+    raw_signature::{RawSigner, RawSignerError},
+    time_stamp::TimeStampProvider,
+};
+
+use crate::signer::SignConfig;
+
+/// A struct that implements [SignCallback]. This struct will call out to the client provided
+/// external signer to get the signed bytes for the asset.
+pub(crate) struct ExternalProcessRunner {
+    config: CallbackSignerConfig,
+    signer_path: PathBuf,
+}
+
+impl ExternalProcessRunner {
+    pub fn new(config: CallbackSignerConfig, signer_path: PathBuf) -> Self {
+        Self {
+            config,
+            signer_path,
+        }
+    }
+}
+
+impl SignCallback for ExternalProcessRunner {
+    /// Runs the client-provided [Command], passing to it, via stdin, the bytes to be signed. We
+    /// also pass the `reserve-size`, `sign-cert`, and `alg` as CLI arguments to the [Command].
+    fn sign(&self, bytes: &[u8]) -> anyhow::Result<Vec<u8>> {
+        let sign_cert = self
+            .config
+            .sign_cert_path
+            .as_os_str()
+            .to_str()
+            .context("Unable to read sign_certs. Is the sign_cert path valid?")?;
+
+        // Spawn external process provided by the `c2patool` client.
+        let mut child = Command::new(&self.signer_path)
+            .stdin(Stdio::piped())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped())
+            .args(["--reserve-size", &self.config.reserve_size.to_string()])
+            .args(["--alg", &format!("{}", &self.config.alg)])
+            .args(["--sign-cert", sign_cert])
+            .spawn()
+            .context(format!("Failed to run command at {:?}", self.signer_path))?;
+
+        // Write claim bytes to spawned processes' `stdin`.
+        child
+            .stdin
+            .take()
+            .context("Failed to access `stdin` of external process")?
+            .write_all(bytes)
+            .context("Failed to write data to the provided external process")?;
+
+        let output = child
+            .wait_with_output()
+            .context(format!("Failed to read stdout from {:?}", self.signer_path))?;
+
+        if !output.status.success() {
+            bail!(format!(
+                "User supplied signer process failed. It's stderr output was: \n{}",
+                String::from_utf8(output.stderr).unwrap_or_default()
+            ));
+        }
+
+        let bytes = output.stdout;
+        if bytes.is_empty() {
+            bail!("User supplied process succeeded, but the external process did not write signature bytes to stdout");
+        }
+
+        Ok(bytes)
+    }
+}
+
+/// A config containing the required values for signing an asset with an external command.
+#[derive(Clone, Debug)]
+pub(crate) struct CallbackSignerConfig {
+    /// Signing algorithm to use - must match the associated certs
+    ///
+    /// Must be one of [ ps256 | ps384 | ps51024 | es256 | es384 | es51024 | ed25519 ]
+    pub alg: SigningAlg,
+    /// A path to a file containing the signing cert required for signing
+    pub sign_cert_path: PathBuf,
+    /// Size of the claim bytes.
+    pub reserve_size: usize,
+    pub tsa_url: Option<String>,
+}
+
+impl CallbackSignerConfig {
+    /// Constructs a new [CallbackSignerConfig] using a manifest sign config, the name of an
+    /// external process, and the reserve_size.
+    pub fn new(sign_config: &SignConfig, reserve_size: usize) -> anyhow::Result<Self> {
+        let alg = sign_config
+            .alg
+            .clone()
+            .and_then(|alg| alg.parse::<SigningAlg>().ok())
+            .context("Invalid signing algorithm provided")?;
+
+        let sign_cert_path = sign_config
+            .sign_cert
+            .clone()
+            .context("Unable to load the provided sign_cert_path")?;
+
+        Ok(CallbackSignerConfig {
+            alg,
+            sign_cert_path,
+            reserve_size,
+            tsa_url: sign_config.ta_url.clone(),
+        })
+    }
+}
+
+#[cfg_attr(test, mockall::automock)]
+pub(crate) trait SignCallback {
+    /// Method which will be called with the `data` to be signed. Implementors
+    /// should return the signed bytes as an [anyhow::Result].
+    fn sign(&self, data: &[u8]) -> anyhow::Result<Vec<u8>>;
+}
+
+/// A [Signer] implementation that allows clients to provide their own function
+/// to sign the manifest bytes.
+pub(crate) struct CallbackSigner<'a> {
+    callback: Box<dyn SignCallback + 'a>,
+    config: CallbackSignerConfig,
+}
+
+impl<'a> CallbackSigner<'a> {
+    pub fn new(callback: Box<impl SignCallback + 'a>, config: CallbackSignerConfig) -> Self {
+        Self { callback, config }
+    }
+}
+
+impl Signer for CallbackSigner<'_> {
+    fn sign(&self, data: &[u8]) -> c2pa::Result<Vec<u8>> {
+        self.callback.sign(data).map_err(|e| {
+            eprintln!("Unable to embed signature into asset. {}", e);
+            Error::EmbeddingError
+        })
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.config.alg
+    }
+
+    fn certs(&self) -> c2pa::Result<Vec<Vec<u8>>> {
+        let cert_contents = std::fs::read(&self.config.sign_cert_path)
+            .map_err(|_| Error::FileNotFound(format!("{:?}", self.config.sign_cert_path)))?;
+
+        let mut pems = pem::parse_many(cert_contents).map_err(|_| Error::CoseInvalidCert)?;
+        // [pem::parse_many] returns an empty vector if you supply invalid contents, like json, for example.
+        // Check here if the pems vector is empty.
+        if pems.is_empty() {
+            return Err(Error::CoseInvalidCert);
+        }
+
+        let sign_cert = pems
+            .drain(..)
+            .map(|p| p.into_contents())
+            .collect::<Vec<Vec<u8>>>();
+
+        Ok(sign_cert)
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.config.reserve_size
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        self.config.tsa_url.clone()
+    }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for CallbackSigner<'_> {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        self.callback.sign(data).map_err(|e| {
+            eprintln!("Unable to embed signature into asset. {}", e);
+            RawSignerError::InternalError(e.to_string())
+        })
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.config.alg
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        let cert_contents = std::fs::read(&self.config.sign_cert_path)?;
+
+        let mut pems = pem::parse_many(cert_contents).map_err(|_| Error::CoseInvalidCert)?;
+        // [pem::parse_many] returns an empty vector if you supply invalid contents, like json, for example.
+        // Check here if the pems vector is empty.
+        if pems.is_empty() {
+            return Err(RawSignerError::InvalidSigningCredentials(
+                "no certificates provided".to_string(),
+            ));
+        }
+
+        let sign_cert = pems
+            .drain(..)
+            .map(|p| p.into_contents())
+            .collect::<Vec<Vec<u8>>>();
+
+        Ok(sign_cert)
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.config.reserve_size
+    }
+}
+
+impl TimeStampProvider for CallbackSigner<'_> {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.config.tsa_url.clone()
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use anyhow::anyhow;
+
+    use super::*;
+
+    #[test]
+    fn test_signing_succeeds_returns_bytes() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/es256_certs.pem");
+
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let result = vec![1, 2, 3];
+        let expected = result.clone();
+
+        let mut mock_callback_signer = MockSignCallback::default();
+        mock_callback_signer
+            .expect_sign()
+            .returning(move |_| Ok(result.clone()));
+
+        let config = CallbackSignerConfig::new(&sign_config, 1024).unwrap();
+        let callback = Box::new(mock_callback_signer);
+        let signer = CallbackSigner::new(callback, config);
+
+        assert_eq!(Signer::sign(&signer, &[]).unwrap(), expected);
+    }
+
+    #[test]
+    fn test_signing_succeeds_returns_error_embedding() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/es256_certs.pem");
+
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let mut mock_callback_signer = MockSignCallback::default();
+        mock_callback_signer
+            .expect_sign()
+            .returning(|_| Err(anyhow!("")));
+
+        let config = CallbackSignerConfig::new(&sign_config, 1024).unwrap();
+        let callback = Box::new(mock_callback_signer);
+        let signer = CallbackSigner::new(callback, config);
+
+        assert!(matches!(
+            Signer::sign(&signer, &[]),
+            Err(Error::EmbeddingError)
+        ));
+    }
+
+    #[test]
+    fn test_sign_config_to_external_sign_config_fails() {
+        let sign_config = SignConfig::default();
+        assert!(CallbackSignerConfig::new(&sign_config, 1024).is_err());
+    }
+
+    #[test]
+    fn test_sign_config_to_external_sign_config_fails_with_invalid_signing_alg() {
+        let sign_config = SignConfig {
+            alg: Some("invalid_signing_alg".to_owned()),
+            ..Default::default()
+        };
+
+        let result = CallbackSignerConfig::new(&sign_config, 1024);
+        let error = result.err().unwrap();
+        assert_eq!(format!("{error}"), "Invalid signing algorithm provided")
+    }
+
+    #[test]
+    fn test_sign_config_to_external_sign_config_fails_with_missing_sign_certs() {
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: None,
+            ..Default::default()
+        };
+
+        let result = CallbackSignerConfig::new(&sign_config, 1024);
+        let error = result.err().unwrap();
+        assert_eq!(
+            format!("{error}"),
+            "Unable to load the provided sign_cert_path"
+        )
+    }
+
+    #[test]
+    fn test_try_from_succeeds_for_valid_sign_config() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/es256_certs.pem");
+
+        let expected_alg = SigningAlg::Es256;
+        let sign_config = SignConfig {
+            alg: Some(expected_alg.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let expected_reserve_size = 10248;
+        let esc = CallbackSignerConfig::new(&sign_config, expected_reserve_size).unwrap();
+        let callback = Box::<MockSignCallback>::default();
+        let signer = CallbackSigner::new(callback, esc);
+
+        assert_eq!(Signer::alg(&signer), expected_alg);
+        assert_eq!(Signer::reserve_size(&signer), expected_reserve_size);
+    }
+
+    #[test]
+    fn test_callback_signer_error_file_not_found() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/NOT-HERE");
+
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let config = CallbackSignerConfig::new(&sign_config, 10248).unwrap();
+        let callback = Box::<MockSignCallback>::default();
+        let signer = CallbackSigner::new(callback, config);
+
+        assert!(matches!(signer.certs(), Err(Error::FileNotFound(_))));
+    }
+
+    #[test]
+    fn test_callback_signer_error_invalid_cert() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/test.json");
+
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let config = CallbackSignerConfig::new(&sign_config, 1024).unwrap();
+        let callback = Box::<MockSignCallback>::default();
+        let signer = CallbackSigner::new(callback, config);
+
+        assert!(matches!(signer.certs(), Err(Error::CoseInvalidCert)));
+    }
+
+    #[test]
+    fn test_callback_signer_valid_sign_certs() {
+        let mut sign_cert_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        sign_cert_path.push("sample/es256_certs.pem");
+
+        let sign_config = SignConfig {
+            alg: Some(SigningAlg::Es256.to_string()),
+            sign_cert: Some(sign_cert_path),
+            ..Default::default()
+        };
+
+        let config = CallbackSignerConfig::new(&sign_config, 1024).unwrap();
+        let callback = Box::<MockSignCallback>::default();
+        let signer = CallbackSigner::new(callback, config);
+
+        assert_eq!(signer.certs().unwrap().len(), 2);
+    }
+}
diff --git a/cli/src/info.rs b/cli/src/info.rs
new file mode 100644
index 000000000..c0f85f65b
--- /dev/null
+++ b/cli/src/info.rs
@@ -0,0 +1,91 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::{io::Cursor, path::Path};
+
+use anyhow::Result;
+use c2pa::{IngredientOptions, Reader};
+
+/// Display additional C2PA information about the asset (not JSON formatted).
+pub fn info(path: &Path) -> Result<()> {
+    struct Options {}
+    impl IngredientOptions for Options {
+        fn thumbnail(&self, _path: &Path) -> Option<(String, Vec<u8>)> {
+            None
+        }
+    }
+    let ingredient = c2pa::Ingredient::from_file_with_options(path, &Options {})?;
+    println!("Information for {}", ingredient.title().unwrap_or_default());
+    let mut is_cloud_manifest = false;
+    //println!("instanceID = {}", ingredient.instance_id());
+    if let Some(provenance) = ingredient.provenance() {
+        is_cloud_manifest = !provenance.starts_with("self#jumbf=");
+        if is_cloud_manifest {
+            println!("Cloud URL = {provenance}");
+        } else {
+            println!("Provenance URI = {provenance}");
+        }
+    }
+
+    let file_size = std::fs::metadata(path).unwrap().len();
+    if let Some(manifest_data) = ingredient.manifest_data() {
+        if is_cloud_manifest {
+            println!(
+                "Remote manifest store size = {} (file size = {})",
+                manifest_data.len(),
+                file_size
+            );
+        } else {
+            println!(
+                "Manifest store size = {} ({:.2}% of file size {})",
+                manifest_data.len(),
+                (manifest_data.len() as f64 / file_size as f64) * 100f64,
+                file_size
+            );
+        }
+        if let Some(validation_status) = ingredient.validation_status() {
+            println!("Validation issues:");
+            for status in validation_status {
+                println!("   {}", status.code());
+            }
+        } else {
+            println!("Validated");
+        }
+        let reader = Reader::from_stream("c2pa", Cursor::new(manifest_data.into_owned()))?;
+
+        let manifests: Vec<_> = reader.iter_manifests().collect();
+        match manifests.len() {
+            0 => println!("No manifests"),
+            1 => println!("One manifest"),
+            n => println!("{n} manifests"),
+        }
+    } else if is_cloud_manifest {
+        println!("Unable to fetch cloud manifest. (file size = {file_size})");
+    } else {
+        println!("No C2PA Manifests. (file size = {file_size})");
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+pub mod tests {
+    #![allow(clippy::expect_used)]
+
+    use super::*;
+
+    #[test]
+    fn test_manifest_config() {
+        const SOURCE_PATH: &str = "tests/fixtures/C.jpg";
+
+        info(&std::path::PathBuf::from(SOURCE_PATH)).expect("info");
+    }
+}
diff --git a/cli/src/main.rs b/cli/src/main.rs
new file mode 100644
index 000000000..9f973b533
--- /dev/null
+++ b/cli/src/main.rs
@@ -0,0 +1,734 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+#![doc = include_str!("../README.md")]
+
+/// Tool to display and create C2PA manifests
+///
+/// A file path to an asset must be provided. If only the path
+/// is given, this will generate a summary report of any claims
+/// in that file. If a manifest definition JSON file is specified,
+/// the claim will be added to any existing claims.
+use std::{
+    fs::{create_dir_all, remove_dir_all, File},
+    io::Write,
+    path::{Path, PathBuf},
+    str::FromStr,
+};
+
+use anyhow::{anyhow, bail, Context, Result};
+use c2pa::{Builder, ClaimGeneratorInfo, Error, Ingredient, ManifestDefinition, Reader, Signer};
+use clap::{Parser, Subcommand};
+use log::debug;
+use serde::Deserialize;
+use signer::SignConfig;
+use url::Url;
+
+use crate::{
+    callback_signer::{CallbackSigner, CallbackSignerConfig, ExternalProcessRunner},
+    info::info,
+};
+
+mod info;
+mod tree;
+
+mod callback_signer;
+mod signer;
+
+/// Tool for displaying and creating C2PA manifests.
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None, arg_required_else_help(true))]
+struct CliArgs {
+    /// Path to manifest definition JSON file.
+    #[clap(short, long, requires = "output")]
+    manifest: Option<PathBuf>,
+
+    /// Path to output file or folder.
+    #[clap(short, long)]
+    output: Option<PathBuf>,
+
+    /// Path to a parent file.
+    #[clap(short, long)]
+    parent: Option<PathBuf>,
+
+    /// Manifest definition passed as a JSON string.
+    #[clap(short, long, conflicts_with = "manifest")]
+    config: Option<String>,
+
+    /// Display detailed C2PA-formatted manifest data.
+    #[clap(short, long)]
+    detailed: bool,
+
+    /// Force overwrite of output if it already exists.
+    #[clap(short, long)]
+    force: bool,
+
+    /// The path to an asset to examine or embed a manifest into.
+    path: PathBuf,
+
+    /// Embed remote URL manifest reference.
+    #[clap(short, long)]
+    remote: Option<String>,
+
+    /// Generate a sidecar (.c2pa) manifest
+    #[clap(short, long)]
+    sidecar: bool,
+
+    /// Write ingredient report and assets to a folder.
+    #[clap(short, long)]
+    ingredient: bool,
+
+    /// Create a tree diagram of the manifest store.
+    #[clap(long)]
+    tree: bool,
+
+    /// Extract certificate chain.
+    #[clap(long = "certs")]
+    cert_chain: bool,
+
+    /// Do not perform validation of signature after signing
+    #[clap(long = "no_signing_verify")]
+    no_signing_verify: bool,
+
+    #[command(subcommand)]
+    command: Option<Commands>,
+
+    /// Show manifest size, XMP url and other stats.
+    #[clap(long)]
+    info: bool,
+
+    /// Path to an executable that will sign the claim bytes.
+    #[clap(long)]
+    signer_path: Option<PathBuf>,
+
+    /// To be used with the [callback_signer] argument. This value should at least: size of CoseSign1 CBOR +
+    /// the size of certificate chain provided in the manifest definition's `sign_cert` field + the size of the
+    /// signature of the Time Stamp Authority response. A typical size of CoseSign1 CBOR is in the 1-2K range. If
+    /// the reserve size is too small an error will be returned during signing.
+    /// For example:
+    ///
+    /// The reserve-size can be calculated like this if you aren't including a `tsa_url` key in
+    /// your manifest description:
+    ///
+    ///     1024 + sign_cert.len()
+    ///
+    /// Or, if you are including a `tsa_url` in your manifest definition, you will calculate the
+    /// reserve size like this:
+    ///
+    ///     1024 + sign_cert.len() + tsa_signature_response.len()
+    ///
+    /// Note:
+    /// We'll default the `reserve-size` to a value of 20_000, if no value is provided. This
+    /// will probably leave extra `0`s of unused space. Please specify a reserve-size if possible.
+    #[clap(long, default_value("20000"))]
+    reserve_size: usize,
+}
+
+#[derive(Clone, Debug)]
+enum TrustResource {
+    File(PathBuf),
+    Url(Url),
+}
+
+fn parse_resource_string(s: &str) -> Result<TrustResource> {
+    if let Ok(url) = s.parse::<Url>() {
+        Ok(TrustResource::Url(url))
+    } else {
+        let p = PathBuf::from_str(s)?;
+
+        Ok(TrustResource::File(p))
+    }
+}
+
+// We only construct one per invocation, not worth shrinking this.
+#[allow(clippy::large_enum_variant)]
+#[derive(Debug, Subcommand)]
+#[allow(clippy::large_enum_variant)]
+enum Commands {
+    /// Sub-command to configure trust store options, "trust --help for more details"
+    Trust {
+        /// URL or path to file containing list of trust anchors in PEM format
+        #[arg(long = "trust_anchors", env="C2PATOOL_TRUST_ANCHORS", value_parser = parse_resource_string)]
+        trust_anchors: Option<TrustResource>,
+
+        /// URL or path to file containing specific manifest signing certificates in PEM format to implicitly trust
+        #[arg(long = "allowed_list", env="C2PATOOL_ALLOWED_LIST", value_parser = parse_resource_string)]
+        allowed_list: Option<TrustResource>,
+
+        /// URL or path to file containing configured EKUs in Oid dot notation
+        #[arg(long = "trust_config", env="C2PATOOL_TRUST_CONFIG", value_parser = parse_resource_string)]
+        trust_config: Option<TrustResource>,
+    },
+    /// Sub-command to add manifest to fragmented BMFF content
+    ///
+    /// The init path can be a glob to process entire directories of content, for example:
+    ///
+    /// c2patool -m test2.json -o /my_output_folder "/my_renditions/**/my_init.mp4" fragment --fragments_glob "myfile_abc*[0-9].m4s"
+    ///
+    /// Note: the glob patterns are quoted to prevent shell expansion.
+    Fragment {
+        /// Glob pattern to find the fragments of the asset. The path is automatically set to be the same as
+        /// the init segment.
+        ///
+        /// The fragments_glob pattern should only match fragment file names not the full paths (e.g. "myfile_abc*[0-9].m4s"
+        /// to match [myfile_abc1.m4s, myfile_abc2180.m4s, ...] )
+        #[arg(long = "fragments_glob", verbatim_doc_comment)]
+        fragments_glob: Option<PathBuf>,
+    },
+}
+
+#[derive(Debug, Default, Deserialize)]
+// Add fields that are not part of the standard Manifest
+struct ManifestDef {
+    #[serde(flatten)]
+    manifest: ManifestDefinition,
+    // allows adding ingredients with file paths
+    ingredient_paths: Option<Vec<PathBuf>>,
+}
+
+// convert certain errors to output messages
+fn special_errs(e: c2pa::Error) -> anyhow::Error {
+    match e {
+        Error::JumbfNotFound => anyhow!("No claim found"),
+        Error::FileNotFound(name) => anyhow!("File not found: {}", name),
+        Error::UnsupportedType => anyhow!("Unsupported file type"),
+        Error::PrereleaseError => anyhow!("Prerelease claim found"),
+        _ => e.into(),
+    }
+}
+
+// normalize extensions so we can compare them
+fn ext_normal(path: &Path) -> String {
+    let ext = path
+        .extension()
+        .unwrap_or_default()
+        .to_str()
+        .unwrap_or_default()
+        .to_lowercase();
+    match ext.as_str() {
+        "jpeg" => "jpg".to_string(),
+        "tiff" => "tif".to_string(),
+        _ => ext,
+    }
+}
+
+// loads an ingredient, allowing for a folder or json ingredient
+fn load_ingredient(path: &Path) -> Result<Ingredient> {
+    // if the path is a folder, look for ingredient.json
+    let mut path_buf = PathBuf::from(path);
+    let path = if path.is_dir() {
+        path_buf = path_buf.join("ingredient.json");
+        path_buf.as_path()
+    } else {
+        path
+    };
+    if path.extension() == Some(std::ffi::OsStr::new("json")) {
+        let json = std::fs::read_to_string(path)?;
+        let mut ingredient: Ingredient = serde_json::from_slice(json.as_bytes())?;
+        if let Some(base) = path.parent() {
+            ingredient.resources_mut().set_base_path(base);
+        }
+        Ok(ingredient)
+    } else {
+        Ok(Ingredient::from_file(path)?)
+    }
+}
+
+fn load_trust_resource(resource: &TrustResource) -> Result<String> {
+    match resource {
+        TrustResource::File(path) => {
+            let data = std::fs::read_to_string(path)
+                .with_context(|| format!("Failed to read trust resource from path: {:?}", path))?;
+
+            Ok(data)
+        }
+        TrustResource::Url(url) => {
+            let data = reqwest::blocking::get(url.to_string())?
+                .text()
+                .with_context(|| format!("Failed to read trust resource from URL: {}", url))?;
+
+            Ok(data)
+        }
+    }
+}
+
+fn configure_sdk(args: &CliArgs) -> Result<()> {
+    const TA: &str = r#"{"trust": { "trust_anchors": replacement_val } }"#;
+    const AL: &str = r#"{"trust": { "allowed_list": replacement_val } }"#;
+    const TC: &str = r#"{"trust": { "trust_config": replacement_val } }"#;
+    const VS: &str = r#"{"verify": { "verify_after_sign": replacement_val } }"#;
+
+    let mut enable_trust_checks = false;
+
+    if let Some(Commands::Trust {
+        trust_anchors,
+        allowed_list,
+        trust_config,
+    }) = &args.command
+    {
+        if let Some(trust_list) = &trust_anchors {
+            let data = load_trust_resource(trust_list)?;
+            debug!("Using trust anchors from {:?}", trust_list);
+            let replacement_val = serde_json::Value::String(data).to_string(); // escape string
+            let setting = TA.replace("replacement_val", &replacement_val);
+
+            c2pa::settings::load_settings_from_str(&setting, "json")?;
+
+            enable_trust_checks = true;
+        }
+
+        if let Some(allowed_list) = &allowed_list {
+            let data = load_trust_resource(allowed_list)?;
+            debug!("Using allowed list from {:?}", allowed_list);
+            let replacement_val = serde_json::Value::String(data).to_string(); // escape string
+            let setting = AL.replace("replacement_val", &replacement_val);
+
+            c2pa::settings::load_settings_from_str(&setting, "json")?;
+
+            enable_trust_checks = true;
+        }
+
+        if let Some(trust_config) = &trust_config {
+            let data = load_trust_resource(trust_config)?;
+            debug!("Using trust config from {:?}", trust_config);
+            let replacement_val = serde_json::Value::String(data).to_string(); // escape string
+            let setting = TC.replace("replacement_val", &replacement_val);
+
+            c2pa::settings::load_settings_from_str(&setting, "json")?;
+
+            enable_trust_checks = true;
+        }
+    }
+
+    // if any trust setting is provided enable the trust checks
+    if enable_trust_checks {
+        c2pa::settings::load_settings_from_str(r#"{"verify": { "verify_trust": true} }"#, "json")?;
+    } else {
+        c2pa::settings::load_settings_from_str(r#"{"verify": { "verify_trust": false} }"#, "json")?;
+    }
+
+    // enable or disable verification after signing
+    {
+        let replacement_val = serde_json::Value::Bool(!args.no_signing_verify).to_string();
+        let setting = VS.replace("replacement_val", &replacement_val);
+
+        c2pa::settings::load_settings_from_str(&setting, "json")?;
+    }
+
+    Ok(())
+}
+
+fn sign_fragmented(
+    builder: &mut Builder,
+    signer: &dyn Signer,
+    init_pattern: &Path,
+    frag_pattern: &PathBuf,
+    output_path: &Path,
+) -> Result<()> {
+    // search folders for init segments
+    let ip = init_pattern.to_str().ok_or(c2pa::Error::OtherError(
+        "could not parse source pattern".into(),
+    ))?;
+    let inits = glob::glob(ip).context("could not process glob pattern")?;
+    let mut count = 0;
+    for init in inits {
+        match init {
+            Ok(p) => {
+                let mut fragments = Vec::new();
+                let init_dir = p.parent().context("init segment had no parent dir")?;
+                let seg_glob = init_dir.join(frag_pattern); // segment match pattern
+
+                // grab the fragments that go with this init segment
+                let seg_glob_str = seg_glob.to_str().context("fragment path not valid")?;
+                let seg_paths = glob::glob(seg_glob_str).context("fragment glob not valid")?;
+                for seg in seg_paths {
+                    match seg {
+                        Ok(f) => fragments.push(f),
+                        Err(_) => return Err(anyhow!("fragment path not valid")),
+                    }
+                }
+
+                println!("Adding manifest to: {:?}", p);
+                let new_output_path =
+                    output_path.join(init_dir.file_name().context("invalid file name")?);
+                builder.sign_fragmented_files(signer, &p, &fragments, &new_output_path)?;
+
+                count += 1;
+            }
+            Err(_) => bail!("bad path to init segment"),
+        }
+    }
+    if count == 0 {
+        println!("No files matching pattern: {}", ip);
+    }
+    Ok(())
+}
+
+fn verify_fragmented(init_pattern: &Path, frag_pattern: &Path) -> Result<Vec<Reader>> {
+    let mut readers = Vec::new();
+
+    let ip = init_pattern
+        .to_str()
+        .context("could not parse source pattern")?;
+    let inits = glob::glob(ip).context("could not process glob pattern")?;
+    let mut count = 0;
+
+    // search folders for init segments
+    for init in inits {
+        match init {
+            Ok(p) => {
+                let mut fragments = Vec::new();
+                let init_dir = p.parent().context("init segment had no parent dir")?;
+                let seg_glob = init_dir.join(frag_pattern); // segment match pattern
+
+                // grab the fragments that go with this init segment
+                let seg_glob_str = seg_glob.to_str().context("fragment path not valid")?;
+                let seg_paths = glob::glob(seg_glob_str).context("fragment glob not valid")?;
+                for seg in seg_paths {
+                    match seg {
+                        Ok(f) => fragments.push(f),
+                        Err(_) => return Err(anyhow!("fragment path not valid")),
+                    }
+                }
+
+                println!("Verifying manifest: {:?}", p);
+                let reader = Reader::from_fragmented_files(p, &fragments)?;
+                if let Some(vs) = reader.validation_status() {
+                    if let Some(e) = vs.iter().find(|v| !v.passed()) {
+                        eprintln!("Error validating segments: {:?}", e);
+                        return Ok(readers);
+                    }
+                }
+
+                readers.push(reader);
+
+                count += 1;
+            }
+            Err(_) => bail!("bad path to init segment"),
+        }
+    }
+
+    if count == 0 {
+        println!("No files matching pattern: {}", ip);
+    }
+
+    Ok(readers)
+}
+
+fn main() -> Result<()> {
+    let args = CliArgs::parse();
+
+    // set RUST_LOG=debug to get detailed debug logging
+    if std::env::var("RUST_LOG").is_err() {
+        std::env::set_var("RUST_LOG", "error");
+    }
+    env_logger::init();
+
+    let path = &args.path;
+
+    if args.info {
+        return info(path);
+    }
+
+    if args.cert_chain {
+        let reader = Reader::from_file(path).map_err(special_errs)?;
+        if let Some(manifest) = reader.active_manifest() {
+            if let Some(si) = manifest.signature_info() {
+                println!("{}", si.cert_chain());
+                // todo: add ocsp validation info
+                return Ok(());
+            }
+        }
+        bail!("No certificate chain found");
+    }
+
+    if args.tree {
+        println!("{}", tree::tree(path)?);
+        return Ok(());
+    }
+
+    let is_fragment = matches!(
+        &args.command,
+        Some(Commands::Fragment { fragments_glob: _ })
+    );
+
+    // configure the SDK
+    configure_sdk(&args).context("Could not configure c2pa-rs")?;
+
+    // Remove manifest needs to also remove XMP provenance
+    // if args.remove_manifest {
+    //     match args.output {
+    //         Some(output) => {
+    //             if output.exists() && !args.force {
+    //                 bail!("Output already exists, use -f/force to force write");
+    //             }
+    //             if path != &output {
+    //                 std::fs::copy(path, &output)?;
+    //             }
+    //             Manifest::remove_manifest(&output)?
+    //         },
+    //         None => {
+    //             bail!("The -o/--output argument is required for this operation");
+    //         }
+    //     }
+    //     return Ok(());
+    // }
+
+    // if we have a manifest config, process it
+    if args.manifest.is_some() || args.config.is_some() {
+        // read the json from file or config, and get base path if from file
+        let (json, base_path) = match args.manifest.as_deref() {
+            Some(manifest_path) => {
+                let base_path = std::fs::canonicalize(manifest_path)?
+                    .parent()
+                    .map(|p| p.to_path_buf());
+                (std::fs::read_to_string(manifest_path)?, base_path)
+            }
+            None => (
+                args.config.unwrap_or_default(),
+                std::env::current_dir().ok(),
+            ),
+        };
+
+        // read the signing information from the manifest definition
+        let mut sign_config = SignConfig::from_json(&json)?;
+
+        // read the manifest information
+        let manifest_def: ManifestDef = serde_json::from_slice(json.as_bytes())?;
+        let mut builder = Builder::from_json(&json)?;
+        let mut manifest = manifest_def.manifest;
+
+        // add claim_tool generator so we know this was created using this tool
+        let mut tool_generator = ClaimGeneratorInfo::new(env!("CARGO_PKG_NAME"));
+        tool_generator.set_version(env!("CARGO_PKG_VERSION"));
+        if !manifest.claim_generator_info.is_empty()
+            || manifest.claim_generator_info[0].name == "c2pa-rs"
+        {
+            manifest.claim_generator_info = vec![tool_generator];
+        } else {
+            manifest.claim_generator_info.insert(1, tool_generator);
+        }
+        println!("claim generator {:?}", manifest.claim_generator_info);
+        // set manifest base path before ingredients so ingredients can override it
+        if let Some(base) = base_path.as_ref() {
+            builder.base_path = Some(base.clone());
+            sign_config.set_base_path(base);
+        }
+
+        // Add any ingredients specified as file paths
+        if let Some(paths) = manifest_def.ingredient_paths {
+            for mut path in paths {
+                // ingredient paths are relative to the manifest path
+                if let Some(base) = &base_path {
+                    if !(path.is_absolute()) {
+                        path = base.join(&path)
+                    }
+                }
+                let ingredient = load_ingredient(&path)?;
+                builder.add_ingredient(ingredient);
+            }
+        }
+
+        if let Some(parent_path) = args.parent {
+            let mut ingredient = load_ingredient(&parent_path)?;
+            ingredient.set_is_parent();
+            builder.add_ingredient(ingredient);
+        }
+
+        // If the source file has a manifest store, and no parent is specified treat the source as a parent.
+        // note: This could be treated as an update manifest eventually since the image is the same
+        let has_parent = builder.definition.ingredients.iter().any(|i| i.is_parent());
+        if !has_parent && !is_fragment {
+            let mut source_ingredient = Ingredient::from_file(&args.path)?;
+            if source_ingredient.manifest_data().is_some() {
+                source_ingredient.set_is_parent();
+                builder.add_ingredient(source_ingredient);
+            }
+        }
+
+        if let Some(remote) = args.remote {
+            if args.sidecar {
+                builder.set_no_embed(true);
+                builder.set_remote_url(remote);
+            } else {
+                builder.set_remote_url(remote);
+            }
+        } else if args.sidecar {
+            builder.set_no_embed(true);
+        }
+
+        let signer = if let Some(signer_process_name) = args.signer_path {
+            let cb_config = CallbackSignerConfig::new(&sign_config, args.reserve_size)?;
+
+            let process_runner = Box::new(ExternalProcessRunner::new(
+                cb_config.clone(),
+                signer_process_name,
+            ));
+            let signer = CallbackSigner::new(process_runner, cb_config);
+
+            Box::new(signer)
+        } else {
+            sign_config.signer()?
+        };
+
+        if let Some(output) = args.output {
+            // fragmented embedding
+            if let Some(Commands::Fragment { fragments_glob }) = &args.command {
+                if output.exists() && !output.is_dir() {
+                    bail!("Output cannot point to existing file, must be a directory");
+                }
+
+                if let Some(fg) = &fragments_glob {
+                    return sign_fragmented(&mut builder, signer.as_ref(), &args.path, fg, &output);
+                } else {
+                    bail!("fragments_glob must be set");
+                }
+            } else {
+                if ext_normal(&output) != ext_normal(&args.path) {
+                    bail!("Output type must match source type");
+                }
+                if output.exists() && !args.force {
+                    bail!("Output already exists, use -f/force to force write");
+                }
+
+                if output.file_name().is_none() {
+                    bail!("Missing filename on output");
+                }
+                if output.extension().is_none() {
+                    bail!("Missing extension output");
+                }
+
+                #[allow(deprecated)] // todo: remove when we can
+                builder
+                    .sign_file(signer.as_ref(), &args.path, &output)
+                    .context("embedding manifest")?;
+
+                // generate a report on the output file
+                let reader = Reader::from_file(&output).map_err(special_errs)?;
+                if args.detailed {
+                    println!("{:#?}", reader);
+                } else {
+                    println!("{}", reader)
+                }
+            }
+        } else {
+            bail!("Output path required with manifest definition")
+        }
+    } else if args.parent.is_some() || args.sidecar || args.remote.is_some() {
+        bail!("Manifest definition required with these options or flags")
+    } else if let Some(output) = args.output {
+        if output.is_file() || output.extension().is_some() {
+            bail!("Output must be a folder for this option.")
+        }
+        if output.exists() {
+            if args.force {
+                remove_dir_all(&output)?;
+            } else {
+                bail!("Output already exists, use -f/force to force write");
+            }
+        }
+        create_dir_all(&output)?;
+        if args.ingredient {
+            let report = Ingredient::from_file_with_folder(&args.path, &output)
+                .map_err(special_errs)?
+                .to_string();
+            File::create(output.join("ingredient.json"))?.write_all(&report.into_bytes())?;
+            println!("Ingredient report written to the directory {:?}", &output);
+        } else {
+            let reader = Reader::from_file(&args.path).map_err(special_errs)?;
+            reader.to_folder(&output)?;
+            let report = reader.to_string();
+            if args.detailed {
+                // for a detailed report first call the above to generate the thumbnails
+                // then call this to add the detailed report
+                let detailed = format!(
+                    "{:#?}",
+                    Reader::from_file(&args.path).map_err(special_errs)?
+                );
+                File::create(output.join("detailed.json"))?.write_all(&detailed.into_bytes())?;
+            }
+            File::create(output.join("manifest_store.json"))?.write_all(&report.into_bytes())?;
+            println!("Manifest report written to the directory {:?}", &output);
+        }
+    } else if args.ingredient {
+        println!(
+            "{}",
+            Ingredient::from_file(&args.path).map_err(special_errs)?
+        )
+    } else if args.detailed {
+        println!(
+            "{:#?}",
+            Reader::from_file(&args.path).map_err(special_errs)?
+        )
+    } else if let Some(Commands::Fragment {
+        fragments_glob: Some(fg),
+    }) = &args.command
+    {
+        let stores = verify_fragmented(&args.path, fg)?;
+        if stores.len() == 1 {
+            println!("{}", stores[0]);
+        } else {
+            println!("{} Init manifests validated", stores.len());
+        }
+    } else {
+        println!("{}", Reader::from_file(&args.path).map_err(special_errs)?)
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+pub mod tests {
+    #![allow(clippy::unwrap_used)]
+
+    use super::*;
+
+    const CONFIG: &str = r#"{
+        "alg": "es256",
+        "private_key": "es256_private.key",
+        "sign_cert": "es256_certs.pem",
+        "ta_url": "http://timestamp.digicert.com",
+        "assertions": [
+            {
+                "label": "org.contentauth.test",
+                 "data": {"my_key": "whatever I want"}
+            }
+        ]
+    }"#;
+
+    #[test]
+    fn test_manifest_config() {
+        const SOURCE_PATH: &str = "tests/fixtures/earth_apollo17.jpg";
+        const OUTPUT_PATH: &str = "target/tmp/unit_out.jpg";
+        create_dir_all("target/tmp").expect("create_dir");
+        std::fs::remove_file(OUTPUT_PATH).ok(); // remove output file if it exists
+        let mut builder = Builder::from_json(CONFIG).expect("from_json");
+
+        let signer = SignConfig::from_json(CONFIG)
+            .unwrap()
+            .set_base_path("sample")
+            .signer()
+            .expect("get_signer");
+
+        #[allow(deprecated)] // todo: remove when we can
+        let _result = builder
+            .sign_file(signer.as_ref(), SOURCE_PATH, OUTPUT_PATH)
+            .expect("embed");
+
+        let ms = Reader::from_file(OUTPUT_PATH)
+            .expect("from_file")
+            .to_string();
+        println!("{}", ms);
+        //let ms = report_from_path(&OUTPUT_PATH, false).expect("report_from_path");
+        assert!(ms.contains("my_key"));
+    }
+}
diff --git a/cli/src/signer.rs b/cli/src/signer.rs
new file mode 100644
index 000000000..339ed4cc6
--- /dev/null
+++ b/cli/src/signer.rs
@@ -0,0 +1,151 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::{
+    env,
+    path::{Path, PathBuf},
+};
+
+use anyhow::{Context, Result};
+use c2pa::{create_signer, Signer, SigningAlg};
+use serde::Deserialize;
+
+// Pull in default certs so the binary can self config
+const DEFAULT_CERTS: &[u8] = include_bytes!("../sample/es256_certs.pem");
+const DEFAULT_KEY: &[u8] = include_bytes!("../sample/es256_private.key");
+
+pub fn get_ta_url() -> Option<String> {
+    std::env::var("C2PA_TA_URL").ok()
+}
+#[derive(Debug, Default, Deserialize)]
+pub struct SignConfig {
+    /// Signing algorithm to use - must match the associated certs
+    ///
+    /// Must be one of [ ps256 | ps384 | ps512 | es256 | es384 | es512 | ed25519 ]
+    /// Defaults to es256
+    pub alg: Option<String>,
+    /// A path to a file containing the private key required for signing
+    pub private_key: Option<PathBuf>,
+    /// A path to a file containing the signing cert required for signing
+    pub sign_cert: Option<PathBuf>,
+    /// A Url to a Time Authority to use when signing the manifest
+    pub ta_url: Option<String>,
+}
+
+impl SignConfig {
+    pub fn from_json(json: &str) -> Result<Self> {
+        serde_json::from_str(json).context("reading manifest configuration")
+    }
+
+    // set a base for all non-absolute paths
+    pub fn set_base_path<P: AsRef<Path>>(&mut self, base: P) -> &Self {
+        if let Some(path) = self.private_key.as_ref() {
+            if !path.is_absolute() {
+                self.private_key = Some(base.as_ref().join(path));
+            }
+        }
+        if let Some(path) = self.sign_cert.as_ref() {
+            if !path.is_absolute() {
+                self.sign_cert = Some(base.as_ref().join(path));
+            }
+        }
+        self
+    }
+
+    pub fn signer(&self) -> Result<Box<dyn Signer>> {
+        let alg = self.alg.as_deref().unwrap_or("es256").to_lowercase();
+        let alg: SigningAlg = alg.parse().map_err(|_| c2pa::Error::UnsupportedType)?;
+        let tsa_url = self.ta_url.clone().or_else(get_ta_url);
+
+        let mut private_key = None;
+        let mut sign_cert = None;
+
+        if let Some(path) = self.private_key.as_deref() {
+            private_key =
+                Some(std::fs::read(path).context(format!("Reading private key: {:?}", &path))?);
+        }
+
+        if private_key.is_none() {
+            if let Ok(key) = env::var("C2PA_PRIVATE_KEY") {
+                private_key = Some(key.as_bytes().to_vec());
+            }
+        };
+
+        if let Some(path) = self.sign_cert.as_deref() {
+            sign_cert =
+                Some(std::fs::read(path).context(format!("Reading sign cert: {:?}", &path))?);
+        }
+
+        if sign_cert.is_none() {
+            if let Ok(cert) = env::var("C2PA_SIGN_CERT") {
+                sign_cert = Some(cert.as_bytes().to_vec());
+            }
+        };
+
+        if let Some(private_key) = private_key {
+            if let Some(sign_cert) = sign_cert {
+                let signer = create_signer::from_keys(&sign_cert, &private_key, alg, tsa_url)
+                    .context("Invalid certification data")?;
+                return Ok(signer);
+            }
+        }
+
+        eprintln!(
+            "\n\n-----------\n\n\
+            Note: Using default private key and signing certificate. This is only valid for development.\n\
+            A permanent key and cert should be provided in the manifest definition or in the environment variables.\n");
+
+        let signer = create_signer::from_keys(DEFAULT_CERTS, DEFAULT_KEY, alg, tsa_url)
+            .context("Invalid certification data")?;
+
+        Ok(signer)
+    }
+}
+
+#[cfg(test)]
+pub mod tests {
+    #![allow(clippy::unwrap_used)]
+
+    use super::*;
+    const CONFIG: &str = r#"{    
+        "alg": "es256",
+        "private_key": "es256_private.key",
+        "sign_cert": "es256_certs.pem",
+        "ta_url": "http://timestamp.digicert.com"
+    }"#;
+
+    #[test]
+    fn test_sign_config() {
+        let mut sign_config = SignConfig::from_json(CONFIG).expect("from_json");
+        sign_config.set_base_path("sample");
+
+        let signer = sign_config.signer().expect("get signer");
+        assert_eq!(signer.alg(), SigningAlg::Es256);
+    }
+
+    #[test]
+    fn test_sign_default() {
+        let sign_config = SignConfig::default();
+
+        let signer = sign_config.signer().expect("get signer");
+        assert_eq!(signer.alg(), SigningAlg::Es256);
+    }
+
+    #[test]
+    fn test_sign_from() {
+        let sign_config = SignConfig::default();
+
+        let signer = sign_config.signer().expect("get signer");
+        assert_eq!(signer.alg(), SigningAlg::Es256);
+    }
+}
diff --git a/cli/src/tree.rs b/cli/src/tree.rs
new file mode 100644
index 000000000..d0e58b206
--- /dev/null
+++ b/cli/src/tree.rs
@@ -0,0 +1,107 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::path::Path;
+
+use atree::{Arena, Token};
+use c2pa::{Reader, Result};
+use treeline::Tree;
+
+fn populate_node(
+    tree: &mut Arena<String>,
+    reader: &Reader,
+    manifest_label: &str,
+    current_token: &Token,
+    name_only: bool,
+) -> Result<()> {
+    if let Some(manifest) = reader.get_manifest(manifest_label) {
+        for assertion in manifest.assertions().iter() {
+            let label = assertion.label_with_instance();
+            current_token.append(tree, format!("Assertion:{label}"));
+        }
+
+        for ingredient in manifest.ingredients().iter() {
+            let title = ingredient.title().unwrap_or("Untitled");
+            if let Some(label) = ingredient.active_manifest() {
+                // create new node
+                let data = if name_only {
+                    format!("{}_{}", title, label)
+                } else {
+                    format!("Asset:{}, Manifest:{}", title, label)
+                };
+
+                let new_token = current_token.append(tree, data);
+
+                populate_node(tree, reader, label, &new_token, name_only)?;
+            } else {
+                let data = if name_only {
+                    title.to_string()
+                } else {
+                    format!("Asset:{title}")
+                };
+                current_token.append(tree, data);
+            }
+        }
+    }
+    Ok(())
+}
+
+fn walk_tree(tree: &Arena<String>, token: &Token) -> Tree<String> {
+    let result = token.children_tokens(tree).fold(
+        Tree::root(tree[*token].data.clone()),
+        |mut root, entry_token| {
+            if entry_token.is_leaf(tree) {
+                root.push(Tree::root(tree[entry_token].data.clone()));
+            } else {
+                root.push(walk_tree(tree, &entry_token));
+            }
+            root
+        },
+    );
+
+    result
+}
+
+/// Prints tree view of manifest store
+pub fn tree<P: AsRef<Path>>(path: P) -> Result<String> {
+    let os_filename = path
+        .as_ref()
+        .file_name()
+        .ok_or_else(|| crate::Error::BadParam("bad filename".to_string()))?;
+    let asset_name = os_filename.to_string_lossy().into_owned();
+
+    let reader = Reader::from_file(path)?;
+
+    // walk through the manifests and show the contents
+    Ok(if let Some(manifest_label) = reader.active_label() {
+        let data = format!("Asset:{}, Manifest:{}", asset_name, manifest_label);
+        let (mut tree, root_token) = Arena::with_data(data);
+        populate_node(&mut tree, &reader, manifest_label, &root_token, false)?;
+        // print tree
+        format!("Tree View:\n {}", walk_tree(&tree, &root_token))
+    } else {
+        format!("Tree View:\n Asset:{asset_name}")
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_tree() -> Result<()> {
+        let result = tree("tests/fixtures/C.jpg")?;
+        assert!(result.contains("Tree View:"));
+        assert!(result.contains("Assertion:c2pa.actions"));
+        Ok(())
+    }
+}
diff --git a/cli/tests/fixtures/C.jpg b/cli/tests/fixtures/C.jpg
new file mode 100644
index 000000000..0a0c6dc8f
Binary files /dev/null and b/cli/tests/fixtures/C.jpg differ
diff --git a/cli/tests/fixtures/do_not_train.json b/cli/tests/fixtures/do_not_train.json
new file mode 100644
index 000000000..8897867d5
--- /dev/null
+++ b/cli/tests/fixtures/do_not_train.json
@@ -0,0 +1,23 @@
+{
+    "ta_url": "http://timestamp.digicert.com",
+    
+    "claim_generator": "TestApp/0.0.1",
+    "claim_generator_info": [{
+        "name": "Test App",
+        "version": "0.0.1"
+    }],
+    "assertions": [
+        {
+            "label": "c2pa.training-mining",
+            "data": {
+                "entries": {
+                    "c2pa.ai_generative_training": { "use": "notAllowed" },
+                    "c2pa.ai_inference": { "use": "notAllowed" },
+                    "c2pa.ai_training": { "use": "notAllowed" },
+                    "c2pa.data_mining": { "use": "notAllowed" }
+                }
+            }
+        }
+    ]
+}
+        
\ No newline at end of file
diff --git a/cli/tests/fixtures/earth_apollo17.jpg b/cli/tests/fixtures/earth_apollo17.jpg
new file mode 100644
index 000000000..4d7ec6a53
Binary files /dev/null and b/cli/tests/fixtures/earth_apollo17.jpg differ
diff --git a/cli/tests/fixtures/ingredient/ingredient.json b/cli/tests/fixtures/ingredient/ingredient.json
new file mode 100644
index 000000000..320a9629a
--- /dev/null
+++ b/cli/tests/fixtures/ingredient/ingredient.json
@@ -0,0 +1,10 @@
+{
+    "title": "test ingredient",
+    "format": "image/jpeg",
+    "instance_id": "xmp:iid:a60dfda7-0606-42db-a4f0-398ab4fb79cf",
+    "thumbnail": {
+      "format": "image/png",
+      "identifier": "../libpng-test.png"
+    },
+    "relationship": "componentOf"
+  }
\ No newline at end of file
diff --git a/cli/tests/fixtures/ingredient_test.json b/cli/tests/fixtures/ingredient_test.json
new file mode 100644
index 000000000..8484e22e0
--- /dev/null
+++ b/cli/tests/fixtures/ingredient_test.json
@@ -0,0 +1,132 @@
+{
+    "ta_url": "http://timestamp.digicert.com",
+    
+    "claim_generator": "TestApp",
+    "claim_generator_info": [{
+        "name": "Test App",
+        "version": "0.0.1",
+        "icon": {
+            "format": "image/png",
+            "identifier": "libpng-test.png"
+        }
+    }],
+    "thumbnail": {
+        "format": "image/jpeg",
+        "identifier": "earth_apollo17.jpg"
+    },
+    "assertions": [
+        {
+            "label": "c2pa.actions",
+            "data": {
+                "actions": [
+                    {
+                        "action": "c2pa.created",
+                        "instanceId": "xmp.iid:7b57930e-2f23-47fc-affe-0400d70b738d",
+                        "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/algorithmicMedia",
+                        "softwareAgent": {
+                            "name": "TestApp",
+                            "version": "1.0",
+                            "something": "else"
+                        }
+                    },
+                    {
+                        "action": "c2pa.opened",
+                        "instanceId": "xmp.iid:7b57930e-2f23-47fc-affe-0400d70b738d",
+                        "parameters": {
+                            "description": "import"
+                        },
+                        "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/algorithmicMedia",
+                        "softwareAgent": {
+                            "name": "TestApp",
+                            "version": "1.0",
+                            "icon": {
+                                "format": "image/svg+xml",
+                                "identifier": "sample1.svg"
+                            },
+                            "something": "else"
+                        },
+                        "changes": [
+                            {
+                                "region" : [
+                                    {
+                                        "type" : "temporal",
+                                        "time" : {}
+                                    },
+                                    {
+                                        "type" : "identified",
+                                        "item" : {
+                                        "identifier" : "https://bioportal.bioontology.org/ontologies/FMA",
+                                        "value" : "lips"
+                                        }
+                                    }
+                                ],
+                                "description": "lip synced area"
+                            }
+                        ]
+                    },
+                    {
+                        "action" : "c2pa.edited",
+                        "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/minorHumanEdits",
+                        "changes" : [
+                            {
+                                "region" : [
+                                    {
+                                        "type" : "identified",
+                                        "item" : {
+                                            "identifier" : "track_id",
+                                            "value" : "transcript"
+                                        }
+                                    }
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        },
+        {
+            "label": "stds.schema-org.CreativeWork",
+            "data": {
+                "@context": "https://schema.org",
+                "@type": "CreativeWork",
+                "author": [
+                    {
+                        "@type": "Person",
+                        "name": "Joe Bloggs"
+                    }
+                ]
+            },
+            "kind": "Json"
+        },
+        {
+            "label": "cawg.training-mining",
+            "data": {
+                "entries": {
+                    "c2pa.ai_training" : {
+                        "use" : "allowed"
+                    },
+                    "c2pa.ai_generative_training" : {
+                        "use" : "notAllowed"
+                    }
+                }
+            }
+        }
+    ],
+    "ingredients": [
+        {
+            "title": "earth_apollo17.jpg",
+            "format": "image/jpeg",
+            "document_id": "adobe:docid:photoshop:e1c344db-c371-ef45-a4fe-9b5ba6346544",
+            "instance_id": "xmp.iid:9867c3b4-465e-42e4-8064-76c0c0fe3d16",
+            "thumbnail": {
+              "format": "image/jpeg",
+              "identifier": "verify.jpeg"
+            },
+            "relationship": "componentOf"
+        }
+    ],
+    "ingredient_paths": [
+        "C.jpg", "ingredient/ingredient.json"
+    ]
+}
+
diff --git a/cli/tests/fixtures/libpng-test.png b/cli/tests/fixtures/libpng-test.png
new file mode 100644
index 000000000..c4af2adab
Binary files /dev/null and b/cli/tests/fixtures/libpng-test.png differ
diff --git a/cli/tests/fixtures/sample1.svg b/cli/tests/fixtures/sample1.svg
new file mode 100644
index 000000000..8e3d77b77
--- /dev/null
+++ b/cli/tests/fixtures/sample1.svg
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
+<svg enable-background="new 0 0 2014 1674.641" version="1.1" viewBox="0 0 2014 1674.641" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
+		<path d="m44.883 1173.3c0 169.58 92.136 317.37 229.08 396.59v-793.53c-136.94 79.216-229.08 227.37-229.08 396.94z"/>
+		<path d="m1496.5 173.21c-338.54-181.18-640.46-181.19-978.98 0-115.34 61.726-232.1 201.31-232.1 348.66v1048h125.99v-1048c0-100.78 121.24-229.18 225.54-272.38 280.15-116.04 460-116.04 740.11 0 104.3 43.203 225.54 171.6 225.54 272.38v1048h125.99v-1048c0-147.36-116.76-286.94-232.1-348.66z"/>
+		<path d="m1740 776.38v793.53c136.94-79.214 229.08-227 229.08-396.59 1e-3 -169.57-92.133-317.73-229.08-396.94z"/>
+		<path d="m541.72 709.03h-70.645c-27.201 0-49.252 22.051-49.252 49.253v829.79c0 27.201 22.05 49.252 49.252 49.252h70.645c27.201 0 49.252-22.051 49.252-49.252v-829.79c0-27.202-22.05-49.253-49.252-49.253z"/>
+		<path d="m1542 709.03h-70.646c-27.2 0-49.252 22.051-49.252 49.253v829.79c0 27.201 22.052 49.252 49.252 49.252h70.646c27.2 0 49.252-22.051 49.252-49.252v-829.79c-1e-3 -27.202-22.052-49.253-49.252-49.253z"/>
+		<path d="m595.97 1132.8c4.322-0.219 8.643-0.184 12.965 0 0.197 4.557 3.624 24.404 4.471 95.602 0 1.438 0.298 2.849 0.728 4.225 0.691 13.2-0.668 21.337 0.868 26.298 0.386 12.904 0.053 25.834 0.158 38.746h10.467c10.735-37.493 8.785-86.788 9.941-115.01 1.07-3.103 0.614-6.426 0.868-9.634 0.615-2.041 1.597-9.992 1.753-11.519 0.368 0.377 1.113 1.131 1.481 1.508 0.079 4.827 0.295 5.098 2.007 12.833 0.342 0 1.034-9e-3 1.376-9e-3 0.421-1.771 0.877-3.515 1.315-5.277l0.657-9e-3c0.202 4.611-0.719 9.38 0.684 13.859 0.491 4.374-0.508 8.889 0.85 13.149 0.114 1.683 0.175 3.357 0.263 5.049 0.552-0.92 1.122-1.85 1.692-2.77 0.052-13.129 0.408 0.674 0.894-17.479 0.307 0.552 0.92 1.657 1.227 2.209 0.316 0.018 0.938 0.044 1.245 0.061 2.638-11.892 2.56-18.294 3.647-51.86 8.152-0.21 16.314-0.263 24.466 0.044 0.018 2.314-0.018 4.681 0.78 6.89 0.677 13.255 1.433 10.704 2.016 18.926 1.554 2.913 2.279 3.212 5.295 20.714 0.394 0 1.183 0 1.578 9e-3 0.454-9.931 0.998-1.96 0.964-13.184l0.868 9e-3c0.096 3.734-0.561 7.609 0.684 11.229 0.298 3.498-0.307 7.127 0.868 10.519 0.307 3.498-0.307 7.135 0.877 10.519 0.307 3.498-0.307 7.127 0.877 10.519 0.368 3.787-0.394 7.714 0.868 11.387 0.438 4.085-0.465 8.319 0.877 12.281 0.298 3.498-0.298 7.127 0.868 10.519 0.949 15.108 1.515 17.226 2.858 21.626 0.421-0.412 1.262-1.227 1.692-1.639-0.187-3.823 0.79-9.648 3.98-14.937 0.701 1.157 1.411 2.332 2.13 3.498 0.018 0.412 0.053 1.236 0.07 1.648 0.894 1.657 1.815 3.357 3.261 4.629 0.52-4.824 0.271-3.677 1.525-8.757 0.155-0.87 1.114-8.042 1.552-15.709 1.21-3.691 0.491-7.609 0.85-11.405 1.341-3.962 0.43-8.196 0.877-12.272 0 0 6.76-64.946 7.004-68.375 1.008-2.77 0.728-5.742 0.728-8.617 1.727 0 3.471 0 5.225-9e-3 0 3.173-0.377 6.443 0.701 9.494 0.152 3.522 0.148 41.365 1.753 46.478 0.447 4.076-0.473 8.31 0.877 12.272 0.289 3.498-0.281 7.118 0.85 10.51 0.612 11.986 0.925 9.898 2.016 17.383 0.43 0.403 1.289 1.21 1.718 1.613 0.386-0.395 1.157-1.175 1.543-1.569 1.113-3.427 2.27-6.908 2.06-10.572 0.351 0.377 1.043 1.122 1.394 1.49 0.307 0.982 0.631 1.972 0.982 2.954 9e-3 0.824 0.035 1.648 0.07 2.472 0.736 0.912 1.499 1.841 2.279 2.744 1.695-6.242 1.537-5.465 2.367-9.923 0.394-0.377 1.175-1.122 1.569-1.499-0.026 1.455-0.035 2.928-0.044 4.392 0.43 0.386 1.28 1.148 1.709 1.534 2.593-15.316 1.515-32.185 4.646-59.933h0.517c0.257 2.44 0.455 5.251 2.656 12.053 0.04 1.752 2.071 29.42 6.46 44.391 0.377-0.386 1.131-1.166 1.508-1.56 2.511-20.088 0.17 17.604 5.33-78.561l0.622 9e-3c0.403 1.569 0.842 3.13 1.28 4.699 0.395-0.377 1.175-1.148 1.569-1.534 0.153-5.981 0.067-4.293 1.201-9.362 6.539-0.281 13.079-0.289 19.627-0.018 1.093 6.281 3.062 17.853 3.831 24.948 0.403-0.377 1.219-1.14 1.631-1.525 0.133-3.59 1.852-14.417 2.919-17.453 0.377 0.377 1.14 1.122 1.516 1.499-0.034 12.962 0.097 3.675 0.947 13.657 0.421 9e-3 1.253 9e-3 1.674 9e-3 0-1.762 9e-3 -3.524 0.026-5.277h1.718c0.237 4.602-0.701 9.371 0.71 13.85 0.386 3.787-0.412 7.732 0.877 11.405 0.298 3.498-0.298 7.127 0.859 10.519 0.455 8.447 1.972 19.645 2.595 21.906-0.347 7.057 9.094 35.294 9.888 54.043 0.429-0.395 1.28-1.192 1.709-1.587 0.061-1.42 0.14-2.84 0.263-4.252 0.885-2.831 0.675-5.829 0.85-8.748 1.131-3.401 0.561-7.022 0.859-10.519 1.166-3.393 0.561-7.022 0.876-10.519 1.157-3.392 0.57-7.022 0.877-10.528 0.697-2.038 1.719-16.578 1.78-17.532 0.086-0.331 0.978-5.454 1.788-8.924 2.042-3.033 3.515-6.399 5.26-9.599 0.324 0.368 0.964 1.122 1.289 1.499 2.896 10.614 5.277 40.7 5.277 40.701 1.101 16.794 2.417 23.952 2.866 28.779 0.412 0.394 1.245 1.175 1.657 1.569 0.071-0.869 8.706-77.968 8.959-86.556 0.561-1.779 1.105-3.559 1.727-5.312 0.412 0.394 1.227 1.183 1.639 1.578 9e-3 0.57 0.017 1.701 0.017 2.27 0.403 0 1.219-9e-3 1.622-9e-3 1.24-7.203 1.236-3.14 2.121-13.342 1.017-3.41 0.5-7.013 0.798-10.51 0.666-1.929 0.745-3.971 0.85-5.987 1.981-0.017 3.98-0.017 5.987-0.061 0.738 15.014 3.226 81.388 5.452 98.881 2.794-5.344 3.327-18.194 3.313-23.046 0.526 0.92 1.061 1.841 1.604 2.779 1.005 8.595 1.291 4.766 1.955 12.124 0.412-0.386 1.236-1.166 1.657-1.56 0.07-1.131 0.167-2.253 0.29-3.375 3.077-10.573 4.023-80.044 5.303-85.767 11.203-0.333 22.415-0.307 33.618-0.026 2.519 9.333-0.185 1.64 3.165 10.651 1.008-0.035 2.025-0.07 3.059-0.105 3.706 11.86 4.661 36.592 6.136 41.086 0.237 3.743-0.228 7.618 1.324 11.159 1.832-0.973 3.532-4.164 5.768-2.27 0.311 1.769 1.139 5.743 1.674 7.74 0.096 1.99 0.052 4.006 0.342 5.987 0.955 1.779 3.182 1.078 4.839 1.35 2.515 9.18 4.175 17.629 4.865 22.318 3.942-2.424 4.424-5.052 6.049-11.527 1.105-1.981 2.621-3.682 4.252-5.251-9e-3 -1.131-9e-3 -2.262 9e-3 -3.384 0.386 0.377 1.149 1.131 1.534 1.508 0.333 1.797 0.754 3.577 1.21 5.365 0.359-0.386 1.087-1.166 1.446-1.552 0.649-2.376 1.403-4.716 2.183-7.048 0.316 0.377 0.947 1.148 1.262 1.525 1.645 7.111 0.322 3.568 2.06 21.065 0.429-0.395 1.271-1.175 1.692-1.56 0.026-1.999 0.07-3.997 0.21-5.987 1.481-4.83 0.263-9.949 0.868-14.902 1.639-6.285 0.123-12.877 0.877-19.285 1.683-7.451 0.07-15.218 0.877-22.792 1.674-7.451 0.07-15.227 0.868-22.8 1.219-3.62 0.596-7.495 0.684-11.229h4.979c2.486 11.696-0.075 13.584 1.867 20.004 0.438 4.076-0.456 8.31 0.859 12.281 0.71 13.915 2.152 15.948 2.875 21.74 0.403 0.395 1.201 1.192 1.604 1.587 2.183-6.047-0.403-11.103 3.024-22.283 0.316 0 0.964-9e-3 1.289-9e-3 0.07 1.339 1.748 15.516 3.112 20.688 3.189-6.785 3.21-47.072 3.2-54.051 9.432-0.307 18.882-0.272 28.323 0.026 0.079 1.105 0.202 2.297 0.833 3.27 1.219-0.359 1.613-2.13 1.201-3.226 0.684 0 2.042 0.017 2.726 0.017 0.193 1.701 0.421 3.401 0.912 5.049 0.745 6.11-0.754 12.422 0.877 18.417 0.622 4.944-0.64 10.081 0.885 14.902 0.438 4.076-0.464 8.31 0.859 12.272 0.587 5.786-0.649 11.747 1.157 17.392 0.342 0.359 1.017 1.087 1.35 1.455 0.973-1.806 2.025-3.576 3.296-5.207 2.899 9.94 3.548 20.233 4.146 30.129 2.753-4.301 1.495-7.983 6.198-43.26 1.07-1.122 2.156-2.227 3.261-3.331 1.546-13.203 1.281-18.245 4.804-28.139 0.719 1.183 1.42 2.384 2.139 3.594 6.049 34.545 2.934 63.483 10.432 89.607-0.114 5.067 1.359 9.993 1.052 15.06-0.079 2.016 0.035 4.059 0.719 5.978 0.359 6.487 0.088 12.991 0.131 19.496-0.026 3.813 1.113 7.53 1.017 11.361h1.639c0.973-2.533 1.026-5.233 0.991-7.898-0.096-2.682 0.728-5.26 0.842-7.907 0.149-3.305-0.272-6.627 0.342-9.897 1.052-4.874 0.254-9.879 0.719-14.806 1.306-3.962 0.421-8.188 0.859-12.264 1.069-3.103 0.631-6.426 0.885-9.634 0.71-2.034 0.736-4.199 0.763-6.329 0.535-0.92 1.087-1.841 1.657-2.753 9e-3 0.693 9e-3 2.078 9e-3 2.77 0.421 0.394 1.254 1.192 1.674 1.595 1.881-6.653 1.973-16.337 2.025-17.208 1.324-3.962 0.421-8.188 0.868-12.273 1.508-4.821 0.263-9.949 0.885-14.902 1.534-5.119 0.21-10.537 0.868-15.779 1.438-4.777 0.43-9.836 0.684-14.736l0.579 9e-3c4.58 20.94-1.764 21.194 8.003 57.654 0.035 3.743 0.315 7.477 1.14 11.133 0.771 1.227 1.56 2.446 2.375 3.664 2.187-18.959 0.397-16.093 1.254-24.413 1.525-5.119 0.228-10.537 0.876-15.779 1.525-5.119 0.219-10.537 0.876-15.779 1.482-5.155 0.351-10.607 0.728-15.884 3.781-1.853 5.985-19.261 6.241-23.449 11.896-0.298 23.809-0.289 35.704 0 0.018 2.314-0.044 4.69 0.789 6.899 1.385 15.795 1.043 17.456 1.034 20.679 0.438-0.386 1.297-1.14 1.727-1.525 0.313-2.188-1e-3 -0.959 1.21-4.953h1.157c7.495 34.264 1.885 96.567 10.537 107.57 4.66-9.896 5.508-48.83 5.75-50.764 0.339-1.036 7.792-66.458 7.846-67.323h0.719c0.315 5.479-0.815 11.133 0.701 16.48 0.219 3.217-0.175 6.522 0.833 9.634 0.096 1.35 0.175 2.709 0.263 4.076 1.113 1.78 2.262 3.55 3.349 5.356 0.07 1.85 0.202 3.717 0.806 5.487 0.237 3.208-0.21 6.539 0.877 9.643 0.438 4.076-0.456 8.301 0.868 12.264 0.64 5.233-0.666 10.659 0.868 15.779 0.666 5.531-0.693 11.238 0.877 16.656 0.617 10.342-0.612 22.781 0.868 27.175 0.123 1.99 0.167 3.989 0.21 5.987 0.429 0.394 1.28 1.183 1.7 1.578 3.526-23.595 3.006-33.165 5.417-44.234l0.526 0.026c2.215 9.395 0.757 4.828 3.042 12.623 0.377-0.377 1.14-1.14 1.517-1.516 2.464-9.857 5.395-72.486 5.408-73.354l0.71 9e-3c0.044 0.447 0.131 1.341 0.167 1.779 0.605-0.018 1.814-0.07 2.411-0.088 2.367 8.449 6.032 43.591 6.075 43.725 0.517 4.348-1.026 10.134 3.296 12.982 12.367-46.276 9.589-65.188 12.904-92.683 11.51-0.228 23.028-0.228 34.547-0.018 0.316 1.131 0.649 2.253 1.008 3.375 0 1e-3 5.242 57.934 5.242 57.935 2.528 35.686-1.458 8.139 4.62 49.809 0.412 0.395 1.227 1.175 1.639 1.56 0.117-0.869 4.225-26.319 4.576-34.135 3.883 7.547 1.348 7.067 5.198 13.465 0.955-0.395 1.964-0.64 3.016-0.745 0.631 0.833 1.245 1.701 1.832 2.604 0.465 0.044 1.394 0.131 1.859 0.175 0.631-1.087 1.262-2.165 1.92-3.243 1.331-5.87 3.349-16.952 3.752-22.327l0.71 0.018c0.324 6.355-0.877 12.877 0.666 19.11 0.64 5.242-0.666 10.659 0.885 15.788 0.281 3.498-0.272 7.109 0.842 10.511 0.105 1.525 0.175 3.059 0.263 4.593h1.683c0.03-0.868 2.321-25.659 4.655-35.354 0.359 0.368 1.069 1.113 1.42 1.481 0.018 2.183 0.026 4.409 0.763 6.496 0.184 2.928-0.088 5.943 0.894 8.766 0.257 4.097-0.504 3.463 2.165 21.81 1.771-3.524 1.604-7.469 1.744-11.299 1.411-4.55 0.307-9.362 0.868-14.026 1.604-5.996 0.149-12.299 0.877-18.409 1.63-6.285 0.114-12.877 0.868-19.285 1.587-5.698 0.158-11.711 0.868-17.532 1.56-6.399 0.324-13.114 0.693-19.645 0.429-0.377 1.28-1.14 1.709-1.525-0.026 2.393-0.105 4.856 0.728 7.153 0.193 2.919-0.096 5.943 0.885 8.757 0.456 4.076-0.473 8.319 0.877 12.281 0.447 4.076-0.473 8.31 0.877 12.264 0.368 3.796-0.386 7.723 0.868 11.405 1.036 17.235 1.642 16.652 2.972 21.792 0.43 0.438 1.297 1.306 1.727 1.736 0.815-1.21 1.63-2.419 2.446-3.638 2.923-13.017 5.323-15.63 6.426-33.039 1.186-4.545 6.856-57.745 6.873-58.619 13.114-0.333 26.237-0.298 39.351 0-0.07 25.539-0.242 25.33 0.701 27.92 0.701 5.83-0.737 11.843 0.868 17.541 0.622 4.944-0.64 10.072 0.885 14.902 0.491 4.374-0.517 8.898 0.859 13.158 0.545 12.053 0.783 6.687 1.964 16.629 1.858 1.052 3.901 1.981 5.076 3.892 10.959-1.859 6.983-29.405 13.724-64.092v-42.917c-0.174-0.927-0.341-1.93-0.488-3.102-0.544-0.947-1.069-1.885-1.578-2.823-3.578-19.889-0.465-3.857-2.901-38.229-0.302-0.87-2.483-19.751-2.542-20.46-0.701-0.894-1.359-1.788-2.051-2.665-2.62 8.857-4.816 32.1-4.97 37.869-0.885-1.192-1.736-2.411-2.56-3.62v-1.63c-0.991-1.744-1.946-3.489-2.928-5.216-0.438 0.517-1.306 1.543-1.745 2.06-0.955 0-1.885-9e-3 -2.796-9e-3 -0.71-0.71-1.394-1.42-2.069-2.13-0.827-5.187-0.922-3.934-1.999-19.093-1.271-3.673-0.465-7.609-0.877-11.405-1.201-3.384-0.535-7.013-0.877-10.51-0.824-2.7-0.728-5.54-1.166-8.293-0.21-0.359-0.622-1.078-0.833-1.438-0.622-3.147-0.456-6.373-0.631-9.555-1.056-2.973-1.705-15.787-1.762-16.656-1.704-4.872-1.165-33.567-5.321-44.54l-0.377 9e-3c-0.237 0.579-0.701 1.736-0.938 2.323-0.401 3.921-11.044 109.35-11.711 112.52l-0.71 9e-3c-0.251-7.498 9e-3 -3.82-1.201-9.651h-1.236c-1.98 7.546-1.844 6.61-2.121 9.073-0.254 0.622-0.771 1.867-1.026 2.481-1.078-0.421-2.121-0.85-3.156-1.271-3.451 12.972-2.154 26.149-5.549 58.154-5.163 0.21-10.326 0.272-15.472 9e-3 -2.367-4.585 0.263-10.046-1.674-14.788-5.048-49.685-2.675-22.48-9.038-64.474-0.368 0.368-1.096 1.104-1.464 1.473-3.2 24.397-3.796 53.375-3.866 54.244-0.902 2.444-0.812 2.981-0.71 23.546-4.628 0.21-9.257 0.202-13.877 9e-3 -0.062-1.098-0.753-10.145-3.41-19.96-1.609-6.088-2.241-34.338-5.531-45.399-0.386 0.403-1.157 1.218-1.543 1.622 0 2e-3 -2.428 17.821-2.428 17.821-1.87 7.96-2.043 7.751-2.209 12.123-0.894 1.359-1.823 2.682-2.779 3.989-1.026-0.78-2.016-1.552-3.024-2.297-4.94 16.27-1.404 25.036-3.831 32.049-1.745 9e-3 -3.48 0.018-5.198 0.07-0.149-4.059 0.605-8.249-0.693-12.176-0.596-4.664 0.579-9.494-0.877-14.026-0.543-4.365 0.509-8.897-0.868-13.149-0.245-2.98-0.219-5.97-0.184-8.959h-0.798c-0.097 1.525-0.175 3.051-0.281 4.585-1.043 3.042-0.675 6.285-0.666 9.441h-0.885c-0.454-35.146-2.288-72.71-9.792-140.65-0.693-1.175-1.359-2.332-2.043-3.489-1.043 1.411-2.042 2.84-2.954 4.33-0.744 4.308-0.526 3.106-1.56 7.153-3.447 12.335-8.898 66.727-8.898 66.727-0.359 3.498 0.307 7.135-0.877 10.519-2.297 22.912 0.443 23.804-2.604 35.932-0.184 2.639-0.044 5.347-0.894 7.89-0.228 3.051-0.158 6.101-0.368 9.152-1.499 4.83-0.237 9.949-0.877 14.902-1.569 5.409-0.167 11.124-0.877 16.647-0.517 1.683-0.728 3.427-0.912 5.172-6.645 0.202-13.289 0.254-19.925-0.044 0.064-10.529-0.526-4.443-0.973-12.334l-0.701 9e-3c-0.965 7.442-1.078 2.9-0.973 12.272-1.183-9e-3 -2.349-9e-3 -3.506 0 0.078-9.359-1.521-16.3-2.042-19.811-3.15 1.808-4.963 16.633-5.119 19.899-5.987 0.254-11.974 0.228-17.953-0.035-2.68-8.301 0.155-12.807-1.885-20.022-0.649-4.944 0.631-10.072-0.877-14.902-0.28-3.629-0.088-7.276-0.35-10.905-0.735-2.102-1.517-17.095-2.06-19.715-1.139-4.529-1.144-4.594-1.289-6.811-0.833-1.219-1.674-2.428-2.533-3.62-0.026-0.394-0.088-1.192-0.114-1.587-1.131-2.095-2.358-4.129-3.813-6.005-0.894 0.955-1.762 1.911-2.63 2.875-0.491 0-1.473-9e-3 -1.964-9e-3 -0.281 0.579-0.833 1.744-1.113 2.323-0.044 2.393 0.018 4.839-0.78 7.127-0.517 8.012 0.14 16.051-0.359 24.054-1.709 4.69 0.307 9.827-1.403 14.517-0.175 2.288-0.202 4.585-0.193 6.881-0.43 0.377-1.297 1.131-1.727 1.516 9e-3 -2.682 0.245-5.453-0.71-8.012-0.596-4.655 0.57-9.485-0.877-14.026-0.438-5.382 0.079-10.782-0.359-16.165-1.587-5.698-0.149-11.712-0.876-17.532-1.394-4.251-0.333-8.784-0.868-13.149-0.903-2.358-0.754-4.909-0.728-7.381-0.429-0.368-1.297-1.122-1.727-1.49-0.272 4.699 0.71 9.564-0.701 14.131-0.421 3.787 0.385 7.723-0.877 11.396-0.552 4.366 0.526 8.898-0.877 13.149-0.368 4.506 0.018 9.029-0.35 13.535-1.438 4.769-0.421 9.818-0.701 14.709h-0.868c-9e-3 -2.867 0.289-5.829-0.71-8.573-0.245-3.34-0.123-6.688-0.351-10.028-1.349-3.85-2.513-33.865-5.347-39.938-4.096 0.324-4.685-1.352-7.083-16.191-0.859-3.445-0.482-7.022-0.675-10.528-5.99-19.969-5.779-31.074-8.74-43.006-0.412 0.377-1.236 1.14-1.648 1.516-4.042 68.84-13.256 161-13.438 161.87-6.241 0.263-12.483 0.281-18.724-0.018-2.084-7.236 0.044-0.063-2.472-11.072-1.704 1.184-2.333 2.852-3.27 11.072-6.54 0.281-13.088 0.272-19.627 0.035-0.289-0.605-0.859-1.815-1.148-2.419-0.438-5.567 0.754-11.308-0.745-16.752-0.657-4.953 0.623-10.081-0.885-14.902-0.316-3.918-0.044-7.863-0.351-11.781-1.175-3.384-0.543-7.013-0.868-10.519-1.201-3.375-0.543-7.013-0.877-10.519-1.105-3.094-0.622-6.426-0.885-9.634-0.991-2.823-0.675-5.838-0.885-8.766-0.64-1.823-0.737-3.752-0.807-5.654-0.412-0.377-1.236-1.122-1.648-1.49-0.023 1.517 0.6 9.192-2.016 20.118-2.092-3.749-2.373-11.288-2.568-14.727-0.728-2.095-0.719-4.33-0.728-6.513-0.412-0.377-1.236-1.122-1.648-1.49-0.017 2.384 0.105 4.839-0.745 7.118-1.625 13.049-1.923 57.246-2.113 60.871-1.254 3.524 9e-3 7.513-2.086 10.808-3.055-13.191-3.982-41.883-4.041-42.752-0.195-0.562-2.542-23.345-2.577-24.352h-0.684c-0.074 0.87-1.059 13.181-1.639 14.709-0.324 3.927-0.052 7.863-0.359 11.79-1.806 5.26 0.403 10.993-1.403 16.261-0.333 4.444-0.14 8.906-0.175 13.359l-0.85-0.026c-9e-3 -2.402-0.035-4.804-0.21-7.197-1.955-6.715 0.561-13.929-1.394-20.644-0.421-5.093 0.061-10.212-0.359-15.297-1.534-5.119-0.202-10.546-0.877-15.779-1.341-3.962-0.386-8.196-0.868-12.272-1.473-4.856-0.368-10.02-0.745-15.007-0.281-0.587-0.85-1.753-1.131-2.332l-0.342-0.026c-2.383 6.384-1.846 9.872-4.725 15.043-1.087-0.053-2.156-0.097-3.217-0.14-0.297 2.566-0.568 6.574-3.226 12.614-1.078-0.456-2.139-0.912-3.173-1.385-0.903 1.043-1.753 2.121-2.568 3.226-1.541 14.346-1.612 25.276-6.522 59.863-0.64 1.394-1.613 2.568-2.902 3.384-0.643-9.977-2.268-14.232-2.901-20.381-0.395-0.368-1.192-1.113-1.587-1.482-3.995 25.967-3.614 31.519-5.628 38.86l-0.526 9e-3c-5.004-29.024-4.245-32.066-6.592-40.692-1.964 0.307-3.165 1.56-3.463 3.506-1.455 1.648-2.858 3.34-4.068 5.172-0.113 0.869-5.441 26.261-5.242 38.194-7.206 0.316-14.42 0.281-21.626 0-1.59-6.96-1.588-22.528-4.032-40.043-2.449 4.247-1.567 9.163-3.401 17.199h-0.622c-0.096-1.999-0.167-4.024-0.798-5.943-0.193-2.463-0.228-4.935-0.403-7.398-0.214-0.596-2.541-21.185-2.551-21.389-0.342-0.368-1.034-1.096-1.376-1.464-2.624 7.092-1.98 15.125-3.936 40.762-0.943 2.679-1.212 14.307-2.463 18.251l-0.579-9e-3c-0.263-0.587-0.797-1.762-1.069-2.349-0.044-2.393 0.018-4.839-0.798-7.127-0.482-4.076 0.456-8.31-0.877-12.264-0.543-4.374 0.526-8.906-0.876-13.149-0.272-3.629-0.088-7.276-0.351-10.905-2.209-6.347 1.236-13.623-2.226-19.618-1.659 10.114-0.922 6.007-1.289 12.115-1.324 3.962-0.395 8.196-0.868 12.272-1.648 4.401 0.228 9.24-1.394 13.64-0.263 3.27-0.202 6.557-0.184 9.835l-0.859 9e-3c0-2.7 9e-3 -5.409-0.202-8.091 0 0-1.894-14.814-3.559-26.64-1.025 2.161-2.494 6.353-3.419 11.457-0.71 1.201-1.42 2.411-2.148 3.603-3.406-7.194-4.001-15.55-4.295-17.699-5.625-12.505-4.562-25.342-7.67-33.671h-0.403c-3.503 9.782 0.435 1.884-6.005 38.317-0.184 0.359-0.552 1.087-0.728 1.446-0.324 1.727-0.57 3.463-0.841 5.198-0.947 3.717-0.395 7.583-0.719 11.361-1.289 3.664-0.473 7.6-0.885 11.396-0.594 1.9-1.634 10.122-1.718 10.993-1.122 0.745-2.244 1.473-3.349 2.218-0.386 5.626 0.13 1.269-1.175 7.714-3.953 0.175-7.907 0.175-11.852 0.044-0.105-2.051-0.158-4.129-0.842-6.075-0.412-3.796 0.395-7.732-0.885-11.396-0.333-3.498 0.307-7.127-0.859-10.51-0.491-6.548 0.123-13.123-0.368-19.671 0 0-5.516-54.514-8.845-67.306h-1.473c0.015 4.792-0.944 14.581-1.595 16.463-0.351 3.498 0.307 7.136-0.877 10.519-0.491 4.076 0.465 8.31-0.877 12.272-0.491 4.076 0.456 8.31-0.877 12.272-0.28 3.629-0.079 7.276-0.35 10.905-1.262 3.673-0.465 7.609-0.868 11.396-1.289 3.664-0.473 7.6-0.877 11.396-1.289 3.664-0.482 7.6-0.877 11.387-1.429 4.243-0.351 8.784-0.894 13.149-0.517 1.683-0.728 3.427-0.912 5.163-3.629 0.123-7.249 0.123-10.861 9e-3 -0.359-1.131-0.719-2.253-1.078-3.357-0.554-15.475 0.663-21.354-0.815-25.474-0.498-7.528-0.096-59.18-5.654-78.719-6.429-1.051-3.223-11.691-7.057-21.424l-0.438 0.018c-4.443 43.319-2.365 60.076-3.857 78.211-1.63 4.401 0.21 9.231-1.385 13.64-0.184 2.463-0.219 4.935-0.395 7.399-0.666 2.007-0.736 4.138-0.824 6.241-0.245 0.64-0.745 1.928-0.99 2.568-0.351-0.359-1.061-1.096-1.411-1.455-0.134-6.652-0.225-0.761-1.166-13-1.403-3.839 0.079-8.056-1.359-11.887-0.342-4.436-0.149-8.897-0.184-13.342h-1.622c-0.042 0.869-1.142 13.049-1.709 14.709-0.246 3.34-0.114 6.688-0.351 10.028-1.402 4.243-0.342 8.775-0.877 13.14-1.473 4.541-0.281 9.371-0.885 14.026-0.999 2.761-0.728 5.724-0.71 8.599-0.438-9e-3 -1.297-9e-3 -1.736-0.018-0.091-1.768-2.814-61.555-2.814-61.555-0.038-0.109-5.456-50.812-6.908-56.26-0.359 0.386-1.078 1.148-1.446 1.534-1.054 4.726-0.995 2.579-1.157 9.371-0.298-0.026-0.885-0.07-1.183-0.096-0.938-1.324-1.928-2.612-2.919-3.892-2.823 14.314-4.439 36.549-5.97 44.873-0.184 0.359-0.552 1.078-0.736 1.438-0.281 1.359-0.526 2.735-0.754 4.103h-0.657c0.028-7.733-1.59-17.163-2.849-24.896-0.517 0.877-1.026 1.762-1.516 2.647-0.018 2.972 0.315 6.049-0.71 8.906-0.605 4.655 0.561 9.485-0.876 14.026-0.754 6.11 0.71 12.404-0.868 18.409-0.131 1.63-0.202 3.279-0.254 4.918-0.544 0.938-1.087 1.876-1.613 2.814-0.987 9.186-0.327-1.6-1.14 11.931-1.245 3.673-0.473 7.6-0.859 11.396-1.201 3.34-0.657 6.934-0.701 10.397-6.732 0.254-13.456 0.298-20.179 9e-3 -0.044-3.471 0.473-7.057-0.684-10.405-0.649-4.944 0.622-10.072-0.885-14.894-0.307-3.927-0.052-7.863-0.351-11.782-1.613-5.996-0.149-12.316-0.868-18.435-1.339-5.048-0.518-5.014-3.603-14.981-1.154-4.75-0.731-4.479-2.621-9.59-0.351 0.368-1.069 1.105-1.429 1.473-3.59 28.719-2.637 24.356-5.26 29.112-0.601 4.918-1.642 5.918-2.831 13-0.71 1.183-1.403 2.358-2.113 3.533-0.281-0.684-0.833-2.051-1.113-2.735-0.247-4.495-0.408-4.871-1.166-8.196-0.386 0-1.175 0-1.569-9e-3 -0.044 1.359-0.105 2.717-0.158 4.076-3.067-6.436-0.91-7.799-1.823-18.286-1.446-4.541-0.272-9.371-0.868-14.026-1.026-2.849-0.71-5.908-0.745-8.871-0.289-0.587-0.868-1.744-1.166-2.332h-0.473c-0.83 6.893-1.628 7.466-1.876 15.209-0.421-0.377-1.262-1.131-1.683-1.499-9e-3 -2.306-0.035-4.602-0.193-6.89-1.183-3.384-0.535-7.013-0.877-10.51-1.192-3.384-0.535-7.022-0.868-10.519-1.201-3.384-0.543-7.022-0.885-10.519 0 0-3.515-26.665-3.515-26.666-0.324-0.368-0.982-1.096-1.306-1.455-2.09 10.391-0.875 47.421-5.628 75.94-0.395-0.377-1.175-1.122-1.56-1.499-2.507-9.819-2.672-28.963-2.717-29.831-0.561-0.894-1.113-1.788-1.657-2.682-0.07 2.13-0.053 4.313-0.806 6.347-0.412 3.787 0.395 7.723-0.859 11.396-0.71 5.531 0.675 11.247-0.877 16.656-0.473 5.961 0.096 11.957-0.368 17.918-1.613 5.996-0.123 12.299-0.877 18.409-1.446 4.532-0.281 9.362-0.868 14.017-1.096 3.051-0.701 6.32-0.701 9.485h-5.251c-0.333-5.488 0.78-11.133-0.701-16.489-0.719-5.531 0.692-11.256-0.885-16.656-0.543-4.365 0.508-8.898-0.868-13.149-0.219-3.051-0.158-6.11-0.368-9.152-0.622-2.007-0.771-4.103-0.947-6.171-3.738-17.029-1.37-12.706-7.022-45.645-4.711-15.28-4.495-46.356-6.978-58.128-0.324-0.359-0.964-1.096-1.28-1.464-0.28 1.481-0.544 2.972-0.85 4.444-0.085 0.868-3.823 36.378-5.198 42.901-1.571 7.218-1.593 19.441-2.788 22.87-0.351 3.498 0.307 7.127-0.877 10.51-0.491 4.076 0.465 8.31-0.877 12.272-0.596 4.655 0.579 9.485-0.877 14.026-0.342 4.216-9e-3 8.451-0.351 12.658-1.464 4.541-0.272 9.371-0.885 14.026-0.561 1.727-0.719 3.533-0.868 5.33-0.368-0.351-1.105-1.052-1.473-1.411-3.32 19.616-1.334 18.132-1.867 29.296-13.421 0.193-26.842 0.28-40.254-0.018-0.494-1.729-3.729-21.553-4.655-33.583-1.297-3.559-0.026-7.46-1.359-11.01-0.193-2.761-0.184-5.523-0.368-8.275-1.578-5.707-0.14-11.711-0.877-17.532-0.529-1.612-1.765-12.284-1.858-13.158-1.105-4.006-0.342-8.188-0.763-12.264-1.657-6.566-0.105-13.465-0.885-20.162-1.639-6.566-0.105-13.465-0.877-20.162-1.613-5.987-0.131-12.29-0.877-18.4-1.455-4.541-0.28-9.371-0.868-14.026-0.85-2.288-0.763-4.742-0.789-7.127-0.281-0.587-0.824-1.753-1.096-2.332h-0.403c-0.551 5.654-1.974 21.699-6.867 143.01v84.684c1.97-18.939 4.281-41.148 4.281-41.149 0.855-2.511 0.714-5.184 0.706-7.788z"/>
+</svg>
diff --git a/cli/tests/fixtures/trust/anchors.pem b/cli/tests/fixtures/trust/anchors.pem
new file mode 100644
index 000000000..9e6aa6ce4
--- /dev/null
+++ b/cli/tests/fixtures/trust/anchors.pem
@@ -0,0 +1,113 @@
+-----BEGIN CERTIFICATE-----
+MIIGsDCCBGSgAwIBAgIUfj5imtzP59mXEBNbWkgFaXLfgZkwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjI4WhcNMzAwODI2MTg0NjI4WjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIPADCCAgoCggIBAOtiNSWBpKkHL78khDYV2HTYkVUmTu5dgn20GiUjOjWhAyWK
+5uZL+iuHWmHUOq0xqC39R+hyaMkcIAUf/XcJRK40Jh1s2kJ4+kCk7+RB1n1xeZeJ
+jrKhJ7zCDhH6eFVqO9Om3phcpZyKt01yDkhfIP95GzCILuPm5lLKYI3P0FmpC8zl
+5ctevgG1TXJcX8bNU6fsHmmw0rBrVXUOR+N1MOFO/h++mxIhhLW601XrgYu6lDQD
+IDOc/IxwzEp8+SAzL3v6NStBEYIq2d+alUgEUAOM8EzZsungs0dovMPGcfw7COsG
+4xrdmLHExRau4E1g1ANfh2QsYdraNMtS/wcpI1PG6BkqUQ4zlMoO/CI2nZ5oninb
+uL9x/UJt+a6VvHA0e4bTIcJJVq3/t69mpZtNe6WqDfGU+KLZ5HJSBNSW9KyWxSAU
+FuDFAMtKZRZmTBonKHSjYlYtT+/WN7n/LgFJ2EYxPeFcGGPrVqRTw38g0QA8cyFe
+wHfQBZUiSKdvMRB1zmIj+9nmYsh8ganJzuPaUgsGNVKoOJZHq+Ya3ewBjwslR91k
+QtEGq43PRCvx4Vf+qiXeMCzK+L1Gg0v+jt80grz+y8Ch5/EkxitaH/ei/HRJGyvD
+Zu7vrV6fbWLfWysBoFStHWirQcocYDGsFm9hh7bwM+W0qvNB/hbRQ0xfrMI9AgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBQ3KHUtnyxDJcV9ncAu37sql3aF7jAfBgNV
+HSMEGDAWgBQMMoDK5ZZtTx/7+QsB1qnlDNwA4jBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIBAAmBZubOjnCXIYmg2l1pDYH+XIyp5feayZz6Nhgz6xB7CouNgvcjkYW7EaqN
+RuEkAJWJC68OnjMwwe6tXWQC4ifMKbVg8aj/IRaVAqkEL/MRQ89LnL9F9AGxeugJ
+ulYtpqzFOJUKCPxcXGEoPyqjY7uMdTS14JzluKUwtiQZAm4tcwh/ZdRkt69i3wRq
+VxIY2TK0ncvr4N9cX1ylO6m+GxufseFSO0NwEMxjonJcvsxFwjB8eFUhE0yH3pdD
+gqE2zYfv9kjYkFGngtOqbCe2ixRM5oj9qoS+aKVdOi9m/gObcJkSW9JYAJD2GHLO
+yLpGWRhg4xnn1s7n2W9pWB7+txNR7aqkrUNhZQdznNVdWRGOale4uHJRSPZAetQT
+oYoVAyIX1ba1L/GRo52mOOT67AJhmIVVJJFVvMvvJeQ8ktW8GlxYjG9HHbRpE0S1
+Hv7FhOg0vEAqyrKcYn5JWYGAvEr0VqUqBPz3/QZ8gbmJwXinnUku1QZbGZUIFFIS
+3MDaPXMWmp2KuNMxJXHE1CfaiD7yn2plMV5QZakde3+Kfo6qv2GISK+WYhnGZAY/
+LxtEOqwVrQpDQVJ5jgR/RKPIsOobdboR/aTVjlp7OOfvLxFUvD66zOiVa96fAsfw
+ltU2Cp0uWdQKSLoktmQWLYgEe3QOqvgLDeYP2ScAdm+S+lHV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUeTn90WGAkw2fOJHBNX6EhnB7FZ4wQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjZa
+Fw0zMDA4MjcxODQ2MjZaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAg8AMIICCgKC
+AgEAqlafkrMkDom4SFHQBGwqODnuj+xi7IoCxADsKs9rDjvEB7qK2cj/d7sGhp4B
+vCTu6I+2xUmfz+yvJ/72+HnQvoUGInPp8Rbvb1T3LcfyDcY4WHqJouKNGa4T4ZVN
+u3HdgbaD/S3BSHmBJZvZ6YH0pWDntbNra1WR0KfCsA+jccPfCI3NTVCjEnFlTSdH
+UasJLnh9tMvefk1QDUp3mNd3x7X1FWIZquXOgHxDNVS+GDDWfSN20dwyIDvotleN
+5bOTQb3Pzgg0D/ZxKb/1oiRgIJffTfROITnU0Mk3gUwLzeQHaXwKDR4DIVst7Git
+A4yIIq8xXDvyKlYde6eRY1JV/H0RExTxRgCcXKQrNrUmIPoFSuz05TadQ93A0Anr
+EaPJOaY20mJlHa6bLSecFa/yW1hSf/oNKkjqtIGNV8k6fOfdO6j/ZkxRUI19IcqY
+Ly/IewMFOuowJPay8LCoM0xqI7/yj1gvfkyjl6wHuJ32e17kj1wnmUbg/nvmjvp5
+sPZjIpIXJmeEm2qwvwOtBJN8EFSI4emeIO2NVtQS51RRonazWNuHRKf/hpCXsJpI
+snZhH3mEqQAwKuobDhL+9pNnRag8ssCGLZmLGB0XfSFufMp5/gQyZYj4Q6wUh/OI
+O/1ZYTtQPlnHLyFBVImGlCxvMiDuh2ue7lYyrNuNwDKXMI8CAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFAwygMrllm1P
+H/v5CwHWqeUM3ADiMB8GA1UdIwQYMBaAFEVvG+J0LmYCLXksOfn6Mk2UKxlQMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIBBQCiAwIBIAOCAgEAqkYEUJP1BJLY55B7NWThZ31CiTiEnAUyR3O6
+F2MBWfXMrYEAIG3+vzQpLbbAh2u/3W4tzDiLr9uS7KA9z6ruwUODgACMAHZ7kfT/
+Ze3XSmhezYVZm3c4b/F0K/d92GDAzjgldBiKIkVqTrRSrMyjCyyJ+kR4VOWz8EoF
+vdwvrd0SP+1l9V5ThlmHzQ3cXT1pMpCjj+bw1z7ScZjYdAotOk74jjRXF5Y0HYra
+bGh6tl0sn6WXsYZK27LuQ/iPJrXLVqt/+BKHYtqD73+6dh8PqXG1oXO9KoEOwJpt
+8R9IwGoAj37hFpvZm2ThZ6TKXM0+HpByZamExoCiL2mQWRbKWPSyJjFwXjLScWSB
+IJg1eY45+a3AOwhuSE34alhwooH2qDEuGK7KW1W5V/02jtsbYc2upEfkMzd2AaJb
+2ALDGCwa4Gg6IkEadNBdXvNewG1dFDPOgPiJM9gTGeXMELO9sBpoOvZsoVj2wbVC
++5FFnqm40bPy0zeR99CGjgZBMr4siCLRJybBD8sX6sE0WSx896Q0PlRdS4Wniu+Y
+8QCS293tAyD7tWztko5mdVGfcYYfa2UnHqKlDZOpdMq/rjzXtPVREq+dRKld3KLy
+oqiZiY7ceUPTraAQ3pK535dcX3XA7p9RsGztyl7jma6HO2WmO9a6rGR2xCqW5/g9
+wvq03sA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGezCCBC+gAwIBAgIUDAG5+sfGspprX+hlkn1SuB2f5VQwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjVa
+Fw0zMjA2MDcxODQ2MjVaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
+A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
+A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
+KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
+hkgBZQMEAgEFAKIDAgEgA4ICDwAwggIKAoICAQC4q3t327HRHDs7Y9NR+ZqernwU
+bZ1EiEBR8vKTZ9StXmSfkzgSnvVfsFanvrKuZvFIWq909t/gH2z0klI2ZtChwLi6
+TFYXQjzQt+x5CpRcdWnB9zfUhOpdUHAhRd03Q14H2MyAiI98mqcVreQOiLDydlhP
+Dla7Ign4PqedXBH+NwUCEcbQIEr2LvkZ5fzX1GzBtqymClT/Gqz75VO7zM1oV4gq
+ElFHLsTLgzv5PR7pydcHauoTvFWhZNgz5s3olXJDKG/n3h0M3vIsjn11OXkcwq99
+Ne5Nm9At2tC1w0Huu4iVdyTLNLIAfM368ookf7CJeNrVJuYdERwLwICpetYvOnid
+VTLSDt/YK131pR32XCkzGnrIuuYBm/k6IYgNoWqUhojGJai6o5hI1odAzFIWr9T0
+sa9f66P6RKl4SUqa/9A/uSS8Bx1gSbTPBruOVm6IKMbRZkSNN/O8dgDa1OftYCHD
+blCCQh9DtOSh6jlp9I6iOUruLls7d4wPDrstPefi0PuwsfWAg4NzBtQ3uGdzl/lm
+yusq6g94FVVq4RXHN/4QJcitE9VPpzVuP41aKWVRM3X/q11IH80rtaEQt54QMJwi
+sIv4eEYW3TYY9iQtq7Q7H9mcz60ClJGYQJvd1DR7lA9LtUrnQJIjNY9v6OuHVXEX
+EFoDH0viraraHozMdwIDAQABo2MwYTAdBgNVHQ4EFgQURW8b4nQuZgIteSw5+foy
+TZQrGVAwHwYDVR0jBBgwFoAURW8b4nQuZgIteSw5+foyTZQrGVAwDwYDVR0TAQH/
+BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
+ZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQBB
+WnUOG/EeQoisgC964H5+ns4SDIYFOsNeksJM3WAd0yG2L3CEjUksUYugQzB5hgh4
+BpsxOajrkKIRxXN97hgvoWwbA7aySGHLgfqH1vsGibOlA5tvRQX0WoQ+GMnuliVM
+pLjpHdYE2148DfgaDyIlGnHpc4gcXl7YHDYcvTN9NV5Y4P4x/2W/Lh11NC/VOSM9
+aT+jnFE7s7VoiRVfMN2iWssh2aihecdE9rs2w+Wt/E/sCrVClCQ1xaAO1+i4+mBS
+a7hW+9lrQKSx2bN9c8K/CyXgAcUtutcIh5rgLm2UWOaB9It3iw0NVaxwyAgWXC9F
+qYJsnia4D3AP0TJL4PbpNUaA4f2H76NODtynMfEoXSoG3TYYpOYKZ65lZy3mb26w
+fvBfrlASJMClqdiEFHfGhP/dTAZ9eC2cf40iY3ta84qSJybSYnqst8Vb/Gn+dYI9
+qQm0yVHtJtvkbZtgBK5Vg6f5q7I7DhVINQJUVlWzRo6/Vx+/VBz5tC5aVDdqtBAs
+q6ZcYS50ECvK/oGnVxjpeOafGvaV2UroZoGy7p7bEoJhqOPrW2yZ4JVNp9K6CCRg
+zR6jFN/gUe42P1lIOfcjLZAM1GHixtjP5gLAp6sJS8X05O8xQRBtnOsEwNLj5w0y
+MAdtwAzT/Vfv7b08qfx4FfQPFmtjvdu4s82gNatxSA==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/cli/tests/fixtures/trust/no-match.pem b/cli/tests/fixtures/trust/no-match.pem
new file mode 100644
index 000000000..d0cb9426d
--- /dev/null
+++ b/cli/tests/fixtures/trust/no-match.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSDCCAfqgAwIBAgIUb+aBTX1CsjJ1iuMJ9kRudz/7qEcwBQYDK2VwMIGMMQsw
+CQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNvbWV3aGVyZTEnMCUG
+A1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENBMRkwFwYDVQQLDBBG
+T1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUgQ0EwHhcNMjIw
+NjEwMTg0NjQxWhcNMzAwODI2MTg0NjQxWjCBgDELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoMFkMyUEEgVGVzdCBT
+aWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09OTFkxFDASBgNVBAMM
+C0MyUEEgU2lnbmVyMCowBQYDK2VwAyEAMp5+0e83nNgQhdhBW8Rshkjy90sa1A9J
+IzkItcDqCuKjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUH
+AwQwDgYDVR0PAQH/BAQDAgbAMB0GA1UdDgQWBBTuLrYRqW4wu6yjIK1/iW8ud7dm
+kTAfBgNVHSMEGDAWgBRXTAfC/JxQvRlk/bCbdPMDbsSfqTAFBgMrZXADQQB2R6vb
+I+X8CTRC54j3NTvsUj454G1/bdzbiHVgl3n+ShOAJ85FJigE7Eoav7SeXeVnNjc8
+QZ1UrJGwgBBEP84G
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/sdk/src/openssl/store.cfg b/cli/tests/fixtures/trust/store.cfg
similarity index 78%
rename from sdk/src/openssl/store.cfg
rename to cli/tests/fixtures/trust/store.cfg
index bf49a13ed..d968ab695 100644
--- a/sdk/src/openssl/store.cfg
+++ b/cli/tests/fixtures/trust/store.cfg
@@ -1,4 +1,3 @@
-
 //id-kp-emailProtection 
 1.3.6.1.5.5.7.3.4
 //id-kp-documentSigning 
@@ -7,5 +6,3 @@
 1.3.6.1.5.5.7.3.8
 //id-kp-OCSPSigning 
 1.3.6.1.5.5.7.3.9
-// MS C2PA Signing
-1.3.6.1.4.1.311.76.59.1.9
\ No newline at end of file
diff --git a/cli/tests/fixtures/verify.jpeg b/cli/tests/fixtures/verify.jpeg
new file mode 100644
index 000000000..044290ad2
Binary files /dev/null and b/cli/tests/fixtures/verify.jpeg differ
diff --git a/cli/tests/integration.rs b/cli/tests/integration.rs
new file mode 100644
index 000000000..9d9d45027
--- /dev/null
+++ b/cli/tests/integration.rs
@@ -0,0 +1,201 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::{error::Error, fs, path::PathBuf, process::Command};
+
+// Add methods on commands
+use assert_cmd::prelude::*;
+use httpmock::{prelude::*, Mock};
+use predicate::str;
+use predicates::prelude::*;
+
+const TEST_IMAGE_WITH_MANIFEST: &str = "C.jpg"; // save for manifest tests
+
+fn fixture_path(name: &str) -> PathBuf {
+    let mut path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+    path.push("tests/fixtures");
+    path.push(name);
+    fs::canonicalize(path).expect("canonicalize")
+}
+
+#[test]
+// c2patool tests/fixtures/C.jpg trust --trust_anchors=tests/fixtures/trust/anchors.pem --trust_config=tests/fixtures/trust/store.cfg
+fn tool_load_trust_settings_from_file_trusted() -> Result<(), Box<dyn Error>> {
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .arg("--trust_anchors")
+        .arg(fixture_path("trust/anchors.pem"))
+        .arg("--trust_config")
+        .arg(fixture_path("trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted").not());
+    Ok(())
+}
+
+#[test]
+// c2patool tests/fixtures/C.jpg trust --trust_anchors=tests/fixtures/trust/no-match.pem --trust_config=tests/fixtures/trust/store.cfg
+fn tool_load_trust_settings_from_file_untrusted() -> Result<(), Box<dyn Error>> {
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .arg("--trust_anchors")
+        .arg(fixture_path("trust/no-match.pem"))
+        .arg("--trust_config")
+        .arg(fixture_path("trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted"));
+    Ok(())
+}
+
+fn create_mock_server<'a>(
+    server: &'a MockServer,
+    anchor_source: &str,
+    config_source: &str,
+) -> Vec<Mock<'a>> {
+    let anchor_path = fixture_path(anchor_source).to_str().unwrap().to_owned();
+    let trust_mock = server.mock(|when, then| {
+        when.method(GET).path("/trust/anchors.pem");
+        then.status(200)
+            .header("content-type", "text/plain")
+            .body_from_file(anchor_path);
+    });
+    let config_path = fixture_path(config_source).to_str().unwrap().to_owned();
+    let config_mock = server.mock(|when, then| {
+        when.method(GET).path("/trust/store.cfg");
+        then.status(200)
+            .header("content-type", "text/plain")
+            .body_from_file(config_path);
+    });
+
+    vec![trust_mock, config_mock]
+}
+
+#[test]
+fn tool_load_trust_settings_from_url_arg_trusted() -> Result<(), Box<dyn Error>> {
+    let server = MockServer::start();
+    let mocks = create_mock_server(&server, "trust/anchors.pem", "trust/store.cfg");
+
+    // Test flags
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .arg("--trust_anchors")
+        .arg(server.url("/trust/anchors.pem"))
+        .arg("--trust_config")
+        .arg(server.url("/trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted").not());
+
+    mocks.iter().for_each(|m| m.assert());
+
+    Ok(())
+}
+
+#[test]
+fn tool_load_trust_settings_from_url_arg_untrusted() -> Result<(), Box<dyn Error>> {
+    let server = MockServer::start();
+    let mocks = create_mock_server(&server, "trust/no-match.pem", "trust/store.cfg");
+
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .arg("--trust_anchors")
+        .arg(server.url("/trust/anchors.pem"))
+        .arg("--trust_config")
+        .arg(server.url("/trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted"));
+
+    mocks.iter().for_each(|m| m.assert());
+
+    Ok(())
+}
+
+#[test]
+fn tool_load_trust_settings_from_url_env_trusted() -> Result<(), Box<dyn Error>> {
+    let server = MockServer::start();
+    let mocks = create_mock_server(&server, "trust/anchors.pem", "trust/store.cfg");
+
+    // Test flags
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .env("C2PATOOL_TRUST_ANCHORS", server.url("/trust/anchors.pem"))
+        .env("C2PATOOL_TRUST_CONFIG", server.url("/trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted").not());
+
+    mocks.iter().for_each(|m| m.assert());
+
+    Ok(())
+}
+
+#[test]
+fn tool_load_trust_settings_from_url_env_untrusted() -> Result<(), Box<dyn Error>> {
+    let server = MockServer::start();
+    let mocks = create_mock_server(&server, "trust/no-match.pem", "trust/store.cfg");
+
+    // Test flags
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("trust")
+        .env("C2PATOOL_TRUST_ANCHORS", server.url("/trust/anchors.pem"))
+        .env("C2PATOOL_TRUST_CONFIG", server.url("/trust/store.cfg"))
+        .assert()
+        .success()
+        .stdout(str::contains("C2PA Test Signing Cert"))
+        .stdout(str::contains("signingCredential.untrusted"));
+
+    mocks.iter().for_each(|m| m.assert());
+
+    Ok(())
+}
+
+#[test]
+// c2patool tests/fixtures/C.jpg --tree
+fn tool_tree() -> Result<(), Box<dyn Error>> {
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("--tree")
+        .assert()
+        .success()
+        .stdout(str::contains("Asset:C.jpg, Manifest:contentauth:urn:uuid:"))
+        .stdout(str::contains("Assertion:c2pa.actions"));
+    Ok(())
+}
+
+#[test]
+// c2patool tests/fixtures/C.jpg --info
+fn tool_info() -> Result<(), Box<dyn Error>> {
+    Command::cargo_bin("c2patool")?
+        .arg(fixture_path(TEST_IMAGE_WITH_MANIFEST))
+        .arg("--info")
+        .assert()
+        .success()
+        .stdout(str::contains(
+            "Provenance URI = self#jumbf=/c2pa/contentauth:urn:uuid:",
+        ))
+        .stdout(str::contains("Manifest store size = 51217"));
+    Ok(())
+}
diff --git a/deny.toml b/deny.toml
index 08d44c878..c69a9bf7d 100644
--- a/deny.toml
+++ b/deny.toml
@@ -14,15 +14,14 @@ targets = [
 
 [advisories]
 yanked = "deny"
-
 ignore = [
   "RUSTSEC-2021-0127", # serde_cbor
-  "RUSTSEC-2023-0071", # rsa Marvin Attack: (https://jira.corp.adobe.com/browse/CAI-5104),
-  "RUSTSEC-2024-0384", # instant (https://github.com/contentauth/c2pa-rs/issues/663)
+  "RUSTSEC-2023-0071", # rsa Marvin Attack: (https://jira.corp.adobe.com/browse/CAI-5104)
+  "RUSTSEC-2024-0399", # tokio-rustls server: https://rustsec.org/advisories/RUSTSEC-2024-0399
 ]
 
 [bans]
-multiple-versions = "allow"
+multiple-versions = "allow" # "deny" # TODO: Re-enable when possible.
 
 [licenses]
 allow = [
@@ -34,8 +33,8 @@ allow = [
   "LicenseRef-ring",
   "MIT",
   "MPL-2.0",
-  "Unicode-DFS-2016",
   "Unicode-3.0",
+  "Unicode-DFS-2016",
   "Zlib",
 ]
 confidence-threshold = 0.9
diff --git a/docs/usage.md b/docs/usage.md
index 417857ed5..be2a0a177 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -11,7 +11,7 @@ The C2PA Rust library has been tested on the following operating systems:
 
 ## Requirements
 
-The C2PA Rust library requires **Rust version 1.76.0** or newer.
+The C2PA Rust library requires **Rust version 1.81.0** or newer.
 
 To use the library, add this to your `Cargo.toml`:
 
@@ -42,7 +42,6 @@ The Rust library crate provides the following capabilities:
 * `no_interleaved_io` forces fully-synchronous I/O; otherwise, the library uses threaded I/O for some operations to improve performance.
 * `fetch_remote_manifests` enables the verification step to retrieve externally referenced manifest stores.  External manifests are only fetched if there is no embedded manifest store and no locally adjacent .c2pa manifest store file of the same name.
 * `json_schema` is used by `make schema` to produce a JSON schema document that represents the `ManifestStore` data structures.
-* `psxxx_ocsp_stapling_experimental` enables a demonstration feature that attempts to fetch the OCSP data from the OCSP responders listed in the manifest signing certificate.  The response becomes part of the manifest and is used to prove the certificate was not revoked at the time of signing.  This is only implemented for PS256, PS384 and PS512 signatures and is intended as a demonstration.
 * `openssl_ffi_mutex` prevents multiple threads from accessing the C OpenSSL library simultaneously. (This library is not re-entrant.) In a multi-threaded process (such as Cargo's test runner), this can lead to unpredictable behavior.
 
 ### New API
diff --git a/export_schema/Cargo.toml b/export_schema/Cargo.toml
index f5baf9e3b..47795c8fc 100644
--- a/export_schema/Cargo.toml
+++ b/export_schema/Cargo.toml
@@ -4,10 +4,10 @@ version = "0.36.1"
 authors = ["Dave Kozma <dkozma@adobe.com>"]
 license = "MIT OR Apache-2.0"
 edition = "2018"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
 
 [dependencies]
 anyhow = "1.0.40"
-c2pa = { path = "../sdk", features = ["json_schema", "unstable_api"] }
+c2pa = { path = "../sdk", default-features = false, features = ["json_schema", "unstable_api"] }
 schemars = "0.8.21"
 serde_json = "1.0.117"
diff --git a/internal/crypto/CHANGELOG.md b/internal/crypto/CHANGELOG.md
index 9fd3291d8..a0b4346d4 100644
--- a/internal/crypto/CHANGELOG.md
+++ b/internal/crypto/CHANGELOG.md
@@ -6,6 +6,25 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 The format of this changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [0.2.0](https://github.com/contentauth/c2pa-rs/compare/c2pa-crypto-v0.1.2...c2pa-crypto-v0.2.0)
+_12 December 2024_
+
+### Added
+
+* Add `RawSigner` trait to `c2pa-crypto` (derived from `c2pa::Signer`) (#716)
+* Move time stamp code into c2pa-crypto (#696)
+
+### Fixed
+
+* Compile `c2pa-crypto` with `cargo check` (#768)
+* Verbose assertions for `is_none()` (#704)
+* Remove `c2pa::Signer` dependency on `c2pa_crypto::TimeStampProvider` (#718)
+* Treat Unicode-3.0 license as approved; unpin related dependencies (#693)
+
+### Updated dependencies
+
+* Bump chrono from 0.4.38 to 0.4.39 (#763)
+
 ## [0.1.2](https://github.com/contentauth/c2pa-rs/compare/c2pa-crypto-v0.1.1...c2pa-crypto-v0.1.2)
 _24 October 2024_
 
diff --git a/internal/crypto/Cargo.toml b/internal/crypto/Cargo.toml
index 5936705aa..a98bdc982 100644
--- a/internal/crypto/Cargo.toml
+++ b/internal/crypto/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "c2pa-crypto"
-version = "0.1.2"
+version = "0.2.0"
 description = "Cryptography internals for c2pa-rs crate"
 authors = [
     "Maurice Fisher <mfisher@adobe.com>",
@@ -18,7 +18,7 @@ readme = "README.md"
 keywords = ["metadata"]
 categories = ["api-bindings"]
 edition = "2021"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
@@ -30,22 +30,30 @@ json_schema = ["dep:schemars"]
 openssl = ["dep:openssl"]
 
 [dependencies]
+asn1-rs = "0.6.2"
 async-generic = "1.1"
 async-trait = "0.1.77"
 base64 = "0.22.1"
 bcder = "0.7.3"
 bytes = "1.7.2"
-c2pa-status-tracker = { path = "../status-tracker", version = "0.1.0" }
+c2pa-status-tracker = { path = "../status-tracker", version = "0.2.0" }
+ciborium = "0.2.2"
+const-hex = "1.14"
+coset = "0.3.1"
 getrandom = { version = "0.2.7", features = ["js"] }
 hex = "0.4.3"
+nom = "7.1.3"
 rand = "0.8.5"
-rasn = "0.18.0"
-rasn-ocsp = "0.18.0"
-rasn-pkix = "0.18.0"
+rasn = "0.22.0"
+rasn-ocsp = "0.22.0"
+rasn-pkix = "0.22.0"
 schemars = { version = "0.8.21", optional = true }
 serde = { version = "1.0.197", features = ["derive"] }
+serde_bytes = "0.11.5"
 sha1 = "0.10.6"
-thiserror = "1.0.61"
+sha2 = "0.10.6"
+thiserror = "2.0.8"
+web-time = "1.1"
 x509-certificate = "0.21.0"
 x509-parser = "0.16.0"
 
@@ -58,19 +66,19 @@ url = "2.5.3"
 normal = ["openssl"] # TEMPORARY: Remove after openssl transition complete.
 
 [dependencies.chrono]
-version = "0.4.38"
+version = "0.4.39"
 default-features = false
 features = ["wasmbind"]
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies.chrono]
-version = "0.4.38"
+version = "0.4.39"
 default-features = false
 features = ["now", "wasmbind"]
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 async-trait = { version = "0.1.77" }
 ecdsa = "0.16.9"
-ed25519-dalek = "2.1.1"
+ed25519-dalek = { version = "2.1.1", features = ["alloc", "digest", "pem", "pkcs8"] }
 p256 = "0.13.2"
 p384 = "0.13.0"
 rsa = { version = "0.9.6", features = ["sha2"] }
@@ -85,11 +93,13 @@ web-sys = { version = "0.3.58", features = [
     "Window",
     "WorkerGlobalScope",
 ] }
-web-time = "1.1"
 
 [target.'cfg(all(target_arch = "wasm32", not(target_os = "wasi")))'.dependencies]
 getrandom = { version = "0.2.7", features = ["js"] }
 js-sys = "0.3.58"
 
+[target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies]
+actix = "0.13.1"
+
 [target.'cfg(target_arch = "wasm32")'.dev-dependencies]
 wasm-bindgen-test = "0.3.31"
diff --git a/internal/crypto/src/asn1/rfc3161.rs b/internal/crypto/src/asn1/rfc3161.rs
index 03b89ffc3..789ee7c6e 100644
--- a/internal/crypto/src/asn1/rfc3161.rs
+++ b/internal/crypto/src/asn1/rfc3161.rs
@@ -24,11 +24,6 @@ use crate::asn1::{rfc4210::PkiFreeText, rfc5652::ContentInfo};
 /// 1.2.840.113549.1.9.16.1.4
 pub const OID_CONTENT_TYPE_TST_INFO: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 4]);
 
-/// id-aa-timeStampToken
-///
-/// 1.2.840.113549.1.9.16.2.14
-pub const OID_TIME_STAMP_TOKEN: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 2, 14]);
-
 /// A time-stamp request.
 ///
 /// ```ASN.1
@@ -53,6 +48,7 @@ pub struct TimeStampReq {
 }
 
 impl TimeStampReq {
+    #[allow(dead_code)] // not used on all platforms
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = Integer::take_from(cons)?;
@@ -149,17 +145,6 @@ impl TimeStampResp {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode_ref(),
-            if let Some(time_stamp_token) = &self.time_stamp_token {
-                Some(time_stamp_token)
-            } else {
-                None
-            },
-        ))
-    }
 }
 
 /// PKI status info
@@ -191,16 +176,6 @@ impl PkiStatusInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode(),
-            self.status_string
-                .as_ref()
-                .map(|status_string| status_string.encode_ref()),
-            self.fail_info.as_ref().map(|fail_info| fail_info.encode()),
-        ))
-    }
 }
 
 /// PKI status.
diff --git a/internal/crypto/src/asn1/rfc3281.rs b/internal/crypto/src/asn1/rfc3281.rs
index 8b0505cb8..180088b27 100644
--- a/internal/crypto/src/asn1/rfc3281.rs
+++ b/internal/crypto/src/asn1/rfc3281.rs
@@ -79,6 +79,7 @@ impl AttributeCertificateInfo {
 }
 
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertVersion {
     V2 = 1,
 }
@@ -104,6 +105,7 @@ pub struct Holder {
 }
 
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum DigestedObjectType {
     PublicKey = 0,
     PublicKeyCert = 1,
@@ -142,6 +144,7 @@ pub struct ObjectDigestInfo {
 /// }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertIssuer {
     V1Form(GeneralNames),
     V2Form(Box<V2Form>),
diff --git a/internal/crypto/src/asn1/rfc4210.rs b/internal/crypto/src/asn1/rfc4210.rs
index 39022baaa..93dc3719d 100644
--- a/internal/crypto/src/asn1/rfc4210.rs
+++ b/internal/crypto/src/asn1/rfc4210.rs
@@ -8,7 +8,6 @@
 
 use bcder::{
     decode::{Constructed, DecodeError, Source},
-    encode::{self, Values},
     Tag, Utf8String,
 };
 
@@ -27,10 +26,6 @@ impl PkiFreeText {
         cons.take_opt_sequence(|cons| Self::from_sequence(cons))
     }
 
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| Self::from_sequence(cons))
-    }
-
     pub fn from_sequence<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -44,8 +39,4 @@ impl PkiFreeText {
 
         Ok(Self(res))
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence(encode::slice(&self.0, |x| x.clone().encode()))
-    }
 }
diff --git a/internal/crypto/src/asn1/rfc5652.rs b/internal/crypto/src/asn1/rfc5652.rs
index 5032f15e8..ba8883d1b 100644
--- a/internal/crypto/src/asn1/rfc5652.rs
+++ b/internal/crypto/src/asn1/rfc5652.rs
@@ -29,43 +29,11 @@ use x509_certificate::{asn1time::*, rfc3280::*, rfc5280::*, rfc5652::*};
 
 use crate::asn1::rfc3281::AttributeCertificate;
 
-/// The data content type.
-///
-/// `id-data` in the specification.
-///
-/// 1.2.840.113549.1.7.1
-pub const OID_ID_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 1]);
-
 /// The signed-data content type.
 ///
 /// 1.2.840.113549.1.7.2
 pub const OID_ID_SIGNED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 2]);
 
-/// Enveloped data content type.
-///
-/// 1.2.840.113549.1.7.3
-pub const OID_ENVELOPE_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 3]);
-
-/// Digested-data content type.
-///
-/// 1.2.840.113549.1.7.5
-pub const OID_DIGESTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 5]);
-
-/// Encrypted-data content type.
-///
-/// 1.2.840.113549.1.7.6
-pub const OID_ENCRYPTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 6]);
-
-/// Authenticated-data content type.
-///
-/// 1.2.840.113549.1.9.16.1.2
-pub const OID_AUTHENTICATED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 2]);
-
-/// Identifies the content-type attribute.
-///
-/// 1.2.840.113549.1.9.3
-pub const OID_CONTENT_TYPE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 3]);
-
 /// Identifies the message-digest attribute.
 ///
 /// 1.2.840.113549.1.9.4
@@ -76,11 +44,6 @@ pub const OID_MESSAGE_DIGEST: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9,
 /// 1.2.840.113549.1.9.5
 pub const OID_SIGNING_TIME: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 5]);
 
-/// Identifies the countersignature attribute.
-///
-/// 1.2.840.113549.1.9.6
-pub const OID_COUNTER_SIGNATURE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 6]);
-
 /// Content info.
 ///
 /// ```ASN.1
@@ -158,23 +121,6 @@ pub struct SignedData {
 }
 
 impl SignedData {
-    /// Attempt to decode BER encoded bytes to a parsed data structure.
-    pub fn decode_ber(data: &[u8]) -> Result<Self, DecodeError<std::convert::Infallible>> {
-        Constructed::decode(data, bcder::Mode::Ber, Self::decode)
-    }
-
-    pub fn decode<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| {
-            let oid = Oid::take_from(cons)?;
-
-            if oid != OID_ID_SIGNED_DATA {
-                return Err(cons.content_err("expected signed data OID"));
-            }
-
-            cons.take_constructed_if(Tag::CTX_0, Self::take_from)
-        })
-    }
-
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = CmsVersion::take_from(cons)?;
@@ -197,25 +143,6 @@ impl SignedData {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            OID_ID_SIGNED_DATA.encode_ref(),
-            encode::sequence_as(
-                Tag::CTX_0,
-                encode::sequence((
-                    self.version.encode(),
-                    self.digest_algorithms.encode_ref(),
-                    self.content_info.encode_ref(),
-                    self.certificates
-                        .as_ref()
-                        .map(|certs| certs.encode_ref_as(Tag::CTX_0)),
-                    // TODO crls.
-                    self.signer_infos.encode_ref(),
-                )),
-            ),
-        ))
-    }
 }
 
 /// Digest algorithm identifiers.
@@ -252,10 +179,6 @@ impl DigestAlgorithmIdentifiers {
             Ok(Self(identifiers))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 pub type DigestAlgorithmIdentifier = AlgorithmIdentifier;
@@ -294,10 +217,6 @@ impl SignerInfos {
             Ok(Self(infos))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 /// Encapsulated content info.
@@ -343,15 +262,6 @@ impl EncapsulatedContentInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.content_type.encode_ref(),
-            self.content
-                .as_ref()
-                .map(|content| encode::sequence_as(Tag::CTX_0, content.encode_ref())),
-        ))
-    }
 }
 
 /// Per-signer information.
@@ -647,10 +557,6 @@ impl DerefMut for SignedAttributes {
 }
 
 impl SignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -759,10 +665,6 @@ impl DerefMut for UnsignedAttributes {
 }
 
 impl UnsignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -846,6 +748,8 @@ pub type UnprotectedAttributes = Vec<Attribute>;
 ///   ori [4] OtherRecipientInfo }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
+#[allow(clippy::enum_variant_names)]
 pub enum RecipientInfo {
     KeyTransRecipientInfo(KeyTransRecipientInfo),
     KeyAgreeRecipientInfo(KeyAgreeRecipientInfo),
@@ -881,6 +785,7 @@ pub struct KeyTransRecipientInfo {
 ///   subjectKeyIdentifier [0] SubjectKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -914,6 +819,7 @@ pub struct KeyAgreeRecipientInfo {
 ///   originatorKey [1] OriginatorPublicKey }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum OriginatorIdentifierOrKey {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -957,6 +863,7 @@ pub struct RecipientEncryptedKey {
 ///   rKeyId [0] IMPLICIT RecipientKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum KeyAgreeRecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     RKeyId(RecipientKeyIdentifier),
@@ -1135,6 +1042,7 @@ impl RevocationInfoChoices {
 ///   other [1] IMPLICIT OtherRevocationInfoFormat }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RevocationInfoChoice {
     Crl(Box<CertificateList>),
     Other(OtherRevocationInfoFormat),
@@ -1268,10 +1176,6 @@ impl CertificateSet {
 
         Ok(Self(certs))
     }
-
-    pub fn encode_ref_as(&self, tag: Tag) -> impl Values + '_ {
-        encode::set_as(tag, &self.0)
-    }
 }
 
 /// Issuer and serial number.
@@ -1372,10 +1276,6 @@ pub struct OtherKeyAttribute {
 
 pub type ContentType = Oid;
 
-pub type MessageDigest = OctetString;
-
-pub type SigningTime = Time;
-
 /// Time variant.
 ///
 /// ```ASN.1
@@ -1416,6 +1316,4 @@ impl From<Time> for chrono::DateTime<chrono::Utc> {
     }
 }
 
-pub type CounterSignature = SignerInfo;
-
 pub type AttributeCertificateV2 = AttributeCertificate;
diff --git a/internal/crypto/src/cose/certificate_profile.rs b/internal/crypto/src/cose/certificate_profile.rs
new file mode 100644
index 000000000..e011295e6
--- /dev/null
+++ b/internal/crypto/src/cose/certificate_profile.rs
@@ -0,0 +1,517 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use asn1_rs::{Any, Class, FromDer, Header, Tag};
+use c2pa_status_tracker::{log_item, validation_codes::*, StatusTracker};
+use chrono::{DateTime, Utc};
+use thiserror::Error;
+use web_time::SystemTime;
+use x509_certificate::asn1time::GeneralizedTime;
+use x509_parser::{
+    certificate::{BasicExtension, X509Certificate},
+    der_parser::{ber::parse_ber_sequence, oid},
+    extensions::ParsedExtension,
+    oid_registry::Oid,
+    x509::{AlgorithmIdentifier, X509Version},
+};
+
+use crate::{asn1::rfc3161::TstInfo, cose::CertificateTrustPolicy};
+
+/// Verify that an X.509 certificate meets the requirements stated in [§14.5.1,
+/// Certificate Profiles].
+///
+/// [§14.5.1, Certificate Profiles]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_certificate_profiles
+pub fn check_certificate_profile(
+    certificate_der: &[u8],
+    ctp: &CertificateTrustPolicy,
+    validation_log: &mut impl StatusTracker,
+    _tst_info_opt: Option<&TstInfo>,
+) -> Result<(), CertificateProfileError> {
+    let (_rem, signcert) = X509Certificate::from_der(certificate_der).map_err(|_err| {
+        log_item!(
+            "Cose_Sign1",
+            "certificate could not be parsed",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+        CertificateProfileError::InvalidCertificate
+    })?;
+
+    // Version shall be v3 as per RFC 5280, section 4.1.2.1.
+    if signcert.version() != X509Version::V3 {
+        log_item!(
+            "Cose_Sign1",
+            "certificate version incorrect",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(
+            validation_log,
+            CertificateProfileError::InvalidCertificateVersion,
+        );
+
+        return Err(CertificateProfileError::InvalidCertificateVersion);
+    }
+
+    // Was the certificate valid at time of signing?
+    if let Some(tst_info) = _tst_info_opt {
+        // A valid time stamp was associated with this signature: Ensure that the
+        // timestamp was valid at that time.
+        let signing_time = generalized_time_to_datetime(tst_info.gen_time.clone());
+        if !signcert.validity().is_valid_at(
+            x509_parser::time::ASN1Time::from_timestamp(signing_time.timestamp())
+                .map_err(|_| CertificateProfileError::InvalidCertificate)?,
+        ) {
+            log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
+                .validation_status(SIGNING_CREDENTIAL_EXPIRED)
+                .failure_no_throw(
+                    validation_log,
+                    CertificateProfileError::CertificateNotValidAtTime,
+                );
+
+            return Err(CertificateProfileError::CertificateNotValidAtTime);
+        }
+    } else {
+        // No valid time stamp was associated with this signature: Ensure that the
+        // timestamp is valid now.
+        let Ok(now) = SystemTime::now().duration_since(web_time::UNIX_EPOCH) else {
+            return Err(CertificateProfileError::InternalError(
+                "system time invalid",
+            ));
+        };
+
+        if !signcert.validity().is_valid_at(
+            x509_parser::time::ASN1Time::from_timestamp(now.as_secs() as i64)
+                .map_err(|_| CertificateProfileError::InvalidCertificate)?,
+        ) {
+            log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
+                .validation_status(SIGNING_CREDENTIAL_EXPIRED)
+                .failure_no_throw(
+                    validation_log,
+                    CertificateProfileError::CertificateNotValidAtTime,
+                );
+
+            return Err(CertificateProfileError::CertificateNotValidAtTime);
+        }
+    }
+
+    let cert_alg = &signcert.signature_algorithm.algorithm;
+
+    // Certificate must be signed with one of the following algorithms.
+    if !(*cert_alg == SHA256_WITH_RSAENCRYPTION_OID
+        || *cert_alg == SHA384_WITH_RSAENCRYPTION_OID
+        || *cert_alg == SHA512_WITH_RSAENCRYPTION_OID
+        || *cert_alg == ECDSA_WITH_SHA256_OID
+        || *cert_alg == ECDSA_WITH_SHA384_OID
+        || *cert_alg == ECDSA_WITH_SHA512_OID
+        || *cert_alg == RSASSA_PSS_OID
+        || *cert_alg == ED25519_OID)
+    {
+        log_item!(
+            "Cose_Sign1",
+            "certificate algorithm not supported",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(
+            validation_log,
+            CertificateProfileError::UnsupportedAlgorithm,
+        );
+
+        return Err(CertificateProfileError::UnsupportedAlgorithm);
+    }
+
+    // Verify RSA_PSS parameters.
+    if *cert_alg == RSASSA_PSS_OID {
+        if let Some(parameters) = &signcert.signature_algorithm.parameters {
+            let seq = parameters
+                .as_sequence()
+                .map_err(|_err| CertificateProfileError::InvalidCertificate)?;
+
+            let (_i, (ha_alg, mgf_ai)) = seq
+                .parse(|i| {
+                    let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
+                    if h.class() != Class::ContextSpecific || h.tag() != Tag(0) {
+                        return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
+                    }
+
+                    let (i, ha_alg) = AlgorithmIdentifier::from_der(i)
+                        .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
+
+                    let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
+                    if h.class() != Class::ContextSpecific || h.tag() != Tag(1) {
+                        return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
+                    }
+
+                    let (i, mgf_ai) = AlgorithmIdentifier::from_der(i)
+                        .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
+
+                    // Ignore anything that follows these two parameters.
+
+                    Ok((i, (ha_alg, mgf_ai)))
+                })
+                .map_err(|_| CertificateProfileError::InvalidCertificate)?;
+
+            let mgf_ai_parameters = mgf_ai
+                .parameters
+                .ok_or(CertificateProfileError::InvalidCertificate)?;
+            let mgf_ai_parameters = mgf_ai_parameters
+                .as_sequence()
+                .map_err(|_| CertificateProfileError::InvalidCertificate)?;
+
+            let (_i, mgf_ai_params_algorithm) =
+                <Any as asn1_rs::FromDer>::from_der(&mgf_ai_parameters.content)
+                    .map_err(|_| CertificateProfileError::InvalidCertificate)?;
+
+            let mgf_ai_params_algorithm = mgf_ai_params_algorithm
+                .as_oid()
+                .map_err(|_| CertificateProfileError::InvalidCertificate)?;
+
+            if ha_alg.algorithm.to_id_string() != mgf_ai_params_algorithm.to_id_string() {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate algorithm error",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+
+            // check for one of the mandatory types
+            if !(ha_alg.algorithm == SHA256_OID
+                || ha_alg.algorithm == SHA384_OID
+                || ha_alg.algorithm == SHA512_OID)
+            {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate hash algorithm not supported",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+        } else {
+            log_item!(
+                "Cose_Sign1",
+                "certificate missing algorithm parameters",
+                "check_cert_alg"
+            )
+            .validation_status(SIGNING_CREDENTIAL_INVALID)
+            .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+            return Err(CertificateProfileError::InvalidCertificate);
+        }
+    }
+
+    // CHeck curves for SPKI EC algorithms.
+    let pk = signcert.public_key();
+    let skpi_alg = &pk.algorithm;
+
+    if skpi_alg.algorithm == EC_PUBLICKEY_OID {
+        if let Some(parameters) = &skpi_alg.parameters {
+            let named_curve_oid = parameters
+                .as_oid()
+                .map_err(|_err| CertificateProfileError::InvalidCertificate)?;
+
+            // Must be one of these named curves.
+            if !(named_curve_oid == PRIME256V1_OID
+                || named_curve_oid == SECP384R1_OID
+                || named_curve_oid == SECP521R1_OID)
+            {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate unsupported EC curve",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+        } else {
+            return Err(CertificateProfileError::InvalidCertificate);
+        }
+    }
+
+    // Check modulus minimum length for RSA & PSS algorithms.
+    if skpi_alg.algorithm == RSA_OID || skpi_alg.algorithm == RSASSA_PSS_OID {
+        let (_, skpi_ber) = parse_ber_sequence(&pk.subject_public_key.data)
+            .map_err(|_err| CertificateProfileError::InvalidCertificate)?;
+
+        let seq = skpi_ber
+            .as_sequence()
+            .map_err(|_err| CertificateProfileError::InvalidCertificate)?;
+        if seq.len() < 2 {
+            return Err(CertificateProfileError::InvalidCertificate);
+        }
+
+        let modulus = seq[0]
+            .as_bigint()
+            .map_err(|_| CertificateProfileError::InvalidCertificate)?;
+
+        if modulus.bits() < 2048 {
+            log_item!(
+                "Cose_Sign1",
+                "certificate key length too short",
+                "check_cert_alg"
+            )
+            .validation_status(SIGNING_CREDENTIAL_INVALID)
+            .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+            return Err(CertificateProfileError::InvalidCertificate);
+        }
+    }
+
+    let tbscert = &signcert.tbs_certificate;
+
+    // Disallow self-signed certificates.
+    if tbscert.is_ca() && tbscert.issuer() == tbscert.subject() {
+        log_item!(
+            "Cose_Sign1",
+            "certificate issuer and subject cannot be the same (self-signed disallowed)",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(
+            validation_log,
+            CertificateProfileError::SelfSignedCertificate,
+        );
+
+        return Err(CertificateProfileError::SelfSignedCertificate);
+    }
+
+    // Disallow unique IDs.
+    if signcert.issuer_uid.is_some() || signcert.subject_uid.is_some() {
+        log_item!(
+            "Cose_Sign1",
+            "certificate issuer/subject unique ids are not allowed",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+        return Err(CertificateProfileError::InvalidCertificate);
+    }
+
+    let mut aki_good = false;
+    let mut ski_good = false;
+    let mut key_usage_good = false;
+    let mut handled_all_critical = true;
+    let extended_key_usage_good = match tbscert
+        .extended_key_usage()
+        .map_err(|_| CertificateProfileError::InvalidCertificate)?
+    {
+        Some(BasicExtension { value: eku, .. }) => {
+            if eku.any {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate 'any' EKU not allowed",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+
+            if ctp.has_allowed_eku(eku).is_none() {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate missing required EKU",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+
+            // one or the other || either of these two, and no others field
+            if (eku.ocsp_signing && eku.time_stamping)
+                || ((eku.ocsp_signing ^ eku.time_stamping)
+                    && (eku.client_auth
+                        | eku.code_signing
+                        | eku.email_protection
+                        | eku.server_auth
+                        | !eku.other.is_empty()))
+            {
+                log_item!(
+                    "Cose_Sign1",
+                    "certificate invalid set of EKUs",
+                    "check_cert_alg"
+                )
+                .validation_status(SIGNING_CREDENTIAL_INVALID)
+                .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+                return Err(CertificateProfileError::InvalidCertificate);
+            }
+
+            true
+        }
+
+        None => tbscert.is_ca(), // if is not ca it must be present
+    };
+
+    // Populate needed extension info.
+    for e in signcert.extensions() {
+        match e.parsed_extension() {
+            ParsedExtension::AuthorityKeyIdentifier(_aki) => {
+                aki_good = true;
+            }
+            ParsedExtension::SubjectKeyIdentifier(_spki) => {
+                ski_good = true;
+            }
+            ParsedExtension::KeyUsage(ku) => {
+                if ku.digital_signature() {
+                    if ku.key_cert_sign() && !tbscert.is_ca() {
+                        log_item!(
+                            "Cose_Sign1",
+                            "certificate missing digitalSignature EKU",
+                            "check_cert_alg"
+                        )
+                        .validation_status(SIGNING_CREDENTIAL_INVALID)
+                        .failure_no_throw(
+                            validation_log,
+                            CertificateProfileError::InvalidCertificate,
+                        );
+
+                        return Err(CertificateProfileError::InvalidCertificate);
+                    }
+                    key_usage_good = true;
+                }
+                if ku.key_cert_sign() || ku.non_repudiation() {
+                    key_usage_good = true;
+                }
+
+                // TO DO: warn if not marked critical.
+                // if !e.critical { // warn here somehow}
+            }
+
+            ParsedExtension::CertificatePolicies(_) => (),
+            ParsedExtension::PolicyMappings(_) => (),
+            ParsedExtension::SubjectAlternativeName(_) => (),
+            ParsedExtension::BasicConstraints(_) => (),
+            ParsedExtension::NameConstraints(_) => (),
+            ParsedExtension::PolicyConstraints(_) => (),
+            ParsedExtension::ExtendedKeyUsage(_) => (),
+            ParsedExtension::CRLDistributionPoints(_) => (),
+            ParsedExtension::InhibitAnyPolicy(_) => (),
+            ParsedExtension::AuthorityInfoAccess(_) => (),
+            ParsedExtension::NSCertType(_) => (),
+            ParsedExtension::CRLNumber(_) => (),
+            ParsedExtension::ReasonCode(_) => (),
+            ParsedExtension::InvalidityDate(_) => (),
+
+            ParsedExtension::Unparsed => {
+                if e.critical {
+                    // Unhandled critical extension.
+                    handled_all_critical = false;
+                }
+            }
+
+            _ => {
+                if e.critical {
+                    // Unhandled critical extension.
+                    handled_all_critical = false;
+                }
+            }
+        }
+    }
+
+    // If cert is a CA must have valid SubjectKeyIdentifier.
+    ski_good = if tbscert.is_ca() { ski_good } else { true };
+
+    // Check all flags.
+    if aki_good && ski_good && key_usage_good && extended_key_usage_good && handled_all_critical {
+        Ok(())
+    } else {
+        log_item!(
+            "Cose_Sign1",
+            "certificate params incorrect",
+            "check_cert_alg"
+        )
+        .validation_status(SIGNING_CREDENTIAL_INVALID)
+        .failure_no_throw(validation_log, CertificateProfileError::InvalidCertificate);
+
+        Err(CertificateProfileError::InvalidCertificate)
+    }
+}
+
+/// Describes errors that can be identified when checking a certificate's
+/// profile.
+#[derive(Debug, Eq, Error, PartialEq)]
+#[non_exhaustive]
+pub enum CertificateProfileError {
+    /// The certificate (or certificate chain) that was presented is invalid.
+    ///
+    /// This often occurs when the data presented isn't a valid X.509
+    /// certificate in DER format.
+    #[error("the certificate is invalid")]
+    InvalidCertificate,
+
+    /// The certificate must be a version 3 certificate per [RFC 5280, section
+    /// 4.1.2.1].
+    ///
+    /// [RFC 5280, section 4.1.2.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1
+    #[error("the certificate must be a `v3` certificate")]
+    InvalidCertificateVersion,
+
+    /// The certificate was used outside of its period of validity.
+    #[error("the certificate was not valid at time of signing")]
+    CertificateNotValidAtTime,
+
+    /// The certificate was signed with an unsupported algorithm.
+    #[error("the certificate was signed with an unsupported algorithm")]
+    UnsupportedAlgorithm,
+
+    /// The certificate contains an invalid extended key usage (EKU) value.
+    #[error("the certificate contains an invalid extended key usage (EKU) value")]
+    InvalidEku,
+
+    /// The certificate was signed by the same entity as the certificate itself.
+    #[error("the certificate was self-signed")]
+    SelfSignedCertificate,
+
+    /// An unexpected internal error occured while requesting the time stamp
+    /// response.
+    #[error("internal error ({0})")]
+    InternalError(&'static str),
+}
+
+fn generalized_time_to_datetime(gt: GeneralizedTime) -> DateTime<Utc> {
+    gt.into()
+}
+
+const RSA_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .1);
+const EC_PUBLICKEY_OID: Oid<'static> = oid!(1.2.840 .10045 .2 .1);
+const RSASSA_PSS_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .10);
+
+const ECDSA_WITH_SHA256_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .2);
+const ECDSA_WITH_SHA384_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .3);
+const ECDSA_WITH_SHA512_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .4);
+const SHA256_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .11);
+const SHA384_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .12);
+const SHA512_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .13);
+const ED25519_OID: Oid<'static> = oid!(1.3.101 .112);
+const SHA256_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .1);
+const SHA384_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .2);
+const SHA512_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .3);
+const SECP521R1_OID: Oid<'static> = oid!(1.3.132 .0 .35);
+const SECP384R1_OID: Oid<'static> = oid!(1.3.132 .0 .34);
+const PRIME256V1_OID: Oid<'static> = oid!(1.2.840 .10045 .3 .1 .7);
diff --git a/internal/crypto/src/cose/certificate_trust_policy.rs b/internal/crypto/src/cose/certificate_trust_policy.rs
new file mode 100644
index 000000000..30e668b45
--- /dev/null
+++ b/internal/crypto/src/cose/certificate_trust_policy.rs
@@ -0,0 +1,406 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+#![allow(clippy::doc_lazy_continuation)] // Clippy and rustfmt aren't agreeing at the moment. :-(
+
+use std::{collections::HashSet, error::Error, fmt, io::BufRead, str::FromStr};
+
+use asn1_rs::{oid, Oid};
+use async_generic::async_generic;
+use thiserror::Error;
+use x509_parser::{extensions::ExtendedKeyUsage, pem::Pem};
+
+use crate::{base64, hash::sha256};
+
+/// A `CertificateTrustPolicy` is configured with information about trust
+/// anchors, privately-accepted end-entity certificates, and allowed EKUs. It
+/// can be used to evaluate a signing certificate against those policies.
+#[derive(Debug)]
+pub struct CertificateTrustPolicy {
+    /// Trust anchors (root X.509 certificates) in DER format.
+    trust_anchor_ders: Vec<Vec<u8>>,
+
+    /// Base-64 encoded SHA-256 hash of end-entity certificates (root X.509
+    /// certificates) in DER format.
+    end_entity_cert_set: HashSet<String>,
+
+    /// Additional extended key usage (EKU) OIDs.
+    additional_ekus: HashSet<String>,
+}
+
+impl Default for CertificateTrustPolicy {
+    fn default() -> Self {
+        let mut this = CertificateTrustPolicy {
+            trust_anchor_ders: vec![],
+            end_entity_cert_set: HashSet::default(),
+            additional_ekus: HashSet::default(),
+        };
+
+        this.add_valid_ekus(include_bytes!("./valid_eku_oids.cfg"));
+
+        // In testing configs, also add debug/trust anchors.
+        #[cfg(test)]
+        {
+            let _ = this.add_trust_anchors(include_bytes!(
+                "../tests/fixtures/raw_signature/test_cert_root_bundle.pem"
+            ));
+        }
+
+        this
+    }
+}
+
+impl CertificateTrustPolicy {
+    /// Create a new certificate acceptance policy with no preconfigured trust
+    /// roots.
+    ///
+    /// Use [`default()`] if you want a typical built-in configuration.
+    ///
+    /// [`default()`]: Self::default()
+    pub fn new() -> Self {
+        CertificateTrustPolicy {
+            trust_anchor_ders: vec![],
+            end_entity_cert_set: HashSet::default(),
+            additional_ekus: HashSet::default(),
+        }
+    }
+
+    /// Evaluate a certificate against the trust policy described by this
+    /// struct.
+    ///
+    /// Returns `Ok(())` if the certificate appears on the end-entity
+    /// certificate list or has a valid chain to one of the trust anchors that
+    /// was provided and that it has a valid extended key usage (EKU).
+    ///
+    /// If `signing_time_epoch` is provided, evaluates the signing time (which
+    /// must be in Unix seconds since the epoch) against the certificate's
+    /// period of validity.
+    #[allow(unused)] // parameters may be unused in some cases
+    #[async_generic]
+    pub fn check_certificate_trust(
+        &self,
+        chain_der: &[Vec<u8>],
+        end_entity_cert_der: &[u8],
+        signing_time_epoch: Option<i64>,
+    ) -> Result<(), CertificateTrustError> {
+        // First check to see if the certificate appears in the allowed set of
+        // end-entity certificates.
+        let cert_hash = base64_sha256_cert_der(end_entity_cert_der);
+        if self.end_entity_cert_set.contains(&cert_hash) {
+            return Ok(());
+        }
+
+        if _async {
+            #[cfg(target_arch = "wasm32")]
+            {
+                return crate::webcrypto::check_certificate_trust::check_certificate_trust(
+                    self,
+                    chain_der,
+                    end_entity_cert_der,
+                    signing_time_epoch,
+                )
+                .await;
+            }
+        }
+
+        #[cfg(feature = "openssl")]
+        {
+            return crate::openssl::check_certificate_trust::check_certificate_trust(
+                self,
+                chain_der,
+                end_entity_cert_der,
+                signing_time_epoch,
+            );
+        }
+
+        Err(CertificateTrustError::InternalError(
+            "no implementation for certificate evaluation available",
+        ))
+    }
+
+    /// Add trust anchors (root X.509 certificates) that shall be accepted when
+    /// verifying COSE signatures.
+    ///
+    /// From [§14.4.1, C2PA Signers], of the C2PA Technical Specification:
+    ///
+    /// > A validator shall maintain the following lists for C2PA signers:
+    /// >
+    /// > * The list of X.509 certificate trust anchors provided by the C2PA
+    /// > (i.e., the C2PA Trust List).
+    /// > * A list of additional X.509 certificate trust anchors.
+    /// > * ~~A list of accepted Extended Key Usage (EKU) values.~~ _(not
+    /// > relevant for this API)_
+    /// >
+    /// > NOTE: Some of these lists can be empty.
+    /// >
+    /// > In addition to the list of trust anchors provided in the C2PA Trust
+    /// > List, a validator should allow a user to configure additional trust
+    /// > anchor stores, and should provide default options or offer lists
+    /// > maintained by external parties that the user may opt into to populate
+    /// > the validator’s trust anchor store for C2PA signers.
+    ///
+    /// This function reads zero or more X.509 root certificates in PEM format
+    /// and configures the trust handler to accept certificates that chain up to
+    /// these trust anchors.
+    ///
+    /// [§14.4.1, C2PA Signers]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_c2pa_signers
+    pub fn add_trust_anchors(
+        &mut self,
+        trust_anchor_pems: &[u8],
+    ) -> Result<(), InvalidCertificateError> {
+        for maybe_pem in Pem::iter_from_buffer(trust_anchor_pems) {
+            // NOTE: The `x509_parser::pem::Pem` struct's `contents` field contains the
+            // decoded PEM content, which is expected to be in DER format.
+            match maybe_pem {
+                Ok(pem) => self.trust_anchor_ders.push(pem.contents),
+                Err(e) => {
+                    return Err(InvalidCertificateError(e.to_string()));
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    /// Add individual end-entity credentials that shall be accepted when
+    /// verifying COSE signatures.
+    ///
+    /// From [§14.4.3, Private Credential Storage], of the C2PA Technical
+    /// Specification:
+    ///
+    /// > A validator may also allow the user to create and maintain a private
+    /// > credential store of signing credentials. This store is intended as an
+    /// > "address book" of credentials they have chosen to trust based on an
+    /// > out-of-band relationship. If present, the private credential store
+    /// > shall only apply to validating signed C2PA manifests, and shall not
+    /// > apply to validating time-stamps. If present, the private credential
+    /// > store shall only allow trust in signer certificates directly; entries
+    /// > in the private credential store cannot issue credentials and shall not
+    /// > be included as trust anchors during validation.
+    ///
+    /// This function reads zero or more X.509 end-entity certificates in PEM
+    /// format and configures the trust handler to accept those specific
+    /// certificates, regardless of how they may or may not chain up to other
+    /// trust anchors.
+    ///
+    /// As an optimization, this function also accepts standalone lines (outside
+    /// of the X.509 PEM blocks). Each such line must contain a Base-64 encoded
+    /// SHA_256 hash value over the value of a PEM certificate.
+    ///
+    /// Lines that match neither format (PEM or hash) are ignored.
+    ///
+    /// [§14.4.3, Private Credential Storage]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_private_credential_storage
+    pub fn add_end_entity_credentials(
+        &mut self,
+        end_entity_cert_pems: &[u8],
+    ) -> Result<(), InvalidCertificateError> {
+        let mut inside_pem_block = false;
+
+        for line in end_entity_cert_pems.lines().map_while(Result::ok) {
+            if line.contains("-----BEGIN") {
+                inside_pem_block = true;
+            }
+            if line.contains("-----END") {
+                inside_pem_block = false;
+            }
+            if !inside_pem_block && line.len() == 44 && base64::decode(&line).is_ok() {
+                self.end_entity_cert_set.insert(line);
+            }
+        }
+
+        for maybe_pem in Pem::iter_from_buffer(end_entity_cert_pems) {
+            // NOTE: The `x509_parser::pem::Pem` struct's `contents` field contains the
+            // decoded PEM content, which is expected to be in DER format.
+            match maybe_pem {
+                Ok(pem) => {
+                    self.end_entity_cert_set
+                        .insert(base64_sha256_cert_der(&pem.contents));
+                }
+                Err(e) => {
+                    return Err(InvalidCertificateError(e.to_string()));
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    /// Add extended key usage (EKU) values that shall be accepted when
+    /// verifying COSE signatures.
+    ///
+    /// From [§14.4.1, C2PA Signers], of the C2PA Technical Specification:
+    ///
+    /// > A validator shall maintain the following lists for C2PA signers:
+    /// >
+    /// > * ~~The list of X.509 certificate trust anchors provided by the C2PA
+    /// > (i.e., the C2PA Trust List).~~ _(not relevant for this API)_
+    /// > * ~~A list of additional X.509 certificate trust anchors.~~ _(not
+    /// > relevant for this API)_
+    /// > * A list of accepted Extended Key Usage (EKU) values.
+    /// >
+    /// > NOTE: Some of these lists can be empty.
+    ///
+    /// This function reads zero or more EKU object identifiers (OIDs) in
+    /// dotted-decimal notation (one per line) and configures the trust handler
+    /// to accept certificates that are issued with one of those EKUs.
+    ///
+    /// IMPORTANT: The trust configuration will always accept the default set of
+    /// OIDs descfibed in the C2PA Technical Specification.
+    ///
+    /// This function will quietly ignore any invalid input, such as a non-UTF8
+    /// input or lines within the input such as comments or blank lines that can
+    /// not be parsed as OIDs.
+    ///
+    /// [§14.4.1, C2PA Signers]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_c2pa_signers
+    pub fn add_valid_ekus(&mut self, eku_oids: &[u8]) {
+        let Ok(eku_oids) = std::str::from_utf8(eku_oids) else {
+            return;
+        };
+
+        for line in eku_oids.lines() {
+            if let Ok(_oid) = Oid::from_str(line) {
+                self.additional_ekus.insert(line.to_string());
+            }
+        }
+    }
+
+    /// Remove all trust anchors, private credentials, and EKUs previously
+    /// configured.
+    pub fn clear(&mut self) {
+        self.trust_anchor_ders.clear();
+        self.end_entity_cert_set.clear();
+        self.additional_ekus.clear();
+    }
+
+    /// Return an iterator over the trust anchors.
+    ///
+    /// Each anchor will be returned in DER format.
+    pub(crate) fn trust_anchor_ders(&self) -> impl Iterator<Item = &'_ Vec<u8>> {
+        self.trust_anchor_ders.iter()
+    }
+
+    /// Return `true` if the EKU OID is allowed.
+    pub(crate) fn has_allowed_eku<'a>(&self, eku: &'a ExtendedKeyUsage) -> Option<Oid<'a>> {
+        if eku.email_protection {
+            return Some(EMAIL_PROTECTION_OID.clone());
+        }
+
+        if eku.time_stamping {
+            return Some(TIMESTAMPING_OID.clone());
+        }
+
+        if eku.ocsp_signing {
+            return Some(OCSP_SIGNING_OID.clone());
+        }
+
+        // TO REVIEW: Earlier implementation used the last match; this one uses the
+        // first. Does that make a difference?
+
+        for extra_oid in eku.other.iter().as_ref() {
+            let extra_oid_str = extra_oid.to_string();
+            if self.additional_ekus.contains(&extra_oid_str) {
+                return Some(extra_oid.clone());
+            }
+        }
+
+        None
+    }
+}
+
+fn base64_sha256_cert_der(cert_der: &[u8]) -> String {
+    let cert_sha256 = sha256(cert_der);
+    base64::encode(&cert_sha256)
+}
+
+/// Describes errors that can be identified when evaluating a certificate's
+/// trust.
+#[derive(Debug, Eq, Error, PartialEq)]
+#[non_exhaustive]
+pub enum CertificateTrustError {
+    /// The certificate does not appear on any trust list that has been
+    /// configured.
+    ///
+    /// A certificate can be approved either by adding one or more trust anchors
+    /// via a call to [`CertificateTrustPolicy::add_trust_anchors`] or by
+    /// adding one or more end-entity certificates via
+    /// [`CertificateTrustPolicy::add_end_entity_credentials`].
+    ///
+    /// If the certificate that was presented doesn't match either of these
+    /// conditions, this error will be returned.
+    #[error("the certificate is not trusted")]
+    CertificateNotTrusted,
+
+    /// The certificate contains an invalid extended key usage (EKU) value.
+    #[error("the certificate contains an invalid extended key usage (EKU) value")]
+    InvalidEku,
+
+    /// An error was reported by the OpenSSL native code.
+    ///
+    /// NOTE: We do not directly capture the OpenSSL error itself because it
+    /// lacks an Eq implementation. Instead we capture the error description.
+    #[cfg(feature = "openssl")]
+    #[error("an error was reported by OpenSSL native code: {0}")]
+    OpenSslError(String),
+
+    /// The OpenSSL native code mutex could not be acquired.
+    #[cfg(feature = "openssl")]
+    #[error(transparent)]
+    OpenSslMutexUnavailable(#[from] crate::openssl::OpenSslMutexUnavailable),
+
+    /// The certificate (or certificate chain) that was presented is invalid.
+    #[error("the certificate or certificate chain is invalid")]
+    InvalidCertificate,
+
+    /// An unexpected internal error occured while requesting the time stamp
+    /// response.
+    #[error("internal error ({0})")]
+    InternalError(&'static str),
+}
+
+#[cfg(feature = "openssl")]
+impl From<openssl::error::ErrorStack> for CertificateTrustError {
+    fn from(err: openssl::error::ErrorStack) -> Self {
+        Self::OpenSslError(err.to_string())
+    }
+}
+
+#[cfg(target_arch = "wasm32")]
+impl From<crate::webcrypto::WasmCryptoError> for CertificateTrustError {
+    fn from(err: crate::webcrypto::WasmCryptoError) -> Self {
+        match err {
+            crate::webcrypto::WasmCryptoError::UnknownContext => {
+                Self::InternalError("unknown WASM context")
+            }
+            crate::webcrypto::WasmCryptoError::NoCryptoAvailable => {
+                Self::InternalError("WASM crypto unavailable")
+            }
+        }
+    }
+}
+
+/// This error can occur when adding certificates to a
+/// [`CertificateTrustPolicy`].
+#[derive(Debug, Eq, PartialEq)]
+pub struct InvalidCertificateError(pub(crate) String);
+
+impl fmt::Display for InvalidCertificateError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "Unable to parse certificate list: {}", self.0)
+    }
+}
+
+impl Error for InvalidCertificateError {}
+
+static EMAIL_PROTECTION_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .4);
+static TIMESTAMPING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .8);
+static OCSP_SIGNING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .9);
diff --git a/internal/crypto/src/cose/error.rs b/internal/crypto/src/cose/error.rs
new file mode 100644
index 000000000..40710feaa
--- /dev/null
+++ b/internal/crypto/src/cose/error.rs
@@ -0,0 +1,85 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use thiserror::Error;
+
+use crate::{
+    cose::{CertificateProfileError, CertificateTrustError},
+    raw_signature::{RawSignatureValidationError, RawSignerError},
+    time_stamp::TimeStampError,
+};
+
+/// Describes errors that can occur when processing or generating [COSE]
+/// signatures.
+///
+/// [COSE]: https://datatracker.ietf.org/doc/rfc9052/
+#[derive(Debug, Error)]
+pub enum CoseError {
+    /// No signing certificate chain was found.
+    #[error("missing signing certificate chain")]
+    MissingSigningCertificateChain,
+
+    /// Signing certificates appeared in both protected and unprotected headers.
+    #[error("multiple signing certificate chains detected")]
+    MultipleSigningCertificateChains,
+
+    /// No time stamp token found.
+    #[error("no time stamp token found in sigTst or sigTst2 header")]
+    NoTimeStampToken,
+
+    /// Unsupported signing algorithm found.
+    #[error("the certificate was signed using an unsupported signature algorithm")]
+    UnsupportedSigningAlgorithm,
+
+    /// Could not parse ECDSA signature.
+    #[error("could not parse ECDSA signature")]
+    InvalidEcdsaSignature,
+
+    /// An error occurred while parsing CBOR.
+    #[error("error while parsing CBOR ({0})")]
+    CborParsingError(String),
+
+    /// An error occurred while generating CBOR.
+    #[error("error while generating CBOR ({0})")]
+    CborGenerationError(String),
+
+    /// An error occurred while parsing a time stamp.
+    #[error(transparent)]
+    TimeStampError(#[from] TimeStampError),
+
+    /// The signing certificate(s) did not match the required certificate
+    /// profile.
+    #[error(transparent)]
+    CertificateProfileError(#[from] CertificateProfileError),
+
+    /// The signing certificate(s) did not match the required trust policy.
+    #[error(transparent)]
+    CertificateTrustError(#[from] CertificateTrustError),
+
+    /// The box size provided for the signature is too small.
+    #[error("the signature box is too small")]
+    BoxSizeTooSmall,
+
+    /// An error occurred when generating the underlying raw signature.
+    #[error(transparent)]
+    RawSignerError(#[from] RawSignerError),
+
+    /// An error occurred when interpreting the underlying raw signature.
+    #[error(transparent)]
+    RawSignatureValidationError(#[from] RawSignatureValidationError),
+
+    /// An unexpected internal error occured while requesting the time stamp
+    /// response.
+    #[error("internal error ({0})")]
+    InternalError(String),
+}
diff --git a/internal/crypto/src/cose/mod.rs b/internal/crypto/src/cose/mod.rs
new file mode 100644
index 000000000..3d5751bcb
--- /dev/null
+++ b/internal/crypto/src/cose/mod.rs
@@ -0,0 +1,54 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+//! This module provides functions for working with [COSE] signatures.
+//!
+//! [COSE]: https://datatracker.ietf.org/doc/rfc9052/
+
+mod certificate_trust_policy;
+pub use certificate_trust_policy::{
+    CertificateTrustError, CertificateTrustPolicy, InvalidCertificateError,
+};
+
+mod certificate_profile;
+pub use certificate_profile::{check_certificate_profile, CertificateProfileError};
+
+mod error;
+pub use error::CoseError;
+
+mod ocsp;
+pub use ocsp::{check_ocsp_status, check_ocsp_status_async, OcspFetchPolicy};
+
+mod sign;
+pub use sign::{sign, sign_async};
+
+mod sign1;
+pub use sign1::{
+    cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1, signing_time_from_sign1,
+    signing_time_from_sign1_async,
+};
+
+mod sigtst;
+pub(crate) use sigtst::{
+    add_sigtst_header, add_sigtst_header_async, validate_cose_tst_info,
+    validate_cose_tst_info_async,
+};
+
+mod time_stamp_storage;
+pub use time_stamp_storage::TimeStampStorage;
+
+mod validation_info;
+pub use validation_info::ValidationInfo;
+
+mod verifier;
+pub use verifier::Verifier;
diff --git a/internal/crypto/src/cose/ocsp.rs b/internal/crypto/src/cose/ocsp.rs
new file mode 100644
index 000000000..fa43f545c
--- /dev/null
+++ b/internal/crypto/src/cose/ocsp.rs
@@ -0,0 +1,188 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use async_generic::async_generic;
+use c2pa_status_tracker::StatusTracker;
+use chrono::{DateTime, Utc};
+use ciborium::value::Value;
+use coset::{CoseSign1, Label};
+
+use crate::{
+    cose::{
+        check_certificate_profile, validate_cose_tst_info, validate_cose_tst_info_async,
+        CertificateTrustPolicy, CoseError,
+    },
+    ocsp::OcspResponse,
+};
+
+/// Given a COSE signature, extract the OCSP data and validate the status of
+/// that report.
+#[async_generic]
+pub fn check_ocsp_status(
+    sign1: &CoseSign1,
+    data: &[u8],
+    fetch_policy: OcspFetchPolicy,
+    ctp: &CertificateTrustPolicy,
+    validation_log: &mut impl StatusTracker,
+) -> Result<OcspResponse, CoseError> {
+    match get_ocsp_der(sign1) {
+        Some(ocsp_response_der) => {
+            if _sync {
+                check_stapled_ocsp_response(sign1, &ocsp_response_der, data, ctp, validation_log)
+            } else {
+                check_stapled_ocsp_response_async(
+                    sign1,
+                    &ocsp_response_der,
+                    data,
+                    ctp,
+                    validation_log,
+                )
+                .await
+            }
+        }
+
+        None => match fetch_policy {
+            OcspFetchPolicy::FetchAllowed => {
+                fetch_and_check_ocsp_response(sign1, data, ctp, validation_log)
+            }
+            OcspFetchPolicy::DoNotFetch => Ok(OcspResponse::default()),
+        },
+    }
+}
+
+/// Policy for fetching OCSP responses.
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub enum OcspFetchPolicy {
+    /// Allow internet connection to fetch OCSP response.
+    FetchAllowed,
+
+    /// Do not connect and ignore OCSP status if not available.
+    DoNotFetch,
+}
+
+#[async_generic]
+fn check_stapled_ocsp_response(
+    sign1: &CoseSign1,
+    ocsp_response_der: &[u8],
+    data: &[u8],
+    ctp: &CertificateTrustPolicy,
+    validation_log: &mut impl StatusTracker,
+) -> Result<OcspResponse, CoseError> {
+    let time_stamp_info = if _sync {
+        validate_cose_tst_info(sign1, data)
+    } else {
+        validate_cose_tst_info_async(sign1, data).await
+    };
+
+    // If the stapled OCSP response has a time stamp, we can validate it.
+    let Ok(tst_info) = &time_stamp_info else {
+        return Ok(OcspResponse::default());
+    };
+
+    let signing_time: DateTime<Utc> = tst_info.gen_time.clone().into();
+
+    let Ok(ocsp_data) =
+        OcspResponse::from_der_checked(ocsp_response_der, Some(signing_time), validation_log)
+    else {
+        return Ok(OcspResponse::default());
+    };
+
+    // If we get a valid response, validate the certs.
+    if ocsp_data.revoked_at.is_none() {
+        if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
+            check_certificate_profile(&ocsp_certs[0], ctp, validation_log, Some(tst_info))?;
+        }
+    }
+
+    Ok(ocsp_data)
+}
+
+// TO DO: Add async version of this?
+fn fetch_and_check_ocsp_response(
+    sign1: &CoseSign1,
+    data: &[u8],
+    ctp: &CertificateTrustPolicy,
+    validation_log: &mut impl StatusTracker,
+) -> Result<OcspResponse, CoseError> {
+    #[cfg(target_arch = "wasm32")]
+    {
+        let _ = (sign1, data, ctp, validation_log);
+        Ok(OcspResponse::default())
+    }
+
+    #[cfg(not(target_arch = "wasm32"))]
+    {
+        use crate::cose::cert_chain_from_sign1;
+
+        let certs = cert_chain_from_sign1(sign1)?;
+
+        let Some(ocsp_der) = crate::ocsp::fetch_ocsp_response(&certs) else {
+            return Ok(OcspResponse::default());
+        };
+
+        let ocsp_response_der = ocsp_der;
+
+        let signing_time: Option<DateTime<Utc>> = validate_cose_tst_info(sign1, data)
+            .ok()
+            .map(|tst_info| tst_info.gen_time.clone().into());
+
+        // Check the OCSP response, but only if it is well-formed.
+        // Revocation errors are reported in the validation log.
+        let Ok(ocsp_data) =
+            OcspResponse::from_der_checked(&ocsp_response_der, signing_time, validation_log)
+        else {
+            // TO REVIEW: This is how the old code worked, but is it correct to ignore a
+            // malformed OCSP response?
+            return Ok(OcspResponse::default());
+        };
+
+        // If we get a valid response validate the certs.
+        if ocsp_data.revoked_at.is_none() {
+            if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
+                check_certificate_profile(&ocsp_certs[0], ctp, validation_log, None)?;
+            }
+        }
+
+        Ok(ocsp_data)
+    }
+}
+
+fn get_ocsp_der(sign1: &coset::CoseSign1) -> Option<Vec<u8>> {
+    let der = sign1
+        .unprotected
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("rVals".to_string()) {
+                Some(x.1.clone())
+            } else {
+                None
+            }
+        })?;
+
+    let Value::Map(rvals_map) = der else {
+        return None;
+    };
+
+    // Find OCSP value if available.
+    rvals_map.iter().find_map(|x: &(Value, Value)| {
+        if x.0 == Value::Text("ocspVals".to_string()) {
+            x.1.as_array()
+                .and_then(|ocsp_rsp_val| ocsp_rsp_val.first())
+                .and_then(Value::as_bytes)
+                .cloned()
+        } else {
+            None
+        }
+    })
+}
diff --git a/internal/crypto/src/cose/sign.rs b/internal/crypto/src/cose/sign.rs
new file mode 100644
index 000000000..fc954c266
--- /dev/null
+++ b/internal/crypto/src/cose/sign.rs
@@ -0,0 +1,401 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use async_generic::async_generic;
+use ciborium::value::Value;
+use coset::{
+    iana::{self, EnumI64},
+    CoseSign1, CoseSign1Builder, Header, HeaderBuilder, Label, ProtectedHeader,
+    TaggedCborSerializable,
+};
+use serde_bytes::ByteBuf;
+
+use crate::{
+    cose::{add_sigtst_header, add_sigtst_header_async, CoseError, TimeStampStorage},
+    p1363::{der_to_p1363, parse_ec_der_sig},
+    raw_signature::{AsyncRawSigner, RawSigner, SigningAlg},
+};
+
+/// Given an arbitrary block of data and a [`RawSigner`] or [`AsyncRawSigner`]
+/// instance, generate a COSE signature for that block of data.
+///
+/// Returns a byte vector that is a `Cose_Sign1` data structure.
+///
+/// From [§14.5, X.509 Certificates] of the C2PA Technical Specification:
+///
+/// > X.509 Certificates are stored as defined by [RFC 9360] (CBOR Object
+/// > Signing and Encryption (COSE): Header Parameters for Carrying and
+/// > Referencing X.509 Certificates). For convenience, the definition of
+/// > `x5chain` is copied below.
+/// >
+/// > ...
+/// >
+/// > `x5chain`: This header parameter contains an ordered array of X.509
+/// > certificates. The certificates are to be ordered starting with the
+/// > certificate containing the end-entity key followed by the certificate that
+/// > signed it, and so on. There is no requirement for the entire chain to be
+/// > present in the element if there is reason to believe that the relying
+/// > party already has, or can locate, the missing certificates. This means
+/// > that the relying party is still required to do path building but that a
+/// > candidate path is proposed in this header parameter.
+/// >
+/// > The trust mechanism MUST process any certificates in this parameter as
+/// > untrusted input. The presence of a self-signed certificate in the
+/// > parameter MUST NOT cause the update of the set of trust anchors without
+/// > some out-of-band confirmation. As the contents of this header parameter
+/// > are untrusted input, the header parameter can be in either the protected
+/// > or unprotected header bucket. Sending the header parameter in the
+/// > unprotected header bucket allows an intermediary to remove or add
+/// > certificates.
+/// >
+/// > The end-entity certificate MUST be integrity protected by COSE. This can,
+/// > for example, be done by sending the header parameter in the protected
+/// > header, sending an `x5chain` in the unprotected header combined with an
+/// > `x5t` in the protected header, or including the end-entity certificate in
+/// > the `external_aad`.
+/// >
+/// > This header parameter allows for a single X.509 certificate or a chain of
+/// > X.509 certificates to be carried in the message.
+/// >
+/// > * If a single certificate is conveyed, it is placed in a CBOR byte string.
+/// > * If multiple certificates are conveyed, a CBOR array of byte strings is
+/// > used, with each certificate being in its own byte string.
+///
+/// [§14.5, X.509 Certificates]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#x509_certificates
+/// [RFC 9360]: https://datatracker.ietf.org/doc/html/rfc9360
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    if _sync {
+        match tss {
+            TimeStampStorage::V1_sigTst => sign_v1(signer, data, box_size, tss),
+            TimeStampStorage::V2_sigTst2_CTT => sign_v2(signer, data, box_size, tss),
+        }
+    } else {
+        match tss {
+            TimeStampStorage::V1_sigTst => sign_v1_async(signer, data, box_size, tss).await,
+            TimeStampStorage::V2_sigTst2_CTT => sign_v2_async(signer, data, box_size, tss).await,
+        }
+    }
+}
+
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign_v1(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    let alg = signer.alg();
+
+    let protected_header = if _sync {
+        build_protected_header(signer, alg)?
+    } else {
+        build_protected_header_async(signer, alg).await?
+    };
+
+    // We don't use the additional data header.
+    let aad: &[u8; 0] = b"";
+
+    // V1: Generate time stamp then sign.
+    let unprotected_header = if _sync {
+        build_unprotected_header(signer, data, &protected_header, tss)?
+    } else {
+        build_unprotected_header_async(signer, data, &protected_header, tss).await?
+    };
+
+    let sign1_builder = CoseSign1Builder::new()
+        .protected(protected_header.header.clone())
+        .unprotected(unprotected_header)
+        .payload(data.to_vec());
+
+    let mut sign1 = sign1_builder.build();
+
+    let tbs = coset::sig_structure_data(
+        coset::SignatureContext::CoseSign1,
+        sign1.protected.clone(),
+        None,
+        aad,
+        sign1.payload.as_ref().unwrap_or(&vec![]),
+    );
+
+    let signature = if _sync {
+        signer.sign(&tbs)?
+    } else {
+        signer.sign(tbs).await?
+    };
+
+    // Fix up signatures that may be in the wrong format.
+    sign1.signature = match alg {
+        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
+            if parse_ec_der_sig(&signature).is_ok() {
+                // Fix up DER signature to be in P1363 format.
+                der_to_p1363(&signature, alg)?
+            } else {
+                signature
+            }
+        }
+        _ => signature,
+    };
+
+    // The payload is provided elsewhere, so we don't need to repeat it in the
+    // `Cose_Sign1` structure.
+    sign1.payload = None;
+    pad_cose_sig(&mut sign1, box_size)
+}
+
+#[async_generic(async_signature(
+    signer: &dyn AsyncRawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage
+))]
+pub fn sign_v2(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    box_size: usize,
+    tss: TimeStampStorage,
+) -> Result<Vec<u8>, CoseError> {
+    let alg = signer.alg();
+
+    let protected_header = if _sync {
+        build_protected_header(signer, alg)?
+    } else {
+        build_protected_header_async(signer, alg).await?
+    };
+
+    // We don't use the additional data header.
+    let aad: &[u8; 0] = b"";
+
+    // V2: Sign then generate time stamp.
+    let sign1_builder = CoseSign1Builder::new()
+        .protected(protected_header.header.clone())
+        .payload(data.to_vec());
+
+    let mut sign1 = sign1_builder.build();
+
+    let tbs = coset::sig_structure_data(
+        coset::SignatureContext::CoseSign1,
+        sign1.protected.clone(),
+        None,
+        aad,
+        sign1.payload.as_ref().unwrap_or(&vec![]),
+    );
+
+    let signature = if _sync {
+        signer.sign(&tbs)?
+    } else {
+        signer.sign(tbs).await?
+    };
+
+    // Fix up signatures that may be in the wrong format.
+    sign1.signature = match alg {
+        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
+            if parse_ec_der_sig(&signature).is_ok() {
+                // Fix up DER signature to be in P1363 format.
+                der_to_p1363(&signature, alg)?
+            } else {
+                signature
+            }
+        }
+        _ => signature,
+    };
+
+    // The payload is provided elsewhere, so we don't need to repeat it in the
+    // `Cose_Sign1` structure.
+    sign1.payload = None;
+
+    let sig_data = ByteBuf::from(sign1.signature.clone());
+    let mut sig_data_cbor: Vec<u8> = vec![];
+    ciborium::into_writer(&sig_data, &mut sig_data_cbor)
+        .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+    // Fill in the unprotected header with time stamp data.
+    let unprotected_header = if _sync {
+        build_unprotected_header(signer, &sig_data_cbor, &protected_header, tss)?
+    } else {
+        build_unprotected_header_async(signer, &sig_data_cbor, &protected_header, tss).await?
+    };
+
+    sign1.unprotected = unprotected_header;
+
+    pad_cose_sig(&mut sign1, box_size)
+}
+
+#[async_generic(async_signature(signer: &dyn AsyncRawSigner, alg: SigningAlg))]
+fn build_protected_header(
+    signer: &dyn RawSigner,
+    alg: SigningAlg,
+) -> Result<ProtectedHeader, CoseError> {
+    let mut protected_h = match alg {
+        SigningAlg::Ps256 => HeaderBuilder::new().algorithm(iana::Algorithm::PS256),
+        SigningAlg::Ps384 => HeaderBuilder::new().algorithm(iana::Algorithm::PS384),
+        SigningAlg::Ps512 => HeaderBuilder::new().algorithm(iana::Algorithm::PS512),
+        SigningAlg::Es256 => HeaderBuilder::new().algorithm(iana::Algorithm::ES256),
+        SigningAlg::Es384 => HeaderBuilder::new().algorithm(iana::Algorithm::ES384),
+        SigningAlg::Es512 => HeaderBuilder::new().algorithm(iana::Algorithm::ES512),
+        SigningAlg::Ed25519 => HeaderBuilder::new().algorithm(iana::Algorithm::EdDSA),
+    };
+
+    let certs = signer.cert_chain()?;
+
+    let sc_der_array_or_bytes = match certs.len() {
+        1 => Value::Bytes(certs[0].clone()),
+        _ => Value::Array(certs.into_iter().map(Value::Bytes).collect()),
+    };
+
+    // Add certs to protected header.
+    protected_h = protected_h.value(
+        iana::HeaderParameter::X5Chain.to_i64(),
+        sc_der_array_or_bytes.clone(),
+    );
+
+    let protected_header = protected_h.build();
+    let ph2 = ProtectedHeader {
+        original_data: None,
+        header: protected_header.clone(),
+    };
+
+    Ok(ph2)
+}
+
+#[async_generic(async_signature(signer: &dyn AsyncRawSigner, data: &[u8], p_header: &ProtectedHeader,     tss: TimeStampStorage,))]
+fn build_unprotected_header(
+    signer: &dyn RawSigner,
+    data: &[u8],
+    p_header: &ProtectedHeader,
+    tss: TimeStampStorage,
+) -> Result<Header, CoseError> {
+    // signed_data_from_time_stamp_response
+
+    // TO DO: Continue with diff here ... (let maybe_cts etc)
+
+    let unprotected_h = HeaderBuilder::new();
+
+    let mut unprotected_h = if _sync {
+        add_sigtst_header(signer, data, p_header, unprotected_h, tss)?
+    } else {
+        add_sigtst_header_async(signer, data, p_header, unprotected_h, tss).await?
+    };
+
+    // Set the OCSP responder response if available.
+    let ocsp_val = if _sync {
+        signer.ocsp_response()
+    } else {
+        signer.ocsp_response().await
+    };
+
+    if let Some(ocsp) = ocsp_val {
+        let mut ocsp_vec: Vec<Value> = Vec::new();
+        let mut r_vals: Vec<(Value, Value)> = vec![];
+
+        ocsp_vec.push(Value::Bytes(ocsp));
+        r_vals.push((Value::Text("ocspVals".to_string()), Value::Array(ocsp_vec)));
+
+        unprotected_h = unprotected_h.text_value("rVals".to_string(), Value::Map(r_vals));
+    }
+
+    // Build complete header.
+    Ok(unprotected_h.build())
+}
+
+const PAD: &str = "pad";
+const PAD2: &str = "pad2";
+const PAD_OFFSET: usize = 7;
+
+// Pad the CoseSign1 structure with zeroes to match the reserved box size. There
+// are some values lengths that are impossible to hit with a single padding so
+// when that happens a second padding is added to change the remaining needed
+// padding. The default initial guess works for almost all sizes, without the
+// need for additional loops.
+fn pad_cose_sig(sign1: &mut CoseSign1, end_size: usize) -> Result<Vec<u8>, CoseError> {
+    let mut sign1_clone = sign1.clone();
+
+    let cur_vec = sign1_clone
+        .to_tagged_vec()
+        .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+    let cur_size = cur_vec.len();
+    if cur_size == end_size {
+        return Ok(cur_vec);
+    }
+
+    // check for box too small and matched size
+    if cur_size + PAD_OFFSET > end_size {
+        return Err(CoseError::BoxSizeTooSmall);
+    }
+
+    // Start close to desired end size, accounting for label.
+    let mut padding_found = false;
+    let mut last_pad = 0;
+    let mut target_guess = end_size - cur_size - PAD_OFFSET;
+
+    loop {
+        sign1_clone = sign1.clone();
+
+        // Replace padding with new estimate.
+        for header_pair in &mut sign1_clone.unprotected.rest {
+            if header_pair.0 == Label::Text("pad".to_string()) {
+                if let Value::Bytes(b) = &header_pair.1 {
+                    last_pad = b.len();
+                }
+                header_pair.1 = Value::Bytes(vec![0u8; target_guess]);
+                padding_found = true;
+                break;
+            }
+        }
+
+        // If there was no padding, add it and try again.
+        if !padding_found {
+            sign1_clone.unprotected.rest.push((
+                Label::Text(PAD.to_string()),
+                Value::Bytes(vec![0u8; target_guess]),
+            ));
+            return pad_cose_sig(&mut sign1_clone, end_size);
+        }
+
+        // Get current CBOR vec to see if we reached target size.
+        let new_cbor = sign1_clone
+            .to_tagged_vec()
+            .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+        match new_cbor.len() < end_size {
+            true => target_guess += 1,
+            false if new_cbor.len() == end_size => return Ok(new_cbor),
+            false => break,
+            // ^^ We could not match end_size in a single pad so break and add a second.
+        }
+    }
+
+    // If we reach here, we need a new second padding object to hit exact size.
+    sign1.unprotected.rest.push((
+        Label::Text(PAD2.to_string()),
+        Value::Bytes(vec![0u8; last_pad - 10]),
+    ));
+
+    pad_cose_sig(sign1, end_size)
+}
diff --git a/internal/crypto/src/cose/sign1.rs b/internal/crypto/src/cose/sign1.rs
new file mode 100644
index 000000000..6eb2c121e
--- /dev/null
+++ b/internal/crypto/src/cose/sign1.rs
@@ -0,0 +1,188 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use async_generic::async_generic;
+use c2pa_status_tracker::{log_item, validation_codes::CLAIM_SIGNATURE_MISMATCH, StatusTracker};
+use ciborium::value::Value;
+use coset::{
+    iana::{self, Algorithm, EnumI64},
+    CoseSign1, Label, RegisteredLabelWithPrivate, TaggedCborSerializable,
+};
+
+use crate::{
+    cose::{validate_cose_tst_info, validate_cose_tst_info_async, CoseError},
+    raw_signature::SigningAlg,
+};
+
+/// Parse a byte slice as a COSE Sign1 data structure.
+///
+/// Log errors that might occur to the provided [`StatusTracker`].
+pub fn parse_cose_sign1(
+    cose_bytes: &[u8],
+    data: &[u8],
+    validation_log: &mut impl StatusTracker,
+) -> Result<CoseSign1, CoseError> {
+    let mut sign1 = <coset::CoseSign1 as TaggedCborSerializable>::from_tagged_slice(cose_bytes)
+        .map_err(|coset_error| {
+            log_item!(
+                "Cose_Sign1",
+                "could not parse signature",
+                "parse_cose_sign1"
+            )
+            .validation_status(CLAIM_SIGNATURE_MISMATCH)
+            .failure_no_throw(
+                validation_log,
+                CoseError::CborParsingError(coset_error.to_string()),
+            );
+
+            CoseError::CborParsingError(coset_error.to_string())
+        })?;
+
+    // Temporarily restore the payload into the signature for verification check.
+    sign1.payload = Some(data.to_vec());
+
+    Ok(sign1)
+}
+
+/// TO DO: Documentation for this function.
+pub fn signing_alg_from_sign1(sign1: &coset::CoseSign1) -> Result<SigningAlg, CoseError> {
+    let Some(ref alg) = sign1.protected.header.alg else {
+        return Err(CoseError::UnsupportedSigningAlgorithm);
+    };
+
+    match alg {
+        RegisteredLabelWithPrivate::PrivateUse(a) => match a {
+            -39 => Ok(SigningAlg::Ps512),
+            -38 => Ok(SigningAlg::Ps384),
+            -37 => Ok(SigningAlg::Ps256),
+            -36 => Ok(SigningAlg::Es512),
+            -35 => Ok(SigningAlg::Es384),
+            -7 => Ok(SigningAlg::Es256),
+            -8 => Ok(SigningAlg::Ed25519),
+            _ => Err(CoseError::UnsupportedSigningAlgorithm),
+        },
+
+        RegisteredLabelWithPrivate::Assigned(a) => match a {
+            Algorithm::PS512 => Ok(SigningAlg::Ps512),
+            Algorithm::PS384 => Ok(SigningAlg::Ps384),
+            Algorithm::PS256 => Ok(SigningAlg::Ps256),
+            Algorithm::ES512 => Ok(SigningAlg::Es512),
+            Algorithm::ES384 => Ok(SigningAlg::Es384),
+            Algorithm::ES256 => Ok(SigningAlg::Es256),
+            Algorithm::EdDSA => Ok(SigningAlg::Ed25519),
+            _ => Err(CoseError::UnsupportedSigningAlgorithm),
+        },
+
+        _ => Err(CoseError::UnsupportedSigningAlgorithm),
+    }
+}
+
+/// TO DO: Documentation for this function.
+pub fn cert_chain_from_sign1(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
+    // Check the protected header first.
+    let Some(value) = sign1
+        .protected
+        .header
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("x5chain".to_string())
+                || x.0 == Label::Int(iana::HeaderParameter::X5Chain.to_i64())
+            {
+                Some(x.1.clone())
+            } else {
+                None
+            }
+        })
+    else {
+        // Not there: Also try unprotected header. (This was permitted in older versions
+        // of C2PA.)
+        return get_unprotected_header_certs(sign1);
+    };
+
+    // Certs may be in protected or unprotected header, but not both.
+    if get_unprotected_header_certs(sign1).is_ok() {
+        return Err(CoseError::MultipleSigningCertificateChains);
+    }
+
+    cert_chain_from_cbor_value(value)
+}
+
+fn get_unprotected_header_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
+    let Some(value) = sign1
+        .unprotected
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("x5chain".to_string()) {
+                Some(x.1.clone())
+            } else {
+                None
+            }
+        })
+    else {
+        return Err(CoseError::MissingSigningCertificateChain);
+    };
+
+    cert_chain_from_cbor_value(value)
+}
+
+fn cert_chain_from_cbor_value(value: Value) -> Result<Vec<Vec<u8>>, CoseError> {
+    match value {
+        Value::Array(cert_chain) => {
+            let certs: Vec<Vec<u8>> = cert_chain
+                .iter()
+                .filter_map(|c| {
+                    if let Value::Bytes(der_bytes) = c {
+                        Some(der_bytes.clone())
+                    } else {
+                        None
+                    }
+                })
+                .collect();
+
+            if certs.is_empty() {
+                Err(CoseError::MissingSigningCertificateChain)
+            } else {
+                Ok(certs)
+            }
+        }
+
+        Value::Bytes(ref der_bytes) => Ok(vec![der_bytes.clone()]),
+
+        _ => Err(CoseError::MissingSigningCertificateChain),
+    }
+}
+
+/// Return the time of signing for this signature.
+///
+/// Should not be used for certificate validation.
+#[async_generic]
+pub fn signing_time_from_sign1(
+    sign1: &coset::CoseSign1,
+    data: &[u8],
+) -> Option<chrono::DateTime<chrono::Utc>> {
+    // get timestamp info if available
+
+    let time_stamp_info = if _sync {
+        validate_cose_tst_info(sign1, data)
+    } else {
+        validate_cose_tst_info_async(sign1, data).await
+    };
+
+    if let Ok(tst_info) = time_stamp_info {
+        Some(tst_info.gen_time.into())
+    } else {
+        None
+    }
+}
diff --git a/internal/crypto/src/cose/sigtst.rs b/internal/crypto/src/cose/sigtst.rs
new file mode 100644
index 000000000..1faee0ce8
--- /dev/null
+++ b/internal/crypto/src/cose/sigtst.rs
@@ -0,0 +1,255 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use asn1_rs::nom::AsBytes;
+use async_generic::async_generic;
+use bcder::decode::Constructed;
+use ciborium::value::Value;
+use coset::{sig_structure_data, HeaderBuilder, Label, ProtectedHeader, SignatureContext};
+use serde::{Deserialize, Serialize};
+use serde_bytes::ByteBuf;
+
+use crate::{
+    asn1::rfc3161::{TimeStampResp, TstInfo},
+    cose::{CoseError, TimeStampStorage},
+    raw_signature::{AsyncRawSigner, RawSigner},
+    time_stamp::{verify_time_stamp, verify_time_stamp_async, ContentInfo, TimeStampResponse},
+};
+
+/// Given a COSE signature, retrieve the `sigTst` header from it and validate
+/// the information within it.
+///
+/// Return a [`TstInfo`] struct if available and valid.
+#[async_generic]
+pub(crate) fn validate_cose_tst_info(
+    sign1: &coset::CoseSign1,
+    data: &[u8],
+) -> Result<TstInfo, CoseError> {
+    let Some((sigtst, tss)) = &sign1
+        .unprotected
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("sigTst2".to_string()) {
+                Some((x.1.clone(), TimeStampStorage::V2_sigTst2_CTT))
+            } else if x.0 == Label::Text("sigTst".to_string()) {
+                Some((x.1.clone(), TimeStampStorage::V1_sigTst))
+            } else {
+                None
+            }
+        })
+    else {
+        return Err(CoseError::NoTimeStampToken);
+    };
+
+    // `maybe_sig_data` has to be declared outside the match block below so that the
+    // slice we return can live long enough.
+    let mut maybe_sig_data: Vec<u8> = vec![];
+    let tbs = match tss {
+        TimeStampStorage::V1_sigTst => data,
+        TimeStampStorage::V2_sigTst2_CTT => {
+            let sig_data = ByteBuf::from(sign1.signature.clone());
+            ciborium::into_writer(&sig_data, &mut maybe_sig_data)
+                .map_err(|e| CoseError::CborParsingError(e.to_string()))?;
+            maybe_sig_data.as_slice()
+        }
+    };
+
+    let mut time_cbor: Vec<u8> = vec![];
+    ciborium::into_writer(sigtst, &mut time_cbor)
+        .map_err(|e| CoseError::InternalError(e.to_string()))?;
+
+    let tst_infos = if _sync {
+        parse_and_validate_sigtst(&time_cbor, tbs, &sign1.protected)?
+    } else {
+        parse_and_validate_sigtst_async(&time_cbor, tbs, &sign1.protected).await?
+    };
+
+    // For now, we only pay attention to the first time stamp header.
+    // Technically, more are permitted, but we ignore them for now.
+    let Some(tst_info) = tst_infos.into_iter().next() else {
+        return Err(CoseError::NoTimeStampToken);
+    };
+
+    Ok(tst_info)
+}
+
+/// Parse the `sigTst` header from a COSE signature, which should contain one or
+/// more `TstInfo` structures ([RFC 3161] time stamps).
+///
+/// Validate each time stamp and return them if valid.
+///
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+#[async_generic]
+pub(crate) fn parse_and_validate_sigtst(
+    sigtst_cbor: &[u8],
+    data: &[u8],
+    p_header: &ProtectedHeader,
+) -> Result<Vec<TstInfo>, CoseError> {
+    let tst_container: TstContainer = ciborium::from_reader(sigtst_cbor)
+        .map_err(|err| CoseError::CborParsingError(err.to_string()))?;
+
+    let mut tstinfos: Vec<TstInfo> = vec![];
+
+    for token in &tst_container.tst_tokens {
+        let tbs = cose_countersign_data(data, p_header);
+        let tst_info = if _sync {
+            verify_time_stamp(&token.val, &tbs)?
+        } else {
+            verify_time_stamp_async(&token.val, &tbs).await?
+        };
+
+        tstinfos.push(tst_info);
+    }
+
+    if tstinfos.is_empty() {
+        Err(CoseError::NoTimeStampToken)
+    } else {
+        Ok(tstinfos)
+    }
+}
+
+/// Given an arbitrary message and a COSE protected header, generate the binary
+/// blob to be signed as part of the COSE signature.
+pub fn cose_countersign_data(data: &[u8], p_header: &ProtectedHeader) -> Vec<u8> {
+    let aad: Vec<u8> = vec![];
+
+    sig_structure_data(
+        SignatureContext::CounterSignature,
+        p_header.clone(),
+        None,
+        &aad,
+        data,
+    )
+}
+
+/// Raw contents of an [RFC 3161] time stamp.
+///
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub(crate) struct TstToken {
+    #[allow(missing_docs)]
+    #[serde(with = "serde_bytes")]
+    pub val: Vec<u8>,
+}
+
+#[derive(Debug, Default, Deserialize, Eq, PartialEq, Serialize)]
+struct TstContainer {
+    #[serde(rename = "tstTokens")]
+    tst_tokens: Vec<TstToken>,
+}
+
+impl TstContainer {
+    pub(crate) fn add_token(&mut self, token: TstToken) {
+        self.tst_tokens.push(token);
+    }
+}
+
+/// Given a COSE [`ProtectedHeader`] and an arbitrary block of data, use the
+/// provided [`TimeStampProvider`] or [`AsyncTimeStampProvider`] to request a
+/// timestamp for that block of data.
+///
+/// [`TimeStampProvider`]: crate::time_stamp::TimeStampProvider
+/// [`AsyncTimeStampProvider`]: crate::time_stamp::AsyncTimeStampProvider
+#[async_generic(
+    async_signature(
+        ts_provider: &dyn AsyncRawSigner,
+        data: &[u8],
+        p_header: &ProtectedHeader,
+        mut header_builder: HeaderBuilder,
+        tss: TimeStampStorage,
+    ))]
+pub(crate) fn add_sigtst_header(
+    ts_provider: &dyn RawSigner,
+    data: &[u8],
+    p_header: &ProtectedHeader,
+    mut header_builder: HeaderBuilder,
+    tss: TimeStampStorage,
+) -> Result<HeaderBuilder, CoseError> {
+    let sd = cose_countersign_data(data, p_header);
+
+    let maybe_cts = if _sync {
+        ts_provider.send_time_stamp_request(&sd)
+    } else {
+        ts_provider.send_time_stamp_request(&sd).await
+    };
+
+    if let Some(cts) = maybe_cts {
+        let mut cts = cts?;
+
+        if tss == TimeStampStorage::V2_sigTst2_CTT {
+            // In `sigTst2`, we use only the `TimeStampToken` and not `TimeStampRsp` for
+            // sigTst2
+            cts = timestamptoken_from_timestamprsp(&cts).ok_or(CoseError::CborGenerationError(
+                "unable to generate time stamp token".to_string(),
+            ))?;
+        }
+
+        let cts = make_cose_timestamp(&cts);
+
+        let mut sigtst_vec: Vec<u8> = vec![];
+        ciborium::into_writer(&cts, &mut sigtst_vec)
+            .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+        let sigtst_cbor: Value = ciborium::from_reader(sigtst_vec.as_slice())
+            .map_err(|e| CoseError::CborGenerationError(e.to_string()))?;
+
+        match tss {
+            TimeStampStorage::V1_sigTst => {
+                header_builder = header_builder.text_value("sigTst".to_string(), sigtst_cbor);
+            }
+            TimeStampStorage::V2_sigTst2_CTT => {
+                header_builder = header_builder.text_value("sigTst2".to_string(), sigtst_cbor);
+            }
+        }
+    }
+
+    Ok(header_builder)
+}
+
+// Wrap RFC 3161 TimeStampRsp in COSE sigTst object.
+fn make_cose_timestamp(ts_data: &[u8]) -> TstContainer {
+    let token = TstToken {
+        val: ts_data.to_vec(),
+    };
+
+    let mut container = TstContainer::default();
+    container.add_token(token);
+
+    container
+}
+
+// Return timeStampToken used by sigTst2.
+fn timestamptoken_from_timestamprsp(ts: &[u8]) -> Option<Vec<u8>> {
+    let ts_resp = TimeStampResponse(
+        Constructed::decode(ts, bcder::Mode::Der, TimeStampResp::take_from).ok()?,
+    );
+
+    let tst = ts_resp.0.time_stamp_token?;
+
+    let a: Result<Vec<u32>, CoseError> = tst
+        .content_type
+        .iter()
+        .map(|v| {
+            v.to_u32()
+                .ok_or(CoseError::InternalError("invalid component".to_string()))
+        })
+        .collect();
+
+    let ci = ContentInfo {
+        content_type: rasn::types::ObjectIdentifier::new(a.ok()?)?,
+        content: rasn::types::Any::new(tst.content.as_bytes().to_vec()),
+    };
+
+    rasn::der::encode(&ci).ok()
+}
diff --git a/internal/crypto/src/cose/time_stamp_storage.rs b/internal/crypto/src/cose/time_stamp_storage.rs
new file mode 100644
index 000000000..b5a30ff91
--- /dev/null
+++ b/internal/crypto/src/cose/time_stamp_storage.rs
@@ -0,0 +1,51 @@
+// Copyright 2025 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+/// The `TimeStampStorage` parameter defines how [RFC 3161] time stamps are to
+/// be stored in a COSE signature.
+///
+/// This is as defined in [§10.3.2.5.4, Storing the time-stamp], of version 2.1
+/// of the C2PA Technical Specification.
+///
+/// [§10.3.2.5.4, Storing the time-stamp]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_storing_the_time_stamp
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+#[allow(non_camel_case_types)] // We choose to match the exact header names as used in the C2PA specification.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum TimeStampStorage {
+    /// v1 time-stamps _(deprecated)_ are stored in a COSE unprotected header
+    /// whose label is the string `sigTst`. If present, the value of this header
+    /// shall be a `tstContainer` defined by [Example 2, “CDDL for
+    /// `tstContainer`”]. The content of the `TimeStampResp` structure received
+    /// in reply from the TSA shall be stored as the value of the `val property
+    /// of an element of `tstTokens`.
+    ///
+    /// [Example 2, “CDDL for `tstContainer`”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#tstContainer-CDDL
+    V1_sigTst,
+
+    /// v2 time-stamps shall be stored in a COSE unprotected header whose label
+    /// is the string `sigTst2`. When present, the value of this header shall be
+    /// a `tstContainer` defined by [Example 2, “CDDL for `tstContainer`”]. The
+    /// content of value of the `timeStampToken` field of the `TimeStampResp`
+    /// structure received in reply from the TSA shall be stored as the value of
+    /// the `val` property of an element of `tstTokens`.
+    ///
+    /// **NOTE:** A v2 time-stamp is equivalent to the "CTT" model of [COSE
+    /// Header parameter for RFC 3161 Time-Stamp Tokens Draft]. It requires that
+    /// the complete signature structure be completed prior to time-stamping,
+    /// thus enabling the time-stamp to serve as a countersignature on the
+    /// entire signature structure, including the actual certificate.
+    ///
+    /// [Example 2, “CDDL for `tstContainer`”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#tstContainer-CDDL
+    /// [COSE Header parameter for RFC 3161 Time-Stamp Tokens Draft]: https://datatracker.ietf.org/doc/draft-ietf-cose-tsa-tst-header-parameter/
+    V2_sigTst2_CTT,
+}
diff --git a/internal/crypto/src/cose/valid_eku_oids.cfg b/internal/crypto/src/cose/valid_eku_oids.cfg
new file mode 100644
index 000000000..abdaf912b
--- /dev/null
+++ b/internal/crypto/src/cose/valid_eku_oids.cfg
@@ -0,0 +1,14 @@
+// id-kp-emailProtection
+1.3.6.1.5.5.7.3.4
+
+// id-kp-documentSigning
+1.3.6.1.5.5.7.3.36
+
+// id-kp-timeStamping
+1.3.6.1.5.5.7.3.8
+
+// id-kp-OCSPSigning
+1.3.6.1.5.5.7.3.9
+
+// MS C2PA Signing
+1.3.6.1.4.1.311.76.59.1.9
diff --git a/sdk/src/validator.rs b/internal/crypto/src/cose/validation_info.rs
similarity index 55%
rename from sdk/src/validator.rs
rename to internal/crypto/src/cose/validation_info.rs
index dc06bc551..d7f5d6421 100644
--- a/sdk/src/validator.rs
+++ b/internal/crypto/src/cose/validation_info.rs
@@ -1,4 +1,4 @@
-// Copyright 2022 Adobe. All rights reserved.
+// Copyright 2024 Adobe. All rights reserved.
 // This file is licensed to you under the Apache License,
 // Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 // or the MIT license (http://opensource.org/licenses/MIT),
@@ -11,17 +11,38 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use c2pa_crypto::SigningAlg;
+//! Signature validation info.
+
 use chrono::{DateTime, Utc};
 use x509_parser::num_bigint::BigUint;
 
+use crate::raw_signature::SigningAlg;
+
+/// Describes a signature's validation data and status.
 #[derive(Debug, Default)]
 pub struct ValidationInfo {
-    pub alg: Option<SigningAlg>, // validation algorithm
+    /// Algorithm used to validate the signature
+    pub alg: Option<SigningAlg>,
+
+    /// Date the signature was created
     pub date: Option<DateTime<Utc>>,
+
+    /// Certificate serial number
     pub cert_serial_number: Option<BigUint>,
+
+    /// Certificate issuer organization
     pub issuer_org: Option<String>,
-    pub validated: bool,     // claim signature is valid
-    pub cert_chain: Vec<u8>, // certificate chain used to validate signature
+
+    /// Signature validity
+    ///
+    /// TO REVIEW: What does this `bool` mean?
+    pub validated: bool,
+
+    /// Certificate chain used to validate the signature
+    pub cert_chain: Vec<u8>,
+
+    /// Signature revocation status
+    ///
+    /// TO REVIEW: What does this `bool` mean?
     pub revocation_status: Option<bool>,
 }
diff --git a/internal/crypto/src/cose/verifier.rs b/internal/crypto/src/cose/verifier.rs
new file mode 100644
index 000000000..1171d82ec
--- /dev/null
+++ b/internal/crypto/src/cose/verifier.rs
@@ -0,0 +1,320 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use std::io::Cursor;
+
+use asn1_rs::FromDer;
+use async_generic::async_generic;
+use c2pa_status_tracker::{
+    log_item,
+    validation_codes::{
+        ALGORITHM_UNSUPPORTED, SIGNING_CREDENTIAL_INVALID, SIGNING_CREDENTIAL_TRUSTED,
+        SIGNING_CREDENTIAL_UNTRUSTED, TIMESTAMP_MISMATCH, TIMESTAMP_OUTSIDE_VALIDITY,
+    },
+    StatusTracker,
+};
+use coset::CoseSign1;
+use x509_parser::prelude::X509Certificate;
+
+use crate::{
+    asn1::rfc3161::TstInfo,
+    cose::{
+        cert_chain_from_sign1, check_certificate_profile, parse_cose_sign1, signing_alg_from_sign1,
+        validate_cose_tst_info, validate_cose_tst_info_async, CertificateTrustError,
+        CertificateTrustPolicy, CoseError, ValidationInfo,
+    },
+    p1363::parse_ec_der_sig,
+    raw_signature::{async_validator_for_signing_alg, validator_for_signing_alg, SigningAlg},
+    time_stamp::TimeStampError,
+};
+
+/// A `Verifier` reads a COSE signature and reports on its validity.
+///
+/// It can provide different levels of verification depending on the enum value
+/// chosen.
+#[derive(Debug)]
+#[non_exhaustive]
+pub enum Verifier<'a> {
+    /// Use a [`CertificateTrustPolicy`] to validate the signing certificate's
+    /// profile against C2PA requirements _and_ validate the certificate's
+    /// membership against a trust configuration.
+    VerifyTrustPolicy(&'a CertificateTrustPolicy),
+
+    /// Validate the certificate's membership against a trust configuration, but
+    /// do not against any trust list. The [`CertificateTrustPolicy`] is used to
+    /// enforce EKU (Extended Key Usage) policy only.
+    VerifyCertificateProfileOnly(&'a CertificateTrustPolicy),
+
+    /// Ignore both trust configuration and trust lists.
+    IgnoreProfileAndTrustPolicy,
+}
+
+impl Verifier<'_> {
+    /// Verify a COSE signature according to the configured policies.
+    #[async_generic]
+    pub fn verify_signature(
+        &self,
+        cose_sign1: &[u8],
+        data: &[u8],
+        additional_data: &[u8],
+        validation_log: &mut impl StatusTracker,
+    ) -> Result<ValidationInfo, CoseError> {
+        let mut sign1 = parse_cose_sign1(cose_sign1, data, validation_log)?;
+
+        let Ok(alg) = signing_alg_from_sign1(&sign1) else {
+            log_item!(
+                "Cose_Sign1",
+                "unsupported or missing Cose algorithm",
+                "verify_cose"
+            )
+            .validation_status(ALGORITHM_UNSUPPORTED)
+            .failure_no_throw(validation_log, CoseError::UnsupportedSigningAlgorithm);
+
+            return Err(CoseError::UnsupportedSigningAlgorithm);
+        };
+
+        let tst_info_res = if _sync {
+            validate_cose_tst_info(&sign1, data)
+        } else {
+            validate_cose_tst_info_async(&sign1, data).await
+        };
+
+        match alg {
+            SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
+                if parse_ec_der_sig(&sign1.signature).is_ok() {
+                    // Should have been in P1363 format, not DER.
+                    log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
+                        .validation_status(SIGNING_CREDENTIAL_INVALID)
+                        .failure_no_throw(validation_log, CoseError::InvalidEcdsaSignature);
+
+                    // validation_log.log(log_item, CoseError::InvalidEcdsaSignature)?;
+                    return Err(CoseError::InvalidEcdsaSignature);
+                }
+            }
+            _ => (),
+        }
+
+        if _sync {
+            self.verify_profile(&sign1, &tst_info_res, validation_log)?;
+            self.verify_trust(&sign1, &tst_info_res, validation_log)?;
+        } else {
+            self.verify_profile_async(&sign1, &tst_info_res, validation_log)
+                .await?;
+            self.verify_trust_async(&sign1, &tst_info_res, validation_log)
+                .await?;
+        }
+
+        // Reconstruct payload and additional data as it should have been at time of
+        // signing.
+        sign1.payload = Some(data.to_vec());
+        let tbs = sign1.tbs_data(additional_data);
+
+        let certs = cert_chain_from_sign1(&sign1)?;
+        let end_entity_cert_der = &certs[0];
+
+        let (_rem, sign_cert) = X509Certificate::from_der(end_entity_cert_der)
+            .map_err(|_| CoseError::CborParsingError("invalid X509 certificate".to_string()))?;
+        let pk = sign_cert.public_key();
+        let pk_der = pk.raw;
+
+        if _sync {
+            let Some(validator) = validator_for_signing_alg(alg) else {
+                return Err(CoseError::UnsupportedSigningAlgorithm);
+            };
+
+            validator.validate(&sign1.signature, &tbs, pk_der)?;
+        } else {
+            let Some(validator) = async_validator_for_signing_alg(alg) else {
+                return Err(CoseError::UnsupportedSigningAlgorithm);
+            };
+
+            validator
+                .validate_async(&sign1.signature, &tbs, pk_der)
+                .await?;
+        }
+
+        let subject = sign_cert
+            .subject()
+            .iter_organization()
+            .map(|attr| attr.as_str())
+            .last()
+            .ok_or(CoseError::MissingSigningCertificateChain)?
+            .map(|attr| attr.to_string())
+            .map_err(|_| CoseError::MissingSigningCertificateChain)?;
+
+        Ok(ValidationInfo {
+            alg: Some(alg),
+            date: tst_info_res.map(|t| t.gen_time.into()).ok(),
+            cert_serial_number: Some(sign_cert.serial.clone()),
+            issuer_org: Some(subject),
+            validated: true,
+            cert_chain: dump_cert_chain(&certs)?,
+            revocation_status: Some(true),
+        })
+    }
+
+    /// Verify certificate profile if so configured.
+    #[async_generic]
+    pub(crate) fn verify_profile(
+        &self,
+        sign1: &CoseSign1,
+        tst_info_res: &Result<TstInfo, CoseError>,
+        validation_log: &mut impl StatusTracker,
+    ) -> Result<(), CoseError> {
+        let ctp = match self {
+            Self::VerifyTrustPolicy(ctp) => *ctp,
+            Self::VerifyCertificateProfileOnly(ctp) => *ctp,
+            Self::IgnoreProfileAndTrustPolicy => {
+                return Ok(());
+            }
+        };
+
+        let certs = cert_chain_from_sign1(sign1)?;
+        let end_entity_cert_der = &certs[0];
+
+        match tst_info_res {
+            Ok(tst_info) => Ok(check_certificate_profile(
+                end_entity_cert_der,
+                ctp,
+                validation_log,
+                Some(tst_info),
+            )?),
+
+            Err(CoseError::NoTimeStampToken) => Ok(check_certificate_profile(
+                end_entity_cert_der,
+                ctp,
+                validation_log,
+                None,
+            )?),
+
+            Err(CoseError::TimeStampError(TimeStampError::InvalidData)) => {
+                log_item!(
+                    "Cose_Sign1",
+                    "timestamp did not match signed data",
+                    "verify_cose"
+                )
+                .validation_status(TIMESTAMP_MISMATCH)
+                .failure_no_throw(validation_log, TimeStampError::InvalidData);
+
+                Err(TimeStampError::InvalidData.into())
+            }
+
+            Err(CoseError::TimeStampError(TimeStampError::ExpiredCertificate)) => {
+                log_item!(
+                    "Cose_Sign1",
+                    "timestamp certificate outside of validity",
+                    "verify_cose"
+                )
+                .validation_status(TIMESTAMP_OUTSIDE_VALIDITY)
+                .failure_no_throw(validation_log, TimeStampError::ExpiredCertificate);
+
+                Err(TimeStampError::ExpiredCertificate.into())
+            }
+
+            Err(e) => {
+                log_item!("Cose_Sign1", "error parsing timestamp", "verify_cose")
+                    .failure_no_throw(validation_log, e);
+
+                // Frustratingly, we can't clone CoseError. The likely cases are already handled
+                // above, so we'll call this an internal error.
+
+                Err(CoseError::InternalError(e.to_string()))
+            }
+        }
+    }
+
+    /// Verify certificate profile if so configured.
+    #[async_generic]
+    pub(crate) fn verify_trust(
+        &self,
+        sign1: &CoseSign1,
+        tst_info_res: &Result<TstInfo, CoseError>,
+        validation_log: &mut impl StatusTracker,
+    ) -> Result<(), CoseError> {
+        // IMPORTANT: This function assumes that verify_profile has already been called.
+
+        let ctp = match self {
+            Self::VerifyTrustPolicy(ctp) => *ctp,
+
+            Self::VerifyCertificateProfileOnly(_ctp) => {
+                return Ok(());
+            }
+
+            Self::IgnoreProfileAndTrustPolicy => {
+                return Ok(());
+            }
+        };
+
+        let certs = cert_chain_from_sign1(sign1)?;
+        let end_entity_cert_der = &certs[0];
+        let chain_der = &certs[1..];
+
+        let signing_time_epoch = tst_info_res.as_ref().ok().map(|tst_info| {
+            let dt: chrono::DateTime<chrono::Utc> = tst_info.gen_time.clone().into();
+            dt.timestamp()
+        });
+
+        let verify_result = if _sync {
+            ctp.check_certificate_trust(chain_der, end_entity_cert_der, signing_time_epoch)
+        } else {
+            ctp.check_certificate_trust_async(chain_der, end_entity_cert_der, signing_time_epoch)
+                .await
+        };
+
+        match verify_result {
+            Ok(()) => {
+                log_item!("Cose_Sign1", "signing certificate trusted", "verify_cose")
+                    .validation_status(SIGNING_CREDENTIAL_TRUSTED)
+                    .success(validation_log);
+
+                Ok(())
+            }
+
+            Err(CertificateTrustError::CertificateNotTrusted) => {
+                log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
+                    .validation_status(SIGNING_CREDENTIAL_UNTRUSTED)
+                    .failure_no_throw(validation_log, CertificateTrustError::CertificateNotTrusted);
+
+                Err(CertificateTrustError::CertificateNotTrusted.into())
+            }
+
+            Err(e) => {
+                log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
+                    .validation_status(SIGNING_CREDENTIAL_UNTRUSTED)
+                    .failure_no_throw(validation_log, &e);
+
+                // TO REVIEW: Mixed message: Are we using CoseCertUntrusted in log or &e from
+                // above? validation_log.log(log_item,
+                // Error::CoseCertUntrusted)?;
+                Err(e.into())
+            }
+        }
+    }
+}
+
+fn dump_cert_chain(certs: &[Vec<u8>]) -> Result<Vec<u8>, CoseError> {
+    let mut out_buf: Vec<u8> = Vec::new();
+    let mut writer = Cursor::new(out_buf);
+
+    for der_bytes in certs {
+        let c = x509_certificate::X509Certificate::from_der(der_bytes)
+            .map_err(|_e| CoseError::CborParsingError("invalid X509 certificate".to_string()))?;
+
+        c.write_pem(&mut writer).map_err(|_| {
+            CoseError::InternalError("I/O error constructing cert_chain dump".to_string())
+        })?;
+    }
+
+    out_buf = writer.into_inner();
+    Ok(out_buf)
+}
diff --git a/internal/crypto/src/hash.rs b/internal/crypto/src/hash.rs
index bb3515a19..5e45d6ada 100644
--- a/internal/crypto/src/hash.rs
+++ b/internal/crypto/src/hash.rs
@@ -13,11 +13,21 @@
 
 //! Hash convenience functions.
 
-use sha1::{Digest, Sha1};
-
 /// Given a byte slice, return the SHA-1 hash of that content.
-pub fn sha1(data: &[u8]) -> Vec<u8> {
+#[allow(dead_code)] // not used on all platforms
+pub(crate) fn sha1(data: &[u8]) -> Vec<u8> {
+    use sha1::{Digest, Sha1};
+
     let mut hasher = Sha1::default();
     hasher.update(data);
     hasher.finalize().to_vec()
 }
+
+/// Given a byte slice, return the SHA-256 hash of that content.
+pub fn sha256(data: &[u8]) -> Vec<u8> {
+    use sha2::{Digest, Sha256};
+
+    let mut hasher = Sha256::new();
+    hasher.update(data);
+    hasher.finalize().to_vec()
+}
diff --git a/internal/crypto/src/internal/time.rs b/internal/crypto/src/internal/time.rs
index 408450bc5..c057c0f5c 100644
--- a/internal/crypto/src/internal/time.rs
+++ b/internal/crypto/src/internal/time.rs
@@ -11,8 +11,6 @@
 // specific language governing permissions and limitations under
 // each license.
 
-#![allow(dead_code)] // TEMPORARY while building
-
 use chrono::{DateTime, Utc};
 
 /// Return the current time in UTC.
diff --git a/internal/crypto/src/lib.rs b/internal/crypto/src/lib.rs
index 33a84d8d9..9794c7504 100644
--- a/internal/crypto/src/lib.rs
+++ b/internal/crypto/src/lib.rs
@@ -19,22 +19,22 @@
 #![doc = include_str!("../README.md")]
 #![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg, doc_cfg_hide))]
 
-pub mod asn1;
+pub(crate) mod asn1;
 pub mod base64;
+pub mod cose;
 pub mod hash;
 pub(crate) mod internal;
 pub mod ocsp;
 
-#[cfg(all(feature = "openssl", not(target_arch = "wasm32")))]
-pub mod openssl;
-
 #[cfg(all(feature = "openssl", target_arch = "wasm32"))]
 compile_error!("OpenSSL feature is not compatible with WASM platform");
 
-pub mod raw_signature;
+#[cfg(feature = "openssl")]
+pub mod openssl;
+
+pub(crate) mod p1363;
 
-mod signing_alg;
-pub use signing_alg::{SigningAlg, UnknownAlgorithmError};
+pub mod raw_signature;
 
 pub mod time_stamp;
 
diff --git a/internal/crypto/src/ocsp/fetch.rs b/internal/crypto/src/ocsp/fetch.rs
index 440851b16..0eefa37e0 100644
--- a/internal/crypto/src/ocsp/fetch.rs
+++ b/internal/crypto/src/ocsp/fetch.rs
@@ -29,7 +29,7 @@ use crate::base64;
 /// will attempt to retrieve the raw DER-encoded OCSP response.
 ///
 /// Not available on WASM builds.
-pub fn fetch_ocsp_response(certs: &[Vec<u8>]) -> Option<Vec<u8>> {
+pub(crate) fn fetch_ocsp_response(certs: &[Vec<u8>]) -> Option<Vec<u8>> {
     // There must be at least one cert that isn't an end-entity cert.
     if certs.len() < 2 {
         return None;
diff --git a/internal/crypto/src/ocsp/mod.rs b/internal/crypto/src/ocsp/mod.rs
index 371a7ce57..d621f6f22 100644
--- a/internal/crypto/src/ocsp/mod.rs
+++ b/internal/crypto/src/ocsp/mod.rs
@@ -50,7 +50,7 @@ impl Default for OcspResponse {
 
 impl OcspResponse {
     /// Convert an OCSP response in DER format to `OcspResponse`.
-    pub fn from_der_checked(
+    pub(crate) fn from_der_checked(
         der: &[u8],
         signing_time: Option<DateTime<Utc>>,
         validation_log: &mut impl StatusTracker,
@@ -265,7 +265,8 @@ impl OcspResponse {
 
 /// Describes errors that can be identified when parsing an OCSP response.
 #[derive(Debug, Eq, Error, PartialEq)]
-pub enum OcspError {
+#[allow(unused)] // InvalidSystemTime may not exist on all platforms.
+pub(crate) enum OcspError {
     /// An invalid certificate was detected.
     #[error("Invalid certificate detected")]
     InvalidCertificate,
@@ -289,4 +290,4 @@ const DATE_FMT: &str = "%Y-%m-%d %H:%M:%S %Z";
 mod fetch;
 
 #[cfg(not(target_arch = "wasm32"))]
-pub use fetch::fetch_ocsp_response;
+pub(crate) use fetch::fetch_ocsp_response;
diff --git a/internal/crypto/src/openssl/cert_chain.rs b/internal/crypto/src/openssl/cert_chain.rs
new file mode 100644
index 000000000..5d531fcfb
--- /dev/null
+++ b/internal/crypto/src/openssl/cert_chain.rs
@@ -0,0 +1,46 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::x509::X509;
+
+// Verify the certificate chain order.
+//
+// Return `true` if each cert in the chain can be verified as issued by the next
+// issuer.
+pub(crate) fn check_chain_order(certs: &[X509]) -> bool {
+    // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
+    // don't make this pub or pub(crate) without finding a way to ensure that
+    // precondition.
+
+    let mut iter = certs.iter().peekable();
+
+    while let Some(cert) = iter.next() {
+        let Some(next) = iter.peek() else {
+            break;
+        };
+
+        let Ok(pkey) = next.public_key() else {
+            return false;
+        };
+
+        let Ok(verified) = cert.verify(&pkey) else {
+            return false;
+        };
+
+        if !verified {
+            return false;
+        }
+    }
+
+    true
+}
diff --git a/internal/crypto/src/openssl/check_certificate_trust.rs b/internal/crypto/src/openssl/check_certificate_trust.rs
new file mode 100644
index 000000000..adc526301
--- /dev/null
+++ b/internal/crypto/src/openssl/check_certificate_trust.rs
@@ -0,0 +1,74 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::{
+    stack::Stack,
+    x509::{verify::X509VerifyFlags, X509StoreContext, X509},
+};
+
+use crate::{
+    cose::{CertificateTrustError, CertificateTrustPolicy},
+    openssl::OpenSslMutex,
+};
+
+pub(crate) fn check_certificate_trust(
+    ctp: &CertificateTrustPolicy,
+    chain_der: &[Vec<u8>],
+    cert_der: &[u8],
+    signing_time_epoch: Option<i64>,
+) -> Result<(), CertificateTrustError> {
+    let _openssl = OpenSslMutex::acquire()?;
+
+    let mut cert_chain = Stack::new()?;
+    for cert_der in chain_der {
+        let x509_cert = X509::from_der(cert_der)?;
+        cert_chain.push(x509_cert)?;
+    }
+
+    let cert = X509::from_der(cert_der)?;
+
+    let mut builder = openssl::x509::store::X509StoreBuilder::new()?;
+    builder.set_flags(X509VerifyFlags::X509_STRICT)?;
+
+    let mut verify_param = openssl::x509::verify::X509VerifyParam::new()?;
+    verify_param.set_flags(X509VerifyFlags::X509_STRICT)?;
+
+    if let Some(st) = signing_time_epoch {
+        verify_param.set_time(st);
+    } else {
+        verify_param.set_flags(X509VerifyFlags::NO_CHECK_TIME)?;
+    }
+
+    builder.set_param(&verify_param)?;
+
+    // Add trust anchors.
+    let mut has_anchors = false;
+    for der in ctp.trust_anchor_ders() {
+        let root_cert = X509::from_der(der)?;
+        builder.add_cert(root_cert)?;
+        has_anchors = true;
+    }
+
+    let store = builder.build();
+
+    if !has_anchors {
+        return Err(CertificateTrustError::CertificateNotTrusted);
+    }
+
+    let mut store_ctx = X509StoreContext::new()?;
+    if store_ctx.init(&store, cert.as_ref(), &cert_chain, |f| f.verify_cert())? {
+        Ok(())
+    } else {
+        Err(CertificateTrustError::CertificateNotTrusted)
+    }
+}
diff --git a/internal/crypto/src/openssl/mod.rs b/internal/crypto/src/openssl/mod.rs
index 2b0ad9437..7cbff7d7a 100644
--- a/internal/crypto/src/openssl/mod.rs
+++ b/internal/crypto/src/openssl/mod.rs
@@ -18,7 +18,11 @@
 //!
 //! [`openssl` native code library]: https://crates.io/crates/openssl
 
+mod cert_chain;
+
 mod ffi_mutex;
 pub use ffi_mutex::{OpenSslMutex, OpenSslMutexUnavailable};
 
+pub(crate) mod check_certificate_trust;
+pub(crate) mod signers;
 pub mod validators;
diff --git a/internal/crypto/src/openssl/signers/ecdsa_signer.rs b/internal/crypto/src/openssl/signers/ecdsa_signer.rs
new file mode 100644
index 000000000..c52417e2f
--- /dev/null
+++ b/internal/crypto/src/openssl/signers/ecdsa_signer.rs
@@ -0,0 +1,139 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::{
+    ec::EcKey,
+    hash::MessageDigest,
+    pkey::{PKey, Private},
+    sign::Signer,
+    x509::X509,
+};
+
+use crate::{
+    openssl::{cert_chain::check_chain_order, OpenSslMutex},
+    p1363::der_to_p1363,
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
+    time_stamp::TimeStampProvider,
+};
+
+enum EcdsaSigningAlg {
+    Es256,
+    Es384,
+    Es512,
+}
+
+/// Implements `Signer` trait using OpenSSL's implementation of
+/// ECDSA encryption.
+pub struct EcdsaSigner {
+    alg: EcdsaSigningAlg,
+
+    cert_chain: Vec<X509>,
+    cert_chain_len: usize,
+
+    private_key: EcKey<Private>,
+
+    time_stamp_service_url: Option<String>,
+    time_stamp_size: usize,
+}
+
+impl EcdsaSigner {
+    pub(crate) fn from_cert_chain_and_private_key(
+        cert_chain: &[u8],
+        private_key: &[u8],
+        alg: SigningAlg,
+        time_stamp_service_url: Option<String>,
+    ) -> Result<Self, RawSignerError> {
+        let alg = match alg {
+            SigningAlg::Es256 => EcdsaSigningAlg::Es256,
+            SigningAlg::Es384 => EcdsaSigningAlg::Es384,
+            SigningAlg::Es512 => EcdsaSigningAlg::Es512,
+            _ => {
+                return Err(RawSignerError::InternalError(
+                    "EcdsaSigner should be used only for SigningAlg::Es***".to_string(),
+                ));
+            }
+        };
+
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let cert_chain = X509::stack_from_pem(cert_chain)?;
+        let cert_chain_len = cert_chain.len();
+
+        if !check_chain_order(&cert_chain) {
+            return Err(RawSignerError::InvalidSigningCredentials(
+                "certificate chain in incorrect order".to_string(),
+            ));
+        }
+
+        let private_key = EcKey::private_key_from_pem(private_key)?;
+
+        Ok(EcdsaSigner {
+            alg,
+            cert_chain,
+            cert_chain_len,
+            private_key,
+            time_stamp_service_url,
+            time_stamp_size: 10000,
+            // TO DO: Call out to time stamp service to get actual time stamp and use that size?
+        })
+    }
+}
+
+impl RawSigner for EcdsaSigner {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let private_key = PKey::from_ec_key(self.private_key.clone())?;
+
+        let mut signer = match self.alg {
+            EcdsaSigningAlg::Es256 => Signer::new(MessageDigest::sha256(), &private_key)?,
+            EcdsaSigningAlg::Es384 => Signer::new(MessageDigest::sha384(), &private_key)?,
+            EcdsaSigningAlg::Es512 => Signer::new(MessageDigest::sha512(), &private_key)?,
+        };
+
+        signer.update(data)?;
+
+        let der_sig = signer.sign_to_vec()?;
+        der_to_p1363(&der_sig, self.alg())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        match self.alg {
+            EcdsaSigningAlg::Es256 => SigningAlg::Es256,
+            EcdsaSigningAlg::Es384 => SigningAlg::Es384,
+            EcdsaSigningAlg::Es512 => SigningAlg::Es512,
+        }
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.cert_chain_len + self.time_stamp_size
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        self.cert_chain
+            .iter()
+            .map(|cert| {
+                cert.to_der()
+                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
+            })
+            .collect()
+    }
+}
+
+impl TimeStampProvider for EcdsaSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.time_stamp_service_url.clone()
+    }
+}
diff --git a/internal/crypto/src/openssl/signers/ed25519_signer.rs b/internal/crypto/src/openssl/signers/ed25519_signer.rs
new file mode 100644
index 000000000..9d2b1d94b
--- /dev/null
+++ b/internal/crypto/src/openssl/signers/ed25519_signer.rs
@@ -0,0 +1,104 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::{
+    pkey::{PKey, Private},
+    sign::Signer,
+    x509::X509,
+};
+
+use crate::{
+    openssl::{cert_chain::check_chain_order, OpenSslMutex},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
+    time_stamp::TimeStampProvider,
+};
+
+/// Implements `RawSigner` trait using OpenSSL's implementation of
+/// Edwards Curve encryption.
+pub struct Ed25519Signer {
+    cert_chain: Vec<X509>,
+    cert_chain_len: usize,
+
+    private_key: PKey<Private>,
+
+    time_stamp_service_url: Option<String>,
+    time_stamp_size: usize,
+}
+
+impl Ed25519Signer {
+    pub(crate) fn from_cert_chain_and_private_key(
+        cert_chain: &[u8],
+        private_key: &[u8],
+        time_stamp_service_url: Option<String>,
+    ) -> Result<Self, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let cert_chain = X509::stack_from_pem(cert_chain)?;
+        let cert_chain_len = cert_chain.len();
+
+        if !check_chain_order(&cert_chain) {
+            return Err(RawSignerError::InvalidSigningCredentials(
+                "certificate chain in incorrect order".to_string(),
+            ));
+        }
+
+        let private_key = PKey::private_key_from_pem(private_key)?;
+
+        Ok(Ed25519Signer {
+            cert_chain,
+            cert_chain_len,
+
+            private_key,
+
+            time_stamp_service_url,
+            time_stamp_size: 10000,
+            // TO DO: Call out to time stamp service to get actual time stamp and use that size?
+        })
+    }
+}
+
+impl RawSigner for Ed25519Signer {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let mut signer = Signer::new_without_digest(&self.private_key)?;
+
+        Ok(signer.sign_oneshot_to_vec(data)?)
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ed25519
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.cert_chain_len + self.time_stamp_size
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        self.cert_chain
+            .iter()
+            .map(|cert| {
+                cert.to_der()
+                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
+            })
+            .collect()
+    }
+}
+
+impl TimeStampProvider for Ed25519Signer {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.time_stamp_service_url.clone()
+    }
+}
diff --git a/internal/crypto/src/openssl/signers/mod.rs b/internal/crypto/src/openssl/signers/mod.rs
new file mode 100644
index 000000000..0977a803c
--- /dev/null
+++ b/internal/crypto/src/openssl/signers/mod.rs
@@ -0,0 +1,64 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+//! This module binds OpenSSL logic for generating raw signatures to this
+//! crate's [`RawSigner`] trait.
+
+use crate::raw_signature::{RawSigner, RawSignerError, SigningAlg};
+
+mod ecdsa_signer;
+mod ed25519_signer;
+mod rsa_signer;
+
+/// Return a built-in [`RawSigner`] instance using the provided signing
+/// certificate and private key.
+///
+/// Which signers are available may vary depending on the platform and which
+/// crate features were enabled.
+///
+/// Returns `None` if the signing algorithm is unsupported. May return an `Err`
+/// response if the certificate chain or private key are invalid.
+pub(crate) fn signer_from_cert_chain_and_private_key(
+    cert_chain: &[u8],
+    private_key: &[u8],
+    alg: SigningAlg,
+    time_stamp_service_url: Option<String>,
+) -> Result<Box<dyn RawSigner + Send + Sync>, RawSignerError> {
+    match alg {
+        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => Ok(Box::new(
+            ecdsa_signer::EcdsaSigner::from_cert_chain_and_private_key(
+                cert_chain,
+                private_key,
+                alg,
+                time_stamp_service_url,
+            )?,
+        )),
+
+        SigningAlg::Ed25519 => Ok(Box::new(
+            ed25519_signer::Ed25519Signer::from_cert_chain_and_private_key(
+                cert_chain,
+                private_key,
+                time_stamp_service_url,
+            )?,
+        )),
+
+        SigningAlg::Ps256 | SigningAlg::Ps384 | SigningAlg::Ps512 => Ok(Box::new(
+            rsa_signer::RsaSigner::from_cert_chain_and_private_key(
+                cert_chain,
+                private_key,
+                alg,
+                time_stamp_service_url,
+            )?,
+        )),
+    }
+}
diff --git a/internal/crypto/src/openssl/signers/rsa_signer.rs b/internal/crypto/src/openssl/signers/rsa_signer.rs
new file mode 100644
index 000000000..d9fea36f7
--- /dev/null
+++ b/internal/crypto/src/openssl/signers/rsa_signer.rs
@@ -0,0 +1,185 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::{
+    hash::MessageDigest,
+    pkey::{PKey, Private},
+    rsa::{Rsa, RsaPrivateKeyBuilder},
+    sign::Signer,
+    x509::X509,
+};
+
+use crate::{
+    openssl::{cert_chain::check_chain_order, OpenSslMutex},
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
+    time_stamp::TimeStampProvider,
+};
+
+enum RsaSigningAlg {
+    Ps256,
+    Ps384,
+    Ps512,
+}
+
+/// Implements [`RawSigner`] trait using OpenSSL's implementation of SHA256 +
+/// RSA encryption.
+pub(crate) struct RsaSigner {
+    alg: RsaSigningAlg,
+
+    cert_chain: Vec<X509>,
+    cert_chain_len: usize,
+
+    private_key: PKey<Private>,
+
+    time_stamp_service_url: Option<String>,
+    time_stamp_size: usize,
+}
+
+impl RsaSigner {
+    pub(crate) fn from_cert_chain_and_private_key(
+        cert_chain: &[u8],
+        private_key: &[u8],
+        alg: SigningAlg,
+        time_stamp_service_url: Option<String>,
+    ) -> Result<Self, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let cert_chain = X509::stack_from_pem(cert_chain)?;
+        let cert_chain_len = cert_chain.len();
+
+        if !check_chain_order(&cert_chain) {
+            return Err(RawSignerError::InvalidSigningCredentials(
+                "certificate chain in incorrect order".to_string(),
+            ));
+        }
+
+        // Rebuild RSA keys to eliminate incompatible values.
+        let private_key = Rsa::private_key_from_pem(private_key)?;
+
+        let n = private_key.n().to_owned()?;
+        let e = private_key.e().to_owned()?;
+        let d = private_key.d().to_owned()?;
+        let po = private_key.p();
+        let qo = private_key.q();
+        let dmp1o = private_key.dmp1();
+        let dmq1o = private_key.dmq1();
+        let iqmpo = private_key.iqmp();
+
+        let mut pk_builder = RsaPrivateKeyBuilder::new(n, e, d)?;
+
+        if let Some(p) = po {
+            if let Some(q) = qo {
+                pk_builder = pk_builder.set_factors(p.to_owned()?, q.to_owned()?)?;
+            }
+        }
+
+        if let Some(dmp1) = dmp1o {
+            if let Some(dmq1) = dmq1o {
+                if let Some(iqmp) = iqmpo {
+                    pk_builder = pk_builder.set_crt_params(
+                        dmp1.to_owned()?,
+                        dmq1.to_owned()?,
+                        iqmp.to_owned()?,
+                    )?;
+                }
+            }
+        }
+
+        let private_key = PKey::from_rsa(pk_builder.build())?;
+
+        let alg: RsaSigningAlg = match alg {
+            SigningAlg::Ps256 => RsaSigningAlg::Ps256,
+            SigningAlg::Ps384 => RsaSigningAlg::Ps384,
+            SigningAlg::Ps512 => RsaSigningAlg::Ps512,
+            _ => {
+                return Err(RawSignerError::InternalError(
+                    "RsaSigner should be used only for SigningAlg::Ps***".to_string(),
+                ));
+            }
+        };
+
+        Ok(RsaSigner {
+            alg,
+            cert_chain,
+            private_key,
+            cert_chain_len,
+            time_stamp_service_url,
+            time_stamp_size: 10000,
+            // TO DO: Call out to time stamp service to get actual time stamp and use that size?
+        })
+    }
+}
+
+impl RawSigner for RsaSigner {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        let mut signer = match self.alg {
+            RsaSigningAlg::Ps256 => {
+                let mut signer = Signer::new(MessageDigest::sha256(), &self.private_key)?;
+                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?;
+                signer.set_rsa_mgf1_md(MessageDigest::sha256())?;
+                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
+                signer
+            }
+
+            RsaSigningAlg::Ps384 => {
+                let mut signer = Signer::new(MessageDigest::sha384(), &self.private_key)?;
+                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?;
+                signer.set_rsa_mgf1_md(MessageDigest::sha384())?;
+                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
+                signer
+            }
+
+            RsaSigningAlg::Ps512 => {
+                let mut signer = Signer::new(MessageDigest::sha512(), &self.private_key)?;
+                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?;
+                signer.set_rsa_mgf1_md(MessageDigest::sha512())?;
+                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
+                signer
+            }
+        };
+
+        Ok(signer.sign_oneshot_to_vec(data)?)
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.cert_chain_len + self.time_stamp_size
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        let _openssl = OpenSslMutex::acquire()?;
+
+        self.cert_chain
+            .iter()
+            .map(|cert| {
+                cert.to_der()
+                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
+            })
+            .collect()
+    }
+
+    fn alg(&self) -> SigningAlg {
+        match self.alg {
+            RsaSigningAlg::Ps256 => SigningAlg::Ps256,
+            RsaSigningAlg::Ps384 => SigningAlg::Ps384,
+            RsaSigningAlg::Ps512 => SigningAlg::Ps512,
+        }
+    }
+}
+
+impl TimeStampProvider for RsaSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.time_stamp_service_url.clone()
+    }
+}
diff --git a/internal/crypto/src/openssl/validators/mod.rs b/internal/crypto/src/openssl/validators/mod.rs
index f22e4fd5f..815a9ec2a 100644
--- a/internal/crypto/src/openssl/validators/mod.rs
+++ b/internal/crypto/src/openssl/validators/mod.rs
@@ -16,10 +16,7 @@
 
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, RawSignatureValidator},
-    SigningAlg,
-};
+use crate::raw_signature::{oids::*, RawSignatureValidator, SigningAlg};
 
 mod ecdsa_validator;
 pub use ecdsa_validator::EcdsaValidator;
diff --git a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
index 77f292fec..b8544107d 100644
--- a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
+++ b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
@@ -23,10 +23,7 @@ use crate::{
 /// An `RsaLegacyValidator` can validate raw signatures with an RSA signature
 /// algorithm that is not supported directly by C2PA. (Some RFC 3161 time stamp
 /// providers issue these signatures, which is why it's supported here.)
-///
-/// TEMPORARILY public; will move to `pub(crate)` visibility later in the
-/// refactoring.
-pub enum RsaLegacyValidator {
+pub(crate) enum RsaLegacyValidator {
     Sha1,
     Rsa256,
     Rsa384,
diff --git a/sdk/src/utils/sig_utils.rs b/internal/crypto/src/p1363.rs
similarity index 50%
rename from sdk/src/utils/sig_utils.rs
rename to internal/crypto/src/p1363.rs
index 6e5752734..0baf5a848 100644
--- a/sdk/src/utils/sig_utils.rs
+++ b/internal/crypto/src/p1363.rs
@@ -11,26 +11,27 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use c2pa_crypto::SigningAlg;
-use x509_parser::der_parser::{self, der::parse_der_integer};
+//! Utilities for working with the P1363 signature format used by C2PA in ECDSA
+//! signatures.
 
-use crate::{Error, Result};
+use x509_parser::der_parser::{
+    der::{parse_der_integer, parse_der_sequence_defined_g},
+    error::BerResult,
+};
 
-// C2PA use P1363 format for EC signatures so we must
-// convert from ASN.1 DER to IEEE P1363 format to verify.
-pub(crate) struct ECSigComps<'a> {
-    r: &'a [u8],
-    s: &'a [u8],
-}
+use crate::raw_signature::{RawSignerError, SigningAlg};
 
-pub(crate) fn parse_ec_der_sig(data: &[u8]) -> der_parser::error::BerResult<ECSigComps> {
-    x509_parser::der_parser::der::parse_der_sequence_defined_g(|content: &[u8], _| {
+/// Parse an ASN.1 DER object that contains a P1363 format into its components.
+///
+/// This format is used by C2PA to describe ECDSA signature keys.
+pub fn parse_ec_der_sig(data: &[u8]) -> BerResult<EcSigComps> {
+    parse_der_sequence_defined_g(|content: &[u8], _| {
         let (rem1, r) = parse_der_integer(content)?;
         let (_rem2, s) = parse_der_integer(rem1)?;
 
         Ok((
             data,
-            ECSigComps {
+            EcSigComps {
                 r: r.as_slice()?,
                 s: s.as_slice()?,
             },
@@ -38,28 +39,38 @@ pub(crate) fn parse_ec_der_sig(data: &[u8]) -> der_parser::error::BerResult<ECSi
     })(data)
 }
 
-pub(crate) fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>> {
+/// Component data for ECDSA signature components.
+#[allow(missing_docs)]
+pub struct EcSigComps<'a> {
+    pub r: &'a [u8],
+    pub s: &'a [u8],
+}
+
+pub(crate) fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>, RawSignerError> {
     // P1363 format: r | s
 
-    let (_, p) = parse_ec_der_sig(data).map_err(|_err| Error::InvalidEcdsaSignature)?;
+    let (_, p) = parse_ec_der_sig(data)
+        .map_err(|err| RawSignerError::InternalError(format!("invalid DER signature: {err}")))?;
 
-    let mut r = extfmt::Hexlify(p.r).to_string();
-    let mut s = extfmt::Hexlify(p.s).to_string();
+    let mut r = const_hex::encode(p.r);
+    let mut s = const_hex::encode(p.s);
 
     let sig_len: usize = match alg {
         SigningAlg::Es256 => 64,
         SigningAlg::Es384 => 96,
         SigningAlg::Es512 => 132,
-        _ => return Err(Error::UnsupportedType),
+        _ => {
+            return Err(RawSignerError::InternalError(
+                "unsupported algorithm for der_to_p1363".to_string(),
+            ))
+        }
     };
 
-    // pad or truncate as needed
+    // Pad or truncate as needed.
     let rp = if r.len() > sig_len {
-        // truncate
         let offset = r.len() - sig_len;
         &r[offset..r.len()]
     } else {
-        // pad
         while r.len() != sig_len {
             r.insert(0, '0');
         }
@@ -67,11 +78,9 @@ pub(crate) fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>> {
     };
 
     let sp = if s.len() > sig_len {
-        // truncate
         let offset = s.len() - sig_len;
         &s[offset..s.len()]
     } else {
-        // pad
         while s.len() != sig_len {
             s.insert(0, '0');
         }
@@ -79,18 +88,15 @@ pub(crate) fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Result<Vec<u8>> {
     };
 
     if rp.len() != sig_len || rp.len() != sp.len() {
-        return Err(Error::InvalidEcdsaSignature);
+        return Err(RawSignerError::InternalError(
+            "invalid signature components".to_string(),
+        ));
     }
 
-    // merge r and s strings
-    let mut new_sig = rp.to_string();
-    new_sig.push_str(sp);
-
-    // convert back from hex string to byte array
-    (0..new_sig.len())
-        .step_by(2)
-        .map(|i| {
-            u8::from_str_radix(&new_sig[i..i + 2], 16).map_err(|_err| Error::InvalidEcdsaSignature)
-        })
-        .collect()
+    // Merge r and s strings.
+    let new_sig = format!("{rp}{sp}");
+
+    // Convert back from hex string to byte array.
+    const_hex::decode(&new_sig)
+        .map_err(|e| RawSignerError::InternalError(format!("invalid signature components {e}")))
 }
diff --git a/internal/crypto/src/raw_signature/mod.rs b/internal/crypto/src/raw_signature/mod.rs
index 67e0510b5..949a524c5 100644
--- a/internal/crypto/src/raw_signature/mod.rs
+++ b/internal/crypto/src/raw_signature/mod.rs
@@ -15,8 +15,18 @@
 
 pub(crate) mod oids;
 
+pub(crate) mod signer;
+pub use signer::{
+    async_signer_from_cert_chain_and_private_key, signer_from_cert_chain_and_private_key,
+    AsyncRawSigner, RawSigner, RawSignerError,
+};
+
+mod signing_alg;
+pub use signing_alg::{SigningAlg, UnknownAlgorithmError};
+
 mod validator;
+pub(crate) use validator::validator_for_sig_and_hash_algs;
 pub use validator::{
-    validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
-    RawSignatureValidator,
+    async_validator_for_signing_alg, validator_for_signing_alg, AsyncRawSignatureValidator,
+    RawSignatureValidationError, RawSignatureValidator,
 };
diff --git a/internal/crypto/src/raw_signature/signer.rs b/internal/crypto/src/raw_signature/signer.rs
new file mode 100644
index 000000000..32b88b1b6
--- /dev/null
+++ b/internal/crypto/src/raw_signature/signer.rs
@@ -0,0 +1,308 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use async_trait::async_trait;
+use thiserror::Error;
+
+use crate::{
+    raw_signature::SigningAlg,
+    time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
+};
+
+/// Implementations of the `RawSigner` trait generate a cryptographic signature
+/// over an arbitrary byte array.
+///
+/// If an implementation _can_ be asynchronous, that is preferred.
+pub trait RawSigner: TimeStampProvider {
+    /// Return a raw signature over the original byte slice.
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError>;
+
+    /// Return the algorithm implemented by this signer.
+    fn alg(&self) -> SigningAlg;
+
+    /// Return the signing certificate chain.
+    ///
+    /// Each certificate should be encoded in DER format and sequenced from
+    /// end-entity certificate to the outermost certificate authority.
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError>;
+
+    /// Return the size in bytes of the largest possible expected signature.
+    /// Signing will fail if the result of the [`sign`] function is larger
+    /// than this value.
+    ///
+    /// [`sign`]: Self::sign
+    fn reserve_size(&self) -> usize;
+
+    /// Return an OCSP response for the signing certificate if available.
+    ///
+    /// By pre-querying the value for the signing certificate, the value can be
+    /// cached which will reduce load on the certificate authority, as
+    /// recommended by the C2PA spec.
+    fn ocsp_response(&self) -> Option<Vec<u8>> {
+        None
+    }
+}
+
+/// Implementations of the `AsyncRawSigner` trait generate a cryptographic
+/// signature over an arbitrary byte array.
+///
+/// Use this trait only when the implementation must be asynchronous.
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+pub trait AsyncRawSigner: Sync + AsyncTimeStampProvider {
+    /// Return a raw signature over the original byte slice.
+    async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>, RawSignerError>;
+
+    /// Return the algorithm implemented by this signer.
+    fn alg(&self) -> SigningAlg;
+
+    /// Return the signing certificate chain.
+    ///
+    /// Each certificate should be encoded in DER format and sequenced from
+    /// end-entity certificate to the outermost certificate authority.
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError>;
+
+    /// Return the size in bytes of the largest possible expected signature.
+    /// Signing will fail if the result of the [`sign`] function is larger
+    /// than this value.
+    ///
+    /// [`sign`]: Self::sign
+    fn reserve_size(&self) -> usize;
+
+    /// Return an OCSP response for the signing certificate if available.
+    ///
+    /// By pre-querying the value for the signing certificate, the value can be
+    /// cached which will reduce load on the certificate authority, as
+    /// recommended by the C2PA spec.
+    async fn ocsp_response(&self) -> Option<Vec<u8>> {
+        None
+    }
+}
+
+/// Describes errors that can be identified when generating a raw signature.
+#[derive(Debug, Eq, Error, PartialEq)]
+#[non_exhaustive]
+pub enum RawSignerError {
+    /// The signing credentials are invalid.
+    #[error("invalid signing credentials ({0})")]
+    InvalidSigningCredentials(String),
+
+    /// An I/O error occurred. This typically happens when loading
+    /// public/private key material from files.
+    ///
+    /// NOTE: We do not directly capture the I/O error itself because it
+    /// lacks an `Eq` implementation. Instead we capture the error description.
+    #[error("I/O error ({0})")]
+    IoError(String),
+
+    /// An error was reported by the OpenSSL native code.
+    ///
+    /// NOTE: We do not directly capture the OpenSSL error itself because it
+    /// lacks an `Eq` implementation. Instead we capture the error description.
+    #[cfg(feature = "openssl")]
+    #[error("an error was reported by OpenSSL native code: {0}")]
+    OpenSslError(String),
+
+    /// The OpenSSL native code mutex could not be acquired.
+    #[cfg(feature = "openssl")]
+    #[error(transparent)]
+    OpenSslMutexUnavailable(#[from] crate::openssl::OpenSslMutexUnavailable),
+
+    /// An unexpected internal error occured while requesting the time stamp
+    /// response.
+    #[error("internal error ({0})")]
+    InternalError(String),
+}
+
+impl From<std::io::Error> for RawSignerError {
+    fn from(err: std::io::Error) -> Self {
+        Self::IoError(err.to_string())
+    }
+}
+
+#[cfg(feature = "openssl")]
+impl From<openssl::error::ErrorStack> for RawSignerError {
+    fn from(err: openssl::error::ErrorStack) -> Self {
+        Self::OpenSslError(err.to_string())
+    }
+}
+
+#[cfg(target_arch = "wasm32")]
+impl From<crate::webcrypto::WasmCryptoError> for RawSignerError {
+    fn from(err: crate::webcrypto::WasmCryptoError) -> Self {
+        match err {
+            crate::webcrypto::WasmCryptoError::UnknownContext => {
+                Self::InternalError("unknown WASM context".to_string())
+            }
+            crate::webcrypto::WasmCryptoError::NoCryptoAvailable => {
+                Self::InternalError("WASM crypto unavailable".to_string())
+            }
+        }
+    }
+}
+
+/// Return a built-in [`RawSigner`] instance using the provided signing
+/// certificate and private key.
+///
+/// Which signers are available may vary depending on the platform and which
+/// crate features were enabled. If the desired signing algorithm is
+/// unavailable, will respond with `Err(RawSignerError::InternalError)`.
+///
+/// May return an `Err` response if the certificate chain or private key are
+/// invalid.
+#[allow(unused)] // arguments may or may not be used depending on crate features
+pub fn signer_from_cert_chain_and_private_key(
+    cert_chain: &[u8],
+    private_key: &[u8],
+    alg: SigningAlg,
+    time_stamp_service_url: Option<String>,
+) -> Result<Box<dyn RawSigner + Send + Sync>, RawSignerError> {
+    #[cfg(feature = "openssl")]
+    {
+        return crate::openssl::signers::signer_from_cert_chain_and_private_key(
+            cert_chain,
+            private_key,
+            alg,
+            time_stamp_service_url,
+        );
+    }
+
+    #[cfg(all(target_arch = "wasm32", not(target_os = "wasi")))]
+    {
+        return crate::webcrypto::signers::signer_from_cert_chain_and_private_key(
+            cert_chain,
+            private_key,
+            alg,
+            time_stamp_service_url,
+        );
+    }
+
+    Err(RawSignerError::InternalError(format!(
+        "unsupported algorithm: {alg}"
+    )))
+}
+
+/// Return a built-in [`AsyncRawSigner`] instance using the provided signing
+/// certificate and private key.
+///
+/// Which signers are available may vary depending on the platform and which
+/// crate features were enabled. If the desired signing algorithm is
+/// unavailable, will respond with `Err(RawSignerError::InternalError)`.
+///
+/// May return an `Err` response if the certificate chain or private key are
+/// invalid.
+#[allow(unused)] // arguments may or may not be used depending on crate features
+pub fn async_signer_from_cert_chain_and_private_key(
+    cert_chain: &[u8],
+    private_key: &[u8],
+    alg: SigningAlg,
+    time_stamp_service_url: Option<String>,
+) -> Result<Box<dyn AsyncRawSigner + Send + Sync>, RawSignerError> {
+    // TO DO: Preferentially use WASM-based signers, some of which are necessarily
+    // async.
+
+    let sync_signer = signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        alg,
+        time_stamp_service_url,
+    )?;
+
+    Ok(Box::new(AsyncRawSignerWrapper(sync_signer)))
+}
+
+struct AsyncRawSignerWrapper(Box<dyn RawSigner + Send + Sync>);
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncRawSigner for AsyncRawSignerWrapper {
+    async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>, RawSignerError> {
+        self.0.sign(&data)
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.0.alg()
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        self.0.cert_chain()
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.0.reserve_size()
+    }
+
+    async fn ocsp_response(&self) -> Option<Vec<u8>> {
+        self.0.ocsp_response()
+    }
+}
+
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+impl AsyncTimeStampProvider for AsyncRawSignerWrapper {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.0.time_stamp_service_url()
+    }
+
+    fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        self.0.time_stamp_request_headers()
+    }
+
+    fn time_stamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>, TimeStampError> {
+        self.0.time_stamp_request_body(message)
+    }
+
+    async fn send_time_stamp_request(
+        &self,
+        message: &[u8],
+    ) -> Option<Result<Vec<u8>, TimeStampError>> {
+        self.0.send_time_stamp_request(message)
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+pub(crate) fn test_signer(alg: SigningAlg) -> Box<dyn RawSigner> {
+    let (cert_chain, private_key) = match alg {
+        SigningAlg::Ed25519 => (
+            include_bytes!("../tests/fixtures/raw_signature/ed25519.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/ed25519.priv").as_slice(),
+        ),
+        SigningAlg::Es256 => (
+            include_bytes!("../tests/fixtures/raw_signature/es256.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/es256.priv").as_slice(),
+        ),
+        SigningAlg::Es384 => (
+            include_bytes!("../tests/fixtures/raw_signature/es384.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/es384.priv").as_slice(),
+        ),
+        SigningAlg::Es512 => (
+            include_bytes!("../tests/fixtures/raw_signature/es512.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/es512.priv").as_slice(),
+        ),
+        SigningAlg::Ps256 => (
+            include_bytes!("../tests/fixtures/raw_signature/ps256.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/ps256.priv").as_slice(),
+        ),
+        SigningAlg::Ps384 => (
+            include_bytes!("../tests/fixtures/raw_signature/ps384.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/ps384.priv").as_slice(),
+        ),
+        SigningAlg::Ps512 => (
+            include_bytes!("../tests/fixtures/raw_signature/ps512.pub").as_slice(),
+            include_bytes!("../tests/fixtures/raw_signature/ps512.priv").as_slice(),
+        ),
+    };
+
+    signer_from_cert_chain_and_private_key(cert_chain, private_key, alg, None).unwrap()
+}
diff --git a/internal/crypto/src/signing_alg.rs b/internal/crypto/src/raw_signature/signing_alg.rs
similarity index 99%
rename from internal/crypto/src/signing_alg.rs
rename to internal/crypto/src/raw_signature/signing_alg.rs
index 9b2d3c292..256870747 100644
--- a/internal/crypto/src/signing_alg.rs
+++ b/internal/crypto/src/raw_signature/signing_alg.rs
@@ -28,6 +28,7 @@ use serde::{Deserialize, Serialize};
 /// [§13.2, “Digital Signatures”]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_digital_signatures
 #[derive(Copy, Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
 #[cfg_attr(feature = "json_schema", derive(JsonSchema))]
+#[non_exhaustive]
 pub enum SigningAlg {
     /// ECDSA with SHA-256
     Es256,
diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
index 089f2de57..7cc9bd61b 100644
--- a/internal/crypto/src/raw_signature/validator.rs
+++ b/internal/crypto/src/raw_signature/validator.rs
@@ -11,11 +11,11 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use async_trait::async_trait;
 use bcder::Oid;
 use thiserror::Error;
 
-use super::oids::*;
-use crate::SigningAlg;
+use crate::raw_signature::{oids::*, SigningAlg};
 
 /// A `RawSignatureValidator` implementation checks a signature encoded using a
 /// specific signature algorithm and a private/public key pair.
@@ -24,8 +24,8 @@ use crate::SigningAlg;
 /// another signature mechanism. In the C2PA ecosystem, this wrapper is
 /// typically COSE, but `RawSignatureValidator` does not implement COSE.
 pub trait RawSignatureValidator {
-    /// Return `true` if the signature `sig` is valid for the raw content `data`
-    /// and the public key `public_key`.
+    /// Return `Ok(())` if the signature `sig` is valid for the raw content
+    /// `data` and the public key `public_key`.
     fn validate(
         &self,
         sig: &[u8],
@@ -34,6 +34,31 @@ pub trait RawSignatureValidator {
     ) -> Result<(), RawSignatureValidationError>;
 }
 
+/// An `AsyncRawSignatureValidator` implementation checks a signature encoded
+/// using a specific signature algorithm and a private/public key pair.
+///
+/// IMPORTANT: This signature is typically embedded in a wrapper provided by
+/// another signature mechanism. In the C2PA ecosystem, this wrapper is
+/// typically COSE, but `AsyncRawSignatureValidator` does not implement COSE.
+///
+/// The WASM implementation of `c2pa-crypto` also implements
+/// [`RawSignatureValidator`] (the synchronous version), but some encryption
+/// algorithms are not supported. For that reason, it's preferable to use this
+/// implementation on WASM.
+///
+/// [`RawSignatureValidator`]: crate::raw_signature::RawSignatureValidator
+#[async_trait(?Send)]
+pub trait AsyncRawSignatureValidator {
+    /// Return `Ok(())` if the signature `sig` is valid for the raw content
+    /// `data` and the public key `public_key`.
+    async fn validate_async(
+        &self,
+        sig: &[u8],
+        data: &[u8],
+        public_key: &[u8],
+    ) -> Result<(), RawSignatureValidationError>;
+}
+
 /// Return a built-in signature validator for the requested signature
 /// algorithm.
 ///
@@ -50,18 +75,34 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
         return Some(validator);
     }
 
+    let _ = alg; // this value will be unused in this case
     None
 }
 
 /// Return a built-in signature validator for the requested signature
-/// algorithm as identified by OID.
+/// algorithm.
 ///
 /// Which validators are available may vary depending on the platform and
 /// which crate features were enabled.
+pub fn async_validator_for_signing_alg(
+    alg: SigningAlg,
+) -> Option<Box<dyn AsyncRawSignatureValidator>> {
+    #[cfg(target_arch = "wasm32")]
+    if let Some(validator) = crate::webcrypto::async_validator_for_signing_alg(alg) {
+        return Some(validator);
+    }
+
+    Some(Box::new(AsyncValidatorAdapter(validator_for_signing_alg(
+        alg,
+    )?)))
+}
+
+/// Return a built-in signature validator for the requested signature
+/// algorithm as identified by OID.
 ///
-/// TEMPORARILY PUBLIC: This will become `pub(crate)` once time stamp code moves
-/// into c2pa-crypto
-pub fn validator_for_sig_and_hash_algs(
+/// Which validators are available may vary depending on the platform and
+/// which crate features were enabled.
+pub(crate) fn validator_for_sig_and_hash_algs(
     sig_alg: &Oid,
     hash_alg: &Oid,
 ) -> Option<Box<dyn RawSignatureValidator>> {
@@ -164,3 +205,17 @@ impl From<crate::webcrypto::WasmCryptoError> for RawSignatureValidationError {
         }
     }
 }
+
+struct AsyncValidatorAdapter(Box<dyn RawSignatureValidator>);
+
+#[async_trait(?Send)]
+impl AsyncRawSignatureValidator for AsyncValidatorAdapter {
+    async fn validate_async(
+        &self,
+        sig: &[u8],
+        data: &[u8],
+        public_key: &[u8],
+    ) -> Result<(), RawSignatureValidationError> {
+        self.0.validate(sig, data, public_key)
+    }
+}
diff --git a/internal/crypto/src/tests/cose/certificate_profile.rs b/internal/crypto/src/tests/cose/certificate_profile.rs
new file mode 100644
index 000000000..9af841ad8
--- /dev/null
+++ b/internal/crypto/src/tests/cose/certificate_profile.rs
@@ -0,0 +1,65 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use c2pa_status_tracker::{
+    validation_codes::SIGNING_CREDENTIAL_EXPIRED, DetailedStatusTracker, StatusTracker,
+};
+#[cfg(target_arch = "wasm32")]
+use wasm_bindgen_test::wasm_bindgen_test;
+use x509_parser::pem::Pem;
+
+use crate::cose::{check_certificate_profile, CertificateTrustPolicy};
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn expired_cert() {
+    let ctp = CertificateTrustPolicy::default();
+    let mut validation_log = DetailedStatusTracker::default();
+
+    let cert_der = x509_der_from_pem(include_bytes!(
+        "../fixtures/cose/rsa-pss256_key-expired.pub"
+    ));
+
+    assert!(check_certificate_profile(&cert_der, &ctp, &mut validation_log, None).is_err());
+
+    assert!(!validation_log.logged_items().is_empty());
+
+    assert_eq!(
+        validation_log.logged_items()[0].validation_status,
+        Some(SIGNING_CREDENTIAL_EXPIRED.into())
+    );
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn cert_algorithms() {
+    let ctp = CertificateTrustPolicy::default();
+
+    let mut validation_log = DetailedStatusTracker::default();
+
+    let es256_cert = x509_der_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_cert = x509_der_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_cert = x509_der_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ps256_cert = x509_der_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+
+    check_certificate_profile(&es256_cert, &ctp, &mut validation_log, None).unwrap();
+    check_certificate_profile(&es384_cert, &ctp, &mut validation_log, None).unwrap();
+    check_certificate_profile(&es512_cert, &ctp, &mut validation_log, None).unwrap();
+    check_certificate_profile(&ps256_cert, &ctp, &mut validation_log, None).unwrap();
+}
+
+fn x509_der_from_pem(cert_pem: &[u8]) -> Vec<u8> {
+    let mut pems = Pem::iter_from_buffer(cert_pem);
+    let pem = pems.next().unwrap().unwrap();
+    pem.contents
+}
diff --git a/internal/crypto/src/tests/cose/certificate_trust_policy.rs b/internal/crypto/src/tests/cose/certificate_trust_policy.rs
new file mode 100644
index 000000000..d2ec2b860
--- /dev/null
+++ b/internal/crypto/src/tests/cose/certificate_trust_policy.rs
@@ -0,0 +1,619 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use asn1_rs::{oid, Oid};
+#[cfg(target_arch = "wasm32")]
+use wasm_bindgen_test::wasm_bindgen_test;
+use x509_parser::{extensions::ExtendedKeyUsage, pem::Pem};
+
+use crate::{
+    cose::{CertificateTrustError, CertificateTrustPolicy, InvalidCertificateError},
+    raw_signature::{signer::test_signer, SigningAlg},
+};
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn impl_debug() {
+    let ctp = CertificateTrustPolicy::new();
+    let _ = format!("{ctp:#?}");
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn new() {
+    let ctp = CertificateTrustPolicy::new();
+
+    assert_eq!(
+        ctp.has_allowed_eku(&email_eku()).unwrap(),
+        EMAIL_PROTECTION_OID
+    );
+
+    assert!(ctp.has_allowed_eku(&document_signing_eku()).is_none());
+
+    assert_eq!(
+        ctp.has_allowed_eku(&time_stamping_eku()).unwrap(),
+        TIME_STAMPING_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&ocsp_signing_eku()).unwrap(),
+        OCSP_SIGNING_OID
+    );
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn default() {
+    let ctp = CertificateTrustPolicy::default();
+
+    assert_eq!(
+        ctp.has_allowed_eku(&email_eku()).unwrap(),
+        EMAIL_PROTECTION_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&document_signing_eku()).unwrap(),
+        DOCUMENT_SIGNING_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&time_stamping_eku()).unwrap(),
+        TIME_STAMPING_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&ocsp_signing_eku()).unwrap(),
+        OCSP_SIGNING_OID
+    );
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn clear() {
+    let mut ctp = CertificateTrustPolicy::default();
+    ctp.clear();
+
+    assert_eq!(
+        ctp.has_allowed_eku(&email_eku()).unwrap(),
+        EMAIL_PROTECTION_OID
+    );
+
+    assert!(ctp.has_allowed_eku(&document_signing_eku()).is_none());
+
+    assert_eq!(
+        ctp.has_allowed_eku(&time_stamping_eku()).unwrap(),
+        TIME_STAMPING_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&ocsp_signing_eku()).unwrap(),
+        OCSP_SIGNING_OID
+    );
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn add_valid_ekus_err_bad_utf8() {
+    let mut ctp = CertificateTrustPolicy::new();
+    ctp.add_valid_ekus(&[128, 0]);
+
+    assert_eq!(
+        ctp.has_allowed_eku(&email_eku()).unwrap(),
+        EMAIL_PROTECTION_OID
+    );
+
+    assert!(ctp.has_allowed_eku(&document_signing_eku()).is_none());
+
+    assert_eq!(
+        ctp.has_allowed_eku(&time_stamping_eku()).unwrap(),
+        TIME_STAMPING_OID
+    );
+
+    assert_eq!(
+        ctp.has_allowed_eku(&ocsp_signing_eku()).unwrap(),
+        OCSP_SIGNING_OID
+    );
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn add_trust_anchors_err_bad_pem() {
+    let mut ctp = CertificateTrustPolicy::new();
+    assert!(ctp.add_trust_anchors(BAD_PEM.as_bytes()).is_err());
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn add_end_entity_credentials_err_bad_pem() {
+    let mut ctp = CertificateTrustPolicy::new();
+    assert!(ctp.add_end_entity_credentials(BAD_PEM.as_bytes()).is_err());
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn err_to_string() {
+    let ice = InvalidCertificateError("foo".to_string());
+    assert_eq!(ice.to_string(), "Unable to parse certificate list: foo");
+}
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn err_debug() {
+    let ice = InvalidCertificateError("foo".to_string());
+    assert_eq!(
+        format!("{ice:#?}"),
+        "InvalidCertificateError(\n    \"foo\",\n)"
+    );
+}
+
+fn email_eku() -> ExtendedKeyUsage<'static> {
+    ExtendedKeyUsage {
+        any: false,
+        server_auth: false,
+        client_auth: false,
+        code_signing: false,
+        email_protection: true,
+        time_stamping: false,
+        ocsp_signing: false,
+        other: vec![],
+    }
+}
+
+fn document_signing_eku() -> ExtendedKeyUsage<'static> {
+    ExtendedKeyUsage {
+        any: false,
+        server_auth: false,
+        client_auth: false,
+        code_signing: false,
+        email_protection: false,
+        time_stamping: false,
+        ocsp_signing: false,
+        other: vec![DOCUMENT_SIGNING_OID.clone()],
+    }
+}
+
+fn time_stamping_eku() -> ExtendedKeyUsage<'static> {
+    ExtendedKeyUsage {
+        any: false,
+        server_auth: false,
+        client_auth: false,
+        code_signing: false,
+        email_protection: false,
+        time_stamping: true,
+        ocsp_signing: false,
+        other: vec![],
+    }
+}
+
+fn ocsp_signing_eku() -> ExtendedKeyUsage<'static> {
+    ExtendedKeyUsage {
+        any: false,
+        server_auth: false,
+        client_auth: false,
+        code_signing: false,
+        email_protection: false,
+        time_stamping: false,
+        ocsp_signing: true,
+        other: vec![],
+    }
+}
+
+static EMAIL_PROTECTION_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .4);
+static DOCUMENT_SIGNING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .36);
+static TIME_STAMPING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .8);
+static OCSP_SIGNING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .9);
+
+static BAD_PEM: &str = r#"
+-----BEGIN CERTIFICATE-----
+µIICEzCCAcWgAwIBAgIUW4fUnS38162x10PCnB8qFsrQuZgwBQYDK2VwMHcxCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdoZXJlMRowGAYD
+VQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9SIFRFU1RJTkdfT05M
+WTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2NDFaFw0zMjA2MDcxODQ2
+NDFaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdo
+ZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9SIFRF
+U1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAqMAUGAytlcAMhAGPUgK9q1H3D
+eKMGqLGjTXJSpsrLpe0kpxkaFMe7KUAuo2MwYTAdBgNVHQ4EFgQUXuZWArP1jiRM
+fgye6ZqRyGupTowwHwYDVR0jBBgwFoAUXuZWArP1jiRMfgye6ZqRyGupTowwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwBQYDK2VwA0EA8E79g54u2fUy
+dfVLPyqKmtjenOUMvVQD7waNbetLY7kvUJZCd5eaDghk30/Q1RaNjiP/2RfA/it8
+zGxQnM2hCA==
+-----END CERTIFICATE-----
+"#;
+
+#[test]
+fn test_trust_store() {
+    let ctp = CertificateTrustPolicy::default();
+
+    let ps256 = test_signer(SigningAlg::Ps256);
+    let ps384 = test_signer(SigningAlg::Ps384);
+    let ps512 = test_signer(SigningAlg::Ps512);
+    let es256 = test_signer(SigningAlg::Es256);
+    let es384 = test_signer(SigningAlg::Es384);
+    let es512 = test_signer(SigningAlg::Es512);
+    let ed25519 = test_signer(SigningAlg::Ed25519);
+
+    let ps256_certs = ps256.cert_chain().unwrap();
+    let ps384_certs = ps384.cert_chain().unwrap();
+    let ps512_certs = ps512.cert_chain().unwrap();
+    let es256_certs = es256.cert_chain().unwrap();
+    let es384_certs = es384.cert_chain().unwrap();
+    let es512_certs = es512.cert_chain().unwrap();
+    let ed25519_certs = ed25519.cert_chain().unwrap();
+
+    ctp.check_certificate_trust(&ps256_certs[1..], &ps256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps384_certs[1..], &ps384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps512_certs[1..], &ps512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es256_certs[1..], &es256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es384_certs[1..], &es384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es512_certs[1..], &es512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .unwrap();
+}
+
+#[cfg_attr(not(target_arch = "wasm32"), actix::test)]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+async fn test_trust_store_async() {
+    let ctp = CertificateTrustPolicy::default();
+
+    let ps256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+    let ps384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps384.pub"));
+    let ps512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps512.pub"));
+    let es256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ed25519_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ed25519.pub"));
+
+    ctp.check_certificate_trust_async(&ps256_certs[1..], &ps256_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ps384_certs[1..], &ps384_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ps512_certs[1..], &ps512_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es256_certs[1..], &es256_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es384_certs[1..], &es384_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es512_certs[1..], &es512_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .await
+        .unwrap();
+}
+
+#[test]
+fn test_broken_trust_chain() {
+    let ctp = CertificateTrustPolicy::default();
+
+    let ps256 = test_signer(SigningAlg::Ps256);
+    let ps384 = test_signer(SigningAlg::Ps384);
+    let ps512 = test_signer(SigningAlg::Ps512);
+    let es256 = test_signer(SigningAlg::Es256);
+    let es384 = test_signer(SigningAlg::Es384);
+    let es512 = test_signer(SigningAlg::Es512);
+    let ed25519 = test_signer(SigningAlg::Ed25519);
+
+    let ps256_certs = ps256.cert_chain().unwrap();
+    let ps384_certs = ps384.cert_chain().unwrap();
+    let ps512_certs = ps512.cert_chain().unwrap();
+    let es256_certs = es256.cert_chain().unwrap();
+    let es384_certs = es384.cert_chain().unwrap();
+    let es512_certs = es512.cert_chain().unwrap();
+    let ed25519_certs = ed25519.cert_chain().unwrap();
+
+    // Break the trust chain by skipping the first intermediate CA.
+    assert_eq!(
+        ctp.check_certificate_trust(&ps256_certs[2..], &ps256_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&ps384_certs[2..], &ps384_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&ps384_certs[2..], &ps384_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&ps512_certs[2..], &ps512_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&es256_certs[2..], &es256_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&es384_certs[2..], &es384_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&es512_certs[2..], &es512_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust(&ed25519_certs[2..], &ed25519_certs[0], None)
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+}
+
+#[cfg_attr(not(target_arch = "wasm32"), actix::test)]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+async fn test_broken_trust_chain_async() {
+    let ctp = CertificateTrustPolicy::default();
+
+    let ps256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+    let ps384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps384.pub"));
+    let ps512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps512.pub"));
+    let es256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ed25519_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ed25519.pub"));
+
+    // Break the trust chain by skipping the first intermediate CA.
+    assert_eq!(
+        ctp.check_certificate_trust_async(&ps256_certs[2..], &ps256_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&ps384_certs[2..], &ps384_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&ps384_certs[2..], &ps384_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&ps512_certs[2..], &ps512_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&es256_certs[2..], &es256_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&es384_certs[2..], &es384_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&es512_certs[2..], &es512_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+
+    assert_eq!(
+        ctp.check_certificate_trust_async(&ed25519_certs[2..], &ed25519_certs[0], None)
+            .await
+            .unwrap_err(),
+        CertificateTrustError::CertificateNotTrusted
+    );
+}
+
+#[test]
+fn test_allowed_list() {
+    let mut ctp = CertificateTrustPolicy::new();
+
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ed25519.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es256.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es384.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es512.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps256.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps384.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps512.pub"))
+        .unwrap();
+
+    let ps256 = test_signer(SigningAlg::Ps256);
+    let ps384 = test_signer(SigningAlg::Ps384);
+    let ps512 = test_signer(SigningAlg::Ps512);
+    let es256 = test_signer(SigningAlg::Es256);
+    let es384 = test_signer(SigningAlg::Es384);
+    let es512 = test_signer(SigningAlg::Es512);
+    let ed25519 = test_signer(SigningAlg::Ed25519);
+
+    let ps256_certs = ps256.cert_chain().unwrap();
+    let ps384_certs = ps384.cert_chain().unwrap();
+    let ps512_certs = ps512.cert_chain().unwrap();
+    let es256_certs = es256.cert_chain().unwrap();
+    let es384_certs = es384.cert_chain().unwrap();
+    let es512_certs = es512.cert_chain().unwrap();
+    let ed25519_certs = ed25519.cert_chain().unwrap();
+
+    ctp.check_certificate_trust(&ps256_certs[1..], &ps256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps384_certs[1..], &ps384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps512_certs[1..], &ps512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es256_certs[1..], &es256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es384_certs[1..], &es384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es512_certs[1..], &es512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .unwrap();
+}
+
+#[cfg_attr(not(target_arch = "wasm32"), actix::test)]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+async fn test_allowed_list_async() {
+    let mut ctp = CertificateTrustPolicy::new();
+
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ed25519.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es256.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es384.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/es512.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps256.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps384.pub"))
+        .unwrap();
+    ctp.add_end_entity_credentials(include_bytes!("../fixtures/raw_signature/ps512.pub"))
+        .unwrap();
+
+    let ps256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+    let ps384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps384.pub"));
+    let ps512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps512.pub"));
+    let es256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ed25519_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ed25519.pub"));
+
+    ctp.check_certificate_trust_async(&ps256_certs[1..], &ps256_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ps384_certs[1..], &ps384_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ps512_certs[1..], &ps512_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es256_certs[1..], &es256_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es384_certs[1..], &es384_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&es512_certs[1..], &es512_certs[0], None)
+        .await
+        .unwrap();
+    ctp.check_certificate_trust_async(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .await
+        .unwrap();
+}
+
+#[test]
+fn test_allowed_list_hashes() {
+    let mut ctp = CertificateTrustPolicy::new();
+
+    ctp.add_end_entity_credentials(include_bytes!(
+        "../fixtures/raw_signature/allowed_list.hash"
+    ))
+    .unwrap();
+
+    let ps256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+    let ps384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps384.pub"));
+    let ps512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps512.pub"));
+    let es256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ed25519_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ed25519.pub"));
+
+    ctp.check_certificate_trust(&ps256_certs[1..], &ps256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps384_certs[1..], &ps384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps512_certs[1..], &ps512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es256_certs[1..], &es256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es384_certs[1..], &es384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es512_certs[1..], &es512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .unwrap();
+}
+
+#[cfg_attr(not(target_arch = "wasm32"), actix::test)]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+async fn test_allowed_list_hashes_async() {
+    let mut ctp = CertificateTrustPolicy::new();
+
+    ctp.add_end_entity_credentials(include_bytes!(
+        "../fixtures/raw_signature/allowed_list.hash"
+    ))
+    .unwrap();
+
+    let ps256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps256.pub"));
+    let ps384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps384.pub"));
+    let ps512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ps512.pub"));
+    let es256_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es256.pub"));
+    let es384_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es384.pub"));
+    let es512_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/es512.pub"));
+    let ed25519_certs = cert_ders_from_pem(include_bytes!("../fixtures/raw_signature/ed25519.pub"));
+
+    ctp.check_certificate_trust(&ps256_certs[1..], &ps256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps384_certs[1..], &ps384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ps512_certs[1..], &ps512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es256_certs[1..], &es256_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es384_certs[1..], &es384_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&es512_certs[1..], &es512_certs[0], None)
+        .unwrap();
+    ctp.check_certificate_trust(&ed25519_certs[1..], &ed25519_certs[0], None)
+        .unwrap();
+}
+
+fn cert_ders_from_pem(cert_chain: &[u8]) -> Vec<Vec<u8>> {
+    Pem::iter_from_buffer(cert_chain)
+        .map(|r| r.unwrap().contents)
+        .collect()
+}
diff --git a/internal/crypto/src/tests/cose/mod.rs b/internal/crypto/src/tests/cose/mod.rs
new file mode 100644
index 000000000..3c4f5adf3
--- /dev/null
+++ b/internal/crypto/src/tests/cose/mod.rs
@@ -0,0 +1,15 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+mod certificate_profile;
+mod certificate_trust_policy;
diff --git a/internal/crypto/src/tests/fixtures/cose/rsa-pss256_key-expired.pub b/internal/crypto/src/tests/fixtures/cose/rsa-pss256_key-expired.pub
new file mode 100644
index 000000000..b091ae605
--- /dev/null
+++ b/internal/crypto/src/tests/fixtures/cose/rsa-pss256_key-expired.pub
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEATCCAumgAwIBAgIUAMXK1m2iDtQ165Ruxogp1TjplcUwDQYJKoZIhvcNAQEL
+BQAwfzELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMREwDwYDVQQHDAhTYW4gSm9z
+ZTEUMBIGA1UECgwLQWRvYmUsIEluYy4xGDAWBgNVBAsMD0NBSSAoVGVtcG9yYXJ5
+KTEgMB4GA1UEAwwXY29udGVudGF1dGhlbnRpY2l0eS5vcmcwHhcNMjIwMjAyMTMy
+NDI4WhcNMjIwMjAzMTMyNDI4WjB/MQswCQYDVQQGEwJ1czELMAkGA1UECAwCY2Ex
+ETAPBgNVBAcMCFNhbiBKb3NlMRQwEgYDVQQKDAtBZG9iZSwgSW5jLjEYMBYGA1UE
+CwwPQ0FJIChUZW1wb3JhcnkpMSAwHgYDVQQDDBdjb250ZW50YXV0aGVudGljaXR5
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAML8WVHo1HcXkQ7g
+P73aP+9AfZE8uNq0sFIHB9jNF9HN5UYCPLfYr4v6XJd1I1wkygypxZgBsI5UUfKY
+uMDhijf5+Obxv52Y+4Ein59oKUuM6B53aaiCvwRmTHp2MeOqt5nTkhvCarhdJipn
+tn+zNLzGGAdXu0jmS/h4dH0nPN0qJdfliDtkPSRvTqAEfOAPfGas/lTWX/8baVg6
+cOMnLupYR0787WE4Y6n4ynRLgwsMj8K2GCIHFceHQMhE8lMjC6ltmmR8dbnCOxMM
+QDB8SZLyMEKHWw8jM6fz5RVW/L7B0kcww/tPqE4ODBU1k6SZIti8DT7ONpgaufzH
+J5vjmEMCAwEAAaN1MHMwHQYDVR0OBBYEFJNnwVuf7Gh/xPkAvGGmK+Q6gB3NMB8G
+A1UdIwQYMBaAFJNnwVuf7Gh/xPkAvGGmK+Q6gB3NMA8GA1UdEwEB/wQFMAMBAf8w
+CwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUA
+A4IBAQAVBKqok5V5SxnfAE5Mt9WyQjfMWu19MwrquPo0I40KyYJI+2coLyo2tkuE
+bXezJTP/RY7v2hqOwlk+2kK82m2idRZcRT3r8yAUwKkg/tX5jlVt4WTNQgdamVtd
+mpCb97ozXdjGGv/FlSji5ufs7u8hNP9jhO0/LFzHoeJDRJc13HBJCdOmGd0topWZ
+NW4UtOdmke5ZPxaWkjxDwtfJxsplsinD3bcaiYGfhQPSNyacYB0UnimdUQaVpO6i
+U9t08t4+zBoFpCoC9XgEAOs9DP7WOGmKPhafL7dbSUhqyFHwacGY3PxoWZPqHwpH
+jsseAnInq8Ves5Bhnd6l6sc4GjiR
+-----END CERTIFICATE-----
diff --git a/sdk/tests/fixtures/certs/trust/allowed_list.hash b/internal/crypto/src/tests/fixtures/raw_signature/allowed_list.hash
similarity index 100%
rename from sdk/tests/fixtures/certs/trust/allowed_list.hash
rename to internal/crypto/src/tests/fixtures/raw_signature/allowed_list.hash
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ed25519.priv b/internal/crypto/src/tests/fixtures/raw_signature/ed25519.priv
new file mode 100644
index 000000000..fda14a840
--- /dev/null
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ed25519.priv
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIL2+9INLPNSLH3STzKQJ3Wen9R6uPbIYOIKA2574YQ4O
+-----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/es256.priv b/internal/crypto/src/tests/fixtures/raw_signature/es256.priv
new file mode 100644
index 000000000..5e59fcc5e
--- /dev/null
+++ b/internal/crypto/src/tests/fixtures/raw_signature/es256.priv
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfNJBsaRLSeHizv0m
+GL+gcn78QmtfLSm+n+qG9veC2W2hRANCAAQPaL6RkAkYkKU4+IryBSYxJM3h77sF
+iMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWkyl3QGuV/wt0MrAPDo
+-----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/es384.priv b/internal/crypto/src/tests/fixtures/raw_signature/es384.priv
new file mode 100644
index 000000000..9dcc3af1c
--- /dev/null
+++ b/internal/crypto/src/tests/fixtures/raw_signature/es384.priv
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDClh93nMdKl9Ujg71e3
+95QK1Z7OnmHrAYRv9B4ujlgWBoLQVtkoamQdizWQI/GvpAuhZANiAATY7kzZpbiB
+azyKpJ3gb/6TZPMaNfJ+P5YeyhCynvzQtQT5l3HnJosPxUWYKTkdwqBWwe9P7QKl
+KyX4PpQXVkJXYHffOGYOOKhLkJbc3JpYZzrxlZzY2FiVa1NQ/wOPXiU=
+-----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/es512.priv b/internal/crypto/src/tests/fixtures/raw_signature/es512.priv
new file mode 100644
index 000000000..33cb2ad84
--- /dev/null
+++ b/internal/crypto/src/tests/fixtures/raw_signature/es512.priv
@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBDCrjJaQ9kS2QVZHr
+AoJMiCyk3YtvecNK913LsZ5alTlq01W13cEWVl3nprbCrCVzANiHWLjqUzfVW2oN
+wT0rW5qhgYkDgYYABAHbhWCA1ywh5K74+Al75qoC2FLcqEmIJQoU4lNpy5lsPU59
+3LNjzmVUY8VTK8bK9SLnqhZC0sdijlqitmSOJg/VLwB9uYVTnwBmize3WEQmlEyz
+nYJ0XdmCZYJcB4ke1aQKpHw1jNhHGSxEO9xn7+50v1EzEwRa0yM934mF3UxCV2c5
+nw==
+-----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps256.priv b/internal/crypto/src/tests/fixtures/raw_signature/ps256.priv
index 877712f05..ed4c7318d 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps256.priv
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps256.priv
@@ -1,52 +1,53 @@
 -----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC57PRjgHzQU0yv
-x6Gkmzg9WDVYzFESquAm3c6QCfKjnvD62JTxjxlg/U/f+6+mCbb+XJA4P0KRrQ5w
-lB77j6SfcRDxIEsDtlExNM/UXwaNC1ZHG+TFHDFaHj6jpJLczAgSgmnUo4vHHTjO
-78SEQS7HXiQbPJnkEEaFUocRQ9pAAylbDsa9Z8o7v8lCImwkoSGW2OhMN4IqOrvO
-ZqMPJsUE/5jJ/aGuxO8eF/PowzJnhV3fkBDXZ2079Sc6+NAJWt2eyrc/Zt4kooY9
-U4yEUgPrCu8oDgcSipcdZrS7cEuLVYZtqkcoloZicmPCTNlOmmaQP0cbbxJeWuOe
-7BNa9qV/Gtso/GU9o1pALumBuS8TSGpwgwS7X9gFFCyrjXINqtlpHjxbZ5JDg2N5
-EO9gDrG858CGOplOj8dzwpPIWZ4rKUuDzY7e8yLHyQ4GR9cWhtB39P39fmOrh32o
-KKaU6hAimYjg9MM+MQEEv56OflUufH7Xzj5YrJsyeks4s7GkQV+7GiWzl4e9Zc5n
-EVmggx6GRt9b+PWLV2pxHTMcBjIY2FycYuxjxi7tXjLNeWzdPEqKUdraWZfNQFip
-/LBuwqOU1TnnhOq2Dhl+fXmAekKo0OtW8XcCwK3xvpZ9n17Qng1gCbQnz6qMEyV3
-5lyQgExyT7sFy3yYVuur4FXH29iSDwIDAQABAoICAFWRHYpbnFW+OHlfnV9lxlTJ
-L0gORDOcq6uHgmTdByvRXuN7YNTpQEtYWXXiXdzC9NKMpB0W1Bq6M/6Q1M9+tMti
-XGM0swFi22wTe6CoGRo5gPwZ9MfYaUgpyjdC6wot5nsqRO2FVTOOmdH3HBCn9RDx
-HRnh4otJCEOcjyfde+jg65wKKWILDdJAui2zLOUQuSY07ngBRekMfdmId/vlol/i
-CB3SGiKWZNwLNwhFKYHmKaVVpsKTyXyCH4tu7kOX644EiqBlxc/Dcpdvx6gwHLiE
-IDvldNDOMqzn0z6+eC4IbuUyrCwcVn2hWpMWDh60RYaWcLHKBQCiwMYnrOK8x731
-Evz+/qY3fXCK0T/KntmHO8IaDMkJRYYO+PgDCM3ju3GmTdr94y3QdY8aYHuBlYi9
-yEA5FFce/Iwit9QBIouce0yIPM1lx5rDQFfgp8z7TEE+YYtLMrs+9vwQf0Gxe4cu
-rVgYYiDeXidKQ9wcq5ZgiuhilpsM0RXd53HQUql8iOLQi3Vzo/zbnit8tFm4w4oA
-WgvN1zFHcAxmuPZ3hImnTfhS/tniw1VqBoKKldHcslaNzl3fCpbs4Khi8i7h7ADR
-ULu28sFnsYhIhkHxHwV1J5rsh4t1kQbhTD4N9PlVSyw9j7WYEuz0Fahb1fZ3Vxas
-smsjluaHJE60ngerybYhAoIBAQDy7wo/pbs+Urdp+uZVbvIZqcY/ZxW9+kiCcrJk
-W85R3J0OmkhQMThy6eKRTV3AjnCRB3O2WRL0BO49nluRnHidlZdyJ9w4QBBryomF
-IvleI6YZeSvb1FaC1stQLIyKP56X/VwvbbO1QWHFT5gGjZ3+jB5rvF5siofnYOn2
-FjL9ch7o90doTOe/4qEoLLkMRwhBsc7gvvw0TVLsWEEHJ/6MbR04y94aH7NxpA5A
-0Msb21WkhF9Dus2qlWTJexu4uSqo2i7s2Jxre3CefWiTF12eKsjxu1xP07fUB9Dn
-HQ1zmTmXRRvVyIuQ6VEGJOS5QTE71HjB2EhF2FdBKcMYdA+vAoIBAQDD7PfeSBHI
-n0E7tbr6PmHMX8jIdyAHIKEPko6K/2Y82AitfY7oL7Pt1oS/SQIy1TJHbaNsXbvz
-l8BVDO33vZ7HHcyVT4uheCdQM0MaoTk2xWMKrHi/AYm8zDdvMo+X1dcaQJZheaMC
-KsvHTyaJknt4ov8BNJpf4CmAnhUcje1wGD2W5i8u1wQCzzuFWoe0p7Ed46khVl2U
-uf38hod08PX7zGUe2p1dSKgJEXgDZLB8FzqvZHrLGafU4WLvg7e6CzAPW8US1Ptc
-OK+9BWZ9uSSNckKAD+piKinNzwMjpGyrlarnNQljo3+u54wq2/sO2VRsQqkDSvIE
-3yZbNIVRkNuhAoIBABWHebEKTv3G9to9kgwgOPRtR1R3HkYn2CU3ZPff6vj2RDT3
-F1GECyyj7aBS6uwVs4Qm1OpkGnnltfdgAV12MHpGt5U2Ux3pD4t995IE93SQVDgN
-tQVWXBRcVMhWKl5WJQfzPCg34KU/lhqWYzKxej8Ey+1gVD3qSQEIZbOZZAtyAatD
-vuBPcHpg60dUL1IXOXQY/eyNAGziLWckqx6nPLfVM7HE33oRNSXtFBZKarWdSom5
-8XdfJrrnYnc4ocxNHKq6K05yI+qileh11L60Y2eRAx3pLNUmPjRcPPc+a+LCwYfW
-aBEaJMRC6RtSSbLhRCu5OLp1IHKQKatsuA2Cu6ECggEBAKFq2IQPyGcLngj9noCR
-aK2itJ9EVeTJYyibTEkERk0Wh3+4FEcDFjB7Ln8SPXd34qaqk5uyVilI+zKXJm+X
-j/roeCcDlDyB65HNyhlkfui7EvA2THzBXaNodLtuYpNroH6Ge97vAffFHoKkmVF6
-l7M6RvHNTupymn7Wvvn5jIdv0T5DgtgKWcmexqEFhwy1o9zGNg+7QfpIihLFG1Cj
-PWYobZ9P6ZpzQ83E0KWrDSQPV1AtbmVqS7W9w28li/cBRKVCrEjpo/XE1jTbACfQ
-o2bNnjA37JjXt/1R8noo+0caVeWK8qNejtGg/wBIoL0JHN7cxLZrxp1w4/78dGJR
-AEECggEBAPDrbygzfoa3+/mNUEJ5U29tb1GewwfeWrNDIMh1U9+ASEWJN15x9IiK
-zYt5a4kEmPmrYm+6bNFTkUIwDtg3+dqc8yG63aZi3R8IEUu9/rLGXAaUicreCPD7
-MS8yAl4l2flZCtuIdeYZuKM9c8AHIFLrmcNdi7P0mY7vO+1ClBS1JZ4kVzcm4INP
-epuRHhVGca5mKiMQgtPR73XOPKxCLcChRAaBrF2kqPTK3GrjFzi/QUXJnV/fvfRM
-vwuEpq0ErP7xTszhH/y4kLkJy2/km218osYhIZVQI1NQ+EDfyt4DjnWWOq0U8rC6
-Ojrhn4um0bWD0vEStufjDsDov/TL0Bo=
+MIIJdwIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZI
+hvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAEggktMIIJKQIBAAKCAgEA62I1JYGk
+qQcvvySENhXYdNiRVSZO7l2CfbQaJSM6NaEDJYrm5kv6K4daYdQ6rTGoLf1H6HJo
+yRwgBR/9dwlErjQmHWzaQnj6QKTv5EHWfXF5l4mOsqEnvMIOEfp4VWo706bemFyl
+nIq3TXIOSF8g/3kbMIgu4+bmUspgjc/QWakLzOXly16+AbVNclxfxs1Tp+weabDS
+sGtVdQ5H43Uw4U7+H76bEiGEtbrTVeuBi7qUNAMgM5z8jHDMSnz5IDMve/o1K0ER
+girZ35qVSARQA4zwTNmy6eCzR2i8w8Zx/DsI6wbjGt2YscTFFq7gTWDUA1+HZCxh
+2to0y1L/BykjU8boGSpRDjOUyg78IjadnmieKdu4v3H9Qm35rpW8cDR7htMhwklW
+rf+3r2alm017paoN8ZT4otnkclIE1Jb0rJbFIBQW4MUAy0plFmZMGicodKNiVi1P
+79Y3uf8uAUnYRjE94VwYY+tWpFPDfyDRADxzIV7Ad9AFlSJIp28xEHXOYiP72eZi
+yHyBqcnO49pSCwY1Uqg4lker5hrd7AGPCyVH3WRC0Qarjc9EK/HhV/6qJd4wLMr4
+vUaDS/6O3zSCvP7LwKHn8STGK1of96L8dEkbK8Nm7u+tXp9tYt9bKwGgVK0daKtB
+yhxgMawWb2GHtvAz5bSq80H+FtFDTF+swj0CAwEAAQKCAgAcfZAaQJVqIiUM2UIp
+e75t8jKxIEhogKgFSBHsEdX/XMRRPH1TPboDn8f4VGRfx0Vof6I/B+4X/ZAAns0i
+pdwKy+QbJqxKZHNB9NTWh4OLPntttKgxheEV71Udpvf+urOQHEAQKBKhnoauWJJS
+/zSyx3lbh/hI/I8/USCbuZ4p5BS6Ec+dLJQKB+ReZcDwArVP+3v45f6yfONknjxk
+UzB97P5EYGFLsgPqrTjcSvusqoI6w3AX3zYQV6zajULoO1nRg0kBOciBPWeOsZrF
+E0SOEXaajrUhquF4ULycY74zPgAH1pcRjuXnCn6ijrs2knRHDj6IiPi1MTk3rQ2S
+U8/jHhyTmHgfMN45RS4d+aeDTTJ7brnpsNQeDCua9nyo9G6CyPQtox93L8EyjsM6
++sI7KzMl4HwKzA7BwkAKIG+h08QqjpNSRoYSkhwapjTX6Izowi8kH4ss0rLVEQYh
+EyjNQYfT+joqFa5pF1pNcmlC24258CLTZHMc/WGq2uD8PzSukbCoIYBBXVEJdiVB
+2sTFpUpQt1wK5PgKLoPVAwD+jwkdsIvvE/1uhLkLSX42w/boEKYGl1kvhx5smAwM
+k7Fiy8YVkniQNHrJ7RFxFG8cfGI/RKl0H09JQUQONh/ERTQ7HNC41UFlQVuW4mG+
++62+EYL580ee8mikUL5XpWSbIQKCAQEA+3fQu899ET2BgzViKvWkyYLs3FRtkvtg
+MUBbMiW+J5cbaWYwN8wHA0lj+xLvInCuE/6Lqe4YOwVilaIBFGl0yXjk9UI2teZX
+HFBmkhhY6UnIAHHlyV2el8Mf2Zf2zy4aEfFn4ZdXhMdYkrWyhBBv/r4zKWAUpknA
+g7dO15Dq0oOpu/4h2TmGGj4nKKH35Q9dXqRjNVKoXNxtJjmVrV6Az0TScys4taIu
+Y0a+7I/+Ms/d+ZshNIQx6ViLdsBU0TLvhnukVO9ExPyyhAFFviS5unISTnzTN3pN
+a06l0h/d2WsFvlWEDdZrpAIfPk3ITVl0mv7XpY1LUVtTlXWhBAjWTQKCAQEA76Av
+Obvgt8v1m/sO/a7A8c+nAWGxOlw76aJLj1ywHG63LGJd9IaHD8glkOs4S3g+VEuN
+G8qFMhRluaY/PFO7wCGCFFR7yRfu/IFCNL63NVsXGYsLseQCRxl05KG8iEFe7JzE
+isfoiPIvgeJiI5yF0rSLIxHRzLmKidwpaKBJxtNy/h1Rvj4xNnDsr8WJkzqxlvq9
+Z6zY/P99IhS1YEZ/6TuDEfUfyC+EsPxw9PCGiTyxumY+IVSEpDdMk7oPT0m4Oson
+ORp5D1D0RDR5UxhGoqVNc0cPOL41Bi/DSmNrVSW6CwIfpEUX/tXDGr4zZrW2z75k
+EpUzkKvXDXBsEHxzsQKCAQEA8D2ogjUZJCZhnAudLLOfahEV3u0d/eUAIi18sq0S
+PNqFCq3g9P2L2Zz80rplEb8a3+k4XvEj3wcnBxNN+sVBGNXRz2ohwKg9osRBKePu
+1XlyhNJLmJRDVnPI8uXWmlpN98Rs3T3sE+MrAIZr9PWLOZFWaXnsYG1naa7vuMwv
+O00kFIEWr2PgdSPZ31zV6tVB+5ALY78DMCw6buFm2MnHP71dXT/2nrhBnwDQmEp8
+rOigBb4p+/UrheXc32eh4HbMFOv8tFQenB9bIPfiPGTzt2cRjEB+vaqvWgw6KUPe
+e79eLleeoGWwUnDgjnJbIWKMHyPGu9gAE8qvUMOfP659pQKCAQBU0AFnEdRruUjp
+OGcJ6vxnmfOmTYmI+nRKMSNFTq0Woyk6EGbo0WSkdVa2gEqgi6Kj+0mqeHfETevj
+VbA0Df759eIwh+Z4Onxf6vAf8xCtVdxLMielguo7eAsjkQtFvr12SdZWuILZVb7y
+3cmWiSPke/pzIy96ooEiYkZVvcXfFaAxyPbRuvl4J2fenrAe6DtLENxRAaCbi2Ii
+2emIdet4BZRSmsvw8sCoU/E3AJrdoBnXu7Bp45w+80OrVcNtcM5AIKTZVUFb5m9O
+ZLQ8cO8vSgqrro74qnniAq3AeofWz0+V7d59KedgTxCLOp6+z7owtVZ+LUje/7NS
+EmRtQV9BAoIBAQDHRD0FCBb8AqZgN5nxjZGNUpLwD09cOfc3PfKtz0U/2PvMKV2e
+ElgAhiwMhOZoHIHnmDmWzqu37lj7gICyeSQyiA3jHSMDHGloOJLCIfKAiZO8gf0O
+w0ptBYvTaMJH/XlVHREoVPxQVnf4Ro87cNCCJ8XjLfzHwnWWCFUxdjqS1kgwb2bs
+dTR8UN2kzXVYL3bi0lUrrIu6uAebzNw/qy29oJ+xhl0g9GVJdNCmr6uX5go+8z0Q
+gDSDvQ6OrLvVYh4nKbM1QcwDZYQCBpd4H+0ZHnUeEpDA7jer4Yzvp9EF9RGZWvc+
+G/dZR0Qj3j0T5F9GX719XpmzYbVFKIKPTsKF
 -----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub b/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub
index 47929fc50..9ed670a94 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub
@@ -1,36 +1,76 @@
 -----BEGIN CERTIFICATE-----
-MIIGVzCCBAugAwIBAgIUBCFBOCIjNtCU37ACTfi+QfTkI7QwQQYJKoZIhvcNAQEK
+MIIGsDCCBGSgAwIBAgIUfj5imtzP59mXEBNbWkgFaXLfgZkwQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
-AKIDAgEgMHYxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJjYTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRUwEwYDVQQKDAxTb21lIENvbXBhbnkxGTAXBgNVBAsMEEZPUiBURVNU
-SU5HIE9OTFkxFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI0MTExODE5MDExMloX
-DTI1MDUxNzE5MDExMlowdjELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMRIwEAYD
-VQQHDAlTb21ld2hlcmUxFTATBgNVBAoMDFNvbWUgQ29tcGFueTEZMBcGA1UECwwQ
-Rk9SIFRFU1RJTkcgT05MWTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQC57PRjgHzQU0yvx6Gkmzg9WDVYzFESquAm
-3c6QCfKjnvD62JTxjxlg/U/f+6+mCbb+XJA4P0KRrQ5wlB77j6SfcRDxIEsDtlEx
-NM/UXwaNC1ZHG+TFHDFaHj6jpJLczAgSgmnUo4vHHTjO78SEQS7HXiQbPJnkEEaF
-UocRQ9pAAylbDsa9Z8o7v8lCImwkoSGW2OhMN4IqOrvOZqMPJsUE/5jJ/aGuxO8e
-F/PowzJnhV3fkBDXZ2079Sc6+NAJWt2eyrc/Zt4kooY9U4yEUgPrCu8oDgcSipcd
-ZrS7cEuLVYZtqkcoloZicmPCTNlOmmaQP0cbbxJeWuOe7BNa9qV/Gtso/GU9o1pA
-LumBuS8TSGpwgwS7X9gFFCyrjXINqtlpHjxbZ5JDg2N5EO9gDrG858CGOplOj8dz
-wpPIWZ4rKUuDzY7e8yLHyQ4GR9cWhtB39P39fmOrh32oKKaU6hAimYjg9MM+MQEE
-v56OflUufH7Xzj5YrJsyeks4s7GkQV+7GiWzl4e9Zc5nEVmggx6GRt9b+PWLV2px
-HTMcBjIY2FycYuxjxi7tXjLNeWzdPEqKUdraWZfNQFip/LBuwqOU1TnnhOq2Dhl+
-fXmAekKo0OtW8XcCwK3xvpZ9n17Qng1gCbQnz6qMEyV35lyQgExyT7sFy3yYVuur
-4FXH29iSDwIDAQABo3UwczAdBgNVHQ4EFgQUuT2YsFLnLlua8GziUBIMgpIjg1Iw
-HwYDVR0jBBgwFoAUuT2YsFLnLlua8GziUBIMgpIjg1IwDwYDVR0TAQH/BAUwAwEB
-/zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwQwQQYJKoZIhvcNAQEK
+AKIDAgEgMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjI4WhcNMzAwODI2MTg0NjI4WjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIPADCCAgoCggIBAOtiNSWBpKkHL78khDYV2HTYkVUmTu5dgn20GiUjOjWhAyWK
+5uZL+iuHWmHUOq0xqC39R+hyaMkcIAUf/XcJRK40Jh1s2kJ4+kCk7+RB1n1xeZeJ
+jrKhJ7zCDhH6eFVqO9Om3phcpZyKt01yDkhfIP95GzCILuPm5lLKYI3P0FmpC8zl
+5ctevgG1TXJcX8bNU6fsHmmw0rBrVXUOR+N1MOFO/h++mxIhhLW601XrgYu6lDQD
+IDOc/IxwzEp8+SAzL3v6NStBEYIq2d+alUgEUAOM8EzZsungs0dovMPGcfw7COsG
+4xrdmLHExRau4E1g1ANfh2QsYdraNMtS/wcpI1PG6BkqUQ4zlMoO/CI2nZ5oninb
+uL9x/UJt+a6VvHA0e4bTIcJJVq3/t69mpZtNe6WqDfGU+KLZ5HJSBNSW9KyWxSAU
+FuDFAMtKZRZmTBonKHSjYlYtT+/WN7n/LgFJ2EYxPeFcGGPrVqRTw38g0QA8cyFe
+wHfQBZUiSKdvMRB1zmIj+9nmYsh8ganJzuPaUgsGNVKoOJZHq+Ya3ewBjwslR91k
+QtEGq43PRCvx4Vf+qiXeMCzK+L1Gg0v+jt80grz+y8Ch5/EkxitaH/ei/HRJGyvD
+Zu7vrV6fbWLfWysBoFStHWirQcocYDGsFm9hh7bwM+W0qvNB/hbRQ0xfrMI9AgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBQ3KHUtnyxDJcV9ncAu37sql3aF7jAfBgNV
+HSMEGDAWgBQMMoDK5ZZtTx/7+QsB1qnlDNwA4jBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAD
+ggIBAAmBZubOjnCXIYmg2l1pDYH+XIyp5feayZz6Nhgz6xB7CouNgvcjkYW7EaqN
+RuEkAJWJC68OnjMwwe6tXWQC4ifMKbVg8aj/IRaVAqkEL/MRQ89LnL9F9AGxeugJ
+ulYtpqzFOJUKCPxcXGEoPyqjY7uMdTS14JzluKUwtiQZAm4tcwh/ZdRkt69i3wRq
+VxIY2TK0ncvr4N9cX1ylO6m+GxufseFSO0NwEMxjonJcvsxFwjB8eFUhE0yH3pdD
+gqE2zYfv9kjYkFGngtOqbCe2ixRM5oj9qoS+aKVdOi9m/gObcJkSW9JYAJD2GHLO
+yLpGWRhg4xnn1s7n2W9pWB7+txNR7aqkrUNhZQdznNVdWRGOale4uHJRSPZAetQT
+oYoVAyIX1ba1L/GRo52mOOT67AJhmIVVJJFVvMvvJeQ8ktW8GlxYjG9HHbRpE0S1
+Hv7FhOg0vEAqyrKcYn5JWYGAvEr0VqUqBPz3/QZ8gbmJwXinnUku1QZbGZUIFFIS
+3MDaPXMWmp2KuNMxJXHE1CfaiD7yn2plMV5QZakde3+Kfo6qv2GISK+WYhnGZAY/
+LxtEOqwVrQpDQVJ5jgR/RKPIsOobdboR/aTVjlp7OOfvLxFUvD66zOiVa96fAsfw
+ltU2Cp0uWdQKSLoktmQWLYgEe3QOqvgLDeYP2ScAdm+S+lHV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUeTn90WGAkw2fOJHBNX6EhnB7FZ4wQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
-AKIDAgEgA4ICAQBlhahQCCSPl5rT7+hO8qZT854odjcd8owyExmXPAsuMl79D2mA
-fJU1shqUYv7qqEHFORaByhh+0Yg8jcZ4mDik4VQKIvJ5MPd9UASQjw81OtN8SfI7
-HQ5O7N1r0YzcGYGOpa2IEi7iO2oU1EeP/emEwS+hXf/7KAZRrtfRZ3PmBk2uVDH3
-7+HJzuVDqtdE+q4MI2I6Ev1ivV/ku1F15zmsG83SKFyA+eSBe2pawRHyDBjcOdBK
-gxyub/o1mBVgjDRs+RRZCHlHQ2wGXVxw+HLBVs0vDRErej3qr1YQRrdqnPzRXew9
-MrKVTbWmugeY8qGNzU0WGKISzJWqjpwbVk2s3gUp4Vl7NkL2yIvjt1jcwASzgoO2
-al/tDGHKJNPFrjmUQkCXnJ3ILWz04lqPBJ+0VXSGdYwpasQCaD7dNuYbYrrQfZCA
-vSE1J38FQBdhjvo60sJL0UbxGXX+dSdMcfn6IV+Jkph4s/qNLQQzg+bSuSuILYqv
-d0Df9hwlv7YSwLBqy3tLAiMFgF5+NaPLHcr7oDt0TvCPMMXThwcuX5jDoEd5MCOO
-93JJROVpJQTt6SO6l/pWtG2bso4yIPylORVo2qvdITXTzse5TewmQgXlNU4JesLq
-IgXA282cqR4CQqfdovi4jyM/MBrhlC1YCMWsxFrhZcTRNFCcz2PaqJTeMw==
+AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjZa
+Fw0zMDA4MjcxODQ2MjZaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAg8AMIICCgKC
+AgEAqlafkrMkDom4SFHQBGwqODnuj+xi7IoCxADsKs9rDjvEB7qK2cj/d7sGhp4B
+vCTu6I+2xUmfz+yvJ/72+HnQvoUGInPp8Rbvb1T3LcfyDcY4WHqJouKNGa4T4ZVN
+u3HdgbaD/S3BSHmBJZvZ6YH0pWDntbNra1WR0KfCsA+jccPfCI3NTVCjEnFlTSdH
+UasJLnh9tMvefk1QDUp3mNd3x7X1FWIZquXOgHxDNVS+GDDWfSN20dwyIDvotleN
+5bOTQb3Pzgg0D/ZxKb/1oiRgIJffTfROITnU0Mk3gUwLzeQHaXwKDR4DIVst7Git
+A4yIIq8xXDvyKlYde6eRY1JV/H0RExTxRgCcXKQrNrUmIPoFSuz05TadQ93A0Anr
+EaPJOaY20mJlHa6bLSecFa/yW1hSf/oNKkjqtIGNV8k6fOfdO6j/ZkxRUI19IcqY
+Ly/IewMFOuowJPay8LCoM0xqI7/yj1gvfkyjl6wHuJ32e17kj1wnmUbg/nvmjvp5
+sPZjIpIXJmeEm2qwvwOtBJN8EFSI4emeIO2NVtQS51RRonazWNuHRKf/hpCXsJpI
+snZhH3mEqQAwKuobDhL+9pNnRag8ssCGLZmLGB0XfSFufMp5/gQyZYj4Q6wUh/OI
+O/1ZYTtQPlnHLyFBVImGlCxvMiDuh2ue7lYyrNuNwDKXMI8CAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFAwygMrllm1P
+H/v5CwHWqeUM3ADiMB8GA1UdIwQYMBaAFEVvG+J0LmYCLXksOfn6Mk2UKxlQMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIBBQCiAwIBIAOCAgEAqkYEUJP1BJLY55B7NWThZ31CiTiEnAUyR3O6
+F2MBWfXMrYEAIG3+vzQpLbbAh2u/3W4tzDiLr9uS7KA9z6ruwUODgACMAHZ7kfT/
+Ze3XSmhezYVZm3c4b/F0K/d92GDAzjgldBiKIkVqTrRSrMyjCyyJ+kR4VOWz8EoF
+vdwvrd0SP+1l9V5ThlmHzQ3cXT1pMpCjj+bw1z7ScZjYdAotOk74jjRXF5Y0HYra
+bGh6tl0sn6WXsYZK27LuQ/iPJrXLVqt/+BKHYtqD73+6dh8PqXG1oXO9KoEOwJpt
+8R9IwGoAj37hFpvZm2ThZ6TKXM0+HpByZamExoCiL2mQWRbKWPSyJjFwXjLScWSB
+IJg1eY45+a3AOwhuSE34alhwooH2qDEuGK7KW1W5V/02jtsbYc2upEfkMzd2AaJb
+2ALDGCwa4Gg6IkEadNBdXvNewG1dFDPOgPiJM9gTGeXMELO9sBpoOvZsoVj2wbVC
++5FFnqm40bPy0zeR99CGjgZBMr4siCLRJybBD8sX6sE0WSx896Q0PlRdS4Wniu+Y
+8QCS293tAyD7tWztko5mdVGfcYYfa2UnHqKlDZOpdMq/rjzXtPVREq+dRKld3KLy
+oqiZiY7ceUPTraAQ3pK535dcX3XA7p9RsGztyl7jma6HO2WmO9a6rGR2xCqW5/g9
+wvq03sA=
 -----END CERTIFICATE-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub_key b/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub_key
index abd47a72d..ec6b57a5e 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub_key and b/internal/crypto/src/tests/fixtures/raw_signature/ps256.pub_key differ
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps256.raw_sig b/internal/crypto/src/tests/fixtures/raw_signature/ps256.raw_sig
index 34900b713..0a7b7d660 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps256.raw_sig and b/internal/crypto/src/tests/fixtures/raw_signature/ps256.raw_sig differ
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps384.priv b/internal/crypto/src/tests/fixtures/raw_signature/ps384.priv
index 5fe7ca12b..0925372a9 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps384.priv
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps384.priv
@@ -1,52 +1,53 @@
 -----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCUkAXf1okZ/c3G
-eUyOskibMTUv+r0Sy92HECDzGg14UtmzNn4RFhxxHRcuZinXqL+h42Khmgz8+45V
-PkooPJudpcO4mg3M03Bf+MyftapuBy3cFzVkW3+v8yLq5gS9Q4HMHUfO/D4YnnaI
-rxTe5PsZ5cWJnMu5G1/vSRmwTGGF/oSWRl3kfTgLqCKbBmtTHgB4RpJpB3X3LZtt
-kaK9E52XMjrZe5GQE4C5aWJ4Nnj86LDCz3rjpgFtWZ+9cyCFbRcRHdilKheDU70d
-RR65GnEy5M82z7Y3XT0ZcVXIDxDYzn0fAEFDcUIygo/VVPTkACccK1uJbyU6T2tV
-UhuvenwP2rGMOFWJjIkSZErefLKEyRBfpbQoU4ft+8dxNaXtC5CAfLAJ8qNC+bDy
-yWhMuCUJZ8Xcyp5tsOR4IwAf50FPkP9vH/S5gPelIidmrSzzTG5M+qiE36/uVvUL
-0FfOSrj0Z70J/aRqAr9UGhxe8Cp/eb6YxclSGN9Ii5MVwEM9r/Gdfyzo3EtVMUW8
-hlYv+3JUmKxgVySpuzcWUq3BJalnepOHQGsRzrvpQyLfXCJkYlEqitRp62afpgh7
-rsclqB/aqi16ScH0ywwhydTDxWyQrpOS+2X8AhA2v2xFFd1d4XahPgbOymuUMtlf
-v18N7IXBvmSnfwFK+7UAvhp0dPQi8QIDAQABAoICAA2rb+LwBFcAJ8REqoLxzCT9
-guGajnWxjP1twj5kLgudgfsPv0tWr8DHtreV/nEhzZo5iDyK5nmLswXMcLnhk8cO
-duMgR7dKWEt4YumqJ1eu8O0QtKC6m5XmxxZ6mkKI+OM9aXtV8efFgu4iQAcfZix0
-nDfElek/J9VmckbqzEluSShjqqWI0RSfgKmnjk4MU2o9wiCIZ3YaO/Q5w5HmwWgl
-Xs1epZ7ucHh/Bii+CGVrCsKuISZbwsNbTQu7UWl9h3MTfjj6VcYHeT39e214TaSr
-cZafR6qx+VqDN2usWTY9z7z/wsGQJRFtOotcYRkum2qn4akUcUY7gwqLftEncc1G
-smNxWJQ9quwN7jT13/qD7YV8JuDwjYZHjY6EvymRkI/smsSp6FjFSqCMWLjrZYZe
-HVlDeJyxheYkQ5vYcxIJHZ0h/6dB9lvRmqVnQiVNRVCMIp/7DnNrkt9pE/KDsCQt
-fHZNPR910MbUdmAK/qX1k8Y8jN4wToKoccT3KtfkoMp06YkkyRSEM2Yx2xQOMjem
-aGvTwEO2/h9OTWltcXqYtYZBattRMUHDDTF8F7r7z8nWmToCfwZHF9X/Bu201s3X
-SjdFb/vY1L3pH2ftrRGwui4qk2RfFZBtbh17/Jqic0oyvBF/aDGnd4oCjx67VDmZ
-fWsIzSzLlcT5J3KCfVLRAoIBAQDPnQuZm1VHJx2qZi1EDgBB9PBFAe88T7hyeKtA
-YJvngBCN5OFd9USHIE934WS0K8ykhWMymGsJUsCsGD7BDtoJH2xWzJCcO7l43IQN
-FZ3VvKlLPRWLrJ4skuvKsnytJkfeM7zpWtFrWzNcI//+445sc0+PgC7vp6sHN1Sa
-UzvtcVueB6JR5g/93AYzDCPbzoJkV+CVuzGmAsQYHSdIBkxFqsywNh1K1dE/+G+X
-ZQ4QmQ09Tkh1UGLxkDAOuNZco6/FeZIoKUxt0c5LNzDgjfvAAJi7YcoZ99/5exE4
-BVxiBrx0pGKs68vUR1hAxDOdO0N2dtHl4+ld9Gvk4ePe7vNJAoIBAQC3L8slcyqn
-2Dg1+13Z9xp0Be0HuKPcqxUcIGFPrTTWKHdFH5tNMxi6/lel05CBRl+JPeP6KHQl
-XPDoFaDPTNVcFCyz9fr/TfIYLie14Ly4/UbHnveq8Aev7/3p2GgZW7QZWWxsB5hR
-a0vU+z8uzdjwm39eKl7J92AXCQzKddCkrksrAL4gbJ9/C79rrWPqI1WJdIe6s1lF
-xDkUKvWs/YoQUgX+Vbf3Dx2XqAf7HL8Jl1sbqRtpteEWUYLZ7sHtRYX7bFGDbZ6u
-pfGloyS/RxsXRT2cjM9M/0JzAlizVZYRsIrx+qXJxkBgTYL+5t+DKMn3A3k7quoO
-/e8Cs1dqZYppAoIBAQCslUECVNTkDAkmEEAKtZTTP1jIFJ6ZxS9vwQ2iu2x+Wb/p
-JF2PrIZlyZ8l6XC8MTixfsyCT5+SpX7S0GjCNaVcNgnqcay4oxE//herhM+q0GTu
-zX1umXT3Wr61xf/MM+lENkAQv9UcaDjenHJ+oQ1Q6940TPs3b2rF2eHzU8OaU0Q0
-ruXpLNUYU2G355ybaSSNY1unPHA+L0hxPzLbNZkLxLrYtHNPNUT3535kHLY/Z+tQ
-jhW/p65IXnMEmfRgGBXSk4fC6OnG1MSnU97GnGCtMBHGmrjVM2+1RO+AYTx1pGHe
-mJQKaQ0Mjq43UKITTyN6g7ViZD4nQzq5jmnNdVc5AoIBAFS3QZdcH0nn8HbmfIyk
-fhNR+kAr33vZkrWjM92JGHpB1IafC080Zid0IEyL/rQKO3xYpum1c6EjzjVGa0vz
-GGiw28uN4jnXbjJIhgzSlfRnDSicF6Vxw9xVfHN8pQe1JSDj/gQnrwVYPYWNe7bF
-c6IyB0EhDx0PzdxZTxUCTy8Ze6Gzgjm0gj5azHebhC1vkcsznOF2t75P9KWjCGKs
-DgFmLWdldOJIl0LfbnFu5dolqPityAOnHSUZJQ5sIDr+f+u6OCgztcLG823KeOAM
-njawysFvTR8qnSxa1XJ6DiC4KEmnxKv/hx4COqZvVsZtQpl9fb9eV0f/n1z8W1zV
-AKECggEAAyxACtso9w4T1zdso7cvwDx++N9NXKCXbq/tCIMoz8j0VYwsar7Dsy3B
-UKaFFwm0JHZCRF599BAa3EWKPUTKIpnDFImfD/C6iYF1TJ07YIU6aVKZnmnoFm4Z
-2sV/yygUe+8j00USDynsujwfOLhsjLm16ctg7ANiDmuB1Ch0rBB4r29eiFJpVqSk
-0IFMjvBLDUntl/XLPNiHV87COuLWPAlgCaVrxkrB83M24SMvpKerp+XQFvEgfZp0
-qX2dhthBxT2rbykJ4/EY4SVUERDBy9wz6zQXUp99JhSexg0UAkTTRUtX3p9oRKai
-EmeuakxUPnIA/j1PIkHudR4FDqHUUg==
+MIIJcwIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAgUAoRwwGgYJKoZI
+hvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATAEggkpMIIJJQIBAAKCAgEAuLicnrIw
+hCPP4edbN4rBHtalag3RH8+vSEy+ncW10EOWHJtSmMJ5aVhmeHTVq/KMsQHppntl
+YVfaqaeF4zrMrWZFJVYgArkVHsymWdRAPxn8EC220NWSYz8wxOjvyywCmKG2V9Fk
+IxwzQGrKsE3TczUghRvXGDyVsxhTQCQtIjnVcUe+hhSpvvd5E+CGCPnzpUB/5BvW
+imTn6pZaKhvDe/2ixIFO78vjVe97RFMU9aNSKmvokz/+8TFkeuiDqxqI2b9rD6WY
+n30rzsm9Gvx7if5skBuTTckh6QUFqa16SZT+RBHLJtGBD4iDNg7NuKEJYW/oOCra
+uF+GbPczj0few1uwicR26XM25kdJWmx0NMtidRshERHuDiUrFxWq8rLPpDY4NJzm
+JrSTB8AzmIz0b2iRUOcH355TvtObToME5cDpqjrv/Fedw/aNAxydCpGJ+N6IWUAo
+tOYGKznMN4amMMVmNS/D9oNPnQ5xR9d5avh5BbpY4Zo0tLvwRvlVZNp1Euxg3MpR
+wHkDbQRnDgRTSq90k2/179bjf0AMwRVipUUdPJ3lov3NTfmTcjDsUdgQur0OCpxG
+hvN/piuSxl3VGVRlVAtceV50cnRKi+lyKDmGLAU1pB57ItJiMJczqFzu3ZyUsU1G
+ewDcRzmx/2d2dRO2zZicXkL0AC1q1IbfrWECAwEAAQKCAgAFLKgNKqkA7USOVkia
+r93aCyGQwiNTX0zQhdR/H0HeZs5GgzQB8yIAiUk8OEBLXpzXUS+Q33sHCjV7XtB5
+fYpXPyVSYZe9oR6jgWXANW8OoB/h+iMutWoyMoZ0taEQpsJ0hm8mWvIRqQwR0rar
+z/pLi2JGUvHTDCYWDBPk7j5/a3GnCIn16o/uDrOgaBUzx4CuO+DOly21gb8ctf/U
+7HiCOX1861xhNkEU2q5ayx2sBdpa4DFLKACbFAr1sHFjx8yr64NIacHykciPidzX
+a9mFaOWfTHkeCt4oJLZfEEImhoXFirQPTyYXineWej1ZXdV2mnJoWbb3xuFBSH7J
+auDQDvXhV+yL/v1+bNdO2qwdTlmfoGHXAq0tXxyPF1RRB7bQ9ZGa+tbQ30VcZy1G
+4SsdBNRXiu2u7dyB4jOD2eyPeMQ4Au2Z4MPx8FZP9fprBZMj8eXeDjD4XxBITh+J
+FSi3tHtOK8m4ql1b6cbUIi4GaxrQbwOuD+27urOT85dewyfVM8xOb1eK/ohyQdyt
+pMS2b7TG73HLIs0tv9maUW30Gzr2bkzDMlhq33vUllbcDiOMVc2DpuqbOVeUu0zG
+WDt7oNJd96CvLXEGb2HsAtwpjUh0pmy6yurj/tyN4dbuPqiSlgEFKIazF1PxuJL3
+jgq9NpFwrdxZg7TxicVbG8Ek+QKCAQEA1xcQX5lM5LhdA8YmXmGqRI4uPt+h6SNZ
+YWW/lL6wy0AIs74jKz9Q0UdymI59DpxkqSj5It9tgyyw+XugrGHz3GTSV4OhWzQ3
+Uh63LwNDDsz2K8LDOn9vIP5BVyjXxgA4i1Ox2CJs11rCi5jmw13evuOFZkPhel+j
+0bXghBylOirQ9xA5ux8BkX+OpOJJgdwyrwWt5bYGftV5oaTtWwSZWbME5S7++EEh
+Ri+wNqHz9cFqBI4QIJHxPwM+Amx8NPZ+Cmi0OjUv3EAY387W5x4ks5tJBmhzruGN
+mX5E+RS8J6BiHHe9LwJYiGDdkOPBtBbloYTpwf/sSzAr4wc+boZIjQKCAQEA29ra
+9sPTPNOiJ5c7rkb51TslFyE8s2X++sTTUvz8whg3or/mkm1C4E+mF6FJukKiVWy0
+7NJPoiU1B9Rq0dx1LqGZptF1LIvBRGMZbmtd829KLrIpu+P+cC4AL8YvAx9Oihzt
+TvQwe94J4XLx0pGrEihy8TjZyOSRrevY8WB85cR6lBLCk6bnbRbxpLdW3ajqzyfa
+MNUtbUy4Gx1FBgaJ//NLRvHh8akaPObZuse4aHdFMNEGt7lmOxQpGecNzTsgF5/I
+U61eXIyLKoA1GPy7k5ULLClbJ9pAZ12Nn1r9L1vtmm4ufkV9UOXNqbt3r5E2zvOj
+pq8gCQn1tFwSsro1JQKB/01L/JZegUOw/bxdeWxxrL72Wag+tfESwww9hJvv65kf
+agEuU3U3S9Pp2UT57/dQPNyN3PqrUK/TX8ZIp3VLvld15CGPLG2aVkcswqgig/bN
+saoIVCCxqz4wIUsxYlnFuoxXh5IkzPiXpVKFoGiVU3dGTKpzupQ/yp+SvRy9LqO4
+v2AKdLTKb8XaEWkv6TrB53T+lX/36l2qWgu9OY98F6AktZ2nRfnxbgPLH4iCqymm
+WHNKmoEZ8ZizkZVNZ1WhP6p99kb01j5Qyp+jtZdZPddN9vBWmTw/0qNWvXLGANg8
+ywVwAoziSu634Ogw8WvGzr89BMSzNDfRF/R+pfESUQKCAQAV1sGVbZJYInWjFSS6
+hRZgFgXzLDwJXgJcCp0rSzIYXat5ITLYLL5N5duL0Vuvgtr5PVkjhSif5K5F3tXV
+jt6dCTRoG7pV+HP0RRvLmiK1AcMOrGf04ArwPcGK/VbCKqP0mDcCdsMyKrY0jOR0
+lD+4CAiS6aDIkdveuOTN5VXCxSef+dUWMagfb/4E7KlWT2czuLO10hc3Gj3Xg6rN
+lGy03ggGPhTBmpieoBfUs+4fgml/FeRi76m2CKSkjA0U6+CeOCMAHOKYsuVIDYA4
+wTIo0M9RTbJeXRG0sthUkgdAYxNRGczIgkKWfJ1XVOXorLYTDKSe9Bpsi266wcKh
+ull5AoIBACMQuI7hQjRSXmyrMgTHnyWuLC5lSOhvP82RO/y1n71Usdf7csoFLFKD
+eOemGL/nVLEZotZ5I6elUXZt1LyvnkukGP4hzT5aR3nOUjTKIkX/JOkWDrCHC/Kg
+MvwdhyTZ1rnMCjbvus73eJfZA+xCarg3GGi58QjkfxfAbmXHpQDBbskA8A56XsvQ
+Z2FrM6U7HbNedvaO+2gBlGmB/HpPxc/1tF5JNPshjB7metgOXjfNGxm0gBcdk15/
+RAxTt3umrwm90bWNAZyaQf+aToCkDcps57vmf2hkdNK3TdYCX6P2SPBGi0iORzT1
+3tua228WMQ3Sc+Hm+GUn4kI+is5V1Yw=
 -----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub b/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub
index 95d83001e..28b55864b 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub
@@ -1,36 +1,77 @@
 -----BEGIN CERTIFICATE-----
-MIIGVzCCBAugAwIBAgIUSdPQsmEKeM3jhi0QB/uJFENaV3cwQQYJKoZIhvcNAQEK
+MIIGsDCCBGSgAwIBAgIUDMHaktQfbjkGz32t9DI9c99694EwQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIF
-AKIDAgEwMHYxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJjYTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRUwEwYDVQQKDAxTb21lIENvbXBhbnkxGTAXBgNVBAsMEEZPUiBURVNU
-SU5HIE9OTFkxFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI0MTExODE5MzY1NVoX
-DTI1MDUxNzE5MzY1NVowdjELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMRIwEAYD
-VQQHDAlTb21ld2hlcmUxFTATBgNVBAoMDFNvbWUgQ29tcGFueTEZMBcGA1UECwwQ
-Rk9SIFRFU1RJTkcgT05MWTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCUkAXf1okZ/c3GeUyOskibMTUv+r0Sy92H
-ECDzGg14UtmzNn4RFhxxHRcuZinXqL+h42Khmgz8+45VPkooPJudpcO4mg3M03Bf
-+MyftapuBy3cFzVkW3+v8yLq5gS9Q4HMHUfO/D4YnnaIrxTe5PsZ5cWJnMu5G1/v
-SRmwTGGF/oSWRl3kfTgLqCKbBmtTHgB4RpJpB3X3LZttkaK9E52XMjrZe5GQE4C5
-aWJ4Nnj86LDCz3rjpgFtWZ+9cyCFbRcRHdilKheDU70dRR65GnEy5M82z7Y3XT0Z
-cVXIDxDYzn0fAEFDcUIygo/VVPTkACccK1uJbyU6T2tVUhuvenwP2rGMOFWJjIkS
-ZErefLKEyRBfpbQoU4ft+8dxNaXtC5CAfLAJ8qNC+bDyyWhMuCUJZ8Xcyp5tsOR4
-IwAf50FPkP9vH/S5gPelIidmrSzzTG5M+qiE36/uVvUL0FfOSrj0Z70J/aRqAr9U
-Ghxe8Cp/eb6YxclSGN9Ii5MVwEM9r/Gdfyzo3EtVMUW8hlYv+3JUmKxgVySpuzcW
-Uq3BJalnepOHQGsRzrvpQyLfXCJkYlEqitRp62afpgh7rsclqB/aqi16ScH0ywwh
-ydTDxWyQrpOS+2X8AhA2v2xFFd1d4XahPgbOymuUMtlfv18N7IXBvmSnfwFK+7UA
-vhp0dPQi8QIDAQABo3UwczAdBgNVHQ4EFgQUZaDURYeI7Cdbo8F0d/B0PAYyRG0w
-HwYDVR0jBBgwFoAUZaDURYeI7Cdbo8F0d/B0PAYyRG0wDwYDVR0TAQH/BAUwAwEB
-/zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwQwQQYJKoZIhvcNAQEK
+AKIDAgEwMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjMyWhcNMzAwODI2MTg0NjMyWjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAgUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATAD
+ggIPADCCAgoCggIBALi4nJ6yMIQjz+HnWzeKwR7WpWoN0R/Pr0hMvp3FtdBDlhyb
+UpjCeWlYZnh01avyjLEB6aZ7ZWFX2qmnheM6zK1mRSVWIAK5FR7MplnUQD8Z/BAt
+ttDVkmM/MMTo78ssApihtlfRZCMcM0BqyrBN03M1IIUb1xg8lbMYU0AkLSI51XFH
+voYUqb73eRPghgj586VAf+Qb1opk5+qWWiobw3v9osSBTu/L41Xve0RTFPWjUipr
+6JM//vExZHrog6saiNm/aw+lmJ99K87JvRr8e4n+bJAbk03JIekFBamtekmU/kQR
+yybRgQ+IgzYOzbihCWFv6Dgq2rhfhmz3M49H3sNbsInEdulzNuZHSVpsdDTLYnUb
+IRER7g4lKxcVqvKyz6Q2ODSc5ia0kwfAM5iM9G9okVDnB9+eU77Tm06DBOXA6ao6
+7/xXncP2jQMcnQqRifjeiFlAKLTmBis5zDeGpjDFZjUvw/aDT50OcUfXeWr4eQW6
+WOGaNLS78Eb5VWTadRLsYNzKUcB5A20EZw4EU0qvdJNv9e/W439ADMEVYqVFHTyd
+5aL9zU35k3Iw7FHYELq9DgqcRobzf6YrksZd1RlUZVQLXHledHJ0Sovpcig5hiwF
+NaQeeyLSYjCXM6hc7t2clLFNRnsA3Ec5sf9ndnUTts2YnF5C9AAtatSG361hAgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBR69phFrhyabdNDWl0CcUVJrOCioDAfBgNV
+HSMEGDAWgBR/I6BntYxiBW/EXOg6zKRqbZ4TtTBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAgUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATAD
+ggIBAKCodqniGAZRqQhE8hv1akD3UjgYEYcFiBaCIny00N2DcyOhTyDf6SgZbiBm
+Ch8xDHVN+0EnyCohFf6raAQMHXQSpRFpdomJeXTr2czMVAWA3fvZknfg0+SAx5GZ
+xGQf8rEEXL6HIEJk4wcSCRGA9NYyxUxh/i06EjDlePdkOrhXHvGoHb6M8vkyiHxU
+DLpsagZ6NIZ+LXAv+I7H8mgjgpmMqYnpN12JGhtZ1GptkIPPftZeVEOvOMKkUyTP
+8bYEbOamQ3yuzNPM59xFYxmDYiRev5r7jvAM6+G8lLOPjhPrOjy8iYMWGOsPScsp
+y9+CClDw+Nc37iG0W42VjSRi1YbcJ4xpYc9PcdL2h4qa3tdl8EVNMo9LzdsT1gJ7
+B1EU9jhQ+wDYs2SpKd9+tMaKV/69sL/3jFr5oCUlJaxqeySmwEr34NMbrAEyrvMi
+dt/uJBVAImZqnn6zRiSPUYu6AN8F9TCdlJUI0QlzbvumuQIKWaNv764oOxuhEMFu
+eKo6Y2NB4kZUN/OOjG8KcHAk20jggrtNPtHRa+H38c41zfpEW3dAYVZcj1dCBBWT
+CtN/zDE7Nzf6KKtAT8jUHP6fN1+3ejwuB3ryOG9n3+JZ32YwCcBYCToW1HtbE8R1
+qLThn5LCKmYBJ6kvqWzA4AbEH5iZPBxFV/FGTDONt7R63wNd
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUU5gNA/JoZpnbJ+WDk1iyAYPKMYswQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIF
-AKIDAgEwA4ICAQBtnzu9eyNvp7y9FFcECt6tySjvpyWJi4qs4wAVOJ5xRDKmnqLa
-H7SSWiiJSreHs/yUe4nS084xpaRGpVQLH/sggypTRBRpLDXRdmcfVSRFgP6sEkpN
-5amOybDJHZ9GYfzOxJFBnuwrqugoojEPt4QBWVkL4iG1yWTig+gGZwkg7EGJHZy+
-ix2UK8TEG83BPvBDJv4+aoTFs5xt2Sfa3g1PGChTqUnE9izsEtAZjfQnD7CP/cOH
-vjBF+NOyDXFTNcemh2ywcT9WpmmVeiHfwKc58NAXCgP3CE/DV4tM3SBFahzv6jkz
-4B0XPocQwMHIl5DfxYgu5lnuvhGKrnrs+DE9dcHd6ohbHAJhan0noTXzsIQr3ctf
-sh2KpBFh3eKI6nklcAsWlHiIqNJyZdpgKElsbZS9fHqgfIBztue23zDSWENgObIh
-73pmJvigTqb/weaC7K1UYyYvSTZhv3HeFZIEzQa9Ewxc4aDmJcypn/FemGfvcEqc
-dnsM9aHU/S0wqNxnNwElMf672juZmFSyra2AkXzRr9IrqHyiqcxcOfVsHzVLZxUQ
-dTfcugAWp3ERRl3GRHWNbr+Xc4Gh3JE+YBIJEFBn1sEdiniQbiTGfRP8ABi9DJVn
-v7WRXCkkmVr3JTjKMqwsRJ7hm6no678Iv4hpJhpFU1ksbbaCbuB71tJuHQ==
+AKIDAgEwMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MzFa
+Fw0zMDA4MjcxODQ2MzFaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMAOCAg8AMIICCgKC
+AgEAvZhs1MRJC2oySyZBB8f9CeQJXv2FMe7HIy+MK38QVURNVra6OsAoBTA+TjEX
+tqQEG+ldjusp+npyIcMrjxrMfUw4LD2xlqwd2IX7CYBT1R86Iw19stZZLK4v/tv/
+2Z4ccwcVlVMsFx+BgpDAJQg1fk6vtgKWZSvrbvmzA0NFOleGRik74tEEN3rSpmo8
+5XKHuNbU0o4MLuZYOWA0AJQ8pvVoMOF2MSIpa76M+z91z7ijJuqg7+CAm9Buu5jh
+M0HIO4Daome4hKGKoriJ4LtE0N0vowknXMDNR8k+GrK8lbYePlDLslkfy7G1N0JY
+TVyBm5EJddHjLpa4QfmBbFzjIAQDGI/CNsh+aTgymtoGe8R40VhsOlZqzTvEbJ3C
+AvDeCeIvIoZHhx7HdWeT5rFli1Eu7JpT3b75G4bF/y1f284mdToY0sNpNNSC7FDU
+WILqXR6KygJdecryZzKozLiJZrVdkgw5yqzsVtcIFVYeU5wAH6Lpn10fwPjPnzs9
+CJVATpAAXRcN65B1E7grusr9WfLgwLlRPhcX/VT7vgmy06Gz0CpnCIMqOMv7Ujli
+PM1ggDF3ipJGldYce1UuwnJEUYox1JHMw7RnKON9QFFWrFzhDzOk7Jar/LnnLFkk
+ZfCfc60bumccT9LRTTR3ndRcbwDvhOCo9oeNZ6PQGYzRhFsCAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFH8joGe1jGIF
+b8Rc6DrMpGptnhO1MB8GA1UdIwQYMBaAFNaJw+8kdbivOaNERXlQhEDNdUufMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAICBQCiAwIBMAOCAgEAjIveqiHq0Qir4hIF7+Coa05HNMLpMi5FZn4F
+TbgwoRzGlYNPKB7CafyACY6UDw0buz8VUY1kXht97HXgQYPGxP2OYXgqaJO7Wq6P
+XCH249b+vnWiHUGM6PFCkWeQv+TUAzp7wz+IsctsGNXbjYkhGpvcV3H78ccTgr0+
+A654H1ucxxOimiJGokCkw5gvaTsfE/WLJVQusYGeMNKURilgyQ85fW1n1DMw4YjD
+/picdkmU5y1A0gEDeGtFr8ODeIZCbvyZ3xls52sQCFV04jX4UTXro6D5u/zbOxyf
+T467UbydAkYDaIy3d/xKs/puRP7AwzQ4skCLTVTonmrHkqeJzmhrRE5YkV1GCStE
+I2jfFoqVI3JWv37xOXKx8SBGlYUALBSxXoLInU5VWza8aAE928jeqbpNPiAV/Uy1
+UJGqROzZAks+aJOQ1qqFNVhiBX2hz+OCopXYv+brWSRcg0oew2B0Q1mC/yM2C540
+HZDfD0fTZbpMhHb01d9dO81ilTSRt0x5GQVs3fYSDE4uXjAFv/3pULE4BSwxTsVr
+x+GF2ilyW4/m9H2Gsf2FZLFlGIXyGCr9bW85ajUzq/iMCnNCBka+3RQJgx7MaLf8
+k/E/+nklFqHDgT4uSoKiVlD8VawHFLddzNb9F9XmmiLnAStAt59obeK5GBfGjxCx
+LxWpjig=
 -----END CERTIFICATE-----
+
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub_key b/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub_key
index 15d7441ca..38f5aec66 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub_key and b/internal/crypto/src/tests/fixtures/raw_signature/ps384.pub_key differ
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps384.raw_sig b/internal/crypto/src/tests/fixtures/raw_signature/ps384.raw_sig
index e7790f89d..5b097bef1 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps384.raw_sig and b/internal/crypto/src/tests/fixtures/raw_signature/ps384.raw_sig differ
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps512.priv b/internal/crypto/src/tests/fixtures/raw_signature/ps512.priv
index d6fbb6ef9..0e1fc5c84 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps512.priv
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps512.priv
@@ -1,52 +1,53 @@
 -----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC34wktIzq+vQDZ
-6sKg4WrQU1clnN/KGCFqgFrGMKbpDgCj72lc9/NB091H1T/cwPsjjc31v4BBPAB4
-NqABJNKJoZmeZgpa6jiK2CFiIW2AZGrk9k0Jb7yY4s07wQQHD0po3gN5sWUIuJkJ
-qjjKIJ9okP6lKxUfLsW0YcC7COw4DnH1WYcwrKvretjReamzP19EHZRxpRkTFFC3
-7ZgFBBrWSoJbt1kLRA8x8P7pCh2FFV7DOPHyNb/1pFKVmyRqbMYcVkmpggveBLWi
-sx4P3Vc0meiWO1KMuTbSbQh//zDSgO10P2iSv5uYfY75lMYgOHXfEazZ7RrvPDm0
-2kAeE2vhVVq4HVQAvzDGpwEeCxT/ZZEVg2WdpzkW/QsDPnSLEg/FVg6x5fsh30zP
-+P0hxKkq/ndyHq0IWG8uvSmLcDELhQaPoceH3bztfkPTPpTvR82HgHVLyy8Ch5yO
-H0gneakMn3pRAWtu7+UO9u73XfEL4TB4n8hCWZfSo51sx5qzrB/SyGZvWvu4A4N3
-sSi7+B/4T5uvxZGHHFmgjHiOaVUSbElJxJoeDHK4Trjco8FZpFh9JGZlWfUUuXiv
-4niIRvEd17FAY3WJs/Wr8boRDOFazTPpwK1o1oZVMyjq4P6D98ehSBTUmbj+8RGm
-oXrAJD9ZlXyF2yo625laSWsaU/gqfwIDAQABAoICAAspvrRdR6MtoSAZhtAybwQP
-kyJG6DUCCwFGonwWlwNd5L8O+SP6L2vHG09RjEtv8a8CXEb3ZadQJ60kj8kR/a/6
-PfOmOSm0v1L6dOhapCWfsveMVjfk7xuO5Suj94UgMgG0vJxGHx6M6klyankmytaT
-usm3GFSox7rAFm2kSIbMpbFhynmzecpVTlVFH/6wMa3WZ90QSznjyVSpGUnwqlpo
-8onz0vWCn7OF8EugYBNkrTiHu/Rau/kDDTpkzSyixtIQkO835FWJjqc+XWxUIQeh
-8kMwfb3qPoA+uz3d9Y5J4mBkuwnxlNYIhUX0eKSbGNi+X3JpWPG+A7jNaQgKYMmW
-Hul6aFPMHMO3wgQJGE8dEacgtrZNgetZPxwu25i18oR9z3QuF9NKodDlWYkFJElM
-NrhKvf07mvl0fK+EfuSfcEZv452/hjEBkTlfe0lymlNjwepvQpE01by92iD2BVPx
-ccrCYQ3fUmzy5mb19ZGBZGMLJ/IeEuvNDNDhVwIU3hgDFw6Y8ijl8ERDxl8Jn2Dj
-amkTaFDo0KuWGYQXy5Wxidv77DHfxaX5URBuz5S9vvEPq/UXxkhmRNTmyrfyK7Ya
-GVjfbzKu3vfM7ayCUTytgl6385qds7Q+jzSD4eMmOqhPkvyr61vJlciu1yp+/z8T
-cQzMk8ew/3QE6OE2RXWNAoIBAQDyJgwMgD2loy7elFlrk7uK8pXQ+qwmh7YTlNTf
-QeOrpIHkYm1d1/hsh+UmxdQERlRnyHXD47xp42icJTsQ6ZNqgXfmIdl5sM60L8X9
-26aN5hNG/pbzFC+pHZfIzhO5f4XG938vHmi2l/vcSm63p2TMcjrD4wh+daCA1V+F
-rY0DtB8hVqVwDj4Csn7udeEv8VqMpWLaUQPxxA5Z87Pk2qXbxIZur0eQ/hIoaf+I
-YSSYKXoWgsZ0yLZyXAlbudXvLNzFUlHdce/Q3yi12ywbYeada2JqcqU3j66hYDPo
-HrOMwVuKQt5M8FNrG9SVnoii3zu70QuQyZGuDGX44WRhICW7AoIBAQDCZ9IbEhmd
-4FpETsvSmwWr60hutDt0QoUYiIY0vmigu9xPBrTYLumWeWfVoXuWJ84H1ahBzVHg
-ssN+RvGcelOx1fOHIzYOFc1oSjwdlKTHsE9hkE3AMz7AUkTl+foArrmY25qRzmAf
-eq2sjnjcj8J+sg1fISWFfJwdh50oMflVkGs4MHbhEPDwr+KGwHGTrmgLyEsxfhIq
-pLsam56fpyUqNI3xTRMpmzViwjAGTTjKcUzyu+b61W0CeOEa9TbnBcXclLoIBTPE
-CAYWfMVZoDTKRk9mS5YTmhe0Z8Xc02SyEyOXUnomj3xDzt++dj04vtx2ePueFiGN
-GEtRq6U1fsANAoIBAQDbDVwc+u3Jp4NAywbRcIVZvvWUZQ/SkzY9JIglpx9kKJ9w
-kTHKkRMkaxL7Lj8L1uuILymJmbzaNWRuzKdQN1yqHpDuWHS5xx5WllkPuuJCv310
-3d6D6yDqZeDnQLVLO3czdLVTVLj5ZSfsMlFSRlXDNRrAFeObMqGNqniNH2DPluQK
-bq2eXuPt4Lc+1NhvXHDDhuGUCXH+BZPN/84fG0SrOG88NcgR/CVE9g65utc151+Q
-eaE6CFAzx9qXZdeIVBcrUbrJDscZNqdHTAvsgXXzti8DiM65InuhdLvAIfXfQROk
-UbVz+HweCsEW0KFeZX9N+l/yDMaCoqikqpD54/D9AoIBAELh2wwLLxr8u7FydncP
-dGUQPkwv36CA3i9xkNKGi5J47zOU+BTEFwL447tAojcnnJ9fZ1K0I64tckp4d9lA
-0JiHJhBhEdDIuXFe0M3QfNxikPzc25L7TmR2KVQBq3weoKWxL71oBfPujd+m6Hfh
-UaWq9iS7T6BcHY2fQXc5sjE4zVp4ef22iV4U9NctUCXhw9QB5bSyTeez4tcloO4G
-YCfkCs1wmd4fkr9WVZVlbdtgHXwJH08+rBFEqxVONcRHXSolVNc7ivKvXADSjkbm
-ciMBC4IDES/PPMaJSS5O3/7PzNfbvUCU7siZXKq3HRrvtwNfXhmmPYbAS/FeHymH
-YOUCggEAD8Mg5N8KfT0yUIRhjTJPy7J7ZMZotO/cu3dnymHo3keu0vrVyH5afbZo
-PUP4LQp3lKzxR6bacgEYdtzFQvC1Mvf6G1RUWMLj/hPahqwc/oORMYZh2JwqvIRx
-d4C3V+nWWyT4A0KcICkP7oE7KkXwe/0NwOzTJK31cI8uTL9ljeQ1XcGyPVAEEjlF
-O8Y1rqWYbDuE1bxvJIzMDq4cWsLNH5aWdU2wWuFk5c1UZBpq+5OWJ2sPg5nWL2Ig
-/egk1lMYaYsJJ35lk9qYAz52V3HoYq2T53EMx3GuqqmvD16De15aycPGHTnDHhhW
-rgQ9XXObL8vHzpW/dBMsd5lIiuL4Jw==
+MIIJdwIBADBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAwUAoRwwGgYJKoZI
+hvcNAQEIMA0GCWCGSAFlAwQCAwUAogMCAUAEggktMIIJKQIBAAKCAgEArYeMExYd
+i0aS8+9II7ZnmvJS5dUXMzS1sgqsZcciklb+c9ruuobyRqYr88WwysLNpbkl/wjX
+bVV7X1VxbnL2cZ2W+mFufcILADwq5C86gdLzsAAZr7w59SgLOIJPYY89Ze0dqeJS
+wuWmcPmRGaHOyhiqNDXf/GenPIDrnacV6WS/3QhuBRYb0bEF9fJpPR1h0cWN96To
+cFq/r+fKBE+S6T3K+uruMVBq5l7RG/7961/+3CWEgMjmgatDg+DBALi7uYiAw52j
+2nMvnhcj4kLo/Z6z5IEcGoGbNoEVO1yBLvLfLQ7KIdmR6I+fOkIQ6PGLC0y9cABo
+d+O6ZUNYsfr9iSleBOCuk9htbBJKNfnrEFN0Vz74OUobtkQKZsl/Lwudn7WLPz0l
+FvhhxhXRkrv3DOozI536SxGBW+R4NDDUrGAQonBjm1wmoI5zRl+PGHHuoslX5861
+wDEECy0mMkf0Nkm+gCwQMyJ1L++TXw6Elo/O4sgwUoGgsL8FXm3L9lVFb64AAOSA
+DZkg+zCKwEGsCr+QrVd60mWFUYpmwhZlywMfbPYeqpOVwLck3wWVungC8gGgrBIY
+vTkBaCD25sdcIKUH3FEEaoHMEa3uoBL6y9GLHGI0clRKwPeey/BxhrsN08PYDwDU
+4Zx+hCVC+i/MsroaHrXzE/no9eQ+2PjHwBUCAwEAAQKCAgAUGXoxD8O2SSNmW9Xo
+RQ11FhJiCq+YP8e36qKTW2B2wNrSQo6aTl0rr72xi7lxkuTNCEgNZVHGmTskDLqJ
+x4kiGdXOBJEOwfYSPeXd7laBiRSu0yQmhc/UxKGgFv/o1fWPo8pmzg82AfGobk/P
+Pz27jOXSDFd4Xe0yBeDErwDLut66VGqh7jCktjNxjHWCHbAh4xcRkylVMj23u0pb
++3eRypWDQMj8L0tiiaMA8iUpKUJU74eMfzir1lGIqfTRB5S+5b+8aLr855ChaB7A
+620fS02c7xN5Qn/e7U6vRIS2Em2lQ2xIRXIwFMqlrddVk/y9/1KF8ZYoJNmHNyjD
+3MWW90qTbpQoOlaXj3YYwP/+pUSuRPiDH4zjrK57A+eE6c5xJPJ8ITfV0o1iJvRE
++x2JF1SjXhxVuh0JL4SedREOtC5aBuEvrSmRH+MIOeIVnESM0BTCySB4Z8M+w8A2
+Nr7Ae860thyYY6aNIbHQS9IxhwS5I+yN7HToYNZahRila0Bc7S8pPLcpDp5J8/ka
+ZOtQi3KLp48cGpl4J+8NOxdtQuS8IdML2hhkeSbFN1Vr1yNpwlGw909thwYogCmM
+eJlZX+gDv5GalavVcOERUCccA0OgF7QQkwV+O9fC1k96gv4pAKSeI59f104Rz+qh
+mF3rJomR1H8Z2aEwVr8Lt5VNgQKCAQEA8ZPyC7YG6ZiX7dstj7NnnJJeNPCmV0VG
+DhmMHOpSJras5SLg7Nbgssb8LBrR29txXCteEiExf8kFTE6HXgpgDcB3o3f2/9Wb
+UWElwaDLMcvz+/neScJ3cv9HP5GmuNfRKsFfEaAasMPUgjF1/ya5hLX0A/k7hgpD
+p1B3cg3Ugnrv/qii1vaT2uPcC07fVnhVkyhMA4mCewbmnzfxjiHugJy1tEK+OrSd
+8D0dTesZw7O1SgzVIEk6fS/fCEu0z5/KwLkMSpDBCKGn002namdMjsolJ6vvP2kJ
+AqMfxSB27VDqJPxbl0cOx8qvO6YB7bqIeUGKp4bgb2oh46ATnpnqIQKCAQEAt+Oc
+sOZhNbEeRCVfQFcrWlUoB1bJ81fUjfSkOvsE+y6L6Jm0SVwJm6lmuAYkaocuQmVv
+DWR8vKAL+lci1bT1X2Vwq0pSGH0wfcg75xFs+RtlS8ehyaNFxET1VYTUtUmtxxjm
+h9QjXMkseZeqwAfsLaf8M1i3x3SsgKpNBHi+gl3EIGG03O1XJkzAGhpgzMrpQGcy
+R3j+658A4Fm0xcF4z3ggJ3sUEcfbdz2bIi36ORtOMfsgh9YGYKOV5pYyiTpLzLi3
+00fIHojnnvzDEDrdTgejt3EzBH1QLSruTMKmkYSGpZUFuZBnmVE35LVNJE8WTpTH
+yXWH/s8GdLgu693fdQKCAQEA19lF8trQsFWsolUtD3HQSSCq1giTx/RYlO6Ut51S
+i867Cv0wFc4k9PhAhzPrgNNBJYaGRhKshK3bcwPThd4lVwQ6oa/l3U9BuOPhdXGz
+PKosNV9cE3GTgwe+5HjCi/Qhq18eD8SLNJe1QCLreHBkYMSm5AoD+k8fhdaq8xiS
+YYdw+ow4+3NURsdDbEMr4LoiVBs0WBC8qipPU8ILreB5lybuX8Mm75NEb0xb66v9
+2FOwzxpKL8/eV863LFVgmAcBhVOSPOm74Hd4WZ/Pz42+5PKPYjQI0BKMf3O7Rkos
+mPysSSHGwJM4DKH4EobQwFXj7Nv4BJnJ3SLqZtU30oVZoQKCAQA1qwlVG7etSucR
+bnLRPV+aupW3Jp5EFhMj5w1zZUV75YbRuOJEMsdfFd6zwJ8qNA/NMvtpRjWde3xj
+cMDq7Chc0idC5qr1GLxpSWIqOwy520QCDN5sEenPsWyErALEch90pxDI/aHgd5oy
+VpBwAR/t50QU3ESuwp+B4bIepvq645DU/o8hl2dC901tkNtFicbvk+65q1eC/uHr
+mGLJAIE4089WlnYyBklIEMPRAugveIem0Ksa2dz8oWGjbZyMLmZm9lY4JJAEUWKA
+JTbs6rEiD9q5NCF2ovgeZpQr9PdWKv59HvQPx1RlC64rYrqD6U0SXBu+8T1ioZs5
+v3N6RUPtAoIBAQDwYLoek37M7yJiso8+y8FkseAoL8SqwStOTadBn7MYwEBS/PIH
+KO5kHDDTWmHOV6tF6XwgiKoXKwmZqSmeORGFjIHB+F+Mpw5QVZMviSqTw9YPZ1LM
+bqiuxqNHxt7Nl5yoiA4o/JS+AcNKhBy4FZRmT2/E7z+CBH/RW+Jmpw7w4GtiBm88
+zlE1+uXQeOv19iE3ENxrklHL6GjiFZDTaDEQpj8bhpgwwlK6ZMdtFbMeoPAe314f
+mqOa1nLOckDQj7f4MGQRgSZMSGe5ZgvfstOYtlxixiqKh0QmW324WdEL2Ho0KWYn
+pH2QDGsL0MKY4ZOue7YfmK+miF9PZ8cqsHUr
 -----END PRIVATE KEY-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub b/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub
index bde24e2f8..029c3e3c5 100644
--- a/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub
+++ b/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub
@@ -1,36 +1,76 @@
 -----BEGIN CERTIFICATE-----
-MIIGVzCCBAugAwIBAgIUF/f0rGHApMMJ6KcNPoAd3b1V5AowQQYJKoZIhvcNAQEK
+MIIGsDCCBGSgAwIBAgIUfengSNBGhz8yc6qH3oxefoKqrRIwQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMF
-AKIDAgFAMHYxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJjYTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRUwEwYDVQQKDAxTb21lIENvbXBhbnkxGTAXBgNVBAsMEEZPUiBURVNU
-SU5HIE9OTFkxFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI0MTExODE5NDIyM1oX
-DTI1MDUxNzE5NDIyM1owdjELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMRIwEAYD
-VQQHDAlTb21ld2hlcmUxFTATBgNVBAoMDFNvbWUgQ29tcGFueTEZMBcGA1UECwwQ
-Rk9SIFRFU1RJTkcgT05MWTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQC34wktIzq+vQDZ6sKg4WrQU1clnN/KGCFq
-gFrGMKbpDgCj72lc9/NB091H1T/cwPsjjc31v4BBPAB4NqABJNKJoZmeZgpa6jiK
-2CFiIW2AZGrk9k0Jb7yY4s07wQQHD0po3gN5sWUIuJkJqjjKIJ9okP6lKxUfLsW0
-YcC7COw4DnH1WYcwrKvretjReamzP19EHZRxpRkTFFC37ZgFBBrWSoJbt1kLRA8x
-8P7pCh2FFV7DOPHyNb/1pFKVmyRqbMYcVkmpggveBLWisx4P3Vc0meiWO1KMuTbS
-bQh//zDSgO10P2iSv5uYfY75lMYgOHXfEazZ7RrvPDm02kAeE2vhVVq4HVQAvzDG
-pwEeCxT/ZZEVg2WdpzkW/QsDPnSLEg/FVg6x5fsh30zP+P0hxKkq/ndyHq0IWG8u
-vSmLcDELhQaPoceH3bztfkPTPpTvR82HgHVLyy8Ch5yOH0gneakMn3pRAWtu7+UO
-9u73XfEL4TB4n8hCWZfSo51sx5qzrB/SyGZvWvu4A4N3sSi7+B/4T5uvxZGHHFmg
-jHiOaVUSbElJxJoeDHK4Trjco8FZpFh9JGZlWfUUuXiv4niIRvEd17FAY3WJs/Wr
-8boRDOFazTPpwK1o1oZVMyjq4P6D98ehSBTUmbj+8RGmoXrAJD9ZlXyF2yo625la
-SWsaU/gqfwIDAQABo3UwczAdBgNVHQ4EFgQU1VOPm18Ztfu+QmWezExxYaBR5m8w
-HwYDVR0jBBgwFoAU1VOPm18Ztfu+QmWezExxYaBR5m8wDwYDVR0TAQH/BAUwAwEB
-/zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwQwQQYJKoZIhvcNAQEK
+AKIDAgFAMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNv
+bWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0ZSBSb290IENB
+MRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9JbnRlcm1lZGlh
+dGUgQ0EwHhcNMjIwNjEwMTg0NjM5WhcNMzAwODI2MTg0NjM5WjCBgDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxHzAdBgNVBAoM
+FkMyUEEgVGVzdCBTaWduaW5nIENlcnQxGTAXBgNVBAsMEEZPUiBURVNUSU5HX09O
+TFkxFDASBgNVBAMMC0MyUEEgU2lnbmVyMIICVjBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAwUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogMCAUAD
+ggIPADCCAgoCggIBAK2HjBMWHYtGkvPvSCO2Z5ryUuXVFzM0tbIKrGXHIpJW/nPa
+7rqG8kamK/PFsMrCzaW5Jf8I121Ve19VcW5y9nGdlvphbn3CCwA8KuQvOoHS87AA
+Ga+8OfUoCziCT2GPPWXtHaniUsLlpnD5kRmhzsoYqjQ13/xnpzyA652nFelkv90I
+bgUWG9GxBfXyaT0dYdHFjfek6HBav6/nygRPkuk9yvrq7jFQauZe0Rv+/etf/twl
+hIDI5oGrQ4PgwQC4u7mIgMOdo9pzL54XI+JC6P2es+SBHBqBmzaBFTtcgS7y3y0O
+yiHZkeiPnzpCEOjxiwtMvXAAaHfjumVDWLH6/YkpXgTgrpPYbWwSSjX56xBTdFc+
++DlKG7ZECmbJfy8LnZ+1iz89JRb4YcYV0ZK79wzqMyOd+ksRgVvkeDQw1KxgEKJw
+Y5tcJqCOc0Zfjxhx7qLJV+fOtcAxBAstJjJH9DZJvoAsEDMidS/vk18OhJaPzuLI
+MFKBoLC/BV5ty/ZVRW+uAADkgA2ZIPswisBBrAq/kK1XetJlhVGKZsIWZcsDH2z2
+HqqTlcC3JN8Flbp4AvIBoKwSGL05AWgg9ubHXCClB9xRBGqBzBGt7qAS+svRixxi
+NHJUSsD3nsvwcYa7DdPD2A8A1OGcfoQlQvovzLK6Gh618xP56PXkPtj4x8AVAgMB
+AAGjeDB2MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwQwDgYD
+VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBSUceH6x+PyygFBhvfOHZevhww0XTAfBgNV
+HSMEGDAWgBRmF7xQwYaHrt9PiNXcFdcau13BdDBBBgkqhkiG9w0BAQowNKAPMA0G
+CWCGSAFlAwQCAwUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogMCAUAD
+ggIBAB1/NSEhbwxNGPbgBqojcV9Mi84UhQxbqMt96IMrGO1ojPxrYEseYa7TFmVF
+Qsy7Zc+SzIFlfPMVDp15V94qnFTuIHRWZXfWdsK+zubno6odrWR0dPkKfCaHh2Ut
+NhARYBU6E9vHT3F5Rm6ogcKw6GD8Ze+5dPHnjI4k+HjbTYRrRq3uSSsW0VBgIJ9x
+c4ZN4PZQXYzBOAL2lFccblJdsRSf1PkTkw/pAY+kD5Nlwvr1k1k1kgwmqrUBOJ/l
+2+CSB7CX9HmjgB0+Isq+WbBC6+gkirJtzC+M2JxqXvfxEO9ULVOmx7KyxnehD540
+j8Ny/GYUkiRFKvQ9RYmcLE96fu+q9PdLRtsYkOuyKNf20HTrLdEYGeBWGbOrDT1Z
+WBE79GUs9c1kZOEZolQLWpsrTkc1ZH0Mxs/XVaDjBlqgjAcny8ULDtbf5MYz6y5f
+nuY0J0CjF8MC+hv6W1abYf3/1okfw5d+cQ2LUT0bTaeErkIwez2GwR8ifbAvPHT5
+QDH5yMCWWRx3Qg94vjCY7Vxnc8Pmto4Q9tUEu4HfdAyBtkrv2IrY+gCue731PUvg
+v6GGsvfpRQQqWxb9wF3uTwT6pY/1E0HkgCiJOxTtmgAV5cBUKjKfk6FEmjWb/zPd
+Ks/2NeBV4JH/iteq9/2SvhZwc8OSWcBlrGl6yC3iOWgwwbXY
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGkTCCBEWgAwIBAgIUeRpit6o3cGi4HKh0On6yd+Lp4aIwQQYJKoZIhvcNAQEK
 MDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMF
-AKIDAgFAA4ICAQBjphfzAlkGQIvEkOExL8QhIRsoiYN3C8n1L8QSu7k9xHzI/nNv
-AmSxrTQ20aNZA/EgX1FPIdSQz4rBe2Pwvm7HCLlaseglH9oQRQ5CE3ofJFqjejOx
-l4SL32qRzhbdCnWModsOY3xJvBu+WoWw6xhe66qMOYymfERKhB3VyvbAA7kr33Xh
-FMILoczlEcaUT1YZy2JaoPRg1PO0i1bgYyLS9JZfEApN/7O+8Ysbexdl2lgkJ7pd
-jzkN8PeIRsvToiHwGnbdh6yODdU7w3ztioZp/xpX/MjJDxAks2Eqz+ymW6UXdfsU
-fG7Wjao1ZSJbztvnpjDrqPYrlCDYXLKjMxBgj2MeLaBT5ljp126eDLug8il76e2A
-2X/6Ts+d8+jbyv3BuRDVug+k98dkuPuRx6cn3bqcSJokFdcNhFLpriGlTE+DO/HA
-tCQdWkLvih1lrgnN3MdB+Bh08Sr6giAnCv7mqRfJPtwapMrHZ0ICMY4cdOUdNosG
-CBWvs46GzwJy+LaibUdlBZrqZmEZ3p/Qt1bVcLt4LpGQ5shRbU8HgWlvIJgs7G24
-38S5UsR86VWZty8LsN8kbEkLPBFR0exkVSRlruXh+hImmelcV1iVOR3boUpylLzE
-6MW02bf5NSUcMRnmJ8llf4sHYfrlVTousrkomZLHHlGfXtv2CuWER/Izmw==
+AKIDAgFAMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
+IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MzZa
+Fw0zMDA4MjcxODQ2MzZaMIGMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQ
+BgNVBAcMCVNvbWV3aGVyZTEnMCUGA1UECgweQzJQQSBUZXN0IEludGVybWVkaWF0
+ZSBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElOR19PTkxZMRgwFgYDVQQDDA9J
+bnRlcm1lZGlhdGUgQ0EwggJWMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAID
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIDBQCiAwIBQAOCAg8AMIICCgKC
+AgEAlYmBdw9uEwKH2mjH9v4CMFnh1rVRmnx8bMtyh0fCCTJw4hEDpkJttorWq3qd
+aBZps/vPw1YlC+f+yaaxd4dKuW2zcNjiBlV4ho6lEPMkqEmVlxIuJHiMkgPD8Cc6
+Cw7olqdb5FBy58+InQIsoeF9Mt5N3UJdPLQAjEWW7f5UvZbWOlurQUQAN9IbOoAa
+6ZdB83YACY7KT7MEQWALakfXca6QajHz6FWFe9UYnWQzh3x1VjnJZX3tSe9p4Kpm
+CQ4phiIVbypnH7sq5P095EKtZXm+O0JikRO3trd0tl9rQpj0I2LYwkC2x4phyZfI
+uEFiuEoViPGebCcm3sWrj5cDAh9oF8G5iaZQWsi0Wa4Sw9bOhUQ2UCtY+JP7lrUU
+j9pef/PDPJMgL+mVrW01CjajPF+rWre9nze4e7EE0DS2WzuLq3+q0PpwOr+cnWeP
+lc8HrFDyoaLeNgjZgFAlft+nUES2opf2Jm40Y9zIy2oA7WxZZBwUchvuv/mxKE1l
+BI67hvtAr/R19LevojvvrwUiippx44NmBuJ0ZkR+8capC6pAeZcS7t2eP+Dx5sY3
+vpuPbzhSoqBrYDVMbtSomQyLNJhuvomBVclxjH52fIy/jUo2A/iB1dhC0IVWBsqZ
+c3O4Qex3bmweEAcNQtyTsSGGClKSt0txXoOlpgOyWHyXp0cCAwEAAaNjMGEwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFGYXvFDBhoeu
+30+I1dwV1xq7XcF0MB8GA1UdIwQYMBaAFKGv/PJ0o1k3/Q67ytCJqJAEVzGMMEEG
+CSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIDBQChHDAaBgkqhkiG9w0BAQgwDQYJ
+YIZIAWUDBAIDBQCiAwIBQAOCAgEACoGQ1TDb0jDZ8VMta+LIJ3v8VWhh/U8k9zu4
+bo8sLyxyZ9YQCPE+t2Hey4tBUO13AHKkpFaZ0mv9SvNkDK/vG6mszpc4QY6RkLGI
+GVhxbvAbE3EtO7uBv091V9Wnmm3LdeFT82/HnOtFhlog8XJXmC74B8ccvna5Kd+d
+adusSCGc5vH2QxZmwprfD41meAmFUCGPJSZwHRBSgDdgB+ELdz0ibkhcSEu+Rq4y
+X+dUR8Buv3IFtk2Zpo97sPMdFCamahPE2NZPgFo1Sts4Kqy8G7tEAiirjbB45Agc
+HJqSSxu4GWzYQJ1HVhVWoOVQTI/l4ER7Q3IMooeLIJHpSdyRXbbGvU3VBdcc+Yed
+vK8EBOJEFHjCS0icKJhEMkOIkLdHfPLYAQCviUAa2bHOlgSDnOczu/mAHhUFrAD6
+75RgvfXL0gdDMm1g1HdSOwFXQSYnV/ZI4B2Zymf4j0//ojxMDvpmUMwkdlZpwNSH
+SAfxnfK/WnyiUKY83xIJRnh5DCGS4s4iE/Ad1I57p00Vs+ZhLcY6+XCqOUQ3p3ya
+Eqhr24aYkxCYMHAYZGN6BaUfQx3CyJxMfz7FI56eE0ipZXJuVAdCrvawfBWyxCRU
+zyloU9+TNxSdQOBr3UwGh0GTusoBkdnPDnk/GtcQr3HFsRh7XeLnKpV2/lJ+EJT8
+c9oJ+uc=
 -----END CERTIFICATE-----
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub_key b/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub_key
index 35dedacb0..47287e10d 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub_key and b/internal/crypto/src/tests/fixtures/raw_signature/ps512.pub_key differ
diff --git a/internal/crypto/src/tests/fixtures/raw_signature/ps512.raw_sig b/internal/crypto/src/tests/fixtures/raw_signature/ps512.raw_sig
index 004875a42..7f18889a1 100644
Binary files a/internal/crypto/src/tests/fixtures/raw_signature/ps512.raw_sig and b/internal/crypto/src/tests/fixtures/raw_signature/ps512.raw_sig differ
diff --git a/sdk/src/openssl/test_cert_root_bundle.pem b/internal/crypto/src/tests/fixtures/raw_signature/test_cert_root_bundle.pem
similarity index 100%
rename from sdk/src/openssl/test_cert_root_bundle.pem
rename to internal/crypto/src/tests/fixtures/raw_signature/test_cert_root_bundle.pem
diff --git a/internal/crypto/src/tests/hash.rs b/internal/crypto/src/tests/hash.rs
index c9cc602c8..e80ff1b9d 100644
--- a/internal/crypto/src/tests/hash.rs
+++ b/internal/crypto/src/tests/hash.rs
@@ -14,7 +14,7 @@
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
 
-use crate::hash::sha1;
+use crate::hash::{sha1, sha256};
 
 #[test]
 #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
@@ -28,3 +28,16 @@ fn test_sha1() {
         ]
     );
 }
+
+#[test]
+#[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+fn test_sha256() {
+    let hash = sha256(b"test message");
+    assert_eq!(
+        hash,
+        [
+            63, 10, 55, 123, 160, 164, 164, 96, 236, 182, 22, 246, 80, 124, 224, 216, 207, 163,
+            231, 4, 2, 93, 79, 218, 62, 208, 197, 202, 5, 70, 135, 40
+        ]
+    );
+}
diff --git a/internal/crypto/src/tests/mod.rs b/internal/crypto/src/tests/mod.rs
index 1fc61d740..ce8d94561 100644
--- a/internal/crypto/src/tests/mod.rs
+++ b/internal/crypto/src/tests/mod.rs
@@ -22,6 +22,7 @@
 wasm_bindgen_test::wasm_bindgen_test_configure!(run_in_browser);
 
 mod base64;
+mod cose;
 mod hash;
 mod internal;
 mod ocsp;
diff --git a/internal/crypto/src/tests/ocsp.rs b/internal/crypto/src/tests/ocsp.rs
index f67a2e7bf..2167161cd 100644
--- a/internal/crypto/src/tests/ocsp.rs
+++ b/internal/crypto/src/tests/ocsp.rs
@@ -30,7 +30,7 @@ fn good() {
     let ocsp_data =
         OcspResponse::from_der_checked(rsp_data, Some(test_time), &mut validation_log).unwrap();
 
-    assert!(ocsp_data.revoked_at.is_none());
+    assert_eq!(ocsp_data.revoked_at, None);
     assert!(ocsp_data.ocsp_certs.is_some());
 }
 
diff --git a/internal/crypto/src/tests/openssl/mod.rs b/internal/crypto/src/tests/openssl/mod.rs
index 27cb16350..1ce823fa2 100644
--- a/internal/crypto/src/tests/openssl/mod.rs
+++ b/internal/crypto/src/tests/openssl/mod.rs
@@ -12,4 +12,5 @@
 // each license.
 
 mod ffi_mutex;
+mod signers;
 mod validators;
diff --git a/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs b/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs
new file mode 100644
index 000000000..6948c71ac
--- /dev/null
+++ b/internal/crypto/src/tests/openssl/signers/ecdsa_signer.rs
@@ -0,0 +1,177 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::x509::X509;
+
+use crate::{
+    openssl::{signers::signer_from_cert_chain_and_private_key, validators::EcdsaValidator},
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
+};
+
+#[test]
+fn es256() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es256.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es256.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Es256, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es256
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn es256_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es256.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es256.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Es256,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es256
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[test]
+fn es384() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es384.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es384.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Es384, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es384
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn es384_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es384.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es384.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Es384,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es384
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[test]
+fn es512() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es512.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es512.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Es512, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es512
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn es512_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/es512.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/es512.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Es512,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    EcdsaValidator::Es512
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
diff --git a/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs b/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs
new file mode 100644
index 000000000..c158434c9
--- /dev/null
+++ b/internal/crypto/src/tests/openssl/signers/ed25519_signer.rs
@@ -0,0 +1,73 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::x509::X509;
+
+use crate::{
+    openssl::{signers::signer_from_cert_chain_and_private_key, validators::Ed25519Validator},
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
+};
+
+#[test]
+fn ed25519() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ed25519.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ed25519.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Ed25519, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    Ed25519Validator {}
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn ed25519_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ed25519.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ed25519.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Ed25519,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    Ed25519Validator {}
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
diff --git a/internal/crypto/src/tests/openssl/signers/mod.rs b/internal/crypto/src/tests/openssl/signers/mod.rs
new file mode 100644
index 000000000..c6d556b09
--- /dev/null
+++ b/internal/crypto/src/tests/openssl/signers/mod.rs
@@ -0,0 +1,16 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+mod ecdsa_signer;
+mod ed25519_signer;
+mod rsa_signer;
diff --git a/internal/crypto/src/tests/openssl/signers/rsa_signer.rs b/internal/crypto/src/tests/openssl/signers/rsa_signer.rs
new file mode 100644
index 000000000..5914f8f43
--- /dev/null
+++ b/internal/crypto/src/tests/openssl/signers/rsa_signer.rs
@@ -0,0 +1,177 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use openssl::x509::X509;
+
+use crate::{
+    openssl::{signers::signer_from_cert_chain_and_private_key, validators::RsaValidator},
+    raw_signature::{
+        async_signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg,
+    },
+};
+
+#[test]
+fn ps256() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps256.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps256.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Ps256, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps256
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn ps256_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps256.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps256.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Ps256,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps256
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[test]
+fn ps384() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps384.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps384.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Ps384, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps384
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn ps384_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps384.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps384.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Ps384,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps384
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[test]
+fn ps512() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps512.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps512.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Ps512, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps512
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
+
+#[actix::test]
+async fn ps512_async() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ps512.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ps512.priv");
+
+    let signer = async_signer_from_cert_chain_and_private_key(
+        cert_chain,
+        private_key,
+        SigningAlg::Ps512,
+        None,
+    )
+    .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data.to_vec()).await.unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let cert = X509::from_pem(cert_chain).unwrap();
+    let pub_key = cert.public_key().unwrap();
+    let pub_key = pub_key.public_key_to_der().unwrap();
+
+    RsaValidator::Ps512
+        .validate(&signature, data, &pub_key)
+        .unwrap();
+}
diff --git a/internal/crypto/src/tests/raw_signature/mod.rs b/internal/crypto/src/tests/raw_signature/mod.rs
index e9a37e9de..f7e346d76 100644
--- a/internal/crypto/src/tests/raw_signature/mod.rs
+++ b/internal/crypto/src/tests/raw_signature/mod.rs
@@ -11,4 +11,5 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(any(target_arch = "wasm32", feature = "openssl"))]
 mod validator;
diff --git a/internal/crypto/src/tests/raw_signature/validator.rs b/internal/crypto/src/tests/raw_signature/validator.rs
index 3fdc27879..75201eca9 100644
--- a/internal/crypto/src/tests/raw_signature/validator.rs
+++ b/internal/crypto/src/tests/raw_signature/validator.rs
@@ -16,10 +16,8 @@ use rasn::types::OctetString;
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
 
-use crate::{
-    raw_signature::{
-        validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
-    },
+use crate::raw_signature::{
+    validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
     SigningAlg,
 };
 
diff --git a/internal/crypto/src/tests/signing_alg.rs b/internal/crypto/src/tests/signing_alg.rs
index 2835294a3..92adafc54 100644
--- a/internal/crypto/src/tests/signing_alg.rs
+++ b/internal/crypto/src/tests/signing_alg.rs
@@ -14,7 +14,7 @@
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
 
-use crate::signing_alg::{SigningAlg, UnknownAlgorithmError};
+use crate::raw_signature::{SigningAlg, UnknownAlgorithmError};
 
 #[test]
 #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
diff --git a/internal/crypto/src/tests/webcrypto/mod.rs b/internal/crypto/src/tests/webcrypto/mod.rs
index c1bbf2757..a2a612f0f 100644
--- a/internal/crypto/src/tests/webcrypto/mod.rs
+++ b/internal/crypto/src/tests/webcrypto/mod.rs
@@ -11,5 +11,6 @@
 // specific language governing permissions and limitations under
 // each license.
 
+mod signers;
 mod validators;
 mod window_or_worker;
diff --git a/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs b/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs
new file mode 100644
index 000000000..6d11753c9
--- /dev/null
+++ b/internal/crypto/src/tests/webcrypto/signers/ed25519_signer.rs
@@ -0,0 +1,41 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use wasm_bindgen_test::wasm_bindgen_test;
+
+use crate::{
+    raw_signature::{signer_from_cert_chain_and_private_key, RawSignatureValidator, SigningAlg},
+    webcrypto::validators::Ed25519Validator,
+};
+
+#[wasm_bindgen_test]
+fn ed25519() {
+    let cert_chain = include_bytes!("../../fixtures/raw_signature/ed25519.pub");
+    let private_key = include_bytes!("../../fixtures/raw_signature/ed25519.priv");
+
+    let signer =
+        signer_from_cert_chain_and_private_key(cert_chain, private_key, SigningAlg::Ed25519, None)
+            .unwrap();
+
+    let data = b"some sample content to sign";
+    let signature = signer.sign(data).unwrap();
+
+    println!("signature len = {}", signature.len());
+    assert!(signature.len() <= signer.reserve_size());
+
+    let pub_key = include_bytes!("../../fixtures/raw_signature/ed25519.pub_key");
+
+    Ed25519Validator {}
+        .validate(&signature, data, pub_key)
+        .unwrap();
+}
diff --git a/internal/crypto/src/tests/webcrypto/signers/mod.rs b/internal/crypto/src/tests/webcrypto/signers/mod.rs
new file mode 100644
index 000000000..577cd72b2
--- /dev/null
+++ b/internal/crypto/src/tests/webcrypto/signers/mod.rs
@@ -0,0 +1,14 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+mod ed25519_signer;
diff --git a/internal/crypto/src/tests/webcrypto/validators/async_validators.rs b/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
index ec5ff9e92..aa32958a3 100644
--- a/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
+++ b/internal/crypto/src/tests/webcrypto/validators/async_validators.rs
@@ -16,11 +16,10 @@ use rasn::types::OctetString;
 use wasm_bindgen_test::wasm_bindgen_test;
 
 use crate::{
-    raw_signature::RawSignatureValidationError,
+    raw_signature::{RawSignatureValidationError, SigningAlg},
     webcrypto::{
         async_validator_for_sig_and_hash_algs, async_validators::async_validator_for_signing_alg,
     },
-    SigningAlg,
 };
 
 const SAMPLE_DATA: &[u8] = b"some sample content to sign";
diff --git a/internal/crypto/src/time_stamp/error.rs b/internal/crypto/src/time_stamp/error.rs
index f75915224..f9ca9fd80 100644
--- a/internal/crypto/src/time_stamp/error.rs
+++ b/internal/crypto/src/time_stamp/error.rs
@@ -60,7 +60,7 @@ pub enum TimeStampError {
     #[error("unable to complete HTTP request ({0})")]
     HttpConnectionError(String),
 
-    /// An unexpected internal error occured whiel requesting the time stamp
+    /// An unexpected internal error occured while requesting the time stamp
     /// response.
     #[error("internal error ({0})")]
     InternalError(String),
diff --git a/internal/crypto/src/time_stamp/mod.rs b/internal/crypto/src/time_stamp/mod.rs
index f1796d58a..e5990d1f9 100644
--- a/internal/crypto/src/time_stamp/mod.rs
+++ b/internal/crypto/src/time_stamp/mod.rs
@@ -20,14 +20,16 @@ pub use error::TimeStampError;
 
 #[cfg(not(target_arch = "wasm32"))]
 mod http_request;
+#[cfg(not(target_arch = "wasm32"))]
+pub use http_request::{default_rfc3161_request, default_rfc3161_request_async};
 
 mod provider;
-pub use provider::{AsyncTimeStampProvider, TimeStampProvider};
+pub use provider::{default_rfc3161_message, AsyncTimeStampProvider, TimeStampProvider};
 
 mod response;
 pub use response::ts_token_from_time_stamp_response;
 // ^^ TO REVIEW: Does this need to be public after refactoring?
+pub(crate) use response::{ContentInfo, TimeStampResponse};
 
 mod verify;
-/// TEMPORARILY PUBLIC while refactoring
-pub use verify::{verify_time_stamp, verify_time_stamp_async};
+pub(crate) use verify::{verify_time_stamp, verify_time_stamp_async};
diff --git a/internal/crypto/src/time_stamp/provider.rs b/internal/crypto/src/time_stamp/provider.rs
index 99fad54cd..62eb30b16 100644
--- a/internal/crypto/src/time_stamp/provider.rs
+++ b/internal/crypto/src/time_stamp/provider.rs
@@ -75,9 +75,79 @@ pub trait TimeStampProvider {
 /// asynchronously.
 ///
 /// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
-#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
-#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg(not(target_arch = "wasm32"))]
+#[async_trait]
+pub trait AsyncTimeStampProvider: Sync {
+    // IMPORTANT: It appears that the Sync (most platforms) vs not-Sync (WASM)
+    // distinction can't be achieved without duplicating the trait definition 👎🏻.
+    // Please verify that any changes made here are also made to the subsequent
+    // definition of AsyncTimeStampProvider for WASM builds.
+
+    /// Return the URL for time stamp service.
+    fn time_stamp_service_url(&self) -> Option<String> {
+        None
+    }
+
+    /// Additional request headers to pass to the time stamp service.
+    ///
+    /// IMPORTANT: You should not include the "Content-type" header here.
+    /// That is provided by default.
+    fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        None
+    }
+
+    /// Generate the request body for the HTTPS request to the time stamp
+    /// service.
+    fn time_stamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>, TimeStampError> {
+        default_rfc3161_message(message)
+    }
+
+    /// Request a [RFC 3161] time stamp over an arbitrary data packet.
+    ///
+    /// The default implementation will send the request to the URL
+    /// provided by [`Self::time_stamp_service_url()`], if any.
+    ///
+    /// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+    #[allow(unused_variables)] // `message` not used on WASM
+    async fn send_time_stamp_request(
+        &self,
+        message: &[u8],
+    ) -> Option<Result<Vec<u8>, TimeStampError>> {
+        // NOTE: This is currently synchronous, but may become
+        // async in the future.
+        #[cfg(not(target_arch = "wasm32"))]
+        if let Some(url) = self.time_stamp_service_url() {
+            if let Ok(body) = self.time_stamp_request_body(message) {
+                let headers: Option<Vec<(String, String)>> = self.time_stamp_request_headers();
+                return Some(
+                    super::http_request::default_rfc3161_request_async(
+                        &url, headers, &body, message,
+                    )
+                    .await,
+                );
+            }
+        }
+
+        None
+    }
+}
+
+/// An `AsyncTimeStampProvider` implementation can contact a [RFC 3161] time
+/// stamp service and generate a corresponding time stamp for a specific piece
+/// of data.
+///
+/// This is identical to [`TimeStampProvider`] except for performing its work
+/// asynchronously.
+///
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+#[cfg(target_arch = "wasm32")]
+#[async_trait(?Send)]
 pub trait AsyncTimeStampProvider {
+    // IMPORTANT: It appears that the Sync (most platforms) vs not-Sync (WASM)
+    // distinction can't be achieved without duplicating the trait definition 👎🏻.
+    // Please verify that any changes made here are also made to the previous
+    // definition of AsyncTimeStampProvider for non-WASM builds.
+
     /// Return the URL for time stamp service.
     fn time_stamp_service_url(&self) -> Option<String> {
         None
@@ -127,7 +197,10 @@ pub trait AsyncTimeStampProvider {
     }
 }
 
-fn default_rfc3161_message(data: &[u8]) -> Result<Vec<u8>, TimeStampError> {
+/// Create an [RFC 3161] time stamp request message for a given piece of data.
+///
+/// [RFC 3161]: https://datatracker.ietf.org/doc/html/rfc3161
+pub fn default_rfc3161_message(data: &[u8]) -> Result<Vec<u8>, TimeStampError> {
     let request = time_stamp_message_http(data, DigestAlgorithm::Sha256)?;
 
     let mut body = Vec::<u8>::new();
diff --git a/internal/crypto/src/time_stamp/response.rs b/internal/crypto/src/time_stamp/response.rs
index 658085082..7478d72eb 100644
--- a/internal/crypto/src/time_stamp/response.rs
+++ b/internal/crypto/src/time_stamp/response.rs
@@ -12,11 +12,9 @@
 // each license.
 
 use bcder::decode::Constructed;
-use rasn::{AsnType, Decode, Encode};
+use rasn::{AsnType, Decode, Decoder, Encode, Encoder};
 use x509_parser::nom::AsBytes;
 
-#[cfg(not(target_arch = "wasm32"))]
-use crate::asn1::rfc3161::PkiStatus;
 use crate::{
     asn1::{
         rfc3161::{TimeStampResp, TimeStampToken, TstInfo, OID_CONTENT_TYPE_TST_INFO},
@@ -25,10 +23,8 @@ use crate::{
     time_stamp::TimeStampError,
 };
 
-#[cfg(not(target_arch = "wasm32"))]
 pub(crate) struct TimeStampResponse(pub TimeStampResp);
 
-#[cfg(not(target_arch = "wasm32"))]
 impl std::ops::Deref for TimeStampResponse {
     type Target = TimeStampResp;
 
@@ -37,16 +33,19 @@ impl std::ops::Deref for TimeStampResponse {
     }
 }
 
-#[cfg(not(target_arch = "wasm32"))]
 impl TimeStampResponse {
     /// Return `true` if the request was successful.
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn is_success(&self) -> bool {
+        use crate::asn1::rfc3161::PkiStatus;
+
         matches!(
             self.0.status.status,
             PkiStatus::Granted | PkiStatus::GrantedWithMods
         )
     }
 
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn signed_data(&self) -> Result<Option<SignedData>, TimeStampError> {
         if let Some(token) = &self.0.time_stamp_token {
             if token.content_type == OID_ID_SIGNED_DATA {
@@ -67,6 +66,7 @@ impl TimeStampResponse {
         }
     }
 
+    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn tst_info(&self) -> Result<Option<TstInfo>, TimeStampError> {
         if let Some(signed_data) = self.signed_data()? {
             if signed_data.content_info.content_type == OID_CONTENT_TYPE_TST_INFO {
@@ -90,14 +90,13 @@ impl TimeStampResponse {
 }
 
 #[derive(AsnType, Clone, Debug, Decode, Encode, PartialEq, Eq, PartialOrd, Ord, Hash)]
-struct ContentInfo {
-    content_type: rasn::types::ObjectIdentifier,
+pub(crate) struct ContentInfo {
+    pub(crate) content_type: rasn::types::ObjectIdentifier,
 
     #[rasn(tag(explicit(0)))]
-    content: rasn::types::Any,
+    pub(crate) content: rasn::types::Any,
 }
 
-/// TO REVIEW: Does this need to be public after refactoring?
 pub(crate) fn signed_data_from_time_stamp_response(
     ts_resp: &[u8],
 ) -> Result<Option<SignedData>, TimeStampError> {
@@ -136,8 +135,7 @@ pub(crate) fn signed_data_from_time_stamp_response(
     ))
 }
 
-/// TO REVIEW: Does this need to be public after refactoring?
-pub fn tst_info_from_signed_data(
+pub(crate) fn tst_info_from_signed_data(
     signed_data: &SignedData,
 ) -> Result<Option<TstInfo>, TimeStampError> {
     if signed_data.content_info.content_type != OID_CONTENT_TYPE_TST_INFO {
diff --git a/internal/crypto/src/time_stamp/verify.rs b/internal/crypto/src/time_stamp/verify.rs
index 8729145fe..71455e585 100644
--- a/internal/crypto/src/time_stamp/verify.rs
+++ b/internal/crypto/src/time_stamp/verify.rs
@@ -28,7 +28,6 @@ use crate::{
             CertificateChoices::Certificate, SignerIdentifier, OID_MESSAGE_DIGEST, OID_SIGNING_TIME,
         },
     },
-    raw_signature::validator_for_sig_and_hash_algs,
     time_stamp::{
         response::{signed_data_from_time_stamp_response, tst_info_from_signed_data},
         TimeStampError,
@@ -36,10 +35,8 @@ use crate::{
 };
 
 /// Decode the TimeStampToken info and verify it against the supplied data.
-///
-/// TEMPORARILY PUBLIC while refactoring
 #[async_generic]
-pub fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeStampError> {
+pub(crate) fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeStampError> {
     // Did the time stamp expire between issuance and verification?
     let Some(sd) = signed_data_from_time_stamp_response(ts)? else {
         return Err(TimeStampError::DecodeError(
@@ -266,7 +263,9 @@ pub fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeStampErr
             }
 
             #[cfg(not(target_arch = "wasm32"))]
-            unimplemented!();
+            if true {
+                unimplemented!();
+            }
         }
 
         // Make sure the time stamp's cert was valid for the stated signing time.
@@ -330,6 +329,7 @@ fn time_to_datetime(t: Time) -> DateTime<Utc> {
     }
 }
 
+#[cfg(any(feature = "openssl", target_arch = "wasm32"))]
 fn validate_timestamp_sig(
     sig_alg: &bcder::Oid,
     hash_alg: &bcder::Oid,
@@ -337,6 +337,8 @@ fn validate_timestamp_sig(
     tbs: &[u8],
     signing_key_der: &[u8],
 ) -> Result<(), TimeStampError> {
+    use crate::raw_signature::validator_for_sig_and_hash_algs;
+
     let Some(validator) = validator_for_sig_and_hash_algs(sig_alg, hash_alg) else {
         return Err(TimeStampError::UnsupportedAlgorithm);
     };
diff --git a/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs b/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
index 88a0cba72..26548e65a 100644
--- a/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
+++ b/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
@@ -18,8 +18,8 @@ use wasm_bindgen_futures::JsFuture;
 use web_sys::CryptoKey;
 
 use crate::{
-    raw_signature::RawSignatureValidationError,
-    webcrypto::{AsyncRawSignatureValidator, WindowOrWorker},
+    raw_signature::{AsyncRawSignatureValidator, RawSignatureValidationError},
+    webcrypto::WindowOrWorker,
 };
 
 /// An `EcdsaValidator` can validate raw signatures with one of the ECDSA
@@ -71,9 +71,7 @@ impl AsyncRawSignatureValidator for EcdsaValidator {
 
         let crypto_key: CryptoKey = JsFuture::from(promise)
             .await
-            .map_err(|_err| {
-                RawSignatureValidationError::InternalError("unable to create CryptoKey promise")
-            })?
+            .map_err(|_err| RawSignatureValidationError::InternalError("invalid ECDSA key"))?
             .into();
 
         let algorithm = EcdsaParams(hash).as_js_object().map_err(|_err| {
diff --git a/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs b/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs
index fbf0b3530..578630d6f 100644
--- a/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs
+++ b/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `Ed25519Validator` can validate raw signatures with the Ed25519 signature
diff --git a/internal/crypto/src/webcrypto/async_validators/mod.rs b/internal/crypto/src/webcrypto/async_validators/mod.rs
index 2acaf4f22..00dacc21b 100644
--- a/internal/crypto/src/webcrypto/async_validators/mod.rs
+++ b/internal/crypto/src/webcrypto/async_validators/mod.rs
@@ -11,38 +11,9 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use async_trait::async_trait;
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, RawSignatureValidationError},
-    SigningAlg,
-};
-
-/// An `AsyncRawSignatureValidator` implementation checks a signature encoded
-/// using a specific signature algorithm and a private/public key pair.
-///
-/// IMPORTANT: This signature is typically embedded in a wrapper provided by
-/// another signature mechanism. In the C2PA ecosystem, this wrapper is
-/// typically COSE, but `AsyncRawSignatureValidator` does not implement COSE.
-///
-/// The WASM implementation of `c2pa-crypto` also implements
-/// [`RawSignatureValidator`] (the synchronous version), but some encryption
-/// algorithms are not fully supported. When possible, it's preferable to use
-/// this implementation.
-///
-/// [`RawSignatureValidator`]: crate::raw_signature::RawSignatureValidator
-#[async_trait(?Send)]
-pub trait AsyncRawSignatureValidator {
-    /// Return `true` if the signature `sig` is valid for the raw content `data`
-    /// and the public key `public_key`.
-    async fn validate_async(
-        &self,
-        sig: &[u8],
-        data: &[u8],
-        public_key: &[u8],
-    ) -> Result<(), RawSignatureValidationError>;
-}
+use crate::raw_signature::{oids::*, AsyncRawSignatureValidator, SigningAlg};
 
 /// Return an async validator for the given signing algorithm.
 pub fn async_validator_for_signing_alg(
@@ -61,10 +32,7 @@ pub fn async_validator_for_signing_alg(
 
 /// Return a built-in async signature validator for the requested signature
 /// algorithm as identified by OID.
-///
-/// TEMPORARILY PUBLIC: This will become `pub(crate)` once time stamp code moves
-/// into c2pa-crypto.
-pub fn async_validator_for_sig_and_hash_algs(
+pub(crate) fn async_validator_for_sig_and_hash_algs(
     sig_alg: &Oid,
     hash_alg: &Oid,
 ) -> Option<Box<dyn AsyncRawSignatureValidator>> {
diff --git a/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs b/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs
index 2f3bcf297..89ecb81b2 100644
--- a/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs
+++ b/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `RsaLegacyValidator` can validate raw signatures with an RSA signature
diff --git a/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs b/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs
index 2e71d8934..f3af91e65 100644
--- a/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs
+++ b/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `RsaValidator` can validate raw signatures with one of the RSA-PSS
diff --git a/internal/crypto/src/webcrypto/check_certificate_trust.rs b/internal/crypto/src/webcrypto/check_certificate_trust.rs
new file mode 100644
index 000000000..f4f2dac6e
--- /dev/null
+++ b/internal/crypto/src/webcrypto/check_certificate_trust.rs
@@ -0,0 +1,281 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use asn1_rs::{Any, Class, FromDer, Header, Tag};
+use nom::AsBytes;
+use x509_parser::{
+    certificate::X509Certificate, der_parser::oid, oid_registry::Oid, x509::AlgorithmIdentifier,
+};
+
+use crate::{
+    cose::{CertificateTrustError, CertificateTrustPolicy},
+    p1363::der_to_p1363,
+    raw_signature::{RawSignatureValidationError, SigningAlg},
+    webcrypto::async_validator_for_signing_alg,
+};
+
+pub(crate) async fn check_certificate_trust(
+    ctp: &CertificateTrustPolicy,
+    chain_der: &[Vec<u8>],
+    cert_der: &[u8],
+    _signing_time_epoch: Option<i64>,
+) -> Result<(), CertificateTrustError> {
+    let Ok((_rem, cert)) = X509Certificate::from_der(cert_der) else {
+        return Err(CertificateTrustError::InvalidCertificate);
+    };
+
+    let Ok(Some(eku)) = cert.extended_key_usage() else {
+        return Err(CertificateTrustError::InvalidEku);
+    };
+
+    let Some(_approved_oid) = ctp.has_allowed_eku(&eku.value) else {
+        return Err(CertificateTrustError::InvalidEku);
+    };
+
+    // Add end-entity cert to the chain if not already there.
+    let full_chain = if !chain_der.is_empty() && cert_der == &chain_der[0] {
+        chain_der.to_vec()
+    } else {
+        let mut full_chain: Vec<Vec<u8>> = Vec::new();
+        full_chain.push(cert_der.to_vec());
+        let mut in_chain = chain_der.to_vec();
+        full_chain.append(&mut in_chain);
+        full_chain
+    };
+
+    // Make sure chain is in the correct order and valid.
+    check_chain_order(&full_chain).await?;
+
+    // Build anchors and check against trust anchors.
+    let anchors = ctp
+        .trust_anchor_ders()
+        .map(|anchor_der| {
+            X509Certificate::from_der(anchor_der)
+                .map_err(|_e| CertificateTrustError::CertificateNotTrusted)
+                .map(|r| r.1)
+        })
+        .collect::<Result<Vec<X509Certificate>, CertificateTrustError>>()?;
+
+    if anchors.is_empty() {
+        return Err(CertificateTrustError::CertificateNotTrusted);
+    }
+
+    // Work back from last cert in chain against the trust anchors.
+    for cert in chain_der.iter().rev() {
+        let (_, chain_cert) = X509Certificate::from_der(cert)
+            .map_err(|_e| CertificateTrustError::CertificateNotTrusted)?;
+
+        for anchor in ctp.trust_anchor_ders() {
+            let data = chain_cert.tbs_certificate.as_ref();
+            let sig = chain_cert.signature_value.as_ref();
+
+            let sig_alg = cert_signing_alg(&chain_cert);
+
+            let (_, anchor_cert) = X509Certificate::from_der(anchor)
+                .map_err(|_e| CertificateTrustError::CertificateNotTrusted)?;
+
+            if chain_cert.issuer() == anchor_cert.subject() {
+                let result =
+                    verify_data(anchor.clone(), sig_alg, sig.to_vec(), data.to_vec()).await;
+
+                match result {
+                    Ok(b) => {
+                        if b {
+                            return Ok(());
+                        }
+                    }
+                    Err(_) => continue,
+                }
+            }
+        }
+    }
+
+    // TO DO: Consider path check and names restrictions.
+    return Err(CertificateTrustError::CertificateNotTrusted);
+}
+
+async fn check_chain_order(certs: &[Vec<u8>]) -> Result<(), CertificateTrustError> {
+    let chain_length = certs.len();
+    if chain_length < 2 {
+        return Ok(());
+    }
+
+    for i in 1..chain_length {
+        let (_, current_cert) = X509Certificate::from_der(&certs[i - 1])
+            .map_err(|_e| CertificateTrustError::CertificateNotTrusted)?;
+
+        let issuer_der = certs[i].to_vec();
+        let data = current_cert.tbs_certificate.as_ref();
+        let sig = current_cert.signature_value.as_ref();
+        let sig_alg = cert_signing_alg(&current_cert);
+
+        if !verify_data(issuer_der, sig_alg, sig.to_vec(), data.to_vec()).await? {
+            return Err(CertificateTrustError::CertificateNotTrusted);
+        }
+    }
+
+    Ok(())
+}
+
+fn cert_signing_alg(cert: &X509Certificate) -> Option<String> {
+    let cert_alg = &cert.signature_algorithm.algorithm;
+
+    if *cert_alg == SHA256_WITH_RSAENCRYPTION_OID {
+        Some("rsa256".to_string())
+    } else if *cert_alg == SHA384_WITH_RSAENCRYPTION_OID {
+        Some("rsa384".to_string())
+    } else if *cert_alg == SHA512_WITH_RSAENCRYPTION_OID {
+        Some("rsa512".to_string())
+    } else if *cert_alg == ECDSA_WITH_SHA256_OID {
+        Some(SigningAlg::Es256.to_string())
+    } else if *cert_alg == ECDSA_WITH_SHA384_OID {
+        Some(SigningAlg::Es384.to_string())
+    } else if *cert_alg == ECDSA_WITH_SHA512_OID {
+        Some(SigningAlg::Es512.to_string())
+    } else if *cert_alg == RSASSA_PSS_OID {
+        signing_alg_from_rsapss_alg(&cert.signature_algorithm)
+    } else if *cert_alg == ED25519_OID {
+        Some(SigningAlg::Ed25519.to_string())
+    } else {
+        None
+    }
+}
+
+fn signing_alg_from_rsapss_alg(alg: &AlgorithmIdentifier) -> Option<String> {
+    let Some(parameters) = &alg.parameters else {
+        return None;
+    };
+
+    let Ok(seq) = parameters.as_sequence() else {
+        return None;
+    };
+
+    let Ok((_i, (ha_alg, mgf_ai))) = seq.parse(|i| {
+        let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
+        if h.class() != Class::ContextSpecific || h.tag() != Tag(0) {
+            return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
+        }
+
+        let (i, ha_alg) = AlgorithmIdentifier::from_der(i)
+            .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
+
+        let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
+        if h.class() != Class::ContextSpecific || h.tag() != Tag(1) {
+            return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
+        }
+
+        let (i, mgf_ai) = AlgorithmIdentifier::from_der(i)
+            .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
+
+        // Ignore anything that follows these two parameters.
+
+        Ok((i, (ha_alg, mgf_ai)))
+    }) else {
+        return None;
+    };
+
+    let Some(mgf_ai_parameters) = mgf_ai.parameters else {
+        return None;
+    };
+
+    let Ok(mgf_ai_parameters) = mgf_ai_parameters.as_sequence() else {
+        return None;
+    };
+
+    let Ok((_i, mgf_ai_params_algorithm)) =
+        <Any as asn1_rs::FromDer>::from_der(&mgf_ai_parameters.content)
+    else {
+        return None;
+    };
+
+    let Ok(mgf_ai_params_algorithm) = mgf_ai_params_algorithm.as_oid() else {
+        return None;
+    };
+
+    // Algorithms must be the same.
+    if ha_alg.algorithm.to_id_string() != mgf_ai_params_algorithm.to_id_string() {
+        return None;
+    }
+
+    // We only recognize a few specific algorithm types.
+    if ha_alg.algorithm == SHA256_OID {
+        Some("ps256".to_string())
+    } else if ha_alg.algorithm == SHA384_OID {
+        Some("ps384".to_string())
+    } else if ha_alg.algorithm == SHA512_OID {
+        Some("ps512".to_string())
+    } else {
+        None
+    }
+}
+
+async fn verify_data(
+    cert_der: Vec<u8>,
+    sig_alg: Option<String>,
+    sig: Vec<u8>,
+    data: Vec<u8>,
+) -> Result<bool, CertificateTrustError> {
+    let (_, cert) = X509Certificate::from_der(cert_der.as_bytes())
+        .map_err(|_e| CertificateTrustError::InvalidCertificate)?;
+
+    let certificate_public_key = cert.public_key();
+
+    let Some(cert_alg_string) = sig_alg else {
+        return Err(CertificateTrustError::InvalidCertificate);
+    };
+
+    let signing_alg: SigningAlg = cert_alg_string
+        .parse()
+        .map_err(|_| CertificateTrustError::InvalidCertificate)?;
+
+    // Not sure this is needed any more. Leaving this for now, but I think this
+    // should be handled in c2pa_crypto's raw signature code.
+
+    // TO REVIEW: For now, this is needed because this function could validate C2PA
+    // signatures (P1363) or those from certificates which are ASN.1 DER. I don't
+    // know if the new code is only used for DER now.
+    let adjusted_sig = if cert_alg_string.starts_with("es") {
+        match der_to_p1363(&sig, signing_alg) {
+            Ok(p1363) => p1363,
+            Err(_) => sig,
+        }
+    } else {
+        sig
+    };
+
+    let Some(validator) = async_validator_for_signing_alg(signing_alg) else {
+        return Err(CertificateTrustError::InvalidCertificate);
+    };
+
+    let result = validator
+        .validate_async(&adjusted_sig, &data, certificate_public_key.raw.as_ref())
+        .await;
+
+    match result {
+        Ok(()) => Ok(true),
+        Err(RawSignatureValidationError::SignatureMismatch) => Ok(false),
+        Err(_err) => Err(CertificateTrustError::InvalidCertificate),
+    }
+}
+
+const RSASSA_PSS_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .10);
+const ECDSA_WITH_SHA256_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .2);
+const ECDSA_WITH_SHA384_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .3);
+const ECDSA_WITH_SHA512_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .4);
+const SHA256_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .11);
+const SHA384_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .12);
+const SHA512_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .13);
+const ED25519_OID: Oid<'static> = oid!(1.3.101 .112);
+const SHA256_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .1);
+const SHA384_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .2);
+const SHA512_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .3);
diff --git a/internal/crypto/src/webcrypto/mod.rs b/internal/crypto/src/webcrypto/mod.rs
index fb51e2d32..ec62a2f1a 100644
--- a/internal/crypto/src/webcrypto/mod.rs
+++ b/internal/crypto/src/webcrypto/mod.rs
@@ -20,11 +20,12 @@
 //! [`SubtleCrypto`]: https://rustwasm.github.io/wasm-bindgen/api/web_sys/struct.SubtleCrypto.html
 
 pub(crate) mod async_validators;
-pub use async_validators::{
+pub(crate) use async_validators::{
     async_validator_for_sig_and_hash_algs, async_validator_for_signing_alg,
-    AsyncRawSignatureValidator,
 };
 
+pub(crate) mod check_certificate_trust;
+pub(crate) mod signers;
 pub mod validators;
 
 mod window_or_worker;
diff --git a/internal/crypto/src/webcrypto/signers/ed25519_signer.rs b/internal/crypto/src/webcrypto/signers/ed25519_signer.rs
new file mode 100644
index 000000000..6805a66b2
--- /dev/null
+++ b/internal/crypto/src/webcrypto/signers/ed25519_signer.rs
@@ -0,0 +1,100 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use ed25519_dalek::{pkcs8::DecodePrivateKey, SigningKey};
+use x509_parser::{error::PEMError, pem::Pem};
+
+use crate::{
+    raw_signature::{RawSigner, RawSignerError, SigningAlg},
+    time_stamp::TimeStampProvider,
+};
+
+/// Implements `RawSigner` trait using `ed25519_dalek` crate's implementation of
+/// Edwards Curve encryption.
+pub struct Ed25519Signer {
+    #[allow(dead_code)]
+    cert_chain: Vec<Vec<u8>>,
+    cert_chain_len: usize,
+
+    signing_key: SigningKey,
+
+    time_stamp_service_url: Option<String>,
+    time_stamp_size: usize,
+}
+
+impl Ed25519Signer {
+    pub(crate) fn from_cert_chain_and_private_key(
+        cert_chain: &[u8],
+        private_key: &[u8],
+        time_stamp_service_url: Option<String>,
+    ) -> Result<Self, RawSignerError> {
+        let cert_chain = Pem::iter_from_buffer(cert_chain)
+            .map(|r| match r {
+                Ok(pem) => Ok(pem.contents),
+                Err(e) => Err(e),
+            })
+            .collect::<Result<Vec<Vec<u8>>, PEMError>>()
+            .map_err(|e| RawSignerError::InvalidSigningCredentials(e.to_string()))?;
+
+        let cert_chain_len = cert_chain.len();
+
+        let private_key_pem = std::str::from_utf8(private_key).map_err(|e| {
+            RawSignerError::InvalidSigningCredentials(format!("invalid private key: {e}"))
+        })?;
+
+        let signing_key = SigningKey::from_pkcs8_pem(private_key_pem).map_err(|e| {
+            RawSignerError::InvalidSigningCredentials(format!("invalid private key: {e}"))
+        })?;
+
+        Ok(Ed25519Signer {
+            cert_chain,
+            cert_chain_len,
+
+            signing_key,
+
+            time_stamp_service_url,
+            time_stamp_size: 10000,
+            // TO DO: Call out to time stamp service to get actual time stamp and use that size?
+        })
+    }
+}
+
+impl RawSigner for Ed25519Signer {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>, RawSignerError> {
+        use ed25519_dalek::Signer;
+
+        Ok(self
+            .signing_key
+            .try_sign(data)
+            .map_err(|e| RawSignerError::InternalError(format!("signature error: {e}")))?
+            .to_vec())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ed25519
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.cert_chain_len + self.time_stamp_size
+    }
+
+    fn cert_chain(&self) -> Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.cert_chain.clone())
+    }
+}
+
+impl TimeStampProvider for Ed25519Signer {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.time_stamp_service_url.clone()
+    }
+}
diff --git a/internal/crypto/src/webcrypto/signers/mod.rs b/internal/crypto/src/webcrypto/signers/mod.rs
new file mode 100644
index 000000000..29d195f65
--- /dev/null
+++ b/internal/crypto/src/webcrypto/signers/mod.rs
@@ -0,0 +1,45 @@
+// Copyright 2024 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+use crate::raw_signature::{RawSigner, RawSignerError, SigningAlg};
+
+mod ed25519_signer;
+
+/// Return a built-in [`RawSigner`] instance using the provided signing
+/// certificate and private key.
+///
+/// Which signers are available may vary depending on the platform and which
+/// crate features were enabled.
+///
+/// Returns `None` if the signing algorithm is unsupported. May return an `Err`
+/// response if the certificate chain or private key are invalid.
+pub(crate) fn signer_from_cert_chain_and_private_key(
+    cert_chain: &[u8],
+    private_key: &[u8],
+    alg: SigningAlg,
+    time_stamp_service_url: Option<String>,
+) -> Result<Box<dyn RawSigner + Send + Sync>, RawSignerError> {
+    match alg {
+        SigningAlg::Ed25519 => Ok(Box::new(
+            ed25519_signer::Ed25519Signer::from_cert_chain_and_private_key(
+                cert_chain,
+                private_key,
+                time_stamp_service_url,
+            )?,
+        )),
+
+        _ => Err(RawSignerError::InternalError(format!(
+            "unsupported algorithm: {alg}"
+        ))),
+    }
+}
diff --git a/internal/crypto/src/webcrypto/validators/mod.rs b/internal/crypto/src/webcrypto/validators/mod.rs
index 5e2d5dff4..679e83c0c 100644
--- a/internal/crypto/src/webcrypto/validators/mod.rs
+++ b/internal/crypto/src/webcrypto/validators/mod.rs
@@ -16,10 +16,7 @@
 
 use bcder::Oid;
 
-use crate::{
-    raw_signature::{oids::*, RawSignatureValidator},
-    SigningAlg,
-};
+use crate::raw_signature::{oids::*, RawSignatureValidator, SigningAlg};
 
 mod ecdsa_validator;
 pub use ecdsa_validator::EcdsaValidator;
diff --git a/internal/status-tracker/CHANGELOG.md b/internal/status-tracker/CHANGELOG.md
index 0b7dca1e4..a8b844038 100644
--- a/internal/status-tracker/CHANGELOG.md
+++ b/internal/status-tracker/CHANGELOG.md
@@ -6,6 +6,13 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 The format of this changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [0.2.0](https://github.com/contentauth/c2pa-rs/compare/c2pa-status-tracker-v0.1.0...c2pa-status-tracker-v0.2.0)
+_11 December 2024_
+
+### Added
+
+* Move `validation_codes` from `c2pa-crypto` to `c2pa-status-tracker`
+
 ## [0.1.0](https://github.com/contentauth/c2pa-rs/releases/tag/c2pa-status-tracker-v0.1.0)
 _13 November 2024_
 
diff --git a/internal/status-tracker/Cargo.toml b/internal/status-tracker/Cargo.toml
index 1d6f015c9..101685fb8 100644
--- a/internal/status-tracker/Cargo.toml
+++ b/internal/status-tracker/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "c2pa-status-tracker"
-version = "0.1.0"
+version = "0.2.0"
 description = "Status tracking internals for c2pa-rs crate"
 authors = [
     "Maurice Fisher <mfisher@adobe.com>",
@@ -13,7 +13,7 @@ homepage = "https://contentauthenticity.org"
 repository = "https://github.com/contentauth/c2pa-rs"
 readme = "README.md"
 edition = "2021"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
diff --git a/internal/status-tracker/src/log.rs b/internal/status-tracker/src/log.rs
index b77177c25..2a5075533 100644
--- a/internal/status-tracker/src/log.rs
+++ b/internal/status-tracker/src/log.rs
@@ -44,8 +44,7 @@ use crate::StatusTracker;
 ///         file: Cow::Borrowed(file!()),
 ///         function: Cow::Borrowed("test func"),
 ///         line: log.line,
-///         err_val: None,
-///         validation_status: None,
+///         ..Default::default()
 ///     }
 /// );
 /// #
@@ -63,8 +62,7 @@ macro_rules! log_item {
             function: $function.into(),
             line: line!(),
             description: $description.into(),
-            err_val: None,
-            validation_status: None,
+            ..Default::default()
         }
     }};
 }
@@ -103,6 +101,27 @@ pub struct LogItem {
 
     /// C2PA validation status code
     pub validation_status: Option<Cow<'static, str>>,
+
+    /// Ingredient URI (for ingredient-related logs)
+    pub ingredient_uri: Option<Cow<'static, str>>,
+}
+
+impl Default for LogItem {
+    fn default() -> Self {
+        LogItem {
+            kind: LogKind::Success,
+            label: Cow::Borrowed(""),
+            description: Cow::Borrowed(""),
+            crate_name: env!("CARGO_PKG_NAME").into(),
+            crate_version: env!("CARGO_PKG_VERSION").into(),
+            file: Cow::Borrowed(""),
+            function: Cow::Borrowed(""),
+            line: 0,
+            err_val: None,
+            validation_status: None,
+            ingredient_uri: None,
+        }
+    }
 }
 
 impl LogItem {
@@ -126,8 +145,8 @@ impl LogItem {
     ///         file: Cow::Borrowed(file!()),
     ///         function: Cow::Borrowed("test func"),
     ///         line: 7,
-    ///         err_val: None,
     ///         validation_status: Some(Cow::Borrowed("claim.missing")),
+    ///         ..Default::default()
     ///     }
     /// );
     /// ```
@@ -139,6 +158,22 @@ impl LogItem {
         }
     }
 
+    /// Add an ingredient URI.
+    ///
+    /// ## Example
+    ///
+    /// ```
+    /// # use std::borrow::Cow;
+    /// # use c2pa_status_tracker::{log_item, LogKind, LogItem};
+    /// let log = log_item!("test1", "test item 1", "test func")
+    ///     .set_ingredient_uri("self#jumbf=/c2pa/contentauth:urn:uuid:bef41f24-13aa-4040-8efa-08e5e85c4a00/c2pa.assertions/c2pa.ingredient__1");
+    pub fn set_ingredient_uri<S: Into<String>>(self, uri: S) -> Self {
+        LogItem {
+            ingredient_uri: Some(uri.into().into()),
+            ..self
+        }
+    }
+
     /// Set the log item kind to [`LogKind::Success`] and add it to the
     /// [`StatusTracker`].
     pub fn success(mut self, tracker: &mut impl StatusTracker) {
@@ -164,7 +199,6 @@ impl LogItem {
     pub fn failure<E: Debug>(mut self, tracker: &mut impl StatusTracker, err: E) -> Result<(), E> {
         self.kind = LogKind::Failure;
         self.err_val = Some(format!("{err:?}").into());
-
         tracker.add_error(self, err)
     }
 
diff --git a/internal/status-tracker/src/status_tracker/detailed.rs b/internal/status-tracker/src/status_tracker/detailed.rs
index 1ded4f61c..c9f68ad13 100644
--- a/internal/status-tracker/src/status_tracker/detailed.rs
+++ b/internal/status-tracker/src/status_tracker/detailed.rs
@@ -22,6 +22,7 @@ use crate::{LogItem, StatusTracker};
 #[derive(Debug, Default)]
 pub struct DetailedStatusTracker {
     logged_items: Vec<LogItem>,
+    ingredient_uris: Vec<String>,
 }
 
 impl DetailedStatusTracker {
@@ -49,12 +50,26 @@ impl StatusTracker for DetailedStatusTracker {
         &self.logged_items
     }
 
-    fn add_non_error(&mut self, log_item: LogItem) {
+    fn add_non_error(&mut self, mut log_item: LogItem) {
+        if let Some(ingredient_uri) = self.ingredient_uris.last() {
+            log_item.ingredient_uri = Some(ingredient_uri.to_string().into());
+        }
         self.logged_items.push(log_item);
     }
 
-    fn add_error<E>(&mut self, log_item: LogItem, _err: E) -> Result<(), E> {
+    fn add_error<E>(&mut self, mut log_item: LogItem, _err: E) -> Result<(), E> {
+        if let Some(ingredient_uri) = self.ingredient_uris.last() {
+            log_item.ingredient_uri = Some(ingredient_uri.to_string().into());
+        }
         self.logged_items.push(log_item);
         Ok(())
     }
+
+    fn push_ingredient_uri<S: Into<String>>(&mut self, uri: S) {
+        self.ingredient_uris.push(dbg!(uri.into()));
+    }
+
+    fn pop_ingredient_uri(&mut self) -> Option<String> {
+        dbg!(self.ingredient_uris.pop())
+    }
 }
diff --git a/internal/status-tracker/src/status_tracker/mod.rs b/internal/status-tracker/src/status_tracker/mod.rs
index 7081fa9e7..9e74ff6b5 100644
--- a/internal/status-tracker/src/status_tracker/mod.rs
+++ b/internal/status-tracker/src/status_tracker/mod.rs
@@ -80,6 +80,16 @@ pub trait StatusTracker: Debug + Send {
             }
         })
     }
+
+    /// Keeps track of the current ingredient URI, if any.
+    ///
+    /// The current uri may be added to any log items created
+    fn push_ingredient_uri<S: Into<String>>(&mut self, _uri: S) {}
+
+    /// Removes the current ingredient URI, if any.
+    fn pop_ingredient_uri(&mut self) -> Option<String> {
+        None
+    }
 }
 
 pub(crate) mod detailed;
diff --git a/internal/status-tracker/src/tests/log.rs b/internal/status-tracker/src/tests/log.rs
index e859ce2ef..c875369d4 100644
--- a/internal/status-tracker/src/tests/log.rs
+++ b/internal/status-tracker/src/tests/log.rs
@@ -32,6 +32,7 @@ fn r#macro() {
             line: log.line,
             err_val: None,
             validation_status: None,
+            ..Default::default()
         }
     );
 
@@ -56,6 +57,7 @@ fn macro_from_string() {
             line: log.line,
             err_val: None,
             validation_status: None,
+            ..Default::default()
         }
     );
 
@@ -82,6 +84,7 @@ fn success() {
             line: log_item.line,
             err_val: None,
             validation_status: None,
+            ingredient_uri: None,
         }
     );
 }
@@ -106,6 +109,7 @@ fn informational() {
             line: log_item.line,
             err_val: None,
             validation_status: None,
+            ..Default::default()
         }
     );
 }
@@ -132,6 +136,7 @@ fn failure() {
             line: log_item.line,
             err_val: Some(Cow::Borrowed("\"sample error message\"")),
             validation_status: None,
+            ..Default::default()
         }
     );
 }
@@ -156,7 +161,7 @@ fn failure_no_throw() {
             function: Cow::Borrowed("test func"),
             line: log_item.line,
             err_val: Some(Cow::Borrowed("\"sample error message\"")),
-            validation_status: None,
+            ..Default::default()
         }
     );
 }
@@ -179,6 +184,7 @@ fn validation_status() {
             line: log_item.line,
             err_val: None,
             validation_status: Some(Cow::Borrowed("claim.missing")),
+            ..Default::default()
         }
     );
 }
diff --git a/internal/status-tracker/src/validation_codes.rs b/internal/status-tracker/src/validation_codes.rs
index 466caca59..204c01eb0 100644
--- a/internal/status-tracker/src/validation_codes.rs
+++ b/internal/status-tracker/src/validation_codes.rs
@@ -293,7 +293,7 @@ pub const GENERAL_ERROR: &str = "general.error";
 /// Returns `false` if the status code is a known C2PA failure status
 /// code or is unknown.
 ///
-/// # Examples
+/// ## Examples
 ///
 /// ```
 /// use c2pa_status_tracker::validation_codes::*;
diff --git a/make_test_images/Cargo.toml b/make_test_images/Cargo.toml
index d1e9599ce..9ecbaeb7e 100644
--- a/make_test_images/Cargo.toml
+++ b/make_test_images/Cargo.toml
@@ -4,25 +4,28 @@ version = "0.36.1"
 authors = ["Gavin Peacock <gpeacock@adobe.com>"]
 license = "MIT OR Apache-2.0"
 edition = "2021"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
+
+[[bin]]
+name = "make_test_images"
+required-features = ["default"]
 
 [dependencies]
 anyhow = "1.0.40"
-c2pa = { path = "../sdk", default-features = false, features = [
-	"file_io",
-	"openssl_sign",
-	"unstable_api",
-	"file_io",
-] }
+c2pa = { path = "../sdk", default-features = false, features = ["unstable_api"] }
 env_logger = "0.11"
 log = "0.4.8"
 image = { version = "0.25.2", default-features = false, features = [
 	"jpeg",
 	"png",
 ] }
-memchr = "2.7.1"
+memchr = "2.7.4"
 nom = "7.1.3"
 regex = "1.5.6"
 serde = "1.0.197"
 serde_json = { version = "1.0.117", features = ["preserve_order"] }
 tempfile = "3.10.1"
+
+[features]
+# prevents these features from being always enabled in the workspace
+default = ["c2pa/openssl_sign", "c2pa/file_io"]
diff --git a/release-plz.toml b/release-plz.toml
index 58ed69220..fe0fe3e01 100644
--- a/release-plz.toml
+++ b/release-plz.toml
@@ -47,14 +47,17 @@ changelog_path = "./CHANGELOG.md"
 # of in the `sdk` folder (which would be the default).
 
 [[package]]
-name = "c2pa-crypto"
+name = "c2pa-status-tracker"
 
 [[package]]
-name = "c2pa-status-tracker"
+name = "c2pa-crypto"
 
 [[package]]
 name = "cawg-identity"
 
+[[package]]
+name = "c2patool"
+
 [[package]]
 name = "export_schema"
 publish = false
diff --git a/sdk/Cargo.toml b/sdk/Cargo.toml
index ebbc25c2c..8a1277057 100644
--- a/sdk/Cargo.toml
+++ b/sdk/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "c2pa"
-version = "0.39.0"
+version = "0.40.0"
 description = "Rust SDK for C2PA (Coalition for Content Provenance and Authenticity) implementors"
 authors = [
     "Maurice Fisher <mfisher@adobe.com>",
@@ -18,7 +18,7 @@ readme = "../README.md"
 keywords = ["xmp", "metadata"]
 categories = ["api-bindings"]
 edition = "2021"
-rust-version = "1.76.0"
+rust-version = "1.81.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
@@ -28,12 +28,11 @@ rustdoc-args = ["--cfg", "docsrs"]
 [features]
 default = ["v1_api"]
 add_thumbnails = ["image"]
-psxxx_ocsp_stapling_experimental = []
 file_io = ["openssl_sign"]
 serialize_thumbnails = []
 no_interleaved_io = ["file_io"]
 fetch_remote_manifests = []
-openssl = ["dep:openssl", "c2pa-crypto/openssl"]
+openssl = ["c2pa-crypto/openssl"]
 openssl_sign = ["openssl", "c2pa-crypto/openssl"]
 json_schema = ["dep:schemars", "c2pa-crypto/json_schema"]
 pdf = ["dep:lopdf"]
@@ -64,7 +63,7 @@ required-features = ["unstable_api"]
 crate-type = ["lib"]
 
 [dependencies]
-asn1-rs = "0.5.2"
+asn1-rs = "0.6.2"
 async-generic = "1.1"
 async-recursion = "1.1.1"
 async-trait = { version = "0.1.77" }
@@ -73,13 +72,13 @@ bcder = "0.7.3"
 bytes = "1.7.2"
 byteorder = { version = "1.4.3", default-features = false }
 byteordered = "0.6.0"
-c2pa-crypto = { path = "../internal/crypto", version = "0.1.2" }
-c2pa-status-tracker = { path = "../internal/status-tracker", version = "0.1.0" }
-chrono = { version = "0.4.38", default-features = false, features = [
+c2pa-crypto = { path = "../internal/crypto", version = "0.2.0" }
+c2pa-status-tracker = { path = "../internal/status-tracker", version = "0.2.0" }
+chrono = { version = "0.4.39", default-features = false, features = [
     "serde",
     "wasmbind",
 ] }
-ciborium = "0.2.0"
+ciborium = "0.2.2"
 config = { version = "0.14.0", default-features = false, features = [
     "json",
     "json5",
@@ -96,20 +95,20 @@ hex = "0.4.3"
 # Version 1.13.0 doesn't compile under Rust < 1.75, pinning to 1.12.0
 id3 = "=1.14.0"
 img-parts = "0.3.0"
-jfifdump = "0.5.1"
+jfifdump = "0.6.0"
 log = "0.4.8"
 lopdf = { version = "0.31.0", optional = true }
 lazy_static = "1.4.0"
-memchr = "2.7.1"
+memchr = "2.7.4"
 mp4 = "0.14.0"
 pem = "3.0.2"
 png_pong = "0.9.1"
 rand = "0.8.5"
 rand_chacha = "0.3.1"
 range-set = "0.0.11"
-rasn-ocsp = "0.18.0"
-rasn-pkix = "0.18.0"
-rasn = "0.18.0"
+rasn-ocsp = "0.22.0"
+rasn-pkix = "0.22.0"
+rasn = "0.22.0"
 riff = "2.0.0"
 schemars = { version = "0.8.21", optional = true }
 serde = { version = "1.0.197", features = ["derive"] }
@@ -122,13 +121,13 @@ serde-transcode = "1.1.1"
 sha1 = "0.10.6"
 sha2 = "0.10.6"
 tempfile = "3.10.1"
-thiserror = "1.0.61"
+thiserror = "2.0.8"
 treeline = "0.1.0"
 url = "2.5.3"
 uuid = { version = "1.10.0", features = ["serde", "v4", "js"] }
 x509-parser = "0.16.0"
 x509-certificate = "0.21.0"
-zip = { version = "0.6.6", default-features = false }
+zip = { version = "2.2.1", default-features = false }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 ureq = "2.4.0"
@@ -136,19 +135,14 @@ image = { version = "0.24.7", default-features = false, features = [
     "jpeg",
     "png",
 ], optional = true }
-instant = "0.1.12"
-openssl = { version = "0.10.61", features = ["vendored"], optional = true }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 console_log = { version = "1.0.0", features = ["color"] }
 getrandom = { version = "0.2.7", features = ["js"] }
-# We need to use the `inaccurate` flag here to ensure usage of the JavaScript Date API
-# to handle certificate timestamp checking correctly.
-instant = { version = "0.1.12", features = ["wasm-bindgen", "inaccurate"] }
 js-sys = "0.3.58"
 rand_core = "0.9.0-alpha.2"
 rsa = { version = "0.9.6", features = ["sha2"] }
-serde-wasm-bindgen = "0.5.0"
+serde-wasm-bindgen = "0.6.5"
 spki = "0.7.3"
 wasm-bindgen = "0.2.83"
 wasm-bindgen-futures = "0.4.31"
@@ -162,8 +156,8 @@ web-sys = { version = "0.3.58", features = [
 
 [dev-dependencies]
 anyhow = "1.0.40"
-mockall = "0.11.2"
-c2pa = { path = ".", features = [
+mockall = "0.13.1"
+c2pa = { path = ".", default-features = false, features = [
     "unstable_api",
 ] } # allow integration tests to use the new API
 glob = "0.3.1"
diff --git a/sdk/examples/client/client.rs b/sdk/examples/client/client.rs
index d0ae786f9..38a9ba960 100644
--- a/sdk/examples/client/client.rs
+++ b/sdk/examples/client/client.rs
@@ -20,7 +20,7 @@ use c2pa::{
     assertions::{c2pa_action, labels, Action, Actions, CreativeWork, Exif, SchemaDotOrgPerson},
     create_signer, Builder, ClaimGeneratorInfo, Ingredient, Reader, Relationship,
 };
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 
 const GENERATOR: &str = "test_app";
 const INDENT_SPACE: usize = 2;
diff --git a/sdk/examples/client/main.rs b/sdk/examples/client/main.rs
index e2ebfaadc..87eb85bbd 100644
--- a/sdk/examples/client/main.rs
+++ b/sdk/examples/client/main.rs
@@ -15,10 +15,10 @@ use anyhow::Result;
 // This example is not designed to work with a wasm build
 // so we provide this shell to avoid testing errors
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(feature = "openssl")]
 mod client;
 fn main() -> Result<()> {
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg(feature = "openssl")]
     client::main()?;
     Ok(())
 }
diff --git a/sdk/examples/data_hash.rs b/sdk/examples/data_hash.rs
index 92dc0d2d7..a297a45ec 100644
--- a/sdk/examples/data_hash.rs
+++ b/sdk/examples/data_hash.rs
@@ -20,30 +20,32 @@ use std::{
     path::{Path, PathBuf},
 };
 
+#[cfg(feature = "openssl_sign")]
+use c2pa::create_signer;
 #[cfg(not(target_arch = "wasm32"))]
 use c2pa::{
     assertions::{
         c2pa_action, labels::*, Action, Actions, CreativeWork, DataHash, Exif, SchemaDotOrgPerson,
     },
-    create_signer, hash_stream_by_alg, Builder, ClaimGeneratorInfo, HashRange, Ingredient, Reader,
-    Relationship, Result,
+    hash_stream_by_alg, Builder, ClaimGeneratorInfo, HashRange, Ingredient, Reader, Relationship,
+    Result,
 };
 #[cfg(not(target_arch = "wasm32"))]
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 
 fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
     println!("DataHash demo");
 
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
     user_data_hash_with_sdk_hashing()?;
     println!("Done with SDK hashing1");
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
     user_data_hash_with_user_hashing()?;
     println!("Done with SDK hashing2");
     Ok(())
 }
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(feature = "file_io")]
 fn builder_from_source<S: AsRef<Path>>(source: S) -> Result<Builder> {
     let mut parent = Ingredient::from_file(source.as_ref())?;
     parent.set_relationship(Relationship::ParentOf);
@@ -86,7 +88,7 @@ fn builder_from_source<S: AsRef<Path>>(source: S) -> Result<Builder> {
     Ok(builder)
 }
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(all(feature = "openssl_sign", feature = "file_io"))]
 fn user_data_hash_with_sdk_hashing() -> Result<()> {
     // You will often implement your own Signer trait to perform on device signing
     let signcert_path = "sdk/tests/fixtures/certs/es256.pub";
@@ -146,7 +148,7 @@ fn user_data_hash_with_sdk_hashing() -> Result<()> {
     Ok(())
 }
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(all(feature = "openssl_sign", feature = "file_io"))]
 fn user_data_hash_with_user_hashing() -> Result<()> {
     // You will often implement your own Signer trait to perform on device signing
     let signcert_path = "sdk/tests/fixtures/certs/es256.pub";
@@ -166,7 +168,7 @@ fn user_data_hash_with_user_hashing() -> Result<()> {
         .write(true)
         .create(true)
         .truncate(true)
-        .open(&dest)?;
+        .open(dest)?;
 
     let mut builder = builder_from_source(&source)?;
     // get the composed manifest ready to insert into a file (returns manifest of same length as finished manifest)
diff --git a/sdk/examples/show.rs b/sdk/examples/show.rs
index 876fd0b3f..600c24c4c 100644
--- a/sdk/examples/show.rs
+++ b/sdk/examples/show.rs
@@ -15,7 +15,7 @@
 use anyhow::Result;
 use c2pa::Reader;
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(feature = "openssl")]
 fn main() -> Result<()> {
     let args: Vec<String> = std::env::args().collect();
     if args.len() > 1 {
diff --git a/sdk/examples/v2api.rs b/sdk/examples/v2api.rs
index ac2dd503e..d1811ceca 100644
--- a/sdk/examples/v2api.rs
+++ b/sdk/examples/v2api.rs
@@ -16,7 +16,7 @@ use std::io::{Cursor, Seek};
 
 use anyhow::Result;
 use c2pa::{settings::load_settings_from_str, Builder, CallbackSigner, Reader};
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 use serde_json::json;
 
 const TEST_IMAGE: &[u8] = include_bytes!("../tests/fixtures/CA.jpg");
@@ -151,7 +151,7 @@ fn main() -> Result<()> {
     }
 
     println!("{}", reader.json());
-    assert!(reader.validation_status().is_none());
+    assert_eq!(reader.validation_status(), None);
     assert_eq!(reader.active_manifest().unwrap().title().unwrap(), title);
 
     Ok(())
@@ -175,6 +175,7 @@ mod tests {
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
     async fn test_v2_api() -> Result<()> {
         main()
     }
diff --git a/sdk/examples/v2show.rs b/sdk/examples/v2show.rs
index 62c2fb909..06620fda9 100644
--- a/sdk/examples/v2show.rs
+++ b/sdk/examples/v2show.rs
@@ -14,12 +14,12 @@
 //! Example App that generates a manifest store listing for a given file
 
 use anyhow::Result;
-#[cfg(target_arch = "wasm32")]
+#[cfg(any(not(feature = "openssl"), target_arch = "wasm32"))]
 fn main() -> Result<()> {
     Ok(())
 }
 
-#[cfg(not(target_arch = "wasm32"))]
+#[cfg(all(feature = "openssl", not(target_arch = "wasm32")))]
 fn main() -> Result<()> {
     use std::io::Read;
 
diff --git a/sdk/src/assertions/actions.rs b/sdk/src/assertions/actions.rs
index 02407e877..ae5d73e15 100644
--- a/sdk/src/assertions/actions.rs
+++ b/sdk/src/assertions/actions.rs
@@ -291,6 +291,7 @@ impl Action {
     }
 
     // Internal function to return any ingredients referenced by this action.
+    #[allow(dead_code)] // not used in some scenarios
     pub(crate) fn ingredient_ids(&mut self) -> Option<Vec<String>> {
         match self.get_parameter(CAI_INGREDIENT_IDS) {
             Some(Value::Array(ids)) => {
diff --git a/sdk/src/assertions/bmff_hash.rs b/sdk/src/assertions/bmff_hash.rs
index d97383b46..8b0f09421 100644
--- a/sdk/src/assertions/bmff_hash.rs
+++ b/sdk/src/assertions/bmff_hash.rs
@@ -1259,7 +1259,7 @@ pub mod tests {
     //use super::*;
     use crate::utils::test::fixture_path;
 
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg(feature = "openssl")]
     #[test]
     fn test_fragemented_mp4() {
         use crate::{
diff --git a/sdk/src/asset_handlers/bmff_io.rs b/sdk/src/asset_handlers/bmff_io.rs
index a1879732c..61cacb3e1 100644
--- a/sdk/src/asset_handlers/bmff_io.rs
+++ b/sdk/src/asset_handlers/bmff_io.rs
@@ -1708,7 +1708,7 @@ impl RemoteRefEmbed for BmffIO {
                 let xmp = match self.get_reader().read_xmp(input_stream) {
                     Some(xmp) => add_provenance(&xmp, &manifest_uri)?,
                     None => {
-                        let xmp = format!("http://ns.adobe.com/xap/1.0/\0 {}", MIN_XMP);
+                        let xmp = MIN_XMP.to_string();
                         add_provenance(&xmp, &manifest_uri)?
                     }
                 };
@@ -1853,8 +1853,7 @@ pub mod tests {
     use super::*;
     use crate::utils::test::{fixture_path, temp_dir_path};
 
-    #[cfg(not(target_arch = "wasm32"))]
-    #[cfg(feature = "file_io")]
+    #[cfg(all(feature = "openssl", feature = "file_io"))]
     #[test]
     fn test_read_mp4() {
         use c2pa_status_tracker::DetailedStatusTracker;
diff --git a/sdk/src/asset_handlers/c2pa_io.rs b/sdk/src/asset_handlers/c2pa_io.rs
index 400122525..0db895ac7 100644
--- a/sdk/src/asset_handlers/c2pa_io.rs
+++ b/sdk/src/asset_handlers/c2pa_io.rs
@@ -146,13 +146,17 @@ pub mod tests {
     #![allow(clippy::expect_used)]
     #![allow(clippy::unwrap_used)]
 
+    use c2pa_crypto::raw_signature::SigningAlg;
     use c2pa_status_tracker::OneShotStatusTracker;
     use tempfile::tempdir;
 
     use super::{AssetIO, C2paIO, CAIReader, CAIWriter};
     use crate::{
         store::Store,
-        utils::test::{fixture_path, temp_dir_path, temp_signer},
+        utils::{
+            test::{fixture_path, temp_dir_path},
+            test_signer::test_signer,
+        },
     };
 
     #[test]
@@ -171,7 +175,7 @@ pub mod tests {
         let store = Store::load_from_asset(&temp_path, false, &mut OneShotStatusTracker::default())
             .expect("loading store");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let manifest2 = store.to_jumbf(signer.as_ref()).expect("to_jumbf");
         assert_eq!(&manifest, &manifest2);
diff --git a/sdk/src/asset_handlers/gif_io.rs b/sdk/src/asset_handlers/gif_io.rs
index b1c165418..d84e122e6 100644
--- a/sdk/src/asset_handlers/gif_io.rs
+++ b/sdk/src/asset_handlers/gif_io.rs
@@ -201,7 +201,7 @@ impl RemoteRefEmbed for GifIO {
                     // TODO: we read xmp here, then search for it again after, we can cache it
                     &self
                         .read_xmp(source_stream)
-                        .unwrap_or_else(|| format!("http://ns.adobe.com/xap/1.0/\0 {}", MIN_XMP)),
+                        .unwrap_or_else(|| MIN_XMP.to_string()),
                     &url,
                 )?;
 
@@ -1132,7 +1132,9 @@ impl DataSubBlocks {
 
 #[cfg(test)]
 mod tests {
+    #![allow(clippy::unwrap_used)]
     use io::{Cursor, Seek};
+    use xmp_inmemory_utils::extract_provenance;
 
     use super::*;
 
@@ -1459,7 +1461,7 @@ mod tests {
 
         let gif_io = GifIO {};
 
-        assert!(gif_io.read_xmp(&mut stream).is_none());
+        assert_eq!(gif_io.read_xmp(&mut stream), None);
 
         let mut output_stream1 = Cursor::new(Vec::with_capacity(SAMPLE1.len()));
         gif_io.embed_reference_to_stream(
@@ -1468,8 +1470,9 @@ mod tests {
             RemoteRefEmbedType::Xmp("Test".to_owned()),
         )?;
 
-        let xmp = gif_io.read_xmp(&mut output_stream1);
-        assert_eq!(xmp, Some("http://ns.adobe.com/xap/1.0/\0<?xpacket begin=\"\" id=\"W5M0MpCehiHzreSzNTczkc9d\"?>\n<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"XMP Core 6.0.0\">\n  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n    <rdf:Description rdf:about=\"\" xmlns:dcterms=\"http://purl.org/dc/terms/\" dcterms:provenance=\"Test\">\n    </rdf:Description>\n  </rdf:RDF>\n</x:xmpmeta>".to_owned()));
+        let xmp = gif_io.read_xmp(&mut output_stream1).unwrap();
+        let p = extract_provenance(&xmp).unwrap();
+        assert_eq!(&p, "Test");
 
         Ok(())
     }
diff --git a/sdk/src/asset_handlers/jpeg_io.rs b/sdk/src/asset_handlers/jpeg_io.rs
index e0296c982..c8dce6b3f 100644
--- a/sdk/src/asset_handlers/jpeg_io.rs
+++ b/sdk/src/asset_handlers/jpeg_io.rs
@@ -141,7 +141,13 @@ fn get_cai_segments(jpeg: &img_parts::jpeg::Jpeg) -> Result<Vec<usize>> {
                 cai_segs.push(i);
             } else {
                 // check if this is a CAI JUMBF block
-                let jumb_type = &raw_vec.as_mut_slice()[24..28];
+                let jumb_type = &raw_vec
+                    .as_mut_slice()
+                    .get(24..28)
+                    .ok_or(Error::InvalidAsset(
+                        "Invalid JPEG CAI JUMBF block".to_string(),
+                    ))?;
+
                 let is_cai = vec_compare(&C2PA_MARKER, jumb_type);
                 if is_cai {
                     cai_segs.push(i);
@@ -304,7 +310,9 @@ impl CAIWriter for JpegIO {
             if seg > 1 {
                 // the LBox and TBox are already in the JUMBF
                 // but we need to duplicate them in all other segments
-                let lbox_tbox = &store_bytes[..8];
+                let lbox_tbox = store_bytes
+                    .get(0..8)
+                    .ok_or(Error::InvalidAsset("Store bytes too short".to_string()))?;
                 seg_data.extend(lbox_tbox);
             }
             if seg_chucks.len() > 0 {
@@ -318,7 +326,11 @@ impl CAIWriter for JpegIO {
 
             let seg_bytes = Bytes::from(seg_data);
             let app11_segment = JpegSegment::new_with_contents(markers::APP11, seg_bytes);
-            jpeg.segments_mut().insert(seg, app11_segment); // we put this in the beginning...
+            if seg <= jpeg.segments().len() {
+                jpeg.segments_mut().insert(seg, app11_segment); // we put this in the beginning...
+            } else {
+                return Err(Error::InvalidAsset("JPEG JUMBF segment error".to_owned()));
+            }
         }
 
         output_stream.rewind()?;
@@ -377,7 +389,12 @@ impl CAIWriter for JpegIO {
                                     positions.push(v);
                                 } else {
                                     // check if this is a CAI JUMBF block
-                                    let jumb_type = raw_vec.as_mut_slice()[24..28].to_vec();
+                                    let jumb_type = raw_vec
+                                        .get(24..28)
+                                        .ok_or(Error::InvalidAsset(
+                                            "Invalid JPEG CAI JUMBF block".to_string(),
+                                        ))?
+                                        .to_vec();
                                     let is_cai = vec_compare(&C2PA_MARKER, &jumb_type);
                                     if is_cai {
                                         cai_seg_cnt = 1;
@@ -794,11 +811,22 @@ fn make_box_maps(input_stream: &mut dyn CAIRead) -> Result<Vec<BoxMap>> {
                     if cai_seg_cnt > 0 && is_cai_continuation {
                         cai_seg_cnt += 1;
 
-                        let cai_bm = &mut box_maps[cai_index];
-                        cai_bm.range_len += raw_bytes.len() + 4;
+                        if let Some(cai_bm) = box_maps.get_mut(cai_index) {
+                            cai_bm.range_len += raw_bytes.len() + 4;
+                        } else {
+                            return Err(Error::InvalidAsset(
+                                "CAI segment index out of bounds".to_string(),
+                            ));
+                        }
                     } else {
                         // check if this is a CAI JUMBF block
-                        let jumb_type = raw_vec.as_mut_slice()[24..28].to_vec();
+                        let jumb_type = raw_vec
+                            .as_mut_slice()
+                            .get(24..28)
+                            .ok_or(Error::InvalidAsset(
+                                "Invalid JPEG CAI JUMBF block".to_string(),
+                            ))?
+                            .to_vec();
                         let is_cai = vec_compare(&C2PA_MARKER, &jumb_type);
                         if is_cai {
                             cai_seg_cnt = 1;
@@ -992,13 +1020,15 @@ impl AssetBoxHash for JpegIO {
         let mut box_maps = make_box_maps(input_stream)?;
 
         for bm in box_maps.iter_mut() {
-            if bm.names[0] == C2PA_BOXHASH {
-                continue;
+            if let Some(name) = bm.names.first() {
+                if name == C2PA_BOXHASH {
+                    continue;
+                }
             }
 
             input_stream.seek(std::io::SeekFrom::Start(bm.range_start as u64))?;
 
-            let size = if bm.names[0] == "SOS" {
+            let size = if bm.names.first().is_some_and(|name| name == "SOS") {
                 let mut size = get_seg_size(input_stream)?;
 
                 input_stream.seek(std::io::SeekFrom::Start((bm.range_start + size) as u64))?;
@@ -1050,7 +1080,9 @@ impl ComposedManifestRef for JpegIO {
             if seg > 1 {
                 // the LBox and TBox are already in the JUMBF
                 // but we need to duplicate them in all other segments
-                let lbox_tbox = &manifest_data[..8];
+                let lbox_tbox = manifest_data
+                    .get(0..8)
+                    .ok_or(Error::InvalidAsset("Manifest data too short".to_string()))?;
                 seg_data.extend(lbox_tbox);
             }
             if seg_chucks.len() > 0 {
@@ -1281,4 +1313,64 @@ pub mod tests {
 
         assert_eq!(&curr_manifest, &restored_manifest);
     }
+
+    #[test]
+    fn test_crash_write_cai() {
+        let data = [
+            0xff, 0xd8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd9, 0x00, 0x00, 0x00, 0x06, 0xc9,
+        ];
+
+        let mut stream = Cursor::new(&data);
+
+        let jpeg_io = JpegIO {};
+
+        let result = jpeg_io.get_object_locations_from_stream(&mut stream);
+        assert!(matches!(result, Err(Error::InvalidAsset(_))));
+    }
+
+    #[test]
+    fn test_crash_get_cai_segments() {
+        let data = [
+            0xff, 0xd8, 0xff, 0xfd, 0x60, 0xff, 0xff, 0xeb, 0x00, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b,
+            0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b,
+            0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b,
+            0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b,
+            0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b,
+            0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x27, 0xc2, 0xb8, 0x00, 0x00,
+            0xa3, 0x54, 0x8d, 0x8a, 0xff, 0x0b, 0x50, 0x50, 0x49, 0xff, 0xfb, 0xfb, 0xfb, 0xfb,
+            0xfb, 0xfb, 0xfb, 0xfb, 0x00, 0x00, 0x00, 0x00, 0xf3, 0xff, 0x55, 0xff, 0xd8, 0xff,
+            0x89, 0x50, 0x4e, 0x47, 0x52, 0x49, 0x46, 0x51, 0x42, 0x45, 0x57, 0x46, 0xff, 0xff,
+            0x00, 0xff, 0xff, 0xd8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xd8, 0xe5,
+            0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5,
+            0xe5, 0xe5, 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0x52, 0x00, 0x04, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xec,
+            0xe5, 0xe5, 0xe5, 0xe5, 0x50, 0x4e, 0x47, 0xda, 0x3a, 0x10, 0xff, 0x60, 0xff, 0xff,
+            0x53, 0x00, 0x00, 0x00, 0x52, 0x49, 0x46, 0x46, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5,
+            0xff, 0xff, 0xff, 0xff, 0xff, 0x52, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xec, 0xe5, 0xe5, 0xe5,
+            0xe5, 0x50, 0x4e, 0x47, 0xda, 0x00, 0x10, 0xff, 0x60, 0xff, 0xff, 0xeb, 0x00, 0x27,
+            0xc2, 0xb8, 0x00, 0x00, 0xff, 0xff, 0xff, 0x0b, 0x50, 0x52, 0x49, 0xff, 0xa3, 0x01,
+            0x00, 0x00, 0x00, 0xc2, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07,
+            0x28, 0xa4, 0x0d, 0x0a, 0xff, 0x60, 0xff, 0xff, 0xff, 0xff, 0xff, 0x24, 0xff, 0xff,
+            0xff, 0x44, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa3, 0x54, 0xe5, 0xe5,
+            0xe5, 0xe5, 0x50, 0x4e, 0x47, 0xda, 0x3a, 0x10, 0xff, 0x60, 0xff, 0xff, 0xeb, 0x00,
+            0x27, 0xc2, 0xb8, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xff, 0xff,
+            0xff, 0xff, 0xff, 0x52, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xe5, 0xec, 0xe5, 0xe5, 0xe5, 0xe5, 0x50,
+            0x4e, 0x47, 0xda, 0x00, 0x10, 0xff, 0x60, 0xff, 0xff, 0xeb, 0x00, 0x27, 0xc2, 0xb8,
+            0x00, 0x00, 0xff, 0xff, 0xff, 0x0b, 0x89, 0x50, 0x4e, 0x47, 0x53, 0x00, 0x00, 0x00,
+            0x52, 0x49, 0x46, 0x46, 0x0d, 0x0a, 0x1a, 0x0a, 0x50, 0x52, 0x49, 0xff, 0xa3, 0x01,
+            0x00, 0x00, 0x00, 0xc2, 0xb8, 0xff, 0x07, 0xff, 0x60, 0x25, 0xff, 0xff, 0xff, 0xff,
+            0xdf, 0x24, 0xff, 0xff, 0x00, 0x00, 0xf3, 0xff, 0xff, 0x24, 0xff, 0xff, 0xfb, 0xfb,
+            0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0xfb, 0x00,
+            0x27, 0xc2, 0xff, 0xd9, 0xff, 0x00, 0xff, 0xff,
+        ];
+
+        let mut stream = Cursor::new(&data);
+
+        let jpeg_io = JpegIO {};
+
+        let result = jpeg_io.get_object_locations_from_stream(&mut stream);
+        assert!(matches!(result, Err(Error::InvalidAsset(_))));
+    }
 }
diff --git a/sdk/src/asset_handlers/mp3_io.rs b/sdk/src/asset_handlers/mp3_io.rs
index 371f9e6c0..147aadd72 100644
--- a/sdk/src/asset_handlers/mp3_io.rs
+++ b/sdk/src/asset_handlers/mp3_io.rs
@@ -229,7 +229,7 @@ impl RemoteRefEmbed for Mp3IO {
                 let xmp = xmp_inmemory_utils::add_provenance(
                     &self
                         .read_xmp(source_stream)
-                        .unwrap_or_else(|| format!("http://ns.adobe.com/xap/1.0/\0 {}", MIN_XMP)),
+                        .unwrap_or_else(|| MIN_XMP.to_string()),
                     &url,
                 )?;
                 let frame = Frame::with_content(
@@ -507,6 +507,7 @@ pub mod tests {
     #![allow(clippy::unwrap_used)]
 
     use tempfile::tempdir;
+    use xmp_inmemory_utils::extract_provenance;
 
     use super::*;
     use crate::utils::{
@@ -592,7 +593,7 @@ pub mod tests {
         let mp3_io = Mp3IO::new("mp3");
 
         let mut stream = File::open(fixture_path("sample1.mp3"))?;
-        assert!(mp3_io.read_xmp(&mut stream).is_none());
+        assert_eq!(mp3_io.read_xmp(&mut stream), None);
         stream.rewind()?;
 
         let mut output_stream1 = Cursor::new(Vec::new());
@@ -603,8 +604,10 @@ pub mod tests {
         )?;
         output_stream1.rewind()?;
 
-        let xmp = mp3_io.read_xmp(&mut output_stream1);
-        assert_eq!(xmp, Some("http://ns.adobe.com/xap/1.0/\0<?xpacket begin=\"\" id=\"W5M0MpCehiHzreSzNTczkc9d\"?>\n<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"XMP Core 6.0.0\">\n  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n    <rdf:Description rdf:about=\"\" xmlns:dcterms=\"http://purl.org/dc/terms/\" dcterms:provenance=\"Test\">\n    </rdf:Description>\n  </rdf:RDF>\n</x:xmpmeta>".to_owned()));
+        let xmp = mp3_io.read_xmp(&mut output_stream1).unwrap();
+
+        let p = extract_provenance(&xmp).unwrap();
+        assert_eq!(&p, "Test");
 
         Ok(())
     }
diff --git a/sdk/src/asset_handlers/pdf.rs b/sdk/src/asset_handlers/pdf.rs
index 96d290c89..370b1ee96 100644
--- a/sdk/src/asset_handlers/pdf.rs
+++ b/sdk/src/asset_handlers/pdf.rs
@@ -740,7 +740,7 @@ mod tests {
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
     fn test_read_xmp_on_pdf_with_none() {
         let pdf = Pdf::from_bytes(include_bytes!("../../tests/fixtures/basic-no-xmp.pdf")).unwrap();
-        assert!(pdf.read_xmp().is_none());
+        assert_eq!(pdf.read_xmp(), None);
     }
 
     #[cfg_attr(not(target_arch = "wasm32"), test)]
diff --git a/sdk/src/asset_handlers/pdf_io.rs b/sdk/src/asset_handlers/pdf_io.rs
index a56e35fb2..0210b611a 100644
--- a/sdk/src/asset_handlers/pdf_io.rs
+++ b/sdk/src/asset_handlers/pdf_io.rs
@@ -199,7 +199,7 @@ pub mod tests {
         mock_pdf.expect_read_xmp().returning(|| None);
 
         let pdf_io = PdfIO::new("pdf");
-        assert!(pdf_io.read_xmp_from_pdf(mock_pdf).is_none());
+        assert_eq!(pdf_io.read_xmp_from_pdf(mock_pdf), None);
     }
 
     #[test]
diff --git a/sdk/src/asset_handlers/png_io.rs b/sdk/src/asset_handlers/png_io.rs
index 7577c5d03..3b9eae73e 100644
--- a/sdk/src/asset_handlers/png_io.rs
+++ b/sdk/src/asset_handlers/png_io.rs
@@ -654,7 +654,7 @@ impl RemoteRefEmbed for PngIO {
 
                 let xmp = match self.read_xmp(source_stream) {
                     Some(s) => s,
-                    None => format!("http://ns.adobe.com/xap/1.0/\0 {}", MIN_XMP),
+                    None => MIN_XMP.to_string(),
                 };
 
                 // update XMP
diff --git a/sdk/src/asset_handlers/svg_io.rs b/sdk/src/asset_handlers/svg_io.rs
index 2e6e9b2ab..7a7fefcd9 100644
--- a/sdk/src/asset_handlers/svg_io.rs
+++ b/sdk/src/asset_handlers/svg_io.rs
@@ -12,7 +12,7 @@
 // each license.
 
 use std::{
-    fs::{File, OpenOptions},
+    fs::{self, File, OpenOptions},
     io::{BufReader, Cursor, Seek, SeekFrom, Write},
     path::Path,
 };
@@ -38,9 +38,13 @@ use crate::{
         //HashBlockObjectType,
         HashObjectPositions,
         RemoteRefEmbed,
+        RemoteRefEmbedType,
     },
     error::{Error, Result},
-    utils::io_utils::stream_len,
+    utils::{
+        io_utils::{patch_stream, stream_len, ReaderUtils},
+        xmp_inmemory_utils::{self, MIN_XMP},
+    },
 };
 
 static SUPPORTED_TYPES: [&str; 8] = [
@@ -59,6 +63,8 @@ const METADATA: &str = "metadata";
 const MANIFEST: &str = "c2pa:manifest";
 const MANIFEST_NS: &str = "xmlns:c2pa";
 const MANIFEST_NS_VAL: &str = "http://c2pa.org/manifest";
+const XPACKET: &str = "xpacket";
+const XMP_ID: &str = "W5M0MpCehiHzreSzNTczkc9d";
 
 pub struct SvgIO {}
 
@@ -80,8 +86,9 @@ impl CAIReader for SvgIO {
     }
 
     // Get XMP block
-    fn read_xmp(&self, _asset_reader: &mut dyn CAIRead) -> Option<String> {
-        None
+    fn read_xmp(&self, asset_reader: &mut dyn CAIRead) -> Option<String> {
+        let (xmp, _dtd, _insertion_pt) = read_xmp(asset_reader).ok()?;
+        xmp
     }
 }
 
@@ -153,7 +160,7 @@ impl AssetIO for SvgIO {
     }
 
     fn remote_ref_writer_ref(&self) -> Option<&dyn RemoteRefEmbed> {
-        None
+        Some(self)
     }
 
     fn supported_types(&self) -> &[&str] {
@@ -195,6 +202,7 @@ fn create_manifest_tag(data: &[u8], with_meta: bool) -> Result<Vec<u8>> {
 enum DetectedTagsDepth {
     Metadata,
     Manifest,
+    Xmp,
     Empty,
 }
 
@@ -205,16 +213,11 @@ fn detect_manifest_location(
     input_stream.rewind()?;
 
     let mut buf = Vec::new();
-
     let buf_reader = BufReader::new(input_stream);
-
     let mut xml_reader = Reader::from_reader(buf_reader);
-
     let mut xml_path: Vec<String> = Vec::new();
-
     let mut detected_level = DetectedTagsDepth::Empty;
     let mut insertion_point = 0;
-
     let mut output: Option<Vec<u8>> = None;
 
     loop {
@@ -266,6 +269,79 @@ fn detect_manifest_location(
     Ok((output, detected_level, insertion_point))
 }
 
+fn read_xmp(input_stream: &mut dyn CAIRead) -> Result<(Option<String>, DetectedTagsDepth, usize)> {
+    input_stream.rewind()?;
+
+    let mut insertion_point = usize::try_from(stream_len(input_stream)?)?;
+    let mut buf = Vec::new();
+    let buf_reader = BufReader::new(input_stream);
+    let mut xml_reader = Reader::from_reader(buf_reader);
+    let mut xml_path: Vec<String> = Vec::new();
+    let mut detected_level = DetectedTagsDepth::Empty;
+    let mut output = None;
+
+    loop {
+        match xml_reader.read_event(&mut buf) {
+            Ok(Event::Start(ref e)) => {
+                let name: String = String::from_utf8_lossy(e.name()).into_owned();
+                xml_path.push(name);
+
+                if xml_path.len() == 1 && xml_path[0] == SVG {
+                    detected_level = DetectedTagsDepth::Empty;
+                    insertion_point = xml_reader.buffer_position();
+                }
+
+                if xml_path.len() == 2 && xml_path[0] == SVG && xml_path[1] == METADATA {
+                    detected_level = DetectedTagsDepth::Metadata;
+                    insertion_point = xml_reader.buffer_position();
+                }
+            }
+            Ok(Event::PI(e)) => {
+                let possible_insertion_point = xml_reader.buffer_position();
+                let pi = e.unescape_and_decode(&xml_reader).map_err(|_e| {
+                    Error::InvalidAsset("XML bad processing instructions".to_string())
+                })?;
+
+                if pi.contains(XPACKET) && pi.contains(XMP_ID) {
+                    // reconstruct opening XMP PI tag
+                    let tag = format!("<?{}?>", pi);
+                    // start of xmp xpacket
+                    detected_level = DetectedTagsDepth::Xmp;
+                    // adjust to include the opening XMP PI
+                    insertion_point = possible_insertion_point
+                        .checked_sub(tag.len())
+                        .ok_or(Error::BadParam("file read out of range".into()))?;
+                } else if pi.contains(XPACKET) {
+                    // this has read to the end of xpacket
+                    let xmp_len = possible_insertion_point
+                        .checked_sub(insertion_point)
+                        .ok_or(Error::BadParam("file read out of range".into()))?;
+
+                    let mut reader = xml_reader.into_inner();
+                    reader.seek(SeekFrom::Start(insertion_point as u64))?;
+                    let raw_xmp = reader.read_to_vec(xmp_len as u64)?;
+
+                    let xmp = String::from_utf8(raw_xmp).map_err(|_e| {
+                        Error::InvalidAsset("XML could not convert UTF8".to_string())
+                    })?;
+
+                    // save value and break
+                    output = Some(xmp);
+                    break;
+                }
+            }
+            Ok(Event::End(_)) => {
+                let _p = xml_path.pop();
+            }
+            Ok(Event::Eof) => break,
+            Err(_) => return Err(Error::InvalidAsset("XML invalid".to_string())),
+            _ => (),
+        }
+    }
+
+    Ok((output, detected_level, insertion_point))
+}
+
 fn add_required_segs_to_stream(
     input_stream: &mut dyn CAIRead,
     output_stream: &mut dyn CAIReadWrite,
@@ -399,7 +475,7 @@ impl CAIWriter for SvgIO {
                     buf.clear();
                 }
             }
-            DetectedTagsDepth::Empty => {
+            _ => {
                 //add metadata & manifest case
                 let manifest_data = create_manifest_tag(store_bytes, true)?;
 
@@ -473,7 +549,7 @@ impl CAIWriter for SvgIO {
         let end = manifest_pos + encoded_manifest_len;
         let length = usize::value_from(stream_len(input_stream)?)
             .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?
-            - end;
+            .saturating_sub(end);
         positions.push(HashObjectPositions {
             offset: end,
             length,
@@ -590,6 +666,78 @@ impl AssetPatch for SvgIO {
     }
 }
 
+impl RemoteRefEmbed for SvgIO {
+    fn embed_reference(&self, asset_path: &Path, embed_ref: RemoteRefEmbedType) -> Result<()> {
+        match &embed_ref {
+            RemoteRefEmbedType::Xmp(_) => {
+                let mut input_stream = File::open(asset_path)?;
+                let mut output_stream = Cursor::new(Vec::new());
+                self.embed_reference_to_stream(&mut input_stream, &mut output_stream, embed_ref)?;
+                fs::write(asset_path, output_stream.into_inner())?;
+                Ok(())
+            }
+            _ => Err(Error::UnsupportedType),
+        }
+    }
+
+    fn embed_reference_to_stream(
+        &self,
+        source_stream: &mut dyn CAIRead,
+        output_stream: &mut dyn CAIReadWrite,
+        embed_ref: RemoteRefEmbedType,
+    ) -> Result<()> {
+        match embed_ref {
+            RemoteRefEmbedType::Xmp(url) => {
+                source_stream.rewind()?;
+
+                let (raw_xmp, dtd, insertion_pt) = read_xmp(source_stream)?;
+
+                let xmp = xmp_inmemory_utils::add_provenance(
+                    &raw_xmp.clone().unwrap_or_else(|| MIN_XMP.to_string()),
+                    &url,
+                )?;
+
+                if let Some(raw_xmp) = raw_xmp {
+                    // replace existing
+                    patch_stream(
+                        source_stream,
+                        output_stream,
+                        insertion_pt as u64,
+                        raw_xmp.len() as u64,
+                        xmp.as_bytes(),
+                    )
+                } else {
+                    // insert at location and level
+                    match dtd {
+                        DetectedTagsDepth::Metadata => patch_stream(
+                            source_stream,
+                            output_stream,
+                            insertion_pt as u64,
+                            0,
+                            xmp.as_bytes(),
+                        ),
+                        DetectedTagsDepth::Empty => {
+                            // we have to add metadata tag
+                            let new_xmp = format!("<metadata>{xmp}</metadata>");
+                            patch_stream(
+                                source_stream,
+                                output_stream,
+                                insertion_pt as u64,
+                                0,
+                                new_xmp.as_bytes(),
+                            )
+                        }
+                        _ => Err(Error::OtherError(
+                            "could not determine XML insertion point".into(),
+                        )),
+                    }
+                }
+            }
+            _ => Err(Error::UnsupportedType),
+        }
+    }
+}
+
 #[cfg(test)]
 pub mod tests {
     #![allow(clippy::expect_used)]
@@ -599,6 +747,7 @@ pub mod tests {
     use std::io::Read;
 
     use tempfile::tempdir;
+    use xmp_inmemory_utils::extract_provenance;
 
     use super::*;
     use crate::utils::{
@@ -759,4 +908,108 @@ pub mod tests {
         }
         assert!(success)
     }
+
+    #[test]
+    fn test_xmp_read() {
+        let source = fixture_path("sample1.svg");
+        let mut stream = File::open(&source).unwrap();
+
+        let svg_io = SvgIO::new("svg");
+
+        let xmp = svg_io.read_xmp(&mut stream).unwrap();
+
+        assert!(xmp.starts_with("<?xpacket"));
+        assert!(xmp.ends_with("<?xpacket end=\"w\"?>"));
+        println!("{xmp}")
+    }
+
+    #[test]
+    fn test_add_to_existing_xmp() {
+        let source = fixture_path("sample1.svg");
+        let mut stream = File::open(&source).unwrap();
+        let test_data = "http://mysite.com/somelink";
+        let mut output_stream = Cursor::new(Vec::new());
+
+        let svg_io = SvgIO::new("svg");
+
+        let ref_writer = svg_io.remote_ref_writer_ref().unwrap();
+        ref_writer
+            .embed_reference_to_stream(
+                &mut stream,
+                &mut output_stream,
+                RemoteRefEmbedType::Xmp(test_data.to_string()),
+            )
+            .unwrap();
+
+        output_stream.rewind().unwrap();
+        let xmp = svg_io.read_xmp(&mut output_stream).unwrap();
+
+        assert!(xmp.starts_with("<?xpacket"));
+        assert!(xmp.ends_with("<?xpacket end=\"w\"?>"));
+        assert_eq!(&extract_provenance(&xmp).unwrap(), test_data);
+        println!("{xmp}")
+    }
+
+    #[test]
+    fn test_add_to_no_xmp_and_metadata_tag() {
+        let source = fixture_path("sample2.svg");
+        let mut stream = File::open(&source).unwrap();
+        let test_data = "http://mysite.com/somelink";
+        let mut output_stream = Cursor::new(Vec::new());
+
+        let svg_io = SvgIO::new("svg");
+
+        let ref_writer = svg_io.remote_ref_writer_ref().unwrap();
+        ref_writer
+            .embed_reference_to_stream(
+                &mut stream,
+                &mut output_stream,
+                RemoteRefEmbedType::Xmp(test_data.to_string()),
+            )
+            .unwrap();
+
+        output_stream.rewind().unwrap();
+        let xmp = svg_io.read_xmp(&mut output_stream).unwrap();
+
+        assert!(xmp.starts_with("<?xpacket"));
+        assert!(xmp.ends_with("<?xpacket end=\"w\"?>"));
+        assert_eq!(&extract_provenance(&xmp).unwrap(), test_data);
+        println!("{xmp}");
+    }
+
+    #[test]
+    fn test_add_to_no_xmp_and_no_metadata_tag() {
+        let source = fixture_path("sample5.svg");
+        let mut stream = File::open(&source).unwrap();
+        let test_data = "http://mysite.com/somelink";
+        let mut output_stream = Cursor::new(Vec::new());
+
+        let svg_io = SvgIO::new("svg");
+
+        let ref_writer = svg_io.remote_ref_writer_ref().unwrap();
+        ref_writer
+            .embed_reference_to_stream(
+                &mut stream,
+                &mut output_stream,
+                RemoteRefEmbedType::Xmp(test_data.to_string()),
+            )
+            .unwrap();
+
+        output_stream.rewind().unwrap();
+        let xmp = svg_io.read_xmp(&mut output_stream).unwrap();
+
+        assert!(xmp.starts_with("<?xpacket"));
+        assert!(xmp.ends_with("<?xpacket end=\"w\"?>"));
+        assert_eq!(&extract_provenance(&xmp).unwrap(), test_data);
+        println!("{xmp}");
+    }
+
+    #[test]
+    fn test_crash_integer_underflow() {
+        let data = [0x22, 0x3c, 0x73, 0x76, 0x67];
+        let mut stream = Cursor::new(&data);
+        let svg_io = SvgIO::new("svg");
+
+        let _ = svg_io.get_object_locations_from_stream(&mut stream);
+    }
 }
diff --git a/sdk/src/asset_handlers/tiff_io.rs b/sdk/src/asset_handlers/tiff_io.rs
index b6e75b9be..a3810a87b 100644
--- a/sdk/src/asset_handlers/tiff_io.rs
+++ b/sdk/src/asset_handlers/tiff_io.rs
@@ -395,26 +395,31 @@ where
             let decoded_offset = decode_offset(subifd.value_offset, ts.byte_order, ts.big_tiff)?;
             input.seek(SeekFrom::Start(decoded_offset))?;
 
-            let num_longs = usize::value_from(subifd.value_count)
-                .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
+            let num_longs_x4 = usize::value_from(
+                subifd
+                    .value_count
+                    .checked_mul(4)
+                    .ok_or_else(|| Error::InvalidAsset("value out of range".to_string()))?,
+            )
+            .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
             let mut subfile_offsets = safe_vec(subifd.value_count, Some(0u32))?; // will contain offsets in native endianness
 
-            if num_longs * 4 <= 4 || ts.big_tiff && num_longs * 4 <= 8 {
+            if num_longs_x4 <= 4 || ts.big_tiff && num_longs_x4 <= 8 {
                 let offset_bytes = subifd.value_offset.to_ne_bytes();
                 let offset_reader = Cursor::new(offset_bytes);
 
                 with_order!(offset_reader, ts.byte_order, |src| {
-                    for item in subfile_offsets.iter_mut().take(num_longs) {
+                    for item in subfile_offsets.iter_mut().take(num_longs_x4 / 4) {
                         let s = src.read_u32()?; // read a long from offset
                         *item = s; // write a long in output endian
                     }
                 });
             } else {
-                let buf = input.read_to_vec(num_longs as u64 * 4)?;
+                let buf = input.read_to_vec(num_longs_x4 as u64)?;
                 let offsets_buf = Cursor::new(buf);
 
                 with_order!(offsets_buf, ts.byte_order, |src| {
-                    for item in subfile_offsets.iter_mut().take(num_longs) {
+                    for item in subfile_offsets.iter_mut().take(num_longs_x4 / 4) {
                         let s = src.read_u32()?; // read a long from offset
                         *item = s; // write a long in output endian
                     }
@@ -1052,17 +1057,20 @@ impl<T: Read + Write + Seek> TiffCloner<T> {
                     data
                 }
                 IFDEntryType::Short => {
-                    let num_shorts = usize::value_from(cnt)
+                    let num_shorts_x2 =
+                        usize::value_from(cnt.checked_mul(2).ok_or_else(|| {
+                            Error::InvalidAsset("value out of range".to_string())
+                        })?)
                         .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
 
-                    let mut data = safe_vec(cnt * 2, Some(0u8))?;
+                    let mut data = safe_vec(num_shorts_x2 as u64, Some(0u8))?;
 
-                    if num_shorts * 2 <= 4 || self.big_tiff && num_shorts * 2 <= 8 {
+                    if num_shorts_x2 <= 4 || self.big_tiff && num_shorts_x2 <= 8 {
                         let offset_bytes = entry.value_offset.to_ne_bytes();
                         let mut offset_reader = Cursor::new(offset_bytes);
 
                         let mut w = Cursor::new(data.as_mut_slice());
-                        for _i in 0..num_shorts {
+                        for _i in 0..num_shorts_x2 / 2 {
                             let s = offset_reader.read_u16::<NativeEndian>()?; // read a short from offset
                             w.write_u16::<NativeEndian>(s)?; // write a short in output endian
                         }
@@ -1079,17 +1087,20 @@ impl<T: Read + Write + Seek> TiffCloner<T> {
                     data
                 }
                 IFDEntryType::Long | IFDEntryType::Ifd => {
-                    let num_longs = usize::value_from(cnt)
+                    let num_longs_x4 =
+                        usize::value_from(cnt.checked_mul(4).ok_or_else(|| {
+                            Error::InvalidAsset("value out of range".to_string())
+                        })?)
                         .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
 
-                    let mut data = safe_vec(cnt * 4, Some(0u8))?;
+                    let mut data = safe_vec(num_longs_x4 as u64, Some(0u8))?;
 
-                    if num_longs * 4 <= 4 || self.big_tiff && num_longs * 4 <= 8 {
+                    if num_longs_x4 <= 4 || self.big_tiff && num_longs_x4 <= 8 {
                         let offset_bytes = entry.value_offset.to_ne_bytes();
                         let mut offset_reader = Cursor::new(offset_bytes);
 
                         let mut w = Cursor::new(data.as_mut_slice());
-                        for _i in 0..num_longs {
+                        for _i in 0..num_longs_x4 / 4 {
                             let s = offset_reader.read_u32::<NativeEndian>()?; // read a long from offset
                             w.write_u32::<NativeEndian>(s)?; // write a long in output endian
                         }
@@ -1106,17 +1117,20 @@ impl<T: Read + Write + Seek> TiffCloner<T> {
                     data
                 }
                 IFDEntryType::Sshort => {
-                    let num_sshorts = usize::value_from(cnt)
+                    let num_sshorts_x2 =
+                        usize::value_from(cnt.checked_mul(2).ok_or_else(|| {
+                            Error::InvalidAsset("value out of range".to_string())
+                        })?)
                         .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
 
-                    let mut data = safe_vec(cnt * 2, Some(0u8))?;
+                    let mut data = safe_vec(num_sshorts_x2 as u64, Some(0u8))?;
 
-                    if num_sshorts * 2 <= 4 || self.big_tiff && num_sshorts * 2 <= 8 {
+                    if num_sshorts_x2 <= 4 || self.big_tiff && num_sshorts_x2 <= 8 {
                         let offset_bytes = entry.value_offset.to_ne_bytes();
                         let mut offset_reader = Cursor::new(offset_bytes);
 
                         let mut w = Cursor::new(data.as_mut_slice());
-                        for _i in 0..num_sshorts {
+                        for _i in 0..num_sshorts_x2 / 2 {
                             let s = offset_reader.read_i16::<NativeEndian>()?; // read a short from offset
                             w.write_i16::<NativeEndian>(s)?; // write a short in output endian
                         }
@@ -1133,17 +1147,20 @@ impl<T: Read + Write + Seek> TiffCloner<T> {
                     data
                 }
                 IFDEntryType::Slong => {
-                    let num_slongs = usize::value_from(cnt)
+                    let num_slongs_x4 =
+                        usize::value_from(cnt.checked_mul(4).ok_or_else(|| {
+                            Error::InvalidAsset("value out of range".to_string())
+                        })?)
                         .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
 
-                    let mut data = safe_vec(cnt * 4, Some(0u8))?;
+                    let mut data = safe_vec(num_slongs_x4 as u64, Some(0u8))?;
 
-                    if num_slongs * 4 <= 4 || self.big_tiff && num_slongs * 4 <= 8 {
+                    if num_slongs_x4 <= 4 || self.big_tiff && num_slongs_x4 <= 8 {
                         let offset_bytes = entry.value_offset.to_ne_bytes();
                         let mut offset_reader = Cursor::new(offset_bytes);
 
                         let mut w = Cursor::new(data.as_mut_slice());
-                        for _i in 0..num_slongs {
+                        for _i in 0..num_slongs_x4 / 4 {
                             let s = offset_reader.read_i32::<NativeEndian>()?; // read a slong from offset
                             w.write_i32::<NativeEndian>(s)?; // write a slong in output endian
                         }
@@ -1160,17 +1177,20 @@ impl<T: Read + Write + Seek> TiffCloner<T> {
                     data
                 }
                 IFDEntryType::Float => {
-                    let num_floats = usize::value_from(cnt)
+                    let num_floats_x4 =
+                        usize::value_from(cnt.checked_mul(4).ok_or_else(|| {
+                            Error::InvalidAsset("value out of range".to_string())
+                        })?)
                         .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?;
 
-                    let mut data = safe_vec(cnt * 4, Some(0u8))?;
+                    let mut data = safe_vec(num_floats_x4 as u64, Some(0u8))?;
 
-                    if num_floats * 4 <= 4 || self.big_tiff && num_floats * 4 <= 8 {
+                    if num_floats_x4 <= 4 || self.big_tiff && num_floats_x4 <= 8 {
                         let offset_bytes = entry.value_offset.to_ne_bytes();
                         let mut offset_reader = Cursor::new(offset_bytes);
 
                         let mut w = Cursor::new(data.as_mut_slice());
-                        for _i in 0..num_floats {
+                        for _i in 0..num_floats_x4 / 4 {
                             let s = offset_reader.read_f32::<NativeEndian>()?; // read a float from offset
                             w.write_f32::<NativeEndian>(s)?; // write a float in output endian
                         }
@@ -1296,11 +1316,7 @@ where
     let (tiff_tree, page_0, e, big_tiff) = map_tiff(asset_reader).ok()?;
     let first_ifd = &tiff_tree[page_0].data;
 
-    let xmp_ifd_entry = match first_ifd.get_tag(XMP_TAG) {
-        Some(entry) => entry,
-        None => return None,
-    };
-
+    let xmp_ifd_entry = first_ifd.get_tag(XMP_TAG)?;
     // make sure the tag type is correct
     if IFDEntryType::from_u16(xmp_ifd_entry.entry_type)? != IFDEntryType::Byte {
         return None;
@@ -1570,7 +1586,7 @@ impl RemoteRefEmbed for TiffIO {
                 let xmp = match self.get_reader().read_xmp(source_stream) {
                     Some(xmp) => add_provenance(&xmp, &manifest_uri)?,
                     None => {
-                        let xmp = format!("http://ns.adobe.com/xap/1.0/\0 {}", MIN_XMP);
+                        let xmp = MIN_XMP.to_string();
                         add_provenance(&xmp, &manifest_uri)?
                     }
                 };
@@ -1730,6 +1746,48 @@ pub mod tests {
         }
         assert!(success);
     }
+
+    #[test]
+    fn test_overflow_clone_ifd_entries() {
+        let data = [
+            0x49, 0x49, 0x2b, 0x00, 0x08, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
+            0x49, 0x2a, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xf9, 0x00,
+            0x00, 0x00, 0x00, 0x05, 0x00, 0x07, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //
+            // entry
+            //
+            0x00, 0x00, // entry_tag
+            0x04, 0x00, // entry_type
+            0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, // value_count (cnt)
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // value_offset
+            //
+            // entry
+            //
+            0x00, 0x00, // entry_tag
+            0x04, 0x00, // entry_type
+            0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, // value_count (cnt)
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // value_offset
+            //
+            // ...
+            //
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00,
+        ];
+
+        let mut stream = Cursor::new(&data);
+
+        let tiff_io = TiffIO {};
+
+        let locations = tiff_io.get_object_locations_from_stream(&mut stream);
+        assert!(matches!(locations, Err(Error::InvalidAsset(_))));
+    }
+
     /*  disable until I find smaller DNG
     #[test]
     fn test_read_write_dng_manifest() {
diff --git a/sdk/src/builder.rs b/sdk/src/builder.rs
index 1180e86ca..7f9aeb829 100644
--- a/sdk/src/builder.rs
+++ b/sdk/src/builder.rs
@@ -24,7 +24,7 @@ use schemars::JsonSchema;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use serde_with::skip_serializing_none;
 use uuid::Uuid;
-use zip::{write::FileOptions, ZipArchive, ZipWriter};
+use zip::{write::SimpleFileOptions, ZipArchive, ZipWriter};
 
 use crate::{
     assertion::AssertionDecodeError,
@@ -460,7 +460,7 @@ impl Builder {
             {
                 let mut zip = ZipWriter::new(stream);
                 let options =
-                    FileOptions::default().compression_method(zip::CompressionMethod::Stored);
+                    SimpleFileOptions::default().compression_method(zip::CompressionMethod::Stored);
                 // write a version file
                 zip.start_file("version.txt", options)
                     .map_err(|e| Error::OtherError(Box::new(e)))?;
@@ -1104,6 +1104,7 @@ mod tests {
     #![allow(clippy::unwrap_used)]
     use std::io::Cursor;
 
+    use c2pa_crypto::raw_signature::SigningAlg;
     use serde_json::json;
     #[cfg(target_arch = "wasm32")]
     use wasm_bindgen_test::*;
@@ -1113,7 +1114,7 @@ mod tests {
         assertions::BoxHash,
         asset_handlers::jpeg_io::JpegIO,
         hash_stream_by_alg,
-        utils::test::{temp_signer, write_jpeg_placeholder_stream},
+        utils::{test::write_jpeg_placeholder_stream, test_signer::test_signer},
         Reader,
     };
 
@@ -1282,6 +1283,7 @@ mod tests {
     }
 
     #[test]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     fn test_builder_sign() {
         #[derive(Serialize, Deserialize)]
         struct TestAssertion {
@@ -1327,7 +1329,7 @@ mod tests {
         let mut _builder = Builder::from_archive(&mut zipped).unwrap();
 
         // sign and write to the output stream
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         builder
             .sign(signer.as_ref(), format, &mut source, &mut dest)
             .unwrap();
@@ -1337,7 +1339,7 @@ mod tests {
         let manifest_store = Reader::from_stream(format, &mut dest).expect("from_bytes");
 
         println!("{}", manifest_store);
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         assert!(manifest_store.active_manifest().is_some());
         let manifest = manifest_store.active_manifest().unwrap();
         assert_eq!(manifest.title().unwrap(), "Test_Manifest");
@@ -1359,14 +1361,14 @@ mod tests {
             .unwrap();
 
         // sign and write to the output stream
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         builder.sign_file(signer.as_ref(), source, &dest).unwrap();
 
         // read and validate the signed manifest store
         let manifest_store = Reader::from_file(&dest).expect("from_bytes");
 
         println!("{}", manifest_store);
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         assert_eq!(
             manifest_store.active_manifest().unwrap().title().unwrap(),
             "Test_Manifest"
@@ -1411,7 +1413,7 @@ mod tests {
                 .unwrap();
 
             // sign and write to the output stream
-            let signer = temp_signer();
+            let signer = test_signer(SigningAlg::Ps256);
             builder
                 .sign(signer.as_ref(), format, &mut source, &mut dest)
                 .unwrap();
@@ -1423,7 +1425,7 @@ mod tests {
             println!("{}", manifest_store);
             if format != "c2pa" {
                 // c2pa files will not validate since they have no associated asset
-                assert!(manifest_store.validation_status().is_none());
+                assert_eq!(manifest_store.validation_status(), None);
             }
             assert_eq!(
                 manifest_store.active_manifest().unwrap().title().unwrap(),
@@ -1443,6 +1445,7 @@ mod tests {
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     async fn test_builder_remote_sign() {
         let format = "image/jpeg";
         let mut source = Cursor::new(TEST_IMAGE);
@@ -1480,7 +1483,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg(feature = "openssl_sign")]
     fn test_builder_remote_url() {
         let mut source = Cursor::new(TEST_IMAGE_CLEAN);
         let mut dest = Cursor::new(Vec::new());
@@ -1494,7 +1497,7 @@ mod tests {
             .unwrap();
 
         // sign the ManifestStoreBuilder and write it to the output stream
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         let manifest_data = builder
             .sign(signer.as_ref(), "image/jpeg", &mut source, &mut dest)
             .unwrap();
@@ -1510,15 +1513,16 @@ mod tests {
                 .expect("from_bytes");
 
         println!("{}", reader.json());
-        assert!(reader.validation_status().is_none());
+        assert_eq!(reader.validation_status(), None);
     }
 
     #[test]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     fn test_builder_data_hashed_embeddable() {
         const CLOUD_IMAGE: &[u8] = include_bytes!("../tests/fixtures/cloud.jpg");
         let mut input_stream = Cursor::new(CLOUD_IMAGE);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut builder = Builder::from_json(&simple_manifest()).unwrap();
 
@@ -1569,11 +1573,15 @@ mod tests {
         let reader = crate::Reader::from_stream("image/jpeg", output_stream).unwrap();
         println!("{reader}");
         #[cfg(not(target_arch = "wasm32"))] // skip this until we get wasm async signing working
-        assert!(reader.validation_status().is_none());
+        assert_eq!(reader.validation_status(), None);
     }
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg(any(
+        target_arch = "wasm32",
+        all(feature = "openssl_sign", feature = "file_io")
+    ))]
     async fn test_builder_box_hashed_embeddable() {
         use crate::asset_io::{CAIWriter, HashBlockObjectType};
         const BOX_HASH_IMAGE: &[u8] = include_bytes!("../tests/fixtures/boxhash.jpg");
@@ -1591,7 +1599,7 @@ mod tests {
 
         builder.add_assertion(labels::BOX_HASH, &box_hash).unwrap();
 
-        let signer = crate::utils::test::temp_async_signer();
+        let signer = crate::utils::test_signer::async_test_signer(SigningAlg::Ed25519);
 
         let manifest_bytes = builder
             .sign_box_hashed_embeddable_async(signer.as_ref(), "image/jpeg")
@@ -1655,7 +1663,7 @@ mod tests {
         let mut builder = Builder::from_archive(&mut zipped).unwrap();
 
         // sign the ManifestStoreBuilder and write it to the output stream
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         let _manifest_data = builder
             .sign(signer.as_ref(), "image/jpeg", &mut source, &mut dest)
             .unwrap();
@@ -1665,7 +1673,7 @@ mod tests {
         let reader = Reader::from_stream("image/jpeg", &mut dest).expect("from_bytes");
 
         //println!("{}", reader);
-        assert!(reader.validation_status().is_none());
+        assert_eq!(reader.validation_status(), None);
         assert_eq!(
             reader
                 .active_manifest()
@@ -1677,7 +1685,7 @@ mod tests {
         );
     }
 
-    #[cfg(feature = "file_io")]
+    #[cfg(feature = "openssl_sign")]
     const MANIFEST_JSON: &str = r#"{
         "claim_generator": "test",
         "claim_generator_info": [
@@ -1831,7 +1839,7 @@ mod tests {
         // convert buffer to cursor with Read/Write/Seek capability
         let mut input = Cursor::new(image.to_vec());
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         // Embed a manifest using the signer.
         let mut output = Cursor::new(Vec::new());
         builder
diff --git a/sdk/src/callback_signer.rs b/sdk/src/callback_signer.rs
index 0bac60ec8..355358d93 100644
--- a/sdk/src/callback_signer.rs
+++ b/sdk/src/callback_signer.rs
@@ -16,13 +16,14 @@
 //! The `callback_signer` module provides a way to obtain a [`Signer`] or [`AsyncSigner`]
 //! using a callback and public signing certificates.
 
-use c2pa_crypto::SigningAlg;
-
-use crate::{
-    error::{Error, Result},
-    AsyncSigner, Signer,
+use async_trait::async_trait;
+use c2pa_crypto::{
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{AsyncTimeStampProvider, TimeStampProvider},
 };
 
+use crate::{AsyncSigner, Error, Result, Signer};
+
 /// Defines a callback function interface for a [`CallbackSigner`].
 ///
 /// The callback should return a signature for the given data.
@@ -54,7 +55,6 @@ pub struct CallbackSigner {
 }
 
 unsafe impl Send for CallbackSigner {}
-
 unsafe impl Sync for CallbackSigner {}
 
 impl CallbackSigner {
@@ -66,6 +66,7 @@ impl CallbackSigner {
     {
         let certs = certs.into();
         let reserve_size = 10000 + certs.len();
+
         Self {
             context: std::ptr::null(),
             callback: Box::new(callback),
@@ -114,13 +115,14 @@ impl CallbackSigner {
 
         // Parse the PEM data to get the private key
         let pem = parse(private_key).map_err(|e| Error::OtherError(Box::new(e)))?;
+
         // For Ed25519, the key is 32 bytes long, so we skip the first 16 bytes of the PEM data
-        let key_bytes = &pem.contents()[16..];
+        let key_bytes = pem.contents().get(16..).ok_or(Error::InvalidSigningKey)?;
         let signing_key =
             SigningKey::try_from(key_bytes).map_err(|e| Error::OtherError(Box::new(e)))?;
+
         // Sign the data
         let signature: Signature = signing_key.sign(data);
-
         Ok(signature.to_bytes().to_vec())
     }
 }
@@ -156,6 +158,36 @@ impl Signer for CallbackSigner {
     fn reserve_size(&self) -> usize {
         self.reserve_size
     }
+
+    fn time_authority_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for CallbackSigner {
+    // TO DISCUSS WITH GAVIN: Perhaps we could make CallbackSigner's API return c2pa_crypto::Result<..., RawSignerError> instead?
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        (self.callback)(self.context, data)
+            .map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        let pems = pem::parse_many(&self.certs)
+            .map_err(|e| RawSignerError::InvalidSigningCredentials(e.to_string()))?;
+        Ok(pems.into_iter().map(|p| p.into_contents()).collect())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.reserve_size
+    }
 }
 
 impl TimeStampProvider for CallbackSigner {
@@ -164,12 +196,8 @@ impl TimeStampProvider for CallbackSigner {
     }
 }
 
-use async_trait::async_trait;
-use c2pa_crypto::time_stamp::{AsyncTimeStampProvider, TimeStampProvider};
-
 #[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
 #[cfg_attr(not(target_arch = "wasm32"), async_trait)]
-// I'm not sure if this is useful since the callback is still synchronous.
 impl AsyncSigner for CallbackSigner {
     async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
         (self.callback)(self.context, &data)
@@ -187,19 +215,47 @@ impl AsyncSigner for CallbackSigner {
     fn reserve_size(&self) -> usize {
         self.reserve_size
     }
-}
 
-#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
-impl AsyncTimeStampProvider for CallbackSigner {
-    fn time_stamp_service_url(&self) -> Option<String> {
+    fn time_authority_url(&self) -> Option<String> {
         self.tsa_url.clone()
     }
 
     #[cfg(target_arch = "wasm32")]
-    async fn send_time_stamp_request(
-        &self,
-        _message: &[u8],
-    ) -> Option<std::result::Result<Vec<u8>, c2pa_crypto::time_stamp::TimeStampError>> {
+    async fn send_timestamp_request(&self, _message: &[u8]) -> Option<Result<Vec<u8>>> {
         None
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncRawSigner for CallbackSigner {
+    // TO DISCUSS WITH GAVIN: Perhaps we could make CallbackSigner's API return c2pa_crypto::Result<..., RawSignerError> instead?
+    async fn sign(&self, data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        (self.callback)(self.context, &data)
+            .map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        let pems = pem::parse_many(&self.certs)
+            .map_err(|e| RawSignerError::InvalidSigningCredentials(e.to_string()))?;
+        Ok(pems.into_iter().map(|p| p.into_contents()).collect())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.reserve_size
+    }
+}
+
+impl AsyncTimeStampProvider for CallbackSigner {
+    fn time_stamp_service_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
 }
diff --git a/sdk/src/claim.rs b/sdk/src/claim.rs
index a6508ff9b..fce0b9c46 100644
--- a/sdk/src/claim.rs
+++ b/sdk/src/claim.rs
@@ -16,7 +16,11 @@ use std::path::Path;
 use std::{collections::HashMap, fmt};
 
 use async_generic::async_generic;
-use c2pa_crypto::base64;
+use c2pa_crypto::{
+    base64,
+    cose::{parse_cose_sign1, CertificateTrustPolicy, OcspFetchPolicy, ValidationInfo},
+    ocsp::OcspResponse,
+};
 use c2pa_status_tracker::{log_item, OneShotStatusTracker, StatusTracker};
 use chrono::{DateTime, Utc};
 use serde::{ser::SerializeStruct, Deserialize, Serialize, Serializer};
@@ -35,10 +39,7 @@ use crate::{
     },
     asset_io::CAIRead,
     cbor_types::map_cbor_to_type,
-    cose_validator::{
-        check_ocsp_status, check_ocsp_status_async, get_signing_info, get_signing_info_async,
-        verify_cose, verify_cose_async,
-    },
+    cose_validator::{get_signing_info, get_signing_info_async, verify_cose, verify_cose_async},
     error::{Error, Result},
     hashed_uri::HashedUri,
     jumbf::{
@@ -54,11 +55,9 @@ use crate::{
     },
     jumbf_io::get_assetio_handler,
     salt::{DefaultSalt, SaltGenerator, NO_SALT},
-    trust_handler::TrustHandlerConfig,
+    settings::get_settings_value,
     utils::hash_utils::{hash_by_alg, vec_compare, verify_by_alg},
-    validation_status,
-    validator::ValidationInfo,
-    ClaimGeneratorInfo,
+    validation_status, ClaimGeneratorInfo,
 };
 
 const BUILD_HASH_ALG: &str = "sha256";
@@ -1697,7 +1696,7 @@ impl Claim {
         asset_data: &mut ClaimAssetData<'_>,
         is_provenance: bool,
         cert_check: bool,
-        th: &dyn TrustHandlerConfig,
+        ctp: &CertificateTrustPolicy,
         validation_log: &mut impl StatusTracker,
     ) -> Result<()> {
         // Parse COSE signed data (signature) and validate it.
@@ -1725,10 +1724,18 @@ impl Claim {
         }
 
         // check certificate revocation
-        check_ocsp_status_async(&sig, &data, th, validation_log).await?;
-
-        let verified =
-            verify_cose_async(sig, data, additional_bytes, cert_check, th, validation_log).await;
+        let sign1 = parse_cose_sign1(&sig, &data, validation_log)?;
+        check_ocsp_status_async(&sign1, &data, ctp, validation_log).await?;
+
+        let verified = verify_cose_async(
+            &sig,
+            &data,
+            &additional_bytes,
+            cert_check,
+            ctp,
+            validation_log,
+        )
+        .await;
 
         Claim::verify_internal(claim, asset_data, is_provenance, verified, validation_log)
     }
@@ -1741,7 +1748,7 @@ impl Claim {
         asset_data: &mut ClaimAssetData<'_>,
         is_provenance: bool,
         cert_check: bool,
-        th: &dyn TrustHandlerConfig,
+        ctp: &CertificateTrustPolicy,
         validation_log: &mut impl StatusTracker,
     ) -> Result<()> {
         // Parse COSE signed data (signature) and validate it.
@@ -1770,9 +1777,17 @@ impl Claim {
         };
 
         // check certificate revocation
-        check_ocsp_status(sig, data, th, validation_log)?;
+        let sign1 = parse_cose_sign1(sig, data, validation_log)?;
+        check_ocsp_status(&sign1, data, ctp, validation_log)?;
 
-        let verified = verify_cose(sig, data, &additional_bytes, cert_check, th, validation_log);
+        let verified = verify_cose(
+            sig,
+            data,
+            &additional_bytes,
+            cert_check,
+            ctp,
+            validation_log,
+        );
 
         Claim::verify_internal(claim, asset_data, is_provenance, verified, validation_log)
     }
@@ -2678,7 +2693,42 @@ impl Claim {
     }
 }
 
-#[cfg(not(target_arch = "wasm32"))]
+#[allow(dead_code)]
+#[async_generic]
+pub(crate) fn check_ocsp_status(
+    sign1: &coset::CoseSign1,
+    data: &[u8],
+    ctp: &CertificateTrustPolicy,
+    validation_log: &mut impl StatusTracker,
+) -> Result<OcspResponse> {
+    // Moved here instead of c2pa-crypto because of the dependency on settings.
+
+    let fetch_policy = match get_settings_value::<bool>("verify.ocsp_fetch") {
+        Ok(true) => OcspFetchPolicy::FetchAllowed,
+        _ => OcspFetchPolicy::DoNotFetch,
+    };
+
+    if _sync {
+        Ok(c2pa_crypto::cose::check_ocsp_status(
+            sign1,
+            data,
+            fetch_policy,
+            ctp,
+            validation_log,
+        )?)
+    } else {
+        Ok(c2pa_crypto::cose::check_ocsp_status_async(
+            sign1,
+            data,
+            fetch_policy,
+            ctp,
+            validation_log,
+        )
+        .await?)
+    }
+}
+
+#[cfg(feature = "openssl")]
 #[cfg(test)]
 pub mod tests {
     #![allow(clippy::expect_used)]
diff --git a/sdk/src/cose_sign.rs b/sdk/src/cose_sign.rs
index ef707fa95..2e27f1468 100644
--- a/sdk/src/cose_sign.rs
+++ b/sdk/src/cose_sign.rs
@@ -15,29 +15,15 @@
 
 #![deny(missing_docs)]
 
-use std::io::Cursor;
-
 use async_generic::async_generic;
-use c2pa_crypto::{time_stamp::ts_token_from_time_stamp_response, SigningAlg};
-use c2pa_status_tracker::OneShotStatusTracker;
-use ciborium::value::Value;
-use coset::{
-    iana::{self, EnumI64},
-    CoseSign1, CoseSign1Builder, Header, HeaderBuilder, Label, ProtectedHeader,
-    TaggedCborSerializable,
+use c2pa_crypto::cose::{
+    check_certificate_profile, sign, sign_async, CertificateTrustPolicy, TimeStampStorage,
 };
-use serde_bytes::ByteBuf;
+use c2pa_status_tracker::OneShotStatusTracker;
 
 use crate::{
-    claim::Claim,
-    cose_validator::{check_cert, verify_cose},
-    settings::get_settings_value,
-    time_stamp::{
-        cose_timestamp_countersign, cose_timestamp_countersign_async, make_cose_timestamp,
-    },
-    trust_handler::TrustHandlerConfig,
-    utils::sig_utils::{der_to_p1363, parse_ec_der_sig},
-    AsyncSigner, Error, Result, Signer,
+    claim::Claim, cose_validator::verify_cose, settings::get_settings_value, AsyncSigner, Error,
+    Result, Signer,
 };
 
 /// Generate a COSE signature for a block of bytes which must be a valid C2PA
@@ -67,24 +53,30 @@ pub fn sign_claim(claim_bytes: &[u8], signer: &dyn Signer, box_size: usize) -> R
     let label = "dummy_label";
     let claim = Claim::from_data(label, claim_bytes)?;
 
+    let tss = if claim.version() > 1 {
+        TimeStampStorage::V2_sigTst2_CTT
+    } else {
+        TimeStampStorage::V1_sigTst
+    };
+
     let signed_bytes = if _sync {
-        cose_sign(signer, claim_bytes, box_size, claim.version())
+        cose_sign(signer, claim_bytes, box_size, tss)
     } else {
-        cose_sign_async(signer, claim_bytes, box_size, claim.version()).await
+        cose_sign_async(signer, claim_bytes, box_size, tss).await
     };
 
     match signed_bytes {
         Ok(signed_bytes) => {
             // Sanity check: Ensure that this signature is valid.
             let mut cose_log = OneShotStatusTracker::default();
-            let passthrough_tb = crate::trust_handler::TrustPassThrough::new();
+            let passthrough_cap = CertificateTrustPolicy::default();
 
             match verify_cose(
                 &signed_bytes,
                 claim_bytes,
                 b"",
                 true,
-                &passthrough_tb,
+                &passthrough_cap,
                 &mut cose_log,
             ) {
                 Ok(r) => {
@@ -101,57 +93,21 @@ pub fn sign_claim(claim_bytes: &[u8], signer: &dyn Signer, box_size: usize) -> R
     }
 }
 
-fn signing_cert_valid(signing_cert: &[u8]) -> Result<()> {
-    // make sure signer certs are valid
-    let mut cose_log = OneShotStatusTracker::default();
-    let mut passthrough_tb = crate::trust_handler::TrustPassThrough::new();
-
-    // allow user EKUs through this check if configured
-    if let Ok(Some(trust_config)) = get_settings_value::<Option<String>>("trust.trust_config") {
-        let mut reader = Cursor::new(trust_config.as_bytes());
-        passthrough_tb.load_configuration(&mut reader)?;
-    }
-
-    check_cert(signing_cert, &passthrough_tb, &mut cose_log, None)
-}
-
 /// Returns signed Cose_Sign1 bytes for `data`.
 /// The Cose_Sign1 will be signed with the algorithm from [`Signer`].
 #[async_generic(async_signature(
     signer: &dyn AsyncSigner,
     data: &[u8],
     box_size: usize,
-    version: usize,
+    time_stamp_storage: TimeStampStorage,
 ))]
 pub(crate) fn cose_sign(
     signer: &dyn Signer,
     data: &[u8],
     box_size: usize,
-    version: usize,
+    time_stamp_storage: TimeStampStorage,
 ) -> Result<Vec<u8>> {
-    // 13.2.1. X.509 Certificates
-    //
-    // X.509 Certificates are stored in a header named x5chain draft-ietf-cose-x509.
-    // The value is a CBOR array of byte strings, each of which contains the certificate
-    // encoded as ASN.1 distinguished encoding rules (DER). This array must contain at
-    // least one element. The first element of the array must be the certificate of
-    // the signer, and the subjectPublicKeyInfo element of the certificate will be the
-    // public key used to validate the signature. The Validity member of the TBSCertificate
-    // sequence provides the time validity period of the certificate.
-
-    /*
-       This header parameter allows for a single X.509 certificate or a
-       chain of X.509 certificates to be carried in the message.
-
-       *  If a single certificate is conveyed, it is placed in a CBOR
-           byte string.
-
-       *  If multiple certificates are conveyed, a CBOR array of byte
-           strings is used, with each certificate being in its own byte
-           string.
-    */
-
-    // make sure the signing cert is valid
+    // Make sure the signing cert is valid.
     let certs = signer.certs()?;
     if let Some(signing_cert) = certs.first() {
         signing_cert_valid(signing_cert)?;
@@ -159,328 +115,79 @@ pub(crate) fn cose_sign(
         return Err(Error::CoseNoCerts);
     }
 
-    let alg = signer.alg();
-    let aad: &[u8; 0] = b""; // no additional data required here
-
-    // build complete header
-    let protected_header = if _sync {
-        build_protected_headers(signer, alg)?
-    } else {
-        build_protected_headers_async(signer, alg).await?
-    };
-
-    if version > 1 {
-        // sign then stamp  (Cose CTT)
-        let sign1_builder = CoseSign1Builder::new()
-            .protected(protected_header.header.clone())
-            .payload(data.to_vec());
-
-        let mut sign1 = sign1_builder.build();
-
-        let tbs = coset::sig_structure_data(
-            coset::SignatureContext::CoseSign1,
-            sign1.protected.clone(),
-            None,
-            aad,
-            sign1.payload.as_ref().unwrap_or(&vec![]),
-        );
-
-        let signature = if _sync {
-            signer.sign(&tbs)?
-        } else {
-            signer.sign(tbs).await?
-        };
-
-        // fix up signatures that may be in the wrong format
-        sign1.signature = match alg {
-            SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
-                if parse_ec_der_sig(&signature).is_ok() {
-                    // fix up DER signature to be in P1363 format
-                    der_to_p1363(&signature, alg)?
-                } else {
-                    signature
-                }
-            }
-            _ => signature,
-        };
-
-        sign1.payload = None; // clear the payload since it is known
-
-        let sig_data = ByteBuf::from(sign1.signature.clone());
-        let sig_data_cbor = serde_cbor::to_vec(&sig_data)?;
-        let unprotected_header = if _sync {
-            build_unprotected_headers(signer, &sig_data_cbor, &protected_header, version > 1)?
-        } else {
-            build_unprotected_headers_async(signer, &sig_data_cbor, &protected_header, version > 1)
-                .await?
-        };
-
-        // fill in the unprotected headers
-        sign1.unprotected = unprotected_header;
-
-        let c2pa_sig_data = pad_cose_sig(&mut sign1, box_size)?;
-
-        // println!("sig: {}", Hexlify(&c2pa_sig_data));
-
-        Ok(c2pa_sig_data)
-    } else {
-        // stamp then sign
-        let unprotected_header = if _sync {
-            build_unprotected_headers(signer, data, &protected_header, version > 1)?
-        } else {
-            build_unprotected_headers_async(signer, data, &protected_header, version > 1).await?
-        };
-
-        let sign1_builder = CoseSign1Builder::new()
-            .protected(protected_header.header.clone())
-            .unprotected(unprotected_header)
-            .payload(data.to_vec());
-
-        let mut sign1 = sign1_builder.build();
-
-        let tbs = coset::sig_structure_data(
-            coset::SignatureContext::CoseSign1,
-            sign1.protected.clone(),
-            None,
-            aad,
-            sign1.payload.as_ref().unwrap_or(&vec![]),
-        );
-
-        let signature = if _sync {
-            signer.sign(&tbs)?
-        } else {
-            signer.sign(tbs).await?
-        };
-
-        // fix up signatures that may be in the wrong format
-        sign1.signature = match alg {
-            SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
-                if parse_ec_der_sig(&signature).is_ok() {
-                    // fix up DER signature to be in P1363 format
-                    der_to_p1363(&signature, alg)?
-                } else {
-                    signature
-                }
-            }
-            _ => signature,
-        };
-
-        sign1.payload = None; // clear the payload since it is known
-
-        let c2pa_sig_data = pad_cose_sig(&mut sign1, box_size)?;
-
-        // println!("sig: {}", Hexlify(&c2pa_sig_data));
-
-        Ok(c2pa_sig_data)
-    }
-}
-
-#[async_generic(async_signature(signer: &dyn AsyncSigner, alg: SigningAlg))]
-fn build_protected_headers(signer: &dyn Signer, alg: SigningAlg) -> Result<ProtectedHeader> {
-    let mut protected_h = match alg {
-        SigningAlg::Ps256 => HeaderBuilder::new().algorithm(iana::Algorithm::PS256),
-        SigningAlg::Ps384 => HeaderBuilder::new().algorithm(iana::Algorithm::PS384),
-        SigningAlg::Ps512 => HeaderBuilder::new().algorithm(iana::Algorithm::PS512),
-        SigningAlg::Es256 => HeaderBuilder::new().algorithm(iana::Algorithm::ES256),
-        SigningAlg::Es384 => HeaderBuilder::new().algorithm(iana::Algorithm::ES384),
-        SigningAlg::Es512 => HeaderBuilder::new().algorithm(iana::Algorithm::ES512),
-        SigningAlg::Ed25519 => HeaderBuilder::new().algorithm(iana::Algorithm::EdDSA),
-    };
-
-    let certs = signer.certs()?;
-
-    let sc_der_array_or_bytes = match certs.len() {
-        1 => Value::Bytes(certs[0].clone()), // single cert
-        _ => {
-            let mut sc_der_array: Vec<Value> = Vec::new();
-            for cert in certs {
-                sc_der_array.push(Value::Bytes(cert));
-            }
-            Value::Array(sc_der_array) // provide vec of certs when required
-        }
-    };
-
-    // add certs to protected header (spec 1.3 now requires integer 33(X5Chain) in favor of string "x5chain" going forward)
-    protected_h = protected_h.value(
-        iana::HeaderParameter::X5Chain.to_i64(),
-        sc_der_array_or_bytes.clone(),
-    );
-
-    let protected_header = protected_h.build();
-    let ph2 = ProtectedHeader {
-        original_data: None,
-        header: protected_header.clone(),
-    };
-
-    Ok(ph2)
-}
-
-#[async_generic(async_signature(signer: &dyn AsyncSigner, data: &[u8], p_header: &ProtectedHeader, v2: bool,))]
-fn build_unprotected_headers(
-    signer: &dyn Signer,
-    data: &[u8],
-    p_header: &ProtectedHeader,
-    v2: bool,
-) -> Result<Header> {
-    let maybe_cts = if _sync {
-        cose_timestamp_countersign(signer, data, p_header)
-    } else {
-        cose_timestamp_countersign_async(signer, data, p_header).await
-    };
-
-    let mut unprotected_h = if let Some(cts) = maybe_cts {
-        let mut cts = cts?;
-
-        if v2 {
-            // we use the timestamptoken and not TimeStampRsp for sigTst2
-            cts = ts_token_from_time_stamp_response(&cts).ok_or(Error::CoseTimeStampGeneration)?;
-        }
-
-        let sigtst_vec = serde_cbor::to_vec(&make_cose_timestamp(&cts))?;
-        let sigtst_cbor = serde_cbor::from_slice(&sigtst_vec)?;
-
-        if v2 {
-            HeaderBuilder::new().text_value("sigTst2".to_string(), sigtst_cbor)
-        } else {
-            HeaderBuilder::new().text_value("sigTst".to_string(), sigtst_cbor)
-        }
+    let raw_signer = if _sync {
+        signer.raw_signer()
     } else {
-        HeaderBuilder::new()
+        signer.async_raw_signer()
     };
 
-    let ocsp_val = if _sync {
-        signer.ocsp_val()
+    if _sync {
+        Ok(sign(*raw_signer, data, box_size, time_stamp_storage)?)
     } else {
-        signer.ocsp_val().await
-    };
-
-    // set the ocsp responder response if available
-    if let Some(ocsp) = ocsp_val {
-        let mut ocsp_vec: Vec<Value> = Vec::new();
-        let mut r_vals: Vec<(Value, Value)> = vec![];
-
-        ocsp_vec.push(Value::Bytes(ocsp));
-        r_vals.push((Value::Text("ocspVals".to_string()), Value::Array(ocsp_vec)));
-
-        unprotected_h = unprotected_h.text_value("rVals".to_string(), Value::Map(r_vals));
+        Ok(sign_async(*raw_signer, data, box_size, time_stamp_storage).await?)
     }
-
-    // build complete header
-    let unprotected_header = unprotected_h.build();
-
-    Ok(unprotected_header)
 }
 
-const PAD: &str = "pad";
-const PAD2: &str = "pad2";
-const PAD_OFFSET: usize = 7;
-
-// Pad the CoseSign1 structure with 0s to match the reserved box size.
-// There are some values lengths that are impossible to hit with a single padding so
-// when that happens a second padding is added to change the remaining needed padding.
-// The default initial guess works for almost all sizes, without the need for additional loops.
-fn pad_cose_sig(sign1: &mut CoseSign1, end_size: usize) -> Result<Vec<u8>> {
-    let mut sign1_clone = sign1.clone();
-    let cur_vec = sign1_clone
-        .to_tagged_vec()
-        .map_err(|_e| Error::CoseSignature)?;
-    let cur_size = cur_vec.len();
-
-    if cur_size == end_size {
-        return Ok(cur_vec);
-    }
-
-    // check for box too small and matched size
-    if cur_size + PAD_OFFSET > end_size {
-        return Err(Error::CoseSigboxTooSmall);
-    }
-
-    let mut padding_found = false;
-    let mut last_pad = 0;
-    let mut target_guess = end_size - cur_size - PAD_OFFSET; // start close to desired end_size accounting for label
-    loop {
-        // clone to use
-        sign1_clone = sign1.clone();
-
-        // replace padding with new estimate
-        for header_pair in &mut sign1_clone.unprotected.rest {
-            if header_pair.0 == Label::Text("pad".to_string()) {
-                if let Value::Bytes(b) = &header_pair.1 {
-                    last_pad = b.len();
-                }
-                header_pair.1 = Value::Bytes(vec![0u8; target_guess]);
-                padding_found = true;
-                break;
-            }
-        }
-
-        // if there was no padding add it and call again
-        if !padding_found {
-            sign1_clone.unprotected.rest.push((
-                Label::Text(PAD.to_string()),
-                Value::Bytes(vec![0u8; target_guess]),
-            ));
-            return pad_cose_sig(&mut sign1_clone, end_size);
-        }
-
-        // get current cbor vec to size if we reached target size
-        let new_cbor = sign1_clone
-            .to_tagged_vec()
-            .map_err(|_e| Error::CoseSignature)?;
+fn signing_cert_valid(signing_cert: &[u8]) -> Result<()> {
+    // make sure signer certs are valid
+    let mut cose_log = OneShotStatusTracker::default();
+    let mut passthrough_cap = CertificateTrustPolicy::default();
 
-        match new_cbor.len() < end_size {
-            true => target_guess += 1,
-            false if new_cbor.len() == end_size => return Ok(new_cbor),
-            false => break, // we could not match end_size in a single pad so break and add a second
-        }
+    // allow user EKUs through this check if configured
+    if let Ok(Some(trust_config)) = get_settings_value::<Option<String>>("trust.trust_config") {
+        passthrough_cap.add_valid_ekus(trust_config.as_bytes());
     }
 
-    // if we reach here we need a new second padding object to hit exact size
-    sign1.unprotected.rest.push((
-        Label::Text(PAD2.to_string()),
-        Value::Bytes(vec![0u8; last_pad - 10]),
-    ));
-    pad_cose_sig(sign1, end_size)
+    Ok(check_certificate_profile(
+        signing_cert,
+        &passthrough_cap,
+        &mut cose_log,
+        None,
+    )?)
 }
 
 #[cfg(test)]
 mod tests {
     #![allow(clippy::unwrap_used)]
-
-    use c2pa_crypto::time_stamp::{TimeStampError, TimeStampProvider};
+    use c2pa_crypto::{
+        raw_signature::{RawSigner, RawSignerError, SigningAlg},
+        time_stamp::{TimeStampError, TimeStampProvider},
+    };
 
     use super::sign_claim;
-    use crate::{claim::Claim, utils::test::temp_signer};
+    #[cfg(not(target_arch = "wasm32"))]
+    use crate::utils::test_signer::async_test_signer;
+    use crate::{claim::Claim, utils::test_signer::test_signer, Result, Signer};
 
     #[test]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     fn test_sign_claim() {
         let mut claim = Claim::new("extern_sign_test", Some("contentauth"), 1);
         claim.build().unwrap();
 
         let claim_bytes = claim.data().unwrap();
 
-        let signer = temp_signer();
-        let box_size = signer.reserve_size();
+        let signer = test_signer(SigningAlg::Ps256);
+        let box_size = Signer::reserve_size(signer.as_ref());
 
         let cose_sign1 = sign_claim(&claim_bytes, signer.as_ref(), box_size).unwrap();
 
         assert_eq!(cose_sign1.len(), box_size);
     }
 
-    #[cfg(not(target_arch = "wasm32"))]
-    #[cfg(feature = "openssl")]
+    #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
     #[actix::test]
     async fn test_sign_claim_async() {
-        use crate::{
-            cose_sign::sign_claim_async, openssl::AsyncSignerAdapter, AsyncSigner, SigningAlg,
-        };
+        use c2pa_crypto::raw_signature::SigningAlg;
+
+        use crate::{cose_sign::sign_claim_async, AsyncSigner};
 
         let mut claim = Claim::new("extern_sign_test", Some("contentauth"), 1);
         claim.build().unwrap();
 
         let claim_bytes = claim.data().unwrap();
 
-        let signer = AsyncSignerAdapter::new(SigningAlg::Ps256);
+        let signer = async_test_signer(SigningAlg::Ps256);
         let box_size = signer.reserve_size();
 
         let cose_sign1 = sign_claim_async(&claim_bytes, &signer, box_size)
@@ -498,17 +205,46 @@ mod tests {
         }
     }
 
-    impl crate::Signer for BogusSigner {
-        fn sign(&self, _data: &[u8]) -> crate::error::Result<Vec<u8>> {
+    impl Signer for BogusSigner {
+        fn sign(&self, _data: &[u8]) -> Result<Vec<u8>> {
+            eprintln!("Canary, canary, please cause this deploy to fail!");
+            Ok(b"totally bogus signature".to_vec())
+        }
+
+        fn alg(&self) -> c2pa_crypto::raw_signature::SigningAlg {
+            c2pa_crypto::raw_signature::SigningAlg::Ps256
+        }
+
+        fn certs(&self) -> Result<Vec<Vec<u8>>> {
+            let cert_vec: Vec<u8> = Vec::new();
+            let certs = vec![cert_vec];
+            Ok(certs)
+        }
+
+        fn reserve_size(&self) -> usize {
+            1024
+        }
+
+        fn send_timestamp_request(&self, _message: &[u8]) -> Option<crate::error::Result<Vec<u8>>> {
+            Some(Ok(Vec::new()))
+        }
+
+        fn raw_signer(&self) -> Box<&dyn c2pa_crypto::raw_signature::RawSigner> {
+            Box::new(self)
+        }
+    }
+
+    impl RawSigner for BogusSigner {
+        fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
             eprintln!("Canary, canary, please cause this deploy to fail!");
             Ok(b"totally bogus signature".to_vec())
         }
 
-        fn alg(&self) -> c2pa_crypto::SigningAlg {
-            c2pa_crypto::SigningAlg::Ps256
+        fn alg(&self) -> c2pa_crypto::raw_signature::SigningAlg {
+            c2pa_crypto::raw_signature::SigningAlg::Ps256
         }
 
-        fn certs(&self) -> crate::error::Result<Vec<Vec<u8>>> {
+        fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
             let cert_vec: Vec<u8> = Vec::new();
             let certs = vec![cert_vec];
             Ok(certs)
@@ -523,7 +259,7 @@ mod tests {
         fn send_time_stamp_request(
             &self,
             _message: &[u8],
-        ) -> Option<Result<Vec<u8>, TimeStampError>> {
+        ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
             Some(Ok(Vec::new()))
         }
     }
diff --git a/sdk/src/cose_validator.rs b/sdk/src/cose_validator.rs
index 83335409e..56bea680a 100644
--- a/sdk/src/cose_validator.rs
+++ b/sdk/src/cose_validator.rs
@@ -13,751 +13,52 @@
 
 use std::io::Cursor;
 
-use asn1_rs::{Any, Class, Header, Tag};
 use async_generic::async_generic;
 use c2pa_crypto::{
-    asn1::rfc3161::TstInfo,
-    ocsp::OcspResponse,
-    raw_signature::{validator_for_signing_alg, RawSignatureValidator},
-    time_stamp::TimeStampError,
-    SigningAlg,
-};
-use c2pa_status_tracker::{log_item, StatusTracker};
-use ciborium::value::Value;
-use conv::*;
-use coset::{
-    iana::{self, EnumI64},
-    sig_structure_data, Label, TaggedCborSerializable,
-};
-use serde_bytes::ByteBuf;
-use x509_parser::{
-    der_parser::{ber::parse_ber_sequence, oid},
-    num_bigint::BigUint,
-    oid_registry::Oid,
-    prelude::*,
+    cose::{
+        cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1, signing_time_from_sign1,
+        signing_time_from_sign1_async, CertificateTrustPolicy, ValidationInfo, Verifier,
+    },
+    raw_signature::SigningAlg,
 };
+use c2pa_status_tracker::StatusTracker;
+use x509_parser::{num_bigint::BigUint, prelude::*};
 
-#[cfg(feature = "openssl")]
-use crate::openssl::verify_trust;
-#[cfg(target_arch = "wasm32")]
-use crate::wasm::webpki_trust_handler::verify_trust_async;
 use crate::{
     error::{Error, Result},
     settings::get_settings_value,
-    time_stamp::gt_to_datetime,
-    trust_handler::{has_allowed_oid, TrustHandlerConfig},
-    utils::sig_utils::parse_ec_der_sig,
-    validation_status,
-    validator::ValidationInfo,
 };
 
-pub(crate) const RSA_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .1);
-pub(crate) const EC_PUBLICKEY_OID: Oid<'static> = oid!(1.2.840 .10045 .2 .1);
-pub(crate) const RSASSA_PSS_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .10);
-
-pub(crate) const ECDSA_WITH_SHA256_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .2);
-pub(crate) const ECDSA_WITH_SHA384_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .3);
-pub(crate) const ECDSA_WITH_SHA512_OID: Oid<'static> = oid!(1.2.840 .10045 .4 .3 .4);
-pub(crate) const SHA256_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .11);
-pub(crate) const SHA384_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .12);
-pub(crate) const SHA512_WITH_RSAENCRYPTION_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .13);
-pub(crate) const ED25519_OID: Oid<'static> = oid!(1.3.101 .112);
-#[allow(dead_code)] // used only in WASM build
-pub(crate) const SHA1_OID: Oid<'static> = oid!(1.3.14 .3 .2 .26);
-pub(crate) const SHA256_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .1);
-pub(crate) const SHA384_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .2);
-pub(crate) const SHA512_OID: Oid<'static> = oid!(2.16.840 .1 .101 .3 .4 .2 .3);
-pub(crate) const SECP521R1_OID: Oid<'static> = oid!(1.3.132 .0 .35);
-pub(crate) const SECP384R1_OID: Oid<'static> = oid!(1.3.132 .0 .34);
-pub(crate) const PRIME256V1_OID: Oid<'static> = oid!(1.2.840 .10045 .3 .1 .7);
-
-/********************** Supported Validators ***************************************
-    RS256	RSASSA-PKCS1-v1_5 using SHA-256 - not recommended
-    RS384	RSASSA-PKCS1-v1_5 using SHA-384 - not recommended
-    RS512	RSASSA-PKCS1-v1_5 using SHA-512 - not recommended
-    PS256	RSASSA-PSS using SHA-256 and MGF1 with SHA-256
-    PS384	RSASSA-PSS using SHA-384 and MGF1 with SHA-384
-    PS512	RSASSA-PSS using SHA-512 and MGF1 with SHA-512
-    ES256	ECDSA using P-256 and SHA-256
-    ES384	ECDSA using P-384 and SHA-384
-    ES512	ECDSA using P-521 and SHA-512
-    ED25519 Edwards Curve 25519
-**********************************************************************************/
-
-fn get_cose_sign1(
-    cose_bytes: &[u8],
-    data: &[u8],
-    validation_log: &mut impl StatusTracker,
-) -> Result<coset::CoseSign1> {
-    match <coset::CoseSign1 as TaggedCborSerializable>::from_tagged_slice(cose_bytes) {
-        Ok(mut sign1) => {
-            sign1.payload = Some(data.to_vec()); // restore payload for verification check
-            Ok(sign1)
-        }
-        Err(coset_error) => {
-            log_item!(
-                "Cose_Sign1",
-                "could not deserialize signature",
-                "get_cose_sign1"
-            )
-            .validation_status(validation_status::CLAIM_SIGNATURE_MISMATCH)
-            .failure_no_throw(validation_log, Error::InvalidCoseSignature { coset_error });
-
-            Err(Error::CoseSignature)
-        }
-    }
-}
-
-pub(crate) fn check_cert(
-    ca_der_bytes: &[u8],
-    th: &dyn TrustHandlerConfig,
-    validation_log: &mut impl StatusTracker,
-    _tst_info_opt: Option<&TstInfo>,
-) -> Result<()> {
-    // get the cert in der format
-    let (_rem, signcert) = X509Certificate::from_der(ca_der_bytes).map_err(|_err| {
-        log_item!(
-            "Cose_Sign1",
-            "certificate could not be parsed",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        Error::CoseInvalidCert
-    })?;
-
-    // cert version must be 3
-    if signcert.version() != X509Version::V3 {
-        log_item!(
-            "Cose_Sign1",
-            "certificate version incorrect",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        return Err(Error::CoseInvalidCert);
-    }
-
-    // check for cert expiration
-    if let Some(tst_info) = _tst_info_opt {
-        // was there a time stamp association with this signature, is verify against that time
-        let signing_time = gt_to_datetime(tst_info.gen_time.clone());
-        if !signcert.validity().is_valid_at(
-            x509_parser::time::ASN1Time::from_timestamp(signing_time.timestamp())
-                .map_err(|_| Error::CoseInvalidCert)?,
-        ) {
-            log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
-                .validation_status(validation_status::SIGNING_CREDENTIAL_EXPIRED)
-                .failure_no_throw(validation_log, Error::CoseCertExpiration);
-
-            return Err(Error::CoseCertExpiration);
-        }
-    } else {
-        // no timestamp so check against current time
-        // use instant to avoid wasm issues
-        let now_f64 = instant::now() / 1000.0;
-        let now: i64 = now_f64
-            .approx_as::<i64>()
-            .map_err(|_e| Error::BadParam("system time invalid".to_string()))?;
-
-        if !signcert.validity().is_valid_at(
-            x509_parser::time::ASN1Time::from_timestamp(now).map_err(|_| Error::CoseInvalidCert)?,
-        ) {
-            log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
-                .validation_status(validation_status::SIGNING_CREDENTIAL_EXPIRED)
-                .failure_no_throw(validation_log, Error::CoseCertExpiration);
-
-            return Err(Error::CoseCertExpiration);
-        }
-    }
-
-    let cert_alg = signcert.signature_algorithm.algorithm.clone();
-
-    // check algorithm needed from cert
-
-    // cert must be signed with one the following algorithm
-    if !(cert_alg == SHA256_WITH_RSAENCRYPTION_OID
-        || cert_alg == SHA384_WITH_RSAENCRYPTION_OID
-        || cert_alg == SHA512_WITH_RSAENCRYPTION_OID
-        || cert_alg == ECDSA_WITH_SHA256_OID
-        || cert_alg == ECDSA_WITH_SHA384_OID
-        || cert_alg == ECDSA_WITH_SHA512_OID
-        || cert_alg == RSASSA_PSS_OID
-        || cert_alg == ED25519_OID)
-    {
-        log_item!(
-            "Cose_Sign1",
-            "certificate algorithm not supported",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        return Err(Error::CoseInvalidCert);
-    }
-
-    // verify rsassa_pss parameters
-    if cert_alg == RSASSA_PSS_OID {
-        if let Some(parameters) = &signcert.signature_algorithm.parameters {
-            let seq = parameters
-                .as_sequence()
-                .map_err(|_err| Error::CoseInvalidCert)?;
-
-            let (_i, (ha_alg, mgf_ai)) = seq
-                .parse(|i| {
-                    let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
-                    if h.class() != Class::ContextSpecific || h.tag() != Tag(0) {
-                        return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
-                    }
-
-                    let (i, ha_alg) = AlgorithmIdentifier::from_der(i)
-                        .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
-
-                    let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
-                    if h.class() != Class::ContextSpecific || h.tag() != Tag(1) {
-                        return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
-                    }
-
-                    let (i, mgf_ai) = AlgorithmIdentifier::from_der(i)
-                        .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
-
-                    // Ignore anything that follows these two parameters.
-
-                    Ok((i, (ha_alg, mgf_ai)))
-                })
-                .map_err(|_| Error::CoseInvalidCert)?;
-
-            let mgf_ai_parameters = mgf_ai.parameters.ok_or(Error::CoseInvalidCert)?;
-            let mgf_ai_parameters = mgf_ai_parameters
-                .as_sequence()
-                .map_err(|_| Error::CoseInvalidCert)?;
-
-            let (_i, mgf_ai_params_algorithm) =
-                <Any as asn1_rs::FromDer>::from_der(&mgf_ai_parameters.content)
-                    .map_err(|_| Error::CoseInvalidCert)?;
-
-            let mgf_ai_params_algorithm = mgf_ai_params_algorithm
-                .as_oid()
-                .map_err(|_| Error::CoseInvalidCert)?;
-
-            // must be the same
-            if ha_alg.algorithm.to_id_string() != mgf_ai_params_algorithm.to_id_string() {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate algorithm error",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-
-            // check for one of the mandatory types
-            if !(ha_alg.algorithm == SHA256_OID
-                || ha_alg.algorithm == SHA384_OID
-                || ha_alg.algorithm == SHA512_OID)
-            {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate hash algorithm not supported",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-        } else {
-            log_item!(
-                "Cose_Sign1",
-                "certificate missing algorithm parameters",
-                "check_cert_alg"
-            )
-            .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-            .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-            return Err(Error::CoseInvalidCert);
-        }
-    }
-
-    // check curves for SPKI EC algorithms
-    let pk = signcert.public_key();
-    let skpi_alg = &pk.algorithm;
-
-    if skpi_alg.algorithm == EC_PUBLICKEY_OID {
-        if let Some(parameters) = &skpi_alg.parameters {
-            let named_curve_oid = parameters.as_oid().map_err(|_err| Error::CoseInvalidCert)?;
-
-            // must be one of these named curves
-            if !(named_curve_oid == PRIME256V1_OID
-                || named_curve_oid == SECP384R1_OID
-                || named_curve_oid == SECP521R1_OID)
-            {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate unsupported EC curve",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-        } else {
-            return Err(Error::CoseInvalidCert);
-        }
-    }
-
-    // check modulus minimum length (for RSA & PSS algorithms)
-    if skpi_alg.algorithm == RSA_OID || skpi_alg.algorithm == RSASSA_PSS_OID {
-        let (_, skpi_ber) = parse_ber_sequence(&pk.subject_public_key.data)
-            .map_err(|_err| Error::CoseInvalidCert)?;
-
-        let seq = skpi_ber
-            .as_sequence()
-            .map_err(|_err| Error::CoseInvalidCert)?;
-        if seq.len() < 2 {
-            return Err(Error::CoseInvalidCert);
-        }
-
-        let modulus = seq[0].as_bigint().map_err(|_| Error::CoseInvalidCert)?;
-
-        if modulus.bits() < 2048 {
-            log_item!(
-                "Cose_Sign1",
-                "certificate key length too short",
-                "check_cert_alg"
-            )
-            .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-            .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-            return Err(Error::CoseInvalidCert);
-        }
-    }
-
-    // check cert values
-    let tbscert = &signcert.tbs_certificate;
-
-    let is_self_signed = tbscert.is_ca() && tbscert.issuer() == tbscert.subject();
-
-    // self signed certs are disallowed
-    if is_self_signed {
-        log_item!(
-            "Cose_Sign1",
-            "certificate issuer and subject cannot be the same {self-signed disallowed}",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        return Err(Error::CoseInvalidCert);
-    }
-
-    // unique ids are not allowed
-    if signcert.issuer_uid.is_some() || signcert.subject_uid.is_some() {
-        log_item!(
-            "Cose_Sign1",
-            "certificate issuer/subject unique ids are not allowed",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        return Err(Error::CoseInvalidCert);
-    }
-
-    let mut aki_good = false;
-    let mut ski_good = false;
-    let mut key_usage_good = false;
-    let mut handled_all_critical = true;
-    let extended_key_usage_good = match tbscert
-        .extended_key_usage()
-        .map_err(|_| Error::CoseInvalidCert)?
-    {
-        Some(BasicExtension { value: eku, .. }) => {
-            if eku.any {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate 'any' EKU not allowed",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-
-            if has_allowed_oid(eku, &th.get_auxillary_ekus()).is_none() {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate missing required EKU",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-
-            // one or the other || either of these two, and no others field
-            if (eku.ocsp_signing && eku.time_stamping)
-                || ((eku.ocsp_signing ^ eku.time_stamping)
-                    && (eku.client_auth
-                        | eku.code_signing
-                        | eku.email_protection
-                        | eku.server_auth
-                        | !eku.other.is_empty()))
-            {
-                log_item!(
-                    "Cose_Sign1",
-                    "certificate invalid set of EKUs",
-                    "check_cert_alg"
-                )
-                .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                return Err(Error::CoseInvalidCert);
-            }
-
-            true
-        }
-        None => tbscert.is_ca(), // if is not ca it must be present
-    };
-
-    // populate needed extension info
-    for e in signcert.extensions() {
-        match e.parsed_extension() {
-            ParsedExtension::AuthorityKeyIdentifier(_aki) => {
-                aki_good = true;
-            }
-            ParsedExtension::SubjectKeyIdentifier(_spki) => {
-                ski_good = true;
-            }
-            ParsedExtension::KeyUsage(ku) => {
-                if ku.digital_signature() {
-                    if ku.key_cert_sign() && !tbscert.is_ca() {
-                        log_item!(
-                            "Cose_Sign1",
-                            "certificate missing digitalSignature EKU",
-                            "check_cert_alg"
-                        )
-                        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-                        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-                        return Err(Error::CoseInvalidCert);
-                    }
-                    key_usage_good = true;
-                }
-                if ku.key_cert_sign() || ku.non_repudiation() {
-                    key_usage_good = true;
-                }
-                // todo: warn if not marked critical
-                // if !e.critical { // warn here somehow}
-            }
-            ParsedExtension::CertificatePolicies(_) => (),
-            ParsedExtension::PolicyMappings(_) => (),
-            ParsedExtension::SubjectAlternativeName(_) => (),
-            ParsedExtension::BasicConstraints(_) => (),
-            ParsedExtension::NameConstraints(_) => (),
-            ParsedExtension::PolicyConstraints(_) => (),
-            ParsedExtension::ExtendedKeyUsage(_) => (),
-            ParsedExtension::CRLDistributionPoints(_) => (),
-            ParsedExtension::InhibitAnyPolicy(_) => (),
-            ParsedExtension::AuthorityInfoAccess(_) => (),
-            ParsedExtension::NSCertType(_) => (),
-            ParsedExtension::CRLNumber(_) => (),
-            ParsedExtension::ReasonCode(_) => (),
-            ParsedExtension::InvalidityDate(_) => (),
-            ParsedExtension::Unparsed => {
-                if e.critical {
-                    // unhandled critical extension
-                    handled_all_critical = false;
-                }
-            }
-            _ => {
-                if e.critical {
-                    // unhandled critical extension
-                    handled_all_critical = false;
-                }
-            }
-        }
-    }
-
-    // if cert is a CA must have valid SubjectKeyIdentifier
-    ski_good = if tbscert.is_ca() { ski_good } else { true };
-
-    // check all flags
-    if aki_good && ski_good && key_usage_good && extended_key_usage_good && handled_all_critical {
-        Ok(())
-    } else {
-        log_item!(
-            "Cose_Sign1",
-            "certificate params incorrect",
-            "check_cert_alg"
-        )
-        .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-        .failure_no_throw(validation_log, Error::CoseInvalidCert);
-
-        Err(Error::CoseInvalidCert)
-    }
-}
-
-pub(crate) fn get_signing_alg(cs1: &coset::CoseSign1) -> Result<SigningAlg> {
-    // find the supported handler for the algorithm
-    match cs1.protected.header.alg {
-        Some(ref alg) => match alg {
-            coset::RegisteredLabelWithPrivate::PrivateUse(a) => match a {
-                -39 => Ok(SigningAlg::Ps512),
-                -38 => Ok(SigningAlg::Ps384),
-                -37 => Ok(SigningAlg::Ps256),
-                -36 => Ok(SigningAlg::Es512),
-                -35 => Ok(SigningAlg::Es384),
-                -7 => Ok(SigningAlg::Es256),
-                -8 => Ok(SigningAlg::Ed25519),
-                _ => Err(Error::CoseSignatureAlgorithmNotSupported),
-            },
-            coset::RegisteredLabelWithPrivate::Assigned(a) => match a {
-                coset::iana::Algorithm::PS512 => Ok(SigningAlg::Ps512),
-                coset::iana::Algorithm::PS384 => Ok(SigningAlg::Ps384),
-                coset::iana::Algorithm::PS256 => Ok(SigningAlg::Ps256),
-                coset::iana::Algorithm::ES512 => Ok(SigningAlg::Es512),
-                coset::iana::Algorithm::ES384 => Ok(SigningAlg::Es384),
-                coset::iana::Algorithm::ES256 => Ok(SigningAlg::Es256),
-                coset::iana::Algorithm::EdDSA => Ok(SigningAlg::Ed25519),
-                _ => Err(Error::CoseSignatureAlgorithmNotSupported),
-            },
-            coset::RegisteredLabelWithPrivate::Text(a) => a
-                .parse()
-                .map_err(|_| Error::CoseSignatureAlgorithmNotSupported),
-        },
-        None => Err(Error::CoseSignatureAlgorithmNotSupported),
-    }
-}
-
 fn get_sign_cert(sign1: &coset::CoseSign1) -> Result<Vec<u8>> {
     // element 0 is the signing cert
-    let certs = get_sign_certs(sign1)?;
+    let certs = cert_chain_from_sign1(sign1)?;
     Ok(certs[0].clone())
 }
 
-fn get_unprotected_header_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>> {
-    if let Some(der) = sign1
-        .unprotected
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string()) {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    {
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        match der {
-            Value::Array(cert_chain) => {
-                // handle array of certs
-                for c in cert_chain {
-                    if let Value::Bytes(der_bytes) = c {
-                        certs.push(der_bytes.clone());
-                    }
-                }
-
-                if certs.is_empty() {
-                    Err(Error::CoseMissingKey)
-                } else {
-                    Ok(certs)
-                }
-            }
-            Value::Bytes(ref der_bytes) => {
-                // handle single cert case
-                certs.push(der_bytes.clone());
-                Ok(certs)
-            }
-            _ => Err(Error::CoseX5ChainMissing),
-        }
-    } else {
-        Err(Error::CoseX5ChainMissing)
-    }
-}
-// get the public key der
-fn get_sign_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>> {
-    // check for protected header int, then protected header x5chain,
-    // then the legacy unprotected x5chain to get the public key der
-
-    // check the protected header
-    if let Some(der) = sign1
-        .protected
-        .header
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string())
-                || x.0 == Label::Int(iana::HeaderParameter::X5Chain.to_i64())
-            {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    {
-        // make sure there are no certs in the legacy unprotected header, certs
-        // are only allowing in protect OR unprotected header
-        if get_unprotected_header_certs(sign1).is_ok() {
-            return Err(Error::CoseVerifier);
-        }
-
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        match der {
-            Value::Array(cert_chain) => {
-                // handle array of certs
-                for c in cert_chain {
-                    if let Value::Bytes(der_bytes) = c {
-                        certs.push(der_bytes.clone());
-                    }
-                }
-
-                if certs.is_empty() {
-                    return Err(Error::CoseX5ChainMissing);
-                } else {
-                    return Ok(certs);
-                }
-            }
-            Value::Bytes(ref der_bytes) => {
-                // handle single cert case
-                certs.push(der_bytes.clone());
-                return Ok(certs);
-            }
-            _ => return Err(Error::CoseX5ChainMissing),
-        }
-    }
-
-    // check the unprotected header if necessary
-    get_unprotected_header_certs(sign1)
-}
-
-// get OCSP der
-fn get_ocsp_der(sign1: &coset::CoseSign1) -> Option<Vec<u8>> {
-    if let Some(der) = sign1
-        .unprotected
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("rVals".to_string()) {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    {
-        match der {
-            Value::Map(rvals_map) => {
-                // find OCSP value if available
-                rvals_map.iter().find_map(|x: &(Value, Value)| {
-                    if x.0 == Value::Text("ocspVals".to_string()) {
-                        x.1.as_array()
-                            .and_then(|ocsp_rsp_val| ocsp_rsp_val.first())
-                            .and_then(Value::as_bytes)
-                            .cloned()
-                    } else {
-                        None
-                    }
-                })
-            }
-            _ => None,
-        }
-    } else {
-        None
-    }
-}
-
-#[allow(dead_code)]
+/// Validate a COSE_SIGN1 byte vector and verify against expected data
+/// cose_bytes - byte array containing the raw COSE_SIGN1 data
+/// data:  data that was used to create the cose_bytes, these must match
+/// addition_data: additional optional data that may have been used during signing
+/// returns - Ok on success
 #[async_generic]
-pub(crate) fn check_ocsp_status(
+pub(crate) fn verify_cose(
     cose_bytes: &[u8],
     data: &[u8],
-    th: &dyn TrustHandlerConfig,
+    additional_data: &[u8],
+    cert_check: bool,
+    ctp: &CertificateTrustPolicy,
     validation_log: &mut impl StatusTracker,
-) -> Result<OcspResponse> {
-    let sign1 = get_cose_sign1(cose_bytes, data, validation_log)?;
-
-    let mut result = Ok(OcspResponse::default());
-
-    if let Some(ocsp_response_der) = get_ocsp_der(&sign1) {
-        let time_stamp_info = if _sync {
-            get_timestamp_info(&sign1, data)
-        } else {
-            get_timestamp_info_async(&sign1, data).await
-        };
-
-        // check stapled OCSP response, must have timestamp
-        if let Ok(tst_info) = &time_stamp_info {
-            let signing_time = gt_to_datetime(tst_info.gen_time.clone());
-
-            // Check the OCSP response, only use if not malformed.  Revocation errors are reported in the validation log
-            if let Ok(ocsp_data) = OcspResponse::from_der_checked(
-                &ocsp_response_der,
-                Some(signing_time),
-                validation_log,
-            ) {
-                // if we get a valid response validate the certs
-                if ocsp_data.revoked_at.is_none() {
-                    if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
-                        check_cert(&ocsp_certs[0], th, validation_log, Some(tst_info))?;
-                    }
-                }
-                result = Ok(ocsp_data);
-            }
+) -> Result<ValidationInfo> {
+    let verifier = if cert_check {
+        match get_settings_value::<bool>("verify.verify_trust") {
+            Ok(true) => Verifier::VerifyTrustPolicy(ctp),
+            _ => Verifier::VerifyCertificateProfileOnly(ctp),
         }
     } else {
-        #[cfg(not(target_arch = "wasm32"))]
-        {
-            // only support fetching with the enabled
-            if let Ok(ocsp_fetch) = get_settings_value::<bool>("verify.ocsp_fetch") {
-                if ocsp_fetch {
-                    // get the cert chain
-                    let certs = get_sign_certs(&sign1)?;
-
-                    if let Some(ocsp_der) = c2pa_crypto::ocsp::fetch_ocsp_response(&certs) {
-                        // fetch_ocsp_response(&certs) {
-                        let ocsp_response_der = ocsp_der;
-
-                        let time_stamp_info = get_timestamp_info(&sign1, data);
-
-                        let signing_time = match &time_stamp_info {
-                            Ok(tst_info) => {
-                                let signing_time = gt_to_datetime(tst_info.gen_time.clone());
-                                Some(signing_time)
-                            }
-                            Err(_) => None,
-                        };
-
-                        // Check the OCSP response, only use if not malformed.  Revocation errors are reported in the validation log
-                        if let Ok(ocsp_data) = OcspResponse::from_der_checked(
-                            &ocsp_response_der,
-                            signing_time,
-                            validation_log,
-                        ) {
-                            // if we get a valid response validate the certs
-                            if ocsp_data.revoked_at.is_none() {
-                                if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
-                                    check_cert(&ocsp_certs[0], th, validation_log, None)?;
-                                }
-                            }
-                            result = Ok(ocsp_data);
-                        }
-                    }
-                }
-            }
-        }
-    }
+        Verifier::IgnoreProfileAndTrustPolicy
+    };
 
-    result
+    Ok(verifier.verify_signature(cose_bytes, data, additional_data, validation_log)?)
 }
 
 // internal util function to dump the cert chain in PEM format
@@ -774,172 +75,6 @@ fn dump_cert_chain(certs: &[Vec<u8>]) -> Result<Vec<u8>> {
     Ok(out_buf)
 }
 
-// Note: this function is only used to get the display string and not for cert validation.
-#[async_generic]
-fn get_signing_time(
-    sign1: &coset::CoseSign1,
-    data: &[u8],
-) -> Option<chrono::DateTime<chrono::Utc>> {
-    // get timestamp info if available
-
-    let time_stamp_info = if _sync {
-        get_timestamp_info(sign1, data)
-    } else {
-        get_timestamp_info_async(sign1, data).await
-    };
-
-    if let Ok(tst_info) = time_stamp_info {
-        Some(gt_to_datetime(tst_info.gen_time))
-    } else {
-        None
-    }
-}
-
-// return appropriate TstInfo if available
-#[async_generic]
-fn get_timestamp_info(sign1: &coset::CoseSign1, data: &[u8]) -> Result<TstInfo> {
-    // parse the temp timestamp
-    if let Some((t, v)) = &sign1
-        .unprotected
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("sigTst2".to_string()) {
-                Some((x.1.clone(), 2))
-            } else if x.0 == Label::Text("sigTst".to_string()) {
-                Some((x.1.clone(), 1))
-            } else {
-                None
-            }
-        })
-    {
-        let buf;
-        let tbs = if *v == 1 {
-            data
-        } else {
-            let sig_data = ByteBuf::from(sign1.signature.clone());
-            buf = serde_cbor::to_vec(&sig_data)?;
-            buf.as_slice()
-        };
-
-        let time_cbor = serde_cbor::to_vec(t)?;
-        let tst_infos = if _sync {
-            crate::time_stamp::cose_sigtst_to_tstinfos(&time_cbor, tbs, &sign1.protected)?
-        } else {
-            crate::time_stamp::cose_sigtst_to_tstinfos_async(&time_cbor, tbs, &sign1.protected)
-                .await?
-        };
-
-        // there should only be one but consider handling more in the future since it is technically ok
-        if !tst_infos.is_empty() {
-            return Ok(tst_infos[0].clone());
-        }
-    }
-    Err(Error::NotFound)
-}
-
-#[async_generic(async_signature( th: &dyn TrustHandlerConfig, chain_der: &[Vec<u8>], cert_der: &[u8], signing_time_epoc: Option<i64>, validation_log: &mut impl StatusTracker))]
-#[allow(unused)]
-fn check_trust(
-    th: &dyn TrustHandlerConfig,
-    chain_der: &[Vec<u8>],
-    cert_der: &[u8],
-    signing_time_epoc: Option<i64>,
-    validation_log: &mut impl StatusTracker,
-) -> Result<()> {
-    // just return is trust checks are disabled or misconfigured
-    match get_settings_value::<bool>("verify.verify_trust") {
-        Ok(verify_trust) => {
-            if !verify_trust {
-                return Ok(());
-            }
-        }
-        Err(e) => return Err(e),
-    }
-
-    // is the certificate trusted
-
-    let verify_result: Result<bool> = if _sync {
-        #[cfg(not(feature = "openssl"))]
-        {
-            Err(Error::NotImplemented(
-                "no trust handler for this feature".to_string(),
-            ))
-        }
-
-        #[cfg(feature = "openssl")]
-        {
-            verify_trust(th, chain_der, cert_der, signing_time_epoc)
-        }
-    } else {
-        #[cfg(target_arch = "wasm32")]
-        {
-            verify_trust_async(th, chain_der, cert_der, signing_time_epoc).await
-        }
-
-        #[cfg(feature = "openssl")]
-        {
-            verify_trust(th, chain_der, cert_der, signing_time_epoc)
-        }
-
-        #[cfg(all(not(feature = "openssl"), not(target_arch = "wasm32")))]
-        {
-            Err(Error::NotImplemented(
-                "no trust handler for this feature".to_string(),
-            ))
-        }
-    };
-
-    match verify_result {
-        Ok(trusted) => {
-            if trusted {
-                log_item!("Cose_Sign1", "signing certificate trusted", "verify_cose")
-                    .validation_status(validation_status::SIGNING_CREDENTIAL_TRUSTED)
-                    .success(validation_log);
-
-                Ok(())
-            } else {
-                log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
-                    .validation_status(validation_status::SIGNING_CREDENTIAL_UNTRUSTED)
-                    .failure_no_throw(validation_log, Error::CoseCertUntrusted);
-
-                Err(Error::CoseCertUntrusted)
-            }
-        }
-        Err(e) => {
-            log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
-                .validation_status(validation_status::SIGNING_CREDENTIAL_UNTRUSTED)
-                .failure_no_throw(validation_log, &e);
-
-            // TO REVIEW: Mixed message: Are we using CoseCertUntrusted in log or &e from above?
-            // validation_log.log(log_item, Error::CoseCertUntrusted)?;
-            Err(e)
-        }
-    }
-}
-
-// test for unrecognized signatures
-fn check_sig(sig: &[u8], alg: SigningAlg) -> Result<()> {
-    match alg {
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
-            if parse_ec_der_sig(sig).is_ok() {
-                // expected P1363 format
-                return Err(Error::InvalidEcdsaSignature);
-            }
-        }
-        _ => (),
-    }
-    Ok(())
-}
-
-/// A wrapper containing information of the signing cert.
-pub(crate) struct CertInfo {
-    /// The name of the identity the certificate is issued to.
-    pub subject: String,
-    /// The serial number of the cert. Will be unique to the CA.
-    pub serial_number: BigUint,
-}
-
 fn extract_subject_from_cert(cert: &X509Certificate) -> Result<String> {
     cert.subject()
         .iter_organization()
@@ -955,162 +90,6 @@ fn extract_serial_from_cert(cert: &X509Certificate) -> BigUint {
     cert.serial.clone()
 }
 
-fn tst_info_result_to_timestamp(tst_info_res: &Result<TstInfo>) -> Option<i64> {
-    match &tst_info_res {
-        Ok(tst_info) => {
-            let dt: chrono::DateTime<chrono::Utc> = tst_info.gen_time.clone().into();
-            Some(dt.timestamp())
-        }
-        Err(_) => None,
-    }
-}
-
-/// Asynchronously validate a COSE_SIGN1 byte vector and verify against expected data
-/// cose_bytes - byte array containing the raw COSE_SIGN1 data
-/// data:  data that was used to create the cose_bytes, these must match
-/// addition_data: additional optional data that may have been used during signing
-/// returns - Ok on success
-pub(crate) async fn verify_cose_async(
-    cose_bytes: Vec<u8>,
-    data: Vec<u8>,
-    additional_data: Vec<u8>,
-    cert_check: bool,
-    th: &dyn TrustHandlerConfig,
-    validation_log: &mut impl StatusTracker,
-) -> Result<ValidationInfo> {
-    let mut sign1 = get_cose_sign1(&cose_bytes, &data, validation_log)?;
-
-    let alg = match get_signing_alg(&sign1) {
-        Ok(a) => a,
-        Err(_) => {
-            log_item!(
-                "Cose_Sign1",
-                "unsupported or missing Cose algorithm",
-                "verify_cose_async"
-            )
-            .validation_status(validation_status::ALGORITHM_UNSUPPORTED)
-            .failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);
-
-            // one of these must exist
-            return Err(Error::CoseSignatureAlgorithmNotSupported);
-        }
-    };
-
-    // build result structure
-    let mut result = ValidationInfo::default();
-
-    // get the cert chain
-    let certs = get_sign_certs(&sign1)?;
-
-    // get the public key der
-    let der_bytes = &certs[0];
-
-    let tst_info_res = get_timestamp_info_async(&sign1, &data).await;
-
-    // verify cert matches requested algorithm
-    if cert_check {
-        // verify certs
-        match &tst_info_res {
-            Ok(tst_info) => check_cert(der_bytes, th, validation_log, Some(tst_info))?,
-            Err(e) => {
-                // log timestamp errors
-                match e {
-                    Error::NotFound => check_cert(der_bytes, th, validation_log, None)?,
-
-                    Error::TimeStampError(TimeStampError::InvalidData) => {
-                        log_item!(
-                            "Cose_Sign1",
-                            "timestamp message imprint did not match",
-                            "verify_cose"
-                        )
-                        .validation_status(validation_status::TIMESTAMP_MISMATCH)
-                        .failure(validation_log, Error::CoseTimeStampMismatch)?;
-                    }
-
-                    Error::CoseTimeStampValidity => {
-                        log_item!("Cose_Sign1", "timestamp outside of validity", "verify_cose")
-                            .validation_status(validation_status::TIMESTAMP_OUTSIDE_VALIDITY)
-                            .failure(validation_log, Error::CoseTimeStampValidity)?;
-                    }
-
-                    _ => {
-                        log_item!("Cose_Sign1", "error parsing timestamp", "verify_cose")
-                            .failure_no_throw(validation_log, Error::CoseInvalidTimeStamp);
-
-                        return Err(Error::CoseInvalidTimeStamp);
-                    }
-                }
-            }
-        }
-
-        // is the certificate trusted
-        #[cfg(target_arch = "wasm32")]
-        check_trust_async(
-            th,
-            &certs[1..],
-            der_bytes,
-            tst_info_result_to_timestamp(&tst_info_res),
-            validation_log,
-        )
-        .await?;
-
-        #[cfg(not(target_arch = "wasm32"))]
-        check_trust(
-            th,
-            &certs[1..],
-            der_bytes,
-            tst_info_result_to_timestamp(&tst_info_res),
-            validation_log,
-        )?;
-
-        // todo: check TSA certs against trust list
-    }
-
-    // check signature format
-    if let Err(_e) = check_sig(&sign1.signature, alg) {
-        log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
-            .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-            .failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);
-
-        // TO REVIEW: This could return e if OneShotStatusTracker is used. Hmmm.
-        // validation_log.log(log_item, e)?;
-
-        return Err(Error::CoseSignatureAlgorithmNotSupported);
-    }
-
-    // Check the signature, which needs to have the same `additional_data` provided, by
-    // providing a closure that can do the verify operation.
-    sign1.payload = Some(data.clone()); // restore payload
-
-    let p_header = sign1.protected.clone();
-
-    let tbs = sig_structure_data(
-        coset::SignatureContext::CoseSign1,
-        p_header,
-        None,
-        &additional_data,
-        sign1.payload.as_ref().unwrap_or(&vec![]),
-    ); // get "to be signed" bytes
-
-    if let Ok(CertInfo {
-        subject,
-        serial_number,
-    }) = validate_with_cert_async(alg, &sign1.signature, &tbs, der_bytes).await
-    {
-        result.issuer_org = Some(subject);
-        result.cert_serial_number = Some(serial_number);
-        result.validated = true;
-        result.alg = Some(alg);
-
-        result.date = tst_info_res.map(|t| gt_to_datetime(t.gen_time)).ok();
-
-        // return cert chain
-        result.cert_chain = dump_cert_chain(&get_sign_certs(&sign1)?)?;
-    }
-
-    Ok(result)
-}
-
 #[allow(unused_variables)]
 #[async_generic]
 pub(crate) fn get_signing_info(
@@ -1123,20 +102,20 @@ pub(crate) fn get_signing_info(
     let mut alg: Option<SigningAlg> = None;
     let mut cert_serial_number = None;
 
-    let sign1 = match get_cose_sign1(cose_bytes, data, validation_log) {
+    let sign1 = match parse_cose_sign1(cose_bytes, data, validation_log) {
         Ok(sign1) => {
             // get the public key der
             match get_sign_cert(&sign1) {
                 Ok(der_bytes) => {
                     if let Ok((_rem, signcert)) = X509Certificate::from_der(&der_bytes) {
                         date = if _sync {
-                            get_signing_time(&sign1, data)
+                            signing_time_from_sign1(&sign1, data)
                         } else {
-                            get_signing_time_async(&sign1, data).await
+                            signing_time_from_sign1_async(&sign1, data).await
                         };
                         issuer_org = extract_subject_from_cert(&signcert).ok();
                         cert_serial_number = Some(extract_serial_from_cert(&signcert));
-                        if let Ok(a) = get_signing_alg(&sign1) {
+                        if let Ok(a) = signing_alg_from_sign1(&sign1) {
                             alg = Some(a);
                         }
                     };
@@ -1146,11 +125,11 @@ pub(crate) fn get_signing_info(
                 Err(e) => Err(e),
             }
         }
-        Err(e) => Err(e),
+        Err(e) => Err(e.into()),
     };
 
     let certs = match sign1 {
-        Ok(s) => match get_sign_certs(&s) {
+        Ok(s) => match cert_chain_from_sign1(&s) {
             Ok(c) => dump_cert_chain(&c).unwrap_or_default(),
             Err(_) => Vec::new(),
         },
@@ -1168,288 +147,20 @@ pub(crate) fn get_signing_info(
     }
 }
 
-/// Validate a COSE_SIGN1 byte vector and verify against expected data
-/// cose_bytes - byte array containing the raw COSE_SIGN1 data
-/// data:  data that was used to create the cose_bytes, these must match
-/// addition_data: additional optional data that may have been used during signing
-/// returns - Ok on success
-pub(crate) fn verify_cose(
-    cose_bytes: &[u8],
-    data: &[u8],
-    additional_data: &[u8],
-    cert_check: bool,
-    th: &dyn TrustHandlerConfig,
-    validation_log: &mut impl StatusTracker,
-) -> Result<ValidationInfo> {
-    let sign1 = get_cose_sign1(cose_bytes, data, validation_log)?;
-
-    let alg = match get_signing_alg(&sign1) {
-        Ok(a) => a,
-        Err(_) => {
-            log_item!(
-                "Cose_Sign1",
-                "unsupported or missing Cose algorithm",
-                "verify_cose"
-            )
-            .validation_status(validation_status::ALGORITHM_UNSUPPORTED)
-            .failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);
-
-            return Err(Error::CoseSignatureAlgorithmNotSupported);
-        }
-    };
-
-    let Some(validator) = validator_for_signing_alg(alg) else {
-        return Err(Error::CoseSignatureAlgorithmNotSupported);
-    };
-
-    // build result structure
-    let mut result = ValidationInfo::default();
-
-    // get the cert chain
-    let certs = get_sign_certs(&sign1)?;
-
-    // get the public key der
-    let der_bytes = &certs[0];
-
-    let tst_info_res = get_timestamp_info(&sign1, data);
-
-    // check signature format
-    if let Err(_e) = check_sig(&sign1.signature, alg) {
-        log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
-            .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-            .failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);
-
-        // TO REVIEW: This could return e if OneShotStatusTracker is used. Hmmm.
-        // validation_log.log(log_item, e)?;
-
-        return Err(Error::CoseSignatureAlgorithmNotSupported);
-    }
-
-    if cert_check {
-        // verify certs
-        match &tst_info_res {
-            Ok(tst_info) => check_cert(der_bytes, th, validation_log, Some(tst_info))?,
-            Err(e) => {
-                // log timestamp errors
-                match e {
-                    Error::NotFound => check_cert(der_bytes, th, validation_log, None)?,
-
-                    Error::TimeStampError(TimeStampError::InvalidData) => {
-                        log_item!(
-                            "Cose_Sign1",
-                            "timestamp did not match signed data",
-                            "verify_cose"
-                        )
-                        .validation_status(validation_status::TIMESTAMP_MISMATCH)
-                        .failure_no_throw(validation_log, Error::CoseTimeStampMismatch);
-
-                        return Err(Error::CoseTimeStampMismatch);
-                    }
-
-                    Error::CoseTimeStampValidity => {
-                        log_item!(
-                            "Cose_Sign1",
-                            "timestamp certificate outside of validity",
-                            "verify_cose"
-                        )
-                        .validation_status(validation_status::TIMESTAMP_OUTSIDE_VALIDITY)
-                        .failure_no_throw(validation_log, Error::CoseTimeStampValidity);
-
-                        return Err(Error::CoseTimeStampValidity);
-                    }
-
-                    _ => {
-                        log_item!("Cose_Sign1", "error parsing timestamp", "verify_cose")
-                            .failure_no_throw(validation_log, Error::CoseInvalidTimeStamp);
-
-                        return Err(Error::CoseInvalidTimeStamp);
-                    }
-                }
-            }
-        }
-
-        // is the certificate trusted
-        check_trust(
-            th,
-            &certs[1..],
-            der_bytes,
-            tst_info_result_to_timestamp(&tst_info_res),
-            validation_log,
-        )?;
-
-        // todo: check TSA certs against trust list
-    }
-
-    // check signature format
-    if let Err(e) = check_sig(&sign1.signature, alg) {
-        log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
-            .validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
-            .failure_no_throw(validation_log, e);
-
-        return Err(Error::CoseSignatureAlgorithmNotSupported);
-    }
-
-    // Check the signature, which needs to have the same `additional_data` provided, by
-    // providing a closure that can do the verify operation.
-    sign1.verify_signature(additional_data, |sig, verify_data| -> Result<()> {
-        if let Ok(CertInfo {
-            subject,
-            serial_number,
-        }) = validate_with_cert(validator, sig, verify_data, der_bytes)
-        {
-            result.issuer_org = Some(subject);
-            result.cert_serial_number = Some(serial_number);
-            result.validated = true;
-            result.alg = Some(alg);
-
-            result.date = tst_info_res.map(|t| gt_to_datetime(t.gen_time)).ok();
-
-            // return cert chain
-            result.cert_chain = dump_cert_chain(&certs)?;
-
-            result.revocation_status = Some(true);
-        }
-        // Note: not adding validation_log entry here since caller will supply claim specific info to log
-        Ok(())
-    })?;
-
-    Ok(result)
-}
-
-fn validate_with_cert(
-    validator: Box<dyn RawSignatureValidator>,
-    sig: &[u8],
-    data: &[u8],
-    der_bytes: &[u8],
-) -> Result<CertInfo> {
-    // get the cert in der format
-    let (_rem, signcert) =
-        X509Certificate::from_der(der_bytes).map_err(|_err| Error::CoseInvalidCert)?;
-    let pk = signcert.public_key();
-    let pk_der = pk.raw;
-
-    validator.validate(sig, data, pk_der)?;
-
-    Ok(CertInfo {
-        subject: extract_subject_from_cert(&signcert).unwrap_or_default(),
-        serial_number: extract_serial_from_cert(&signcert),
-    })
-}
-
-#[cfg(target_arch = "wasm32")]
-async fn validate_with_cert_async(
-    signing_alg: SigningAlg,
-    sig: &[u8],
-    data: &[u8],
-    der_bytes: &[u8],
-) -> Result<CertInfo> {
-    let (_rem, signcert) =
-        X509Certificate::from_der(der_bytes).map_err(|_err| Error::CoseMissingKey)?;
-    let pk = signcert.public_key();
-    let pk_der = pk.raw;
-
-    let Some(validator) = c2pa_crypto::webcrypto::async_validator_for_signing_alg(signing_alg)
-    else {
-        return Err(Error::UnknownAlgorithm);
-    };
-
-    validator.validate_async(sig, data, pk_der).await?;
-
-    Ok(CertInfo {
-        subject: extract_subject_from_cert(&signcert).unwrap_or_default(),
-        serial_number: extract_serial_from_cert(&signcert),
-    })
-}
-
-#[cfg(not(target_arch = "wasm32"))]
-async fn validate_with_cert_async(
-    signing_alg: SigningAlg,
-    sig: &[u8],
-    data: &[u8],
-    der_bytes: &[u8],
-) -> Result<CertInfo> {
-    let Some(validator) = validator_for_signing_alg(signing_alg) else {
-        return Err(Error::CoseSignatureAlgorithmNotSupported);
-    };
-
-    validate_with_cert(validator, sig, data, der_bytes)
-}
-
 #[allow(unused_imports)]
 #[allow(clippy::unwrap_used)]
 #[cfg(feature = "openssl_sign")]
 #[cfg(test)]
 pub mod tests {
+    use c2pa_crypto::raw_signature::SigningAlg;
     use c2pa_status_tracker::DetailedStatusTracker;
+    use ciborium::Value;
+    use coset::Label;
     use sha2::digest::generic_array::sequence::Shorten;
+    use x509_parser::{certificate::X509Certificate, pem::Pem};
 
     use super::*;
-    use crate::{openssl::temp_signer, signer::ConfigurableSigner, Signer, SigningAlg};
-
-    #[test]
-    #[cfg(feature = "file_io")]
-    fn test_expired_cert() {
-        let mut validation_log = DetailedStatusTracker::default();
-        let th = crate::openssl::OpenSSLTrustHandlerConfig::new();
-
-        let mut cert_path = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"));
-        cert_path.push("tests/fixtures/rsa-pss256_key-expired.pub");
-
-        let expired_cert = std::fs::read(&cert_path).unwrap();
-
-        if let Ok(signcert) = openssl::x509::X509::from_pem(&expired_cert) {
-            let der_bytes = signcert.to_der().unwrap();
-            assert!(check_cert(&der_bytes, &th, &mut validation_log, None).is_err());
-
-            assert!(!validation_log.logged_items().is_empty());
-
-            assert_eq!(
-                validation_log.logged_items()[0].validation_status,
-                Some(validation_status::SIGNING_CREDENTIAL_EXPIRED.into())
-            );
-        }
-    }
-
-    #[test]
-    #[cfg(feature = "openssl_sign")]
-    fn test_cert_algorithms() {
-        let cert_dir = crate::utils::test::fixture_path("certs");
-        let th = crate::openssl::OpenSSLTrustHandlerConfig::new();
-
-        let mut validation_log = DetailedStatusTracker::default();
-
-        let (_, cert_path) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es256, None);
-        let es256_cert = std::fs::read(cert_path).unwrap();
-
-        let (_, cert_path) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es384, None);
-        let es384_cert = std::fs::read(cert_path).unwrap();
-
-        let (_, cert_path) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es512, None);
-        let es512_cert = std::fs::read(cert_path).unwrap();
-
-        let (_, cert_path) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps256, None);
-        let rsa_pss256_cert = std::fs::read(cert_path).unwrap();
-
-        if let Ok(signcert) = openssl::x509::X509::from_pem(&es256_cert) {
-            let der_bytes = signcert.to_der().unwrap();
-            assert!(check_cert(&der_bytes, &th, &mut validation_log, None).is_ok());
-        }
-
-        if let Ok(signcert) = openssl::x509::X509::from_pem(&es384_cert) {
-            let der_bytes = signcert.to_der().unwrap();
-            assert!(check_cert(&der_bytes, &th, &mut validation_log, None).is_ok());
-        }
-
-        if let Ok(signcert) = openssl::x509::X509::from_pem(&es512_cert) {
-            let der_bytes = signcert.to_der().unwrap();
-            assert!(check_cert(&der_bytes, &th, &mut validation_log, None).is_ok());
-        }
-
-        if let Ok(signcert) = openssl::x509::X509::from_pem(&rsa_pss256_cert) {
-            let der_bytes = signcert.to_der().unwrap();
-            assert!(check_cert(&der_bytes, &th, &mut validation_log, None).is_ok());
-        }
-    }
+    use crate::{utils::test_signer::test_signer, Signer};
 
     #[test]
     fn test_no_timestamp() {
@@ -1462,20 +173,25 @@ pub mod tests {
 
         let box_size = 10000;
 
-        let signer = crate::utils::test::temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let cose_bytes =
             crate::cose_sign::sign_claim(&claim_bytes, signer.as_ref(), box_size).unwrap();
 
-        let cose_sign1 = get_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
+        let cose_sign1 = parse_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
 
-        let signing_time = get_signing_time(&cose_sign1, &claim_bytes);
+        let signing_time = signing_time_from_sign1(&cose_sign1, &claim_bytes);
 
         assert_eq!(signing_time, None);
     }
     #[test]
     #[cfg(feature = "openssl_sign")]
     fn test_stapled_ocsp() {
+        use c2pa_crypto::{
+            raw_signature::{signer_from_cert_chain_and_private_key, RawSigner, RawSignerError},
+            time_stamp::{TimeStampError, TimeStampProvider},
+        };
+
         let mut validation_log = DetailedStatusTracker::default();
 
         let mut claim = crate::claim::Claim::new("ocsp_sign_test", Some("contentauth"), 1);
@@ -1487,23 +203,19 @@ pub mod tests {
         let pem_key = include_bytes!("../tests/fixtures/certs/ps256.pem").to_vec();
         let ocsp_rsp_data = include_bytes!("../tests/fixtures/ocsp_good.data");
 
-        let signer = crate::openssl::RsaSigner::from_signcert_and_pkey(
-            &sign_cert,
-            &pem_key,
-            SigningAlg::Ps256,
-            None,
-        )
-        .unwrap();
+        let raw_signer =
+            signer_from_cert_chain_and_private_key(&sign_cert, &pem_key, SigningAlg::Ps256, None)
+                .unwrap();
 
         // create a test signer that supports stapling
         struct OcspSigner {
-            pub signer: Box<dyn crate::Signer>,
+            pub raw_signer: Box<dyn RawSigner>,
             pub ocsp_rsp: Vec<u8>,
         }
 
         impl crate::Signer for OcspSigner {
             fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
-                self.signer.sign(data)
+                Ok(self.raw_signer.sign(data)?)
             }
 
             fn alg(&self) -> SigningAlg {
@@ -1511,33 +223,120 @@ pub mod tests {
             }
 
             fn certs(&self) -> Result<Vec<Vec<u8>>> {
-                self.signer.certs()
+                Ok(self.raw_signer.cert_chain()?)
             }
 
             fn reserve_size(&self) -> usize {
-                self.signer.reserve_size()
+                self.raw_signer.reserve_size()
             }
 
             fn ocsp_val(&self) -> Option<Vec<u8>> {
                 Some(self.ocsp_rsp.clone())
             }
+
+            fn raw_signer(&self) -> Box<&dyn RawSigner> {
+                Box::new(self)
+            }
         }
 
-        impl c2pa_crypto::time_stamp::TimeStampProvider for OcspSigner {}
+        impl RawSigner for OcspSigner {
+            fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+                self.raw_signer.sign(data)
+            }
+
+            fn alg(&self) -> SigningAlg {
+                self.raw_signer.alg()
+            }
+
+            fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+                self.raw_signer.cert_chain()
+            }
+
+            fn reserve_size(&self) -> usize {
+                self.raw_signer.reserve_size()
+            }
+
+            fn ocsp_response(&self) -> Option<Vec<u8>> {
+                eprintln!("THE ONE I WANTED @ 287");
+                Some(self.ocsp_rsp.clone())
+            }
+        }
+
+        impl TimeStampProvider for OcspSigner {
+            fn time_stamp_service_url(&self) -> Option<String> {
+                self.raw_signer.time_stamp_service_url()
+            }
+
+            fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+                self.raw_signer.time_stamp_request_headers()
+            }
+
+            fn time_stamp_request_body(
+                &self,
+                message: &[u8],
+            ) -> std::result::Result<Vec<u8>, TimeStampError> {
+                self.raw_signer.time_stamp_request_body(message)
+            }
+
+            fn send_time_stamp_request(
+                &self,
+                message: &[u8],
+            ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+                self.raw_signer.send_time_stamp_request(message)
+            }
+        }
 
         let ocsp_signer = OcspSigner {
-            signer: Box::new(signer),
+            raw_signer,
             ocsp_rsp: ocsp_rsp_data.to_vec(),
         };
 
         // sign and staple
-        let cose_bytes =
-            crate::cose_sign::sign_claim(&claim_bytes, &ocsp_signer, ocsp_signer.reserve_size())
-                .unwrap();
+        let cose_bytes = crate::cose_sign::sign_claim(
+            &claim_bytes,
+            &ocsp_signer,
+            RawSigner::reserve_size(&ocsp_signer),
+        )
+        .unwrap();
 
-        let cose_sign1 = get_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
+        let cose_sign1 = parse_cose_sign1(&cose_bytes, &claim_bytes, &mut validation_log).unwrap();
         let ocsp_stapled = get_ocsp_der(&cose_sign1).unwrap();
 
         assert_eq!(ocsp_rsp_data, ocsp_stapled.as_slice());
     }
+
+    // get OCSP der
+    fn get_ocsp_der(sign1: &coset::CoseSign1) -> Option<Vec<u8>> {
+        if let Some(der) = sign1
+            .unprotected
+            .rest
+            .iter()
+            .find_map(|x: &(Label, Value)| {
+                if x.0 == Label::Text("rVals".to_string()) {
+                    Some(x.1.clone())
+                } else {
+                    None
+                }
+            })
+        {
+            match der {
+                Value::Map(rvals_map) => {
+                    // find OCSP value if available
+                    rvals_map.iter().find_map(|x: &(Value, Value)| {
+                        if x.0 == Value::Text("ocspVals".to_string()) {
+                            x.1.as_array()
+                                .and_then(|ocsp_rsp_val| ocsp_rsp_val.first())
+                                .and_then(Value::as_bytes)
+                                .cloned()
+                        } else {
+                            None
+                        }
+                    })
+                }
+                _ => None,
+            }
+        } else {
+            None
+        }
+    }
 }
diff --git a/sdk/src/create_signer.rs b/sdk/src/create_signer.rs
index 176cfdf07..111a5333b 100644
--- a/sdk/src/create_signer.rs
+++ b/sdk/src/create_signer.rs
@@ -18,14 +18,9 @@
 #[cfg(feature = "file_io")]
 use std::path::Path;
 
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::{signer_from_cert_chain_and_private_key, SigningAlg};
 
-use crate::{
-    error::Result,
-    openssl::{EcSigner, EdSigner, RsaSigner},
-    signer::ConfigurableSigner,
-    Signer,
-};
+use crate::{error::Result, signer::RawSignerWrapper, Signer};
 
 /// Creates a [`Signer`] instance using signing certificate and private key
 /// as byte slices.
@@ -45,17 +40,9 @@ pub fn from_keys(
     alg: SigningAlg,
     tsa_url: Option<String>,
 ) -> Result<Box<dyn Signer>> {
-    Ok(match alg {
-        SigningAlg::Ps256 | SigningAlg::Ps384 | SigningAlg::Ps512 => Box::new(
-            RsaSigner::from_signcert_and_pkey(signcert, pkey, alg, tsa_url)?,
-        ),
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => Box::new(
-            EcSigner::from_signcert_and_pkey(signcert, pkey, alg, tsa_url)?,
-        ),
-        SigningAlg::Ed25519 => Box::new(EdSigner::from_signcert_and_pkey(
-            signcert, pkey, alg, tsa_url,
-        )?),
-    })
+    Ok(Box::new(RawSignerWrapper(
+        signer_from_cert_chain_and_private_key(signcert, pkey, alg, tsa_url)?,
+    )))
 }
 
 /// Creates a [`Signer`] instance using signing certificate and
@@ -74,18 +61,8 @@ pub fn from_files<P: AsRef<Path>>(
     alg: SigningAlg,
     tsa_url: Option<String>,
 ) -> Result<Box<dyn Signer>> {
-    Ok(match alg {
-        SigningAlg::Ps256 | SigningAlg::Ps384 | SigningAlg::Ps512 => Box::new(
-            RsaSigner::from_files(&signcert_path, &pkey_path, alg, tsa_url)?,
-        ),
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => Box::new(
-            EcSigner::from_files(&signcert_path, &pkey_path, alg, tsa_url)?,
-        ),
-        SigningAlg::Ed25519 => Box::new(EdSigner::from_files(
-            &signcert_path,
-            &pkey_path,
-            alg,
-            tsa_url,
-        )?),
-    })
+    let cert_chain = std::fs::read(signcert_path)?;
+    let private_key = std::fs::read(pkey_path)?;
+
+    from_keys(&cert_chain, &private_key, alg, tsa_url)
 }
diff --git a/sdk/src/error.rs b/sdk/src/error.rs
index 4142b8f19..cef643ccf 100644
--- a/sdk/src/error.rs
+++ b/sdk/src/error.rs
@@ -13,6 +13,7 @@
 
 // #![deny(missing_docs)] (we'll turn this on once fully documented)
 
+use c2pa_crypto::{cose::CoseError, raw_signature::RawSignerError, time_stamp::TimeStampError};
 use thiserror::Error;
 
 /// `Error` enumerates errors returned by most C2PA toolkit operations.
@@ -264,6 +265,9 @@ pub enum Error {
     #[error("unknown algorithm")]
     UnknownAlgorithm,
 
+    #[error("invalid signing key")]
+    InvalidSigningKey,
+
     // --- third-party errors ---
     #[error(transparent)]
     Utf8Error(#[from] std::str::Utf8Error),
@@ -288,10 +292,6 @@ pub enum Error {
     #[error("could not acquire OpenSSL FFI mutex")]
     OpenSslMutexError,
 
-    #[cfg(feature = "openssl")]
-    #[error(transparent)]
-    OpenSslError(#[from] openssl::error::ErrorStack),
-
     #[error(transparent)]
     OtherError(#[from] Box<dyn std::error::Error + Send + Sync + 'static>),
 
@@ -312,6 +312,23 @@ pub enum Error {
 
     #[error(transparent)]
     RawSignatureValidationError(#[from] c2pa_crypto::raw_signature::RawSignatureValidationError),
+
+    #[error(transparent)]
+    RawSignerError(#[from] c2pa_crypto::raw_signature::RawSignerError),
+
+    #[error(transparent)]
+    CertificateProfileError(#[from] c2pa_crypto::cose::CertificateProfileError),
+
+    #[error(transparent)]
+    CertificateTrustError(#[from] c2pa_crypto::cose::CertificateTrustError),
+
+    #[error(transparent)]
+    InvalidCertificateError(#[from] c2pa_crypto::cose::InvalidCertificateError),
+
+    /// An unexpected internal error occured while requesting the time stamp
+    /// response.
+    #[error("internal error ({0})")]
+    InternalError(String),
 }
 
 /// A specialized `Result` type for C2PA toolkit operations.
@@ -333,3 +350,58 @@ impl From<c2pa_crypto::webcrypto::WasmCryptoError> for Error {
         }
     }
 }
+
+impl From<CoseError> for Error {
+    fn from(err: CoseError) -> Self {
+        match err {
+            CoseError::MissingSigningCertificateChain => Self::CoseX5ChainMissing,
+            CoseError::MultipleSigningCertificateChains => Self::CoseVerifier,
+            CoseError::NoTimeStampToken => Self::NotFound,
+            CoseError::UnsupportedSigningAlgorithm => Self::CoseSignatureAlgorithmNotSupported,
+            CoseError::InvalidEcdsaSignature => Self::InvalidEcdsaSignature,
+            CoseError::CborParsingError(_) => Self::CoseTimeStampGeneration,
+            CoseError::CborGenerationError(_) => Self::CoseTimeStampGeneration,
+            CoseError::TimeStampError(e) => e.into(),
+            CoseError::CertificateProfileError(e) => e.into(),
+            CoseError::CertificateTrustError(e) => e.into(),
+            CoseError::BoxSizeTooSmall => Self::CoseSigboxTooSmall,
+            CoseError::RawSignerError(e) => e.into(),
+            CoseError::RawSignatureValidationError(e) => e.into(),
+            CoseError::InternalError(e) => Self::InternalError(e),
+        }
+    }
+}
+
+impl From<Error> for CoseError {
+    fn from(err: Error) -> Self {
+        match err {
+            Error::CoseX5ChainMissing => Self::MissingSigningCertificateChain,
+            Error::CoseVerifier => Self::MultipleSigningCertificateChains,
+            Error::NotFound => Self::NoTimeStampToken,
+            Error::CoseSignatureAlgorithmNotSupported => Self::UnsupportedSigningAlgorithm,
+            Error::InvalidEcdsaSignature => Self::InvalidEcdsaSignature,
+            Error::CoseTimeStampGeneration => Self::CborGenerationError(err.to_string()),
+            Error::TimeStampError(e) => Self::TimeStampError(e),
+            Error::CertificateProfileError(e) => Self::CertificateProfileError(e),
+            Error::CertificateTrustError(e) => Self::CertificateTrustError(e),
+            Error::CoseSigboxTooSmall => Self::BoxSizeTooSmall,
+            Error::RawSignerError(e) => Self::RawSignerError(e),
+            Error::RawSignatureValidationError(e) => Self::RawSignatureValidationError(e),
+            _ => Self::InternalError(err.to_string()),
+        }
+    }
+}
+
+impl From<Error> for RawSignerError {
+    fn from(err: Error) -> Self {
+        // See if better mappings exist, but I doubt it.
+        Self::InternalError(err.to_string())
+    }
+}
+
+impl From<Error> for TimeStampError {
+    fn from(err: Error) -> Self {
+        // See if better mappings exist, but I doubt it.
+        Self::InternalError(err.to_string())
+    }
+}
diff --git a/sdk/src/ingredient.rs b/sdk/src/ingredient.rs
index f9acf62b3..63e7fb8c7 100644
--- a/sdk/src/ingredient.rs
+++ b/sdk/src/ingredient.rs
@@ -1559,6 +1559,7 @@ mod tests {
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
     async fn test_stream_async_jpg() {
         let image_bytes = include_bytes!("../tests/fixtures/CA.jpg");
         let title = "Test Image";
@@ -1572,18 +1573,18 @@ mod tests {
         assert_eq!(ingredient.title(), Some(title));
         assert_eq!(ingredient.format(), Some(format));
         assert!(ingredient.manifest_data().is_some());
-        assert!(ingredient.metadata().is_none());
+        assert_eq!(ingredient.metadata(), None);
         #[cfg(target_arch = "wasm32")]
         web_sys::console::debug_2(
             &"ingredient_from_memory_async:".into(),
             &ingredient.to_string().into(),
         );
-        assert!(ingredient.validation_status().is_none());
+        assert_eq!(ingredient.validation_status(), None);
     }
 
-    #[cfg_attr(not(target_arch = "wasm32"), test)]
+    #[test]
+    #[cfg_attr(any(target_arch = "wasm32", not(feature = "openssl")), ignore)]
     // Note this does not work from wasm32, due to validation issues
-    #[cfg(not(target_arch = "wasm32"))]
     fn test_stream_jpg() {
         let image_bytes = include_bytes!("../tests/fixtures/CA.jpg");
         let title = "Test Image";
@@ -1595,12 +1596,13 @@ mod tests {
         assert_eq!(ingredient.title(), Some(title));
         assert_eq!(ingredient.format(), Some(format));
         assert!(ingredient.manifest_data().is_some());
-        assert!(ingredient.metadata().is_none());
-        assert!(ingredient.validation_status().is_none());
+        assert_eq!(ingredient.metadata(), None);
+        assert_eq!(ingredient.validation_status(), None);
     }
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
     async fn test_stream_ogp() {
         let image_bytes = include_bytes!("../tests/fixtures/XCA.jpg");
         let title = "XCA.jpg";
@@ -1616,7 +1618,7 @@ mod tests {
         #[cfg(feature = "add_thumbnails")]
         assert!(ingredient.thumbnail().is_some());
         assert!(ingredient.manifest_data().is_some());
-        assert!(ingredient.metadata().is_none());
+        assert_eq!(ingredient.metadata(), None);
         assert!(ingredient.validation_status().is_some());
         assert_eq!(
             ingredient.validation_status().unwrap()[0].code(),
@@ -1625,8 +1627,11 @@ mod tests {
     }
 
     #[allow(dead_code)]
-    #[cfg_attr(not(any(target_arch = "wasm32", feature = "file_io")), actix::test)]
-    #[cfg(not(target_arch = "wasm32"))]
+    #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
+    #[cfg_attr(
+        not(all(feature = "openssl", feature = "fetch_remote_manifests")),
+        ignore
+    )]
     async fn test_jpg_cloud_from_memory() {
         let image_bytes = include_bytes!("../tests/fixtures/cloud.jpg");
         let format = "image/jpeg";
@@ -1639,7 +1644,7 @@ mod tests {
         assert!(ingredient.provenance().is_some());
         assert!(ingredient.provenance().unwrap().starts_with("https:"));
         assert!(ingredient.manifest_data().is_some());
-        assert!(ingredient.validation_status().is_none());
+        assert_eq!(ingredient.validation_status(), None);
     }
 
     #[allow(dead_code)]
@@ -1661,11 +1666,12 @@ mod tests {
             .url()
             .unwrap()
             .starts_with("http"));
-        assert!(ingredient.manifest_data().is_none());
+        assert_eq!(ingredient.manifest_data(), None);
     }
 
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
     async fn test_jpg_cloud_from_memory_and_manifest() {
         let asset_bytes = include_bytes!("../tests/fixtures/cloud.jpg");
         let manifest_bytes = include_bytes!("../tests/fixtures/cloud_manifest.c2pa");
@@ -1682,7 +1688,7 @@ mod tests {
             &"ingredient_from_memory_async:".into(),
             &ingredient.to_string().into(),
         );
-        assert!(ingredient.validation_status().is_none());
+        assert_eq!(ingredient.validation_status(), None);
         assert!(ingredient.manifest_data().is_some());
         assert!(ingredient.provenance().is_some());
     }
@@ -1730,7 +1736,7 @@ mod tests_file_io {
             assert!(ingredient.thumbnail().is_some());
             assert_eq!(ingredient.thumbnail().unwrap().0, format);
         } else {
-            assert!(ingredient.thumbnail().is_none());
+            assert_eq!(ingredient.thumbnail(), None);
         }
     }
 
@@ -1767,7 +1773,7 @@ mod tests_file_io {
             .identifier
             .starts_with("self#jumbf="));
         assert!(ingredient.manifest_data().is_some());
-        assert!(ingredient.metadata().is_none());
+        assert_eq!(ingredient.metadata(), None);
     }
 
     #[test]
@@ -1781,9 +1787,9 @@ mod tests_file_io {
         assert_eq!(ingredient.title(), Some(NO_MANIFEST_JPEG));
         assert_eq!(ingredient.format(), Some("image/jpeg"));
         test_thumbnail(&ingredient, "image/jpeg");
-        assert!(ingredient.provenance().is_none());
-        assert!(ingredient.manifest_data().is_none());
-        assert!(ingredient.metadata().is_none());
+        assert_eq!(ingredient.provenance(), None);
+        assert_eq!(ingredient.manifest_data(), None);
+        assert_eq!(ingredient.metadata(), None);
         assert!(ingredient.instance_id().starts_with("xmp.iid:"));
         #[cfg(feature = "add_thumbnails")]
         assert!(ingredient
@@ -1819,8 +1825,8 @@ mod tests_file_io {
         assert_eq!(ingredient.format(), Some("image/jpeg"));
         assert_eq!(ingredient.hash(), Some("1234568abcdef"));
         assert_eq!(ingredient.thumbnail_ref().unwrap().format, "image/foo"); // always generated
-        assert!(ingredient.manifest_data().is_none());
-        assert!(ingredient.metadata().is_none());
+        assert_eq!(ingredient.manifest_data(), None);
+        assert_eq!(ingredient.metadata(), None);
     }
 
     #[test]
@@ -1833,8 +1839,8 @@ mod tests_file_io {
         println!("ingredient = {ingredient}");
         assert_eq!(ingredient.title(), Some("libpng-test.png"));
         test_thumbnail(&ingredient, "image/png");
-        assert!(ingredient.provenance().is_none());
-        assert!(ingredient.manifest_data.is_none());
+        assert_eq!(ingredient.provenance(), None);
+        assert_eq!(ingredient.manifest_data, None);
     }
 
     #[test]
@@ -1869,7 +1875,7 @@ mod tests_file_io {
         assert_eq!(ingredient.format(), Some("image/jpeg"));
         test_thumbnail(&ingredient, "image/jpeg");
         assert!(ingredient.provenance().is_some());
-        assert!(ingredient.manifest_data().is_none());
+        assert_eq!(ingredient.manifest_data(), None);
         assert!(ingredient.validation_status().is_some());
         assert_eq!(
             ingredient.validation_status().unwrap()[0].code(),
@@ -1883,7 +1889,7 @@ mod tests_file_io {
         let ap = fixture_path("CIE-sig-CA.jpg");
         let ingredient = Ingredient::from_file(ap).expect("from_file");
         // println!("ingredient = {ingredient}");
-        assert!(ingredient.validation_status().is_none());
+        assert_eq!(ingredient.validation_status(), None);
         assert!(ingredient.manifest_data().is_some());
     }
 
@@ -1935,11 +1941,11 @@ mod tests_file_io {
         let mut ingredient = Ingredient::new("title", "format", "instance_id");
         ingredient.resources.set_base_path(folder);
 
-        assert!(ingredient.thumbnail_ref().is_none());
+        assert_eq!(ingredient.thumbnail_ref(), None);
         // assert!(ingredient
         //     .set_manifest_data_ref(ResourceRef::new("image/jpg", "foo"))
         //     .is_err());
-        assert!(ingredient.manifest_data_ref().is_none());
+        assert_eq!(ingredient.manifest_data_ref(), None);
         // verify we can set a reference
         assert!(ingredient
             .set_thumbnail_ref(ResourceRef::new("image/jpg", "C.jpg"))
diff --git a/sdk/src/jumbf/boxes.rs b/sdk/src/jumbf/boxes.rs
index 35f979840..46ba6b295 100644
--- a/sdk/src/jumbf/boxes.rs
+++ b/sdk/src/jumbf/boxes.rs
@@ -282,67 +282,74 @@ impl JUMBFSuperBox {
         self.data_boxes.len()
     }
 
-    pub fn data_box(&self, index: usize) -> &dyn BMFFBox {
-        self.data_boxes[index].as_ref()
+    pub fn data_box(&self, index: usize) -> Option<&dyn BMFFBox> {
+        self.data_boxes.get(index).map(|b| b.as_ref())
     }
 
     pub fn data_box_as_superbox(&self, index: usize) -> Option<&JUMBFSuperBox> {
-        let da_box = &self.data_boxes[index];
-        da_box.as_ref().as_any().downcast_ref::<JUMBFSuperBox>()
+        self.data_boxes
+            .get(index)
+            .and_then(|da_box| da_box.as_ref().as_any().downcast_ref::<JUMBFSuperBox>())
     }
 
     pub fn data_box_as_json_box(&self, index: usize) -> Option<&JUMBFJSONContentBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFJSONContentBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFJSONContentBox>()
+        })
     }
 
     pub fn data_box_as_cbor_box(&self, index: usize) -> Option<&JUMBFCBORContentBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFCBORContentBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFCBORContentBox>()
+        })
     }
 
     pub fn data_box_as_jp2c_box(&self, index: usize) -> Option<&JUMBFCodestreamContentBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFCodestreamContentBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFCodestreamContentBox>()
+        })
     }
 
     pub fn data_box_as_uuid_box(&self, index: usize) -> Option<&JUMBFUUIDContentBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFUUIDContentBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFUUIDContentBox>()
+        })
     }
 
     pub fn data_box_as_embedded_file_content_box(
         &self,
         index: usize,
     ) -> Option<&JUMBFEmbeddedFileContentBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFEmbeddedFileContentBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFEmbeddedFileContentBox>()
+        })
     }
 
     pub fn data_box_as_embedded_media_type_box(
         &self,
         index: usize,
     ) -> Option<&JUMBFEmbeddedFileDescriptionBox> {
-        let da_box = &self.data_boxes[index];
-        da_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFEmbeddedFileDescriptionBox>()
+        self.data_boxes.get(index).and_then(|da_box| {
+            da_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFEmbeddedFileDescriptionBox>()
+        })
     }
 }
 
@@ -1438,8 +1445,11 @@ impl CAIStore {
         self.store.data_boxes.len()
     }
 
-    pub fn data_box(&self, index: usize) -> &dyn BMFFBox {
-        self.store.data_boxes[index].as_ref()
+    pub fn data_box(&self, index: usize) -> Option<&dyn BMFFBox> {
+        self.store
+            .data_boxes
+            .get(index)
+            .map(|da_box| da_box.as_ref())
     }
 
     pub fn assertion_store(&self) -> Option<&JUMBFSuperBox> {
@@ -1512,13 +1522,18 @@ impl Cai {
         self.sbox.data_boxes.len()
     }
 
-    pub fn data_box(&self, index: usize) -> &dyn BMFFBox {
-        self.sbox.data_boxes[index].as_ref()
+    pub fn data_box(&self, index: usize) -> Option<&dyn BMFFBox> {
+        self.sbox
+            .data_boxes
+            .get(index)
+            .map(|da_box| da_box.as_ref())
     }
 
     pub fn data_box_as_superbox(&self, index: usize) -> Option<&JUMBFSuperBox> {
-        let da_box = &self.sbox.data_boxes[index];
-        da_box.as_ref().as_any().downcast_ref::<JUMBFSuperBox>()
+        self.sbox
+            .data_boxes
+            .get(index)
+            .and_then(|da_box| da_box.as_ref().as_any().downcast_ref::<JUMBFSuperBox>())
     }
 
     pub fn store(&self) -> Option<&JUMBFSuperBox> {
@@ -1581,19 +1596,21 @@ impl JumbfEmbeddedFileBox {
     }
 
     pub fn media_type_box(&self) -> Option<&JUMBFEmbeddedFileDescriptionBox> {
-        let efd_box = &self.embedding_box.data_boxes[0];
-        efd_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFEmbeddedFileDescriptionBox>()
+        self.embedding_box.data_boxes.first().and_then(|efd_box| {
+            efd_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFEmbeddedFileDescriptionBox>()
+        })
     }
 
     pub fn data_box(&self) -> Option<&JUMBFEmbeddedFileContentBox> {
-        let efc_box = &self.embedding_box.data_boxes[1];
-        efc_box
-            .as_ref()
-            .as_any()
-            .downcast_ref::<JUMBFEmbeddedFileContentBox>()
+        self.embedding_box.data_boxes.get(1).and_then(|efc_box| {
+            efc_box
+                .as_ref()
+                .as_any()
+                .downcast_ref::<JUMBFEmbeddedFileContentBox>()
+        })
     }
 
     pub fn set_salt(&mut self, salt: Vec<u8>) -> JumbfParseResult<()> {
diff --git a/sdk/src/jumbf/labels.rs b/sdk/src/jumbf/labels.rs
index c02cfc4cc..6bc17d697 100644
--- a/sdk/src/jumbf/labels.rs
+++ b/sdk/src/jumbf/labels.rs
@@ -327,7 +327,7 @@ pub mod tests {
             Some(assertion.to_string()),
             assertion_label_from_uri(&assertion_uri)
         );
-        assert_eq!(None, assertion_label_from_uri(&absolute_uri));
+        assert_eq!(assertion_label_from_uri(&absolute_uri), None);
 
         let assertion_relative = to_relative_uri(&assertion_uri);
 
diff --git a/sdk/src/jumbf_io.rs b/sdk/src/jumbf_io.rs
index 677ec9be7..baaf7f12f 100644
--- a/sdk/src/jumbf_io.rs
+++ b/sdk/src/jumbf_io.rs
@@ -349,10 +349,12 @@ pub mod tests {
 
     use std::io::Seek;
 
+    use c2pa_crypto::raw_signature::SigningAlg;
+
     use super::*;
     use crate::{
         asset_io::RemoteRefEmbedType,
-        utils::test::{create_test_store, temp_signer},
+        utils::{test::create_test_store, test_signer::test_signer},
     };
 
     #[test]
@@ -447,7 +449,7 @@ pub mod tests {
     fn test_jumbf(asset_type: &str, reader: &mut dyn CAIRead) {
         let mut writer = Cursor::new(Vec::new());
         let store = create_test_store().unwrap();
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         let jumbf = store.to_jumbf(&*signer).unwrap();
         save_jumbf_to_stream(asset_type, reader, &mut writer, &jumbf).unwrap();
         writer.set_position(0);
diff --git a/sdk/src/lib.rs b/sdk/src/lib.rs
index 2bb42c038..ce72065be 100644
--- a/sdk/src/lib.rs
+++ b/sdk/src/lib.rs
@@ -119,7 +119,7 @@ pub use assertions::Relationship;
 pub use asset_io::{CAIRead, CAIReadWrite};
 #[cfg(feature = "unstable_api")]
 pub use builder::{Builder, ManifestDefinition};
-pub use c2pa_crypto::SigningAlg;
+pub use c2pa_crypto::raw_signature::SigningAlg;
 pub use callback_signer::{CallbackFunc, CallbackSigner};
 pub use claim_generator_info::ClaimGeneratorInfo;
 pub use dynamic_assertion::DynamicAssertion;
@@ -136,10 +136,11 @@ pub use manifest_store::ManifestStore;
 #[cfg(feature = "v1_api")]
 pub use manifest_store_report::ManifestStoreReport;
 #[cfg(feature = "unstable_api")]
-pub use reader::{Reader, ValidationState};
+pub use reader::Reader;
 pub use resource_store::{ResourceRef, ResourceStore};
 pub use signer::{AsyncSigner, RemoteSigner, Signer};
 pub use utils::mime::format_from_path;
+pub use validation_results::{ValidationResultsMap, ValidationState};
 
 // Internal modules
 pub(crate) mod assertion;
@@ -164,8 +165,6 @@ pub(crate) mod manifest;
 pub(crate) mod manifest_assertion;
 pub(crate) mod manifest_store;
 pub(crate) mod manifest_store_report;
-#[cfg(feature = "openssl")]
-pub(crate) mod openssl;
 #[allow(dead_code)]
 // TODO: Remove this when the feature is released (used in tests only for some builds now)
 pub(crate) mod reader;
@@ -173,10 +172,6 @@ pub(crate) mod resource_store;
 pub(crate) mod salt;
 pub(crate) mod signer;
 pub(crate) mod store;
-pub(crate) mod time_stamp;
-pub(crate) mod trust_handler;
 
 pub(crate) mod utils;
 pub(crate) use utils::{cbor_types, hash_utils};
-
-pub(crate) mod validator;
diff --git a/sdk/src/manifest.rs b/sdk/src/manifest.rs
index a1f4122b5..d78c4562f 100644
--- a/sdk/src/manifest.rs
+++ b/sdk/src/manifest.rs
@@ -16,7 +16,7 @@ use std::{borrow::Cow, collections::HashMap, io::Cursor, slice::Iter};
 use std::{fs::create_dir_all, path::Path};
 
 use async_generic::async_generic;
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::SigningAlg;
 use log::{debug, error};
 #[cfg(feature = "json_schema")]
 use schemars::JsonSchema;
@@ -1516,6 +1516,8 @@ pub(crate) mod tests {
 
     use std::io::Cursor;
 
+    #[cfg(any(feature = "file_io", target_arch = "wasm32"))]
+    use c2pa_crypto::raw_signature::SigningAlg;
     #[cfg(feature = "file_io")]
     use c2pa_status_tracker::{DetailedStatusTracker, StatusTracker};
     #[cfg(feature = "file_io")]
@@ -1532,7 +1534,8 @@ pub(crate) mod tests {
         ingredient::Ingredient,
         reader::Reader,
         store::Store,
-        utils::test::{static_test_uuid, temp_remote_signer, temp_signer, TEST_VC},
+        utils::test::{static_test_uuid, temp_remote_signer, TEST_VC},
+        utils::test_signer::{async_test_signer, test_signer},
         Manifest, Result,
     };
     #[cfg(feature = "file_io")]
@@ -1613,7 +1616,7 @@ pub(crate) mod tests {
         let test_output = dir.path().join("wc_embed_test.jpg");
 
         //embed a claim generated from this manifest
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let _store = manifest
             .embed(&source_path, &test_output, signer.as_ref())
@@ -1624,7 +1627,7 @@ pub(crate) mod tests {
         if cfg!(feature = "add_thumbnails") {
             assert!(manifest.thumbnail().is_some());
         } else {
-            assert!(manifest.thumbnail().is_none());
+            assert_eq!(manifest.thumbnail(), None);
         }
         let ingredient = Ingredient::from_file(&test_output).expect("load_from_asset");
         assert!(ingredient.active_manifest().is_some());
@@ -1784,7 +1787,7 @@ pub(crate) mod tests {
             )
             .expect("add_assertion");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let c2pa_data = manifest
             .embed(&output, &output, signer.as_ref())
@@ -1809,7 +1812,7 @@ pub(crate) mod tests {
             .expect("add_redaction");
 
         //embed a claim in output2
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         let _store2 = manifest2
             .embed(&output2, &output2, signer.as_ref())
             .expect("embed");
@@ -1828,7 +1831,7 @@ pub(crate) mod tests {
         let redacted_uri = &claim2.redactions().unwrap()[0];
 
         let claim1 = store3.get_claim(&claim1_label).unwrap();
-        assert!(claim1.get_claim_assertion(redacted_uri, 0).is_none());
+        assert_eq!(claim1.get_claim_assertion(redacted_uri, 0), None);
     }
 
     #[test]
@@ -1850,7 +1853,7 @@ pub(crate) mod tests {
             .add_assertion(&actions)
             .expect("add_assertion");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         parent_manifest
             .embed(&parent_output, &parent_output, signer.as_ref())
             .expect("embed");
@@ -1907,8 +1910,7 @@ pub(crate) mod tests {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_SMALL_JPEG);
 
-        let async_signer =
-            crate::openssl::temp_signer_async::AsyncSignerAdapter::new(crate::SigningAlg::Ps256);
+        let async_signer = async_test_signer(SigningAlg::Ps256);
 
         let mut manifest = test_manifest();
         manifest
@@ -1949,10 +1951,8 @@ pub(crate) mod tests {
     fn test_embed_user_label() {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_SMALL_JPEG);
-
         let my_guid = static_test_uuid();
-
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = test_manifest();
         manifest.set_label(my_guid);
@@ -1977,7 +1977,7 @@ pub(crate) mod tests {
         let fp = format!("file:/{}", sidecar.to_str().unwrap());
         let url = url::Url::parse(&fp).unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = test_manifest();
         manifest.set_label(static_test_uuid());
@@ -1997,6 +1997,7 @@ pub(crate) mod tests {
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
     #[allow(deprecated)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     async fn test_embed_jpeg_stream_wasm() {
         use crate::assertions::User;
         let image = include_bytes!("../tests/fixtures/earth_apollo17.jpg");
@@ -2037,6 +2038,7 @@ pub(crate) mod tests {
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
     #[allow(deprecated)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     async fn test_embed_png_stream_wasm() {
         use crate::assertions::User;
         let image = include_bytes!("../tests/fixtures/libpng-test.png");
@@ -2070,6 +2072,7 @@ pub(crate) mod tests {
     #[cfg_attr(not(target_arch = "wasm32"), actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
     #[allow(deprecated)]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     async fn test_embed_webp_stream_wasm() {
         use crate::assertions::User;
         let image = include_bytes!("../tests/fixtures/mars.webp");
@@ -2101,6 +2104,7 @@ pub(crate) mod tests {
     }
 
     #[test]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl_sign")), ignore)]
     fn test_embed_stream() {
         use crate::assertions::User;
         let image = include_bytes!("../tests/fixtures/earth_apollo17.jpg");
@@ -2118,7 +2122,8 @@ pub(crate) mod tests {
             ))
             .unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
+
         let mut output = Cursor::new(Vec::new());
         // Embed a manifest using the signer.
         manifest
@@ -2136,11 +2141,14 @@ pub(crate) mod tests {
         //println!("{manifest_store}");main
     }
 
-    #[cfg(any(target_arch = "wasm32", feature = "openssl_sign"))]
     #[cfg_attr(feature = "openssl_sign", actix::test)]
     #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
+    #[cfg(any(
+        target_arch = "wasm32",
+        all(feature = "openssl_sign", feature = "file_io")
+    ))]
     async fn test_embed_from_memory_async() {
-        use crate::{assertions::User, utils::test::temp_async_signer};
+        use crate::assertions::User;
         let image = include_bytes!("../tests/fixtures/earth_apollo17.jpg");
         // convert buffer to cursor with Read/Write/Seek capability
         let mut stream = std::io::Cursor::new(image.to_vec());
@@ -2156,8 +2164,9 @@ pub(crate) mod tests {
             ))
             .unwrap();
 
-        let signer = temp_async_signer();
+        let signer = async_test_signer(SigningAlg::Ed25519);
         let mut output = Cursor::new(Vec::new());
+
         // Embed a manifest using the signer.
         manifest
             .embed_to_stream_async("jpeg", &mut stream, &mut output, signer.as_ref())
@@ -2185,7 +2194,7 @@ pub(crate) mod tests {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_SMALL_JPEG);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = test_manifest();
         let ingredient =
@@ -2222,7 +2231,7 @@ pub(crate) mod tests {
         let fp = format!("file:/{}", sidecar.to_str().unwrap());
         let url = url::Url::parse(&fp).unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let parent = Ingredient::from_file(fixture_path("XCA.jpg")).expect("getting parent");
         let mut manifest = test_manifest();
@@ -2249,7 +2258,7 @@ pub(crate) mod tests {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_SMALL_JPEG);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = test_manifest();
         let thumb_data = vec![1, 2, 3];
@@ -2266,7 +2275,7 @@ pub(crate) mod tests {
         assert_eq!(image.into_owned(), thumb_data);
     }
 
-    #[cfg(feature = "file_io")]
+    #[cfg(feature = "openssl_sign")]
     const MANIFEST_JSON: &str = r#"{
         "claim_generator": "test",
         "claim_generator_info": [
@@ -2411,7 +2420,8 @@ pub(crate) mod tests {
         // convert buffer to cursor with Read/Write/Seek capability
         let mut input = std::io::Cursor::new(image.to_vec());
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
+
         // Embed a manifest using the signer.
         let mut output = Cursor::new(Vec::new());
         manifest
@@ -2478,7 +2488,8 @@ pub(crate) mod tests {
 
         let image = include_bytes!("../tests/fixtures/earth_apollo17.jpg");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
+
         // Embed a manifest using the signer.
         let output_image = manifest
             .embed_from_memory("jpeg", image, signer.as_ref())
@@ -2543,7 +2554,7 @@ pub(crate) mod tests {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_SMALL_JPEG);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = Manifest::from_json(MANIFEST_JSON).expect("from_json");
         manifest.with_base_path(fixtures).expect("with_base");
@@ -2570,7 +2581,7 @@ pub(crate) mod tests {
         let temp_dir = tempdir().expect("temp dir");
         let output = temp_fixture_path(&temp_dir, TEST_WEBP);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = Manifest::from_json(MANIFEST_JSON).expect("from_json");
         manifest.with_base_path(fixtures).expect("with_base");
@@ -2601,14 +2612,14 @@ pub(crate) mod tests {
         assert!(manifest
             .set_thumbnail_ref(ResourceRef::new("image/jpg", "foo"))
             .is_err());
-        assert!(manifest.thumbnail_ref().is_none());
+        assert_eq!(manifest.thumbnail_ref(), None);
         // verify we can set a references that do exist
         assert!(manifest
             .set_thumbnail_ref(ResourceRef::new("image/jpeg", "C.jpg"))
             .is_ok());
         assert!(manifest.thumbnail_ref().is_some());
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         manifest
             .embed(&output, &output, signer.as_ref())
             .expect("embed");
@@ -2633,9 +2644,9 @@ pub(crate) mod tests {
         // verify there is a thumbnail ref
         assert!(manifest.thumbnail_ref().is_some());
         // verify there is no thumbnail
-        assert!(manifest.thumbnail().is_none());
+        assert_eq!(manifest.thumbnail(), None);
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
         manifest
             .embed(&output, &output, signer.as_ref())
             .expect("embed");
@@ -2643,8 +2654,8 @@ pub(crate) mod tests {
         let manifest_store = Reader::from_file(&output).expect("from_file");
         println!("{manifest_store}");
         let active_manifest = manifest_store.active_manifest().unwrap();
-        assert!(active_manifest.thumbnail_ref().is_none());
-        assert!(active_manifest.thumbnail().is_none());
+        assert_eq!(active_manifest.thumbnail_ref(), None);
+        assert_eq!(active_manifest.thumbnail(), None);
     }
 
     #[test]
@@ -2664,9 +2675,11 @@ pub(crate) mod tests {
 
         let mut source = std::io::Cursor::new(vec![1, 2, 3]);
         let mut dest = std::io::Cursor::new(Vec::new());
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
+
         let result =
             manifest.embed_to_stream("image/jpeg", &mut source, &mut dest, signer.as_ref());
+
         assert!(result.is_err());
         assert!(result
             .unwrap_err()
@@ -2680,7 +2693,7 @@ pub(crate) mod tests {
     fn test_data_hash_embeddable_manifest() {
         let ap = fixture_path("cloud.jpg");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let mut manifest = Manifest::new("claim_generator");
 
@@ -2729,7 +2742,7 @@ pub(crate) mod tests {
 
         let manifest_store = Reader::from_file(&output).expect("from_file");
         println!("{manifest_store}");
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
     }
 
     #[cfg(all(feature = "file_io", feature = "openssl_sign"))]
@@ -2788,7 +2801,7 @@ pub(crate) mod tests {
 
         let manifest_store = Reader::from_file(&output).expect("from_file");
         println!("{manifest_store}");
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
     }
 
     #[test]
@@ -2806,7 +2819,7 @@ pub(crate) mod tests {
             .add_labeled_assertion(crate::assertions::labels::BOX_HASH, &box_hash)
             .unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let embeddable = manifest
             .box_hash_embeddable_manifest(signer.as_ref(), None)
@@ -2821,6 +2834,6 @@ pub(crate) mod tests {
         .unwrap();
         println!("{reader}");
         assert!(reader.active_manifest().is_some());
-        assert!(reader.validation_status().is_none());
+        assert_eq!(reader.validation_status(), None);
     }
 }
diff --git a/sdk/src/manifest_store.rs b/sdk/src/manifest_store.rs
index 75d8bf664..4afc5fc7b 100644
--- a/sdk/src/manifest_store.rs
+++ b/sdk/src/manifest_store.rs
@@ -140,6 +140,10 @@ impl ManifestStore {
         self.validation_status.as_deref()
     }
 
+    pub fn validation_results(&self) -> Option<&ValidationResultsMap> {
+        self.validation_results.as_ref()
+    }
+
     /// creates a ManifestStore from a Store with validation
     #[async_generic]
     pub(crate) fn from_store(store: Store, validation_log: &impl StatusTracker) -> ManifestStore {
@@ -584,7 +588,7 @@ impl std::fmt::Display for ManifestStore {
     }
 }
 
-#[cfg(test)]
+#[cfg(all(test, any(target_arch = "wasm32", feature = "openssl")))]
 mod tests {
     #![allow(clippy::expect_used)]
     #![allow(clippy::unwrap_used)]
@@ -632,7 +636,7 @@ mod tests {
         assert!(manifest_store.active_label().is_some());
         assert!(manifest_store.get_active().is_some());
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         let manifest = manifest_store.get_active().unwrap();
         assert!(!manifest.ingredients().is_empty());
         assert_eq!(manifest.issuer().unwrap(), "C2PA Test Signing Cert");
@@ -654,7 +658,7 @@ mod tests {
         assert!(manifest_store.active_label().is_some());
         assert!(manifest_store.get_active().is_some());
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         let manifest = manifest_store.get_active().unwrap();
         assert!(!manifest.ingredients().is_empty());
         assert_eq!(manifest.issuer().unwrap(), "C2PA Test Signing Cert");
@@ -672,7 +676,7 @@ mod tests {
         assert!(manifest_store.active_label().is_some());
         assert!(manifest_store.get_active().is_some());
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         let manifest = manifest_store.get_active().unwrap();
         assert!(!manifest.ingredients().is_empty());
         assert_eq!(manifest.issuer().unwrap(), "C2PA Test Signing Cert");
@@ -695,7 +699,7 @@ mod tests {
         .await
         .unwrap();
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         println!("{manifest_store}");
     }
 
@@ -714,7 +718,7 @@ mod tests {
         assert!(manifest_store.active_label().is_some());
         assert!(manifest_store.get_active().is_some());
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         let manifest = manifest_store.get_active().unwrap();
         assert!(!manifest.ingredients().is_empty());
         assert_eq!(manifest.issuer().unwrap(), "C2PA Test Signing Cert");
@@ -733,7 +737,7 @@ mod tests {
         assert!(manifest_store.active_label().is_some());
         assert!(manifest_store.get_active().is_some());
         assert!(!manifest_store.manifests().is_empty());
-        assert!(manifest_store.validation_status().is_none());
+        assert_eq!(manifest_store.validation_status(), None);
         let manifest = manifest_store.get_active().unwrap();
         assert!(!manifest.ingredients().is_empty());
         assert_eq!(manifest.issuer().unwrap(), "C2PA Test Signing Cert");
diff --git a/sdk/src/manifest_store_report.rs b/sdk/src/manifest_store_report.rs
index 14bfc27b9..bec435f9a 100644
--- a/sdk/src/manifest_store_report.rs
+++ b/sdk/src/manifest_store_report.rs
@@ -229,30 +229,36 @@ impl ManifestStoreReport {
             // is this an ingredient
             if let Some(ref c2pa_manifest) = &ingredient_assertion.c2pa_manifest {
                 let label = Store::manifest_label_from_path(&c2pa_manifest.url());
-                let hash = &c2pa_manifest.hash()[..5];
 
-                if let Some(ingredient_claim) = store.get_claim(&label) {
-                    // create new node
-                    let title = if let Some(title) = &ingredient_assertion.title {
-                        title.to_owned()
-                    } else {
-                        "No title".into()
-                    };
-                    let data = if name_only {
-                        format!("{}_{}", title, Hexlify(hash))
-                    } else {
-                        format!("Asset:{}, Manifest:{}", title, label)
-                    };
-
-                    let new_token = current_token.append(tree, data);
-
-                    ManifestStoreReport::populate_node(
-                        tree,
-                        store,
-                        ingredient_claim,
-                        &new_token,
-                        name_only,
-                    )?;
+                if let Some(hash) = c2pa_manifest.hash().get(0..5) {
+                    if let Some(ingredient_claim) = store.get_claim(&label) {
+                        // create new node
+                        let title = if let Some(title) = &ingredient_assertion.title {
+                            title.to_owned()
+                        } else {
+                            "No title".into()
+                        };
+
+                        let data = if name_only {
+                            format!("{}_{}", title, Hexlify(hash))
+                        } else {
+                            format!("Asset:{}, Manifest:{}", title, label)
+                        };
+
+                        let new_token = current_token.append(tree, data);
+
+                        ManifestStoreReport::populate_node(
+                            tree,
+                            store,
+                            ingredient_claim,
+                            &new_token,
+                            name_only,
+                        )?;
+                    }
+                } else {
+                    return Err(crate::Error::InvalidAsset(
+                        "Manifest hash too short".to_string(),
+                    ));
                 }
             } else {
                 let asset_name = if let Some(title) = &ingredient_assertion.title {
diff --git a/sdk/src/openssl/ec_signer.rs b/sdk/src/openssl/ec_signer.rs
deleted file mode 100644
index 99908c520..000000000
--- a/sdk/src/openssl/ec_signer.rs
+++ /dev/null
@@ -1,173 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use c2pa_crypto::{openssl::OpenSslMutex, time_stamp::TimeStampProvider, SigningAlg};
-use openssl::{
-    ec::EcKey,
-    hash::MessageDigest,
-    pkey::{PKey, Private},
-    x509::X509,
-};
-
-use super::check_chain_order;
-use crate::{
-    error::{Error, Result},
-    signer::ConfigurableSigner,
-    utils::sig_utils::der_to_p1363,
-    Signer,
-};
-
-/// Implements `Signer` trait using OpenSSL's implementation of
-/// ECDSA encryption.
-pub struct EcSigner {
-    signcerts: Vec<X509>,
-    pkey: EcKey<Private>,
-
-    certs_size: usize,
-    timestamp_size: usize,
-
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-}
-
-impl ConfigurableSigner for EcSigner {
-    fn from_signcert_and_pkey(
-        signcert: &[u8],
-        pkey: &[u8],
-        alg: SigningAlg,
-        tsa_url: Option<String>,
-    ) -> Result<Self> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let certs_size = signcert.len();
-        let pkey = EcKey::private_key_from_pem(pkey).map_err(Error::OpenSslError)?;
-        let signcerts = X509::stack_from_pem(signcert).map_err(Error::OpenSslError)?;
-
-        // make sure cert chains are in order
-        if !check_chain_order(&signcerts) {
-            return Err(Error::BadParam(
-                "certificate chain is not in correct order".to_string(),
-            ));
-        }
-
-        Ok(EcSigner {
-            signcerts,
-            pkey,
-            certs_size,
-            timestamp_size: 10000, /* todo: call out to TSA to get actual timestamp and use that size */
-            alg,
-            tsa_url,
-        })
-    }
-}
-
-impl Signer for EcSigner {
-    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let key = PKey::from_ec_key(self.pkey.clone()).map_err(Error::OpenSslError)?;
-
-        let mut signer = match self.alg {
-            SigningAlg::Es256 => openssl::sign::Signer::new(MessageDigest::sha256(), &key)?,
-            SigningAlg::Es384 => openssl::sign::Signer::new(MessageDigest::sha384(), &key)?,
-            SigningAlg::Es512 => openssl::sign::Signer::new(MessageDigest::sha512(), &key)?,
-            _ => return Err(Error::UnsupportedType),
-        };
-
-        signer.update(data).map_err(Error::OpenSslError)?;
-        let der_sig = signer.sign_to_vec().map_err(Error::OpenSslError)?;
-
-        der_to_p1363(&der_sig, self.alg)
-    }
-
-    fn alg(&self) -> SigningAlg {
-        self.alg
-    }
-
-    fn certs(&self) -> Result<Vec<Vec<u8>>> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        for c in &self.signcerts {
-            let cert = c.to_der().map_err(Error::OpenSslError)?;
-            certs.push(cert);
-        }
-
-        Ok(certs)
-    }
-
-    fn reserve_size(&self) -> usize {
-        1024 + self.certs_size + self.timestamp_size // the Cose_Sign1 contains complete certs and timestamps so account for size
-    }
-}
-
-impl TimeStampProvider for EcSigner {
-    fn time_stamp_service_url(&self) -> Option<String> {
-        self.tsa_url.clone()
-    }
-}
-
-#[cfg(test)]
-#[cfg(feature = "file_io")]
-mod tests {
-    #![allow(clippy::unwrap_used)]
-
-    use super::*;
-    use crate::{openssl::temp_signer, utils::test::fixture_path};
-
-    #[test]
-    fn es256_signer() {
-        let cert_dir = fixture_path("certs");
-
-        let (signer, _) = temp_signer::get_ec_signer(cert_dir, SigningAlg::Es256, None);
-
-        let data = b"some sample content to sign";
-        println!("data len = {}", data.len());
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature.len = {}", signature.len());
-        assert!(signature.len() >= 64);
-        assert!(signature.len() <= signer.reserve_size());
-    }
-
-    #[test]
-    fn es384_signer() {
-        let cert_dir = fixture_path("certs");
-
-        let (signer, _) = temp_signer::get_ec_signer(cert_dir, SigningAlg::Es384, None);
-
-        let data = b"some sample content to sign";
-        println!("data len = {}", data.len());
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature.len = {}", signature.len());
-        assert!(signature.len() >= 64);
-        assert!(signature.len() <= signer.reserve_size());
-    }
-
-    #[test]
-    fn es512_signer() {
-        let cert_dir = fixture_path("certs");
-
-        let (signer, _) = temp_signer::get_ec_signer(cert_dir, SigningAlg::Es512, None);
-
-        let data = b"some sample content to sign";
-        println!("data len = {}", data.len());
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature.len = {}", signature.len());
-        assert!(signature.len() >= 64);
-        assert!(signature.len() <= signer.reserve_size());
-    }
-}
diff --git a/sdk/src/openssl/ed_signer.rs b/sdk/src/openssl/ed_signer.rs
deleted file mode 100644
index cceb38d34..000000000
--- a/sdk/src/openssl/ed_signer.rs
+++ /dev/null
@@ -1,132 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use c2pa_crypto::{openssl::OpenSslMutex, time_stamp::TimeStampProvider, SigningAlg};
-use openssl::{
-    pkey::{PKey, Private},
-    x509::X509,
-};
-
-use super::check_chain_order;
-use crate::{signer::ConfigurableSigner, Error, Result, Signer};
-
-/// Implements `Signer` trait using OpenSSL's implementation of
-/// Edwards Curve encryption.
-pub struct EdSigner {
-    signcerts: Vec<X509>,
-    pkey: PKey<Private>,
-
-    certs_size: usize,
-    timestamp_size: usize,
-
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-}
-
-impl ConfigurableSigner for EdSigner {
-    fn from_signcert_and_pkey(
-        signcert: &[u8],
-        pkey: &[u8],
-        alg: SigningAlg,
-        tsa_url: Option<String>,
-    ) -> Result<Self> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let certs_size = signcert.len();
-        let signcerts = X509::stack_from_pem(signcert).map_err(Error::OpenSslError)?;
-        let pkey = PKey::private_key_from_pem(pkey).map_err(Error::OpenSslError)?;
-
-        if alg != SigningAlg::Ed25519 {
-            return Err(Error::UnsupportedType); // only ed25519 is supported by C2PA
-        }
-
-        // make sure cert chains are in order
-        if !check_chain_order(&signcerts) {
-            return Err(Error::BadParam(
-                "certificate chain is not in correct order".to_string(),
-            ));
-        }
-
-        Ok(EdSigner {
-            signcerts,
-            pkey,
-            certs_size,
-            timestamp_size: 10000, /* todo: call out to TSA to get actual timestamp and use that size */
-            alg,
-            tsa_url,
-        })
-    }
-}
-
-impl Signer for EdSigner {
-    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let mut signer =
-            openssl::sign::Signer::new_without_digest(&self.pkey).map_err(Error::OpenSslError)?;
-
-        let signed_data = signer.sign_oneshot_to_vec(data)?;
-
-        Ok(signed_data)
-    }
-
-    fn alg(&self) -> SigningAlg {
-        self.alg
-    }
-
-    fn certs(&self) -> Result<Vec<Vec<u8>>> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        for c in &self.signcerts {
-            let cert = c.to_der().map_err(Error::OpenSslError)?;
-            certs.push(cert);
-        }
-
-        Ok(certs)
-    }
-
-    fn reserve_size(&self) -> usize {
-        1024 + self.certs_size + self.timestamp_size // the Cose_Sign1 contains complete certs and timestamps so account for size
-    }
-}
-
-impl TimeStampProvider for EdSigner {
-    fn time_stamp_service_url(&self) -> Option<String> {
-        self.tsa_url.clone()
-    }
-}
-
-#[cfg(test)]
-#[cfg(feature = "file_io")]
-mod tests {
-    #![allow(clippy::unwrap_used)]
-    use super::*;
-    use crate::{openssl::temp_signer, utils::test::fixture_path};
-
-    #[test]
-    fn ed25519_signer() {
-        let cert_dir = fixture_path("certs");
-
-        let (signer, _) = temp_signer::get_ed_signer(cert_dir, SigningAlg::Ed25519, None);
-
-        let data = b"some sample content to sign";
-        println!("data len = {}", data.len());
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature.len = {}", signature.len());
-        assert!(signature.len() >= 64);
-        assert!(signature.len() <= signer.reserve_size());
-    }
-}
diff --git a/sdk/src/openssl/mod.rs b/sdk/src/openssl/mod.rs
deleted file mode 100644
index 13dbaeb83..000000000
--- a/sdk/src/openssl/mod.rs
+++ /dev/null
@@ -1,104 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-#[cfg(feature = "openssl_sign")]
-mod rsa_signer;
-#[cfg(feature = "openssl_sign")]
-pub(crate) use rsa_signer::RsaSigner;
-
-#[cfg(feature = "openssl_sign")]
-mod ec_signer;
-#[cfg(feature = "openssl_sign")]
-pub(crate) use ec_signer::EcSigner;
-
-#[cfg(feature = "openssl_sign")]
-mod ed_signer;
-#[cfg(feature = "openssl_sign")]
-pub(crate) use ed_signer::EdSigner;
-
-#[cfg(feature = "openssl")]
-mod openssl_trust_handler;
-#[cfg(test)]
-pub(crate) mod temp_signer;
-
-#[cfg(feature = "openssl")]
-pub(crate) use openssl_trust_handler::verify_trust;
-#[cfg(feature = "openssl")]
-pub(crate) use openssl_trust_handler::OpenSSLTrustHandlerConfig;
-
-#[cfg(test)]
-pub(crate) mod temp_signer_async;
-
-#[cfg(feature = "openssl")]
-use openssl::x509::X509;
-#[cfg(test)]
-#[allow(unused_imports)]
-#[cfg(feature = "openssl")]
-pub(crate) use temp_signer_async::AsyncSignerAdapter;
-
-#[cfg(feature = "openssl")]
-fn check_chain_order(certs: &[X509]) -> bool {
-    // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
-    // don't make this pub or pub(crate) without finding a way to ensure that
-    // precondition.
-
-    {
-        if certs.len() > 1 {
-            for (i, c) in certs.iter().enumerate() {
-                if let Some(next_c) = certs.get(i + 1) {
-                    if let Ok(pkey) = next_c.public_key() {
-                        if let Ok(verified) = c.verify(&pkey) {
-                            if !verified {
-                                return false;
-                            }
-                        } else {
-                            return false;
-                        }
-                    } else {
-                        return false;
-                    }
-                }
-            }
-        }
-        true
-    }
-}
-
-#[cfg(not(feature = "openssl"))]
-fn check_chain_order(certs: &[X509]) -> bool {
-    true
-}
-
-#[cfg(feature = "openssl")]
-#[allow(dead_code)]
-fn check_chain_order_der(cert_ders: &[Vec<u8>]) -> bool {
-    // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
-    // don't make this pub or pub(crate) without finding a way to ensure that
-    // precondition.
-
-    let mut certs: Vec<X509> = Vec::new();
-    for cert_der in cert_ders {
-        if let Ok(cert) = X509::from_der(cert_der) {
-            certs.push(cert);
-        } else {
-            return false;
-        }
-    }
-
-    check_chain_order(&certs)
-}
-
-#[cfg(not(feature = "openssl"))]
-fn check_chain_order_der(cert_ders: &[Vec<u8>]) -> bool {
-    true
-}
diff --git a/sdk/src/openssl/openssl_trust_handler.rs b/sdk/src/openssl/openssl_trust_handler.rs
index f51a2ab7e..5c734399a 100644
--- a/sdk/src/openssl/openssl_trust_handler.rs
+++ b/sdk/src/openssl/openssl_trust_handler.rs
@@ -11,23 +11,12 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use std::{
-    collections::HashSet,
-    io::{BufRead, BufReader, Cursor, Read},
-    str::FromStr,
-};
-
-use asn1_rs::Oid;
-use c2pa_crypto::{base64, openssl::OpenSslMutex};
+use c2pa_crypto::{cose::CertificateAcceptancePolicy, openssl::OpenSslMutex};
 use openssl::x509::verify::X509VerifyFlags;
 
-use crate::{
-    hash_utils::hash_sha256,
-    trust_handler::{load_eku_configuration, TrustHandlerConfig},
-    Error, Result,
-};
+use crate::Error;
 
-fn certs_der_to_x509(ders: &[Vec<u8>]) -> Result<Vec<openssl::x509::X509>> {
+fn certs_der_to_x509(ders: &[Vec<u8>]) -> crate::Result<Vec<openssl::x509::X509>> {
     // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
     // don't make this pub or pub(crate) without finding a way to ensure that
     // precondition.
@@ -35,217 +24,23 @@ fn certs_der_to_x509(ders: &[Vec<u8>]) -> Result<Vec<openssl::x509::X509>> {
     let mut certs: Vec<openssl::x509::X509> = Vec::new();
 
     for d in ders {
-        let cert = openssl::x509::X509::from_der(d).map_err(Error::OpenSslError)?;
+        let cert = openssl::x509::X509::from_der(d)?;
         certs.push(cert);
     }
 
     Ok(certs)
 }
 
-fn load_trust_from_pem_data(trust_data: &[u8]) -> Result<Vec<openssl::x509::X509>> {
-    let _openssl = OpenSslMutex::acquire()?;
-    openssl::x509::X509::stack_from_pem(trust_data).map_err(Error::OpenSslError)
-}
-
-// Struct to handle verification of trust chains
-pub(crate) struct OpenSSLTrustHandlerConfig {
-    trust_anchors: Vec<openssl::x509::X509>,
-    private_anchors: Vec<openssl::x509::X509>,
-    allowed_cert_set: HashSet<String>,
-    trust_store: Option<openssl::x509::store::X509Store>,
-    config_store: Vec<u8>,
-}
-
-impl OpenSSLTrustHandlerConfig {
-    pub fn load_default_trust(&mut self) -> Result<()> {
-        // load config store
-        let config = include_bytes!("./store.cfg");
-        let mut config_reader = Cursor::new(config);
-        self.load_configuration(&mut config_reader)?;
-
-        // load debug/test private trust anchors
-        if cfg!(test) {
-            let pa = include_bytes!("./test_cert_root_bundle.pem");
-            let mut pa_reader = Cursor::new(pa);
-
-            self.append_private_trust_data(&mut pa_reader)?;
-        }
-
-        Ok(())
-    }
-
-    fn update_store(&mut self) -> Result<()> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let mut builder =
-            openssl::x509::store::X509StoreBuilder::new().map_err(Error::OpenSslError)?;
-
-        // add trust anchors
-        for t in &self.trust_anchors {
-            builder.add_cert(t.clone())?;
-        }
-
-        // add private anchors
-        for t in &self.private_anchors {
-            builder.add_cert(t.clone())?;
-        }
-
-        self.trust_store = Some(builder.build());
-
-        Ok(())
-    }
-}
-
-impl std::fmt::Debug for OpenSSLTrustHandlerConfig {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
-        write!(
-            f,
-            "{} trust anchors, {} private anchors.",
-            self.trust_anchors.len(),
-            self.private_anchors.len()
-        )
-    }
-}
-
-#[allow(dead_code)]
-impl TrustHandlerConfig for OpenSSLTrustHandlerConfig {
-    fn new() -> Self {
-        let mut th = OpenSSLTrustHandlerConfig {
-            trust_anchors: Vec::new(),
-            private_anchors: Vec::new(),
-            allowed_cert_set: HashSet::new(),
-            trust_store: None,
-            config_store: Vec::new(),
-        };
-        if th.load_default_trust().is_err() {
-            th.clear(); // just use empty trust handler to fail automatically
-        }
-
-        th
-    }
-
-    // add trust anchors
-    fn load_trust_anchors_from_data(&mut self, trust_data_reader: &mut dyn Read) -> Result<()> {
-        let mut trust_data = Vec::new();
-        trust_data_reader.read_to_end(&mut trust_data)?;
-
-        self.trust_anchors = load_trust_from_pem_data(&trust_data)?;
-        if self.trust_anchors.is_empty() {
-            return Err(Error::NotFound); // catch silent failure
-        }
-
-        self.update_store()
-    }
-
-    // add allowed list entries
-    fn load_allowed_list(&mut self, allowed_list: &mut dyn Read) -> Result<()> {
-        let mut buffer = Vec::new();
-        allowed_list.read_to_end(&mut buffer)?;
-
-        {
-            let _openssl = OpenSslMutex::acquire()?;
-            if let Ok(cert_list) = openssl::x509::X509::stack_from_pem(&buffer) {
-                for cert in &cert_list {
-                    let cert_der = cert.to_der().map_err(Error::OpenSslError)?;
-                    let cert_sha256 = hash_sha256(&cert_der);
-                    let cert_hash_base64 = base64::encode(&cert_sha256);
-
-                    self.allowed_cert_set.insert(cert_hash_base64);
-                }
-            }
-        }
-
-        // try to load the of base64 encoded encoding of the sha256 hash of the certificate DER encoding
-        let reader = Cursor::new(buffer);
-        let buf_reader = BufReader::new(reader);
-
-        let mut inside_cert_block = false;
-        for l in buf_reader.lines().map_while(|v| v.ok()) {
-            if l.contains("-----BEGIN") {
-                inside_cert_block = true;
-            }
-            if l.contains("-----END") {
-                inside_cert_block = false;
-            }
-
-            // sanity check that that is is base64 encoded and outside of certificate block
-            if !inside_cert_block && base64::decode(&l).is_ok() && !l.is_empty() {
-                self.allowed_cert_set.insert(l);
-            }
-        }
-
-        Ok(())
-    }
-
-    // append private trust anchors
-    fn append_private_trust_data(&mut self, private_anchors_reader: &mut dyn Read) -> Result<()> {
-        let mut private_anchors_data = Vec::new();
-        private_anchors_reader.read_to_end(&mut private_anchors_data)?;
-
-        let mut pa = load_trust_from_pem_data(&private_anchors_data)?;
-        self.private_anchors.append(&mut pa);
-        self.update_store()
-    }
-
-    fn clear(&mut self) {
-        self.trust_anchors = Vec::new();
-        self.private_anchors = Vec::new();
-        self.trust_store = None;
-    }
-
-    // load EKU configuration
-    fn load_configuration(&mut self, config_data: &mut dyn Read) -> Result<()> {
-        config_data.read_to_end(&mut self.config_store)?;
-        Ok(())
-    }
-
-    // list off auxillary allowed EKU Oid
-    fn get_auxillary_ekus(&self) -> Vec<Oid> {
-        let mut oids = Vec::new();
-        if let Ok(oid_strings) = load_eku_configuration(&mut Cursor::new(&self.config_store)) {
-            for oid_str in &oid_strings {
-                if let Ok(oid) = Oid::from_str(oid_str) {
-                    oids.push(oid);
-                }
-            }
-        }
-        oids
-    }
-
-    fn get_anchors(&self) -> Vec<Vec<u8>> {
-        let mut anchors = Vec::new();
-
-        for a in &self.private_anchors {
-            if let Ok(der) = a.to_der() {
-                anchors.push(der)
-            }
-        }
-
-        for a in &self.trust_anchors {
-            if let Ok(der) = a.to_der() {
-                anchors.push(der)
-            }
-        }
-        anchors
-    }
-
-    // set of allowed cert hashes
-    fn get_allowed_list(&self) -> &HashSet<String> {
-        &self.allowed_cert_set
-    }
-}
-
 // verify certificate and trust chain
 pub(crate) fn verify_trust(
-    th: &dyn TrustHandlerConfig,
+    cap: &CertificateAcceptancePolicy,
     chain_der: &[Vec<u8>],
     cert_der: &[u8],
     signing_time_epoc: Option<i64>,
-) -> Result<bool> {
+) -> crate::Result<bool> {
     // check the cert against the allowed list first
-    let cert_sha256 = hash_sha256(cert_der);
-    let cert_hash_base64 = base64::encode(&cert_sha256);
-    if th.get_allowed_list().contains(&cert_hash_base64) {
+    // TO DO: optimize by hashing the cert?
+    if cap.end_entity_cert_ders().any(|der| der == cert_der) {
         return Ok(true);
     }
 
@@ -283,19 +78,21 @@ pub(crate) fn verify_trust(
         .set_param(&verify_param)
         .map_err(Error::OpenSslError)?;
 
-    // todo: figure out the passthrough case
-    if th.get_anchors().is_empty() {
-        return Ok(false);
-    }
-
     // add trust anchors
-    for d in th.get_anchors() {
-        let c = openssl::x509::X509::from_der(&d).map_err(Error::OpenSslError)?;
+    let mut has_anchors = false;
+    for der in cap.trust_anchor_ders() {
+        let c = openssl::x509::X509::from_der(der).map_err(Error::OpenSslError)?;
         builder.add_cert(c)?;
+        has_anchors = true
     }
+
     // finalize store
     let store = builder.build();
 
+    if !has_anchors {
+        return Ok(false);
+    }
+
     match store_ctx.init(&store, cert.as_ref(), &cert_chain, |f| f.verify_cert()) {
         Ok(trust) => Ok(trust),
         Err(_) => Ok(false),
@@ -303,6 +100,7 @@ pub(crate) fn verify_trust(
 }
 
 #[cfg(test)]
+#[cfg(feature = "file_io")]
 pub mod tests {
     #![allow(clippy::expect_used)]
     #![allow(clippy::panic)]
@@ -311,28 +109,20 @@ pub mod tests {
     use c2pa_crypto::SigningAlg;
 
     use super::*;
-    use crate::{
-        openssl::temp_signer::{self},
-        Signer,
-    };
+    use crate::{utils::test_signer::test_signer, Signer};
 
     #[test]
     fn test_trust_store() {
-        let cert_dir = crate::utils::test::fixture_path("certs");
-
-        let mut th = OpenSSLTrustHandlerConfig::new();
-        th.clear();
-
-        th.load_default_trust().unwrap();
+        let cap = crate::utils::test::test_certificate_acceptance_policy();
 
         // test all the certs
-        let (ps256, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps256, None);
-        let (ps384, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps384, None);
-        let (ps512, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps512, None);
-        let (es256, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es256, None);
-        let (es384, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es384, None);
-        let (es512, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es512, None);
-        let (ed25519, _) = temp_signer::get_ed_signer(&cert_dir, SigningAlg::Ed25519, None);
+        let ps256 = test_signer(SigningAlg::Ps256);
+        let ps384 = test_signer(SigningAlg::Ps384);
+        let ps512 = test_signer(SigningAlg::Ps512);
+        let es256 = test_signer(SigningAlg::Es256);
+        let es384 = test_signer(SigningAlg::Es384);
+        let es512 = test_signer(SigningAlg::Es512);
+        let ed25519 = test_signer(SigningAlg::Ed25519);
 
         let ps256_certs = ps256.certs().unwrap();
         let ps384_certs = ps384.certs().unwrap();
@@ -342,35 +132,27 @@ pub mod tests {
         let es512_certs = es512.certs().unwrap();
         let ed25519_certs = ed25519.certs().unwrap();
 
-        assert!(verify_trust(&th, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es256_certs[1..], &es256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es384_certs[1..], &es384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es512_certs[1..], &es512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es256_certs[1..], &es256_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es384_certs[1..], &es384_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es512_certs[1..], &es512_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
     }
 
     #[test]
     fn test_broken_trust_chain() {
-        let cert_dir = crate::utils::test::fixture_path("certs");
-        let ta = include_bytes!("../../tests/fixtures/certs/trust/test_cert_root_bundle.pem");
-
-        let mut th = OpenSSLTrustHandlerConfig::new();
-        th.clear();
-
-        // load the trust store
-        let mut reader = Cursor::new(ta);
-        th.load_trust_anchors_from_data(&mut reader).unwrap();
+        let cap = CertificateAcceptancePolicy::default();
 
         // test all the certs
-        let (ps256, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps256, None);
-        let (ps384, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps384, None);
-        let (ps512, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps512, None);
-        let (es256, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es256, None);
-        let (es384, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es384, None);
-        let (es512, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es512, None);
-        let (ed25519, _) = temp_signer::get_ed_signer(&cert_dir, SigningAlg::Ed25519, None);
+        let ps256 = test_signer(SigningAlg::Ps256);
+        let ps384 = test_signer(SigningAlg::Ps384);
+        let ps512 = test_signer(SigningAlg::Ps512);
+        let es256 = test_signer(SigningAlg::Es256);
+        let es384 = test_signer(SigningAlg::Es384);
+        let es512 = test_signer(SigningAlg::Es512);
+        let ed25519 = test_signer(SigningAlg::Ed25519);
 
         let ps256_certs = ps256.certs().unwrap();
         let ps384_certs = ps384.certs().unwrap();
@@ -380,39 +162,28 @@ pub mod tests {
         let es512_certs = es512.certs().unwrap();
         let ed25519_certs = ed25519.certs().unwrap();
 
-        assert!(!verify_trust(&th, &ps256_certs[2..], &ps256_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &ps384_certs[2..], &ps384_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &ps384_certs[2..], &ps384_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &ps512_certs[2..], &ps512_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &es256_certs[2..], &es256_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &es384_certs[2..], &es384_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &es512_certs[2..], &es512_certs[0], None).unwrap());
-        assert!(!verify_trust(&th, &ed25519_certs[2..], &ed25519_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &ps256_certs[2..], &ps256_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &ps384_certs[2..], &ps384_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &ps384_certs[2..], &ps384_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &ps512_certs[2..], &ps512_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &es256_certs[2..], &es256_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &es384_certs[2..], &es384_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &es512_certs[2..], &es512_certs[0], None).unwrap());
+        assert!(!verify_trust(&cap, &ed25519_certs[2..], &ed25519_certs[0], None).unwrap());
     }
 
     #[test]
     fn test_allowed_list() {
-        let cert_dir = crate::utils::test::fixture_path("certs");
-
-        let mut th = OpenSSLTrustHandlerConfig::new();
-        th.clear();
-
-        let mut allowed_list_path = crate::utils::test::fixture_path("certs");
-        allowed_list_path = allowed_list_path.join("trust");
-        allowed_list_path = allowed_list_path.join("allowed_list.pem");
-
-        let mut allowed_list = std::fs::File::open(&allowed_list_path).unwrap();
-
-        th.load_allowed_list(&mut allowed_list).unwrap();
+        let cap = crate::utils::test::test_certificate_acceptance_policy();
 
         // test all the certs
-        let (ps256, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps256, None);
-        let (ps384, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps384, None);
-        let (ps512, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps512, None);
-        let (es256, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es256, None);
-        let (es384, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es384, None);
-        let (es512, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es512, None);
-        let (ed25519, _) = temp_signer::get_ed_signer(&cert_dir, SigningAlg::Ed25519, None);
+        let ps256 = test_signer(SigningAlg::Ps256);
+        let ps384 = test_signer(SigningAlg::Ps384);
+        let ps512 = test_signer(SigningAlg::Ps512);
+        let es256 = test_signer(SigningAlg::Es256);
+        let es384 = test_signer(SigningAlg::Es384);
+        let es512 = test_signer(SigningAlg::Es512);
+        let ed25519 = test_signer(SigningAlg::Ed25519);
 
         let ps256_certs = ps256.certs().unwrap();
         let ps384_certs = ps384.certs().unwrap();
@@ -422,53 +193,48 @@ pub mod tests {
         let es512_certs = es512.certs().unwrap();
         let ed25519_certs = ed25519.certs().unwrap();
 
-        assert!(verify_trust(&th, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es256_certs[1..], &es256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es384_certs[1..], &es384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es512_certs[1..], &es512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
-    }
-
-    #[test]
-    fn test_allowed_list_hashes() {
-        let cert_dir = crate::utils::test::fixture_path("certs");
-
-        let mut th = OpenSSLTrustHandlerConfig::new();
-        th.clear();
-
-        let mut allowed_list_path = crate::utils::test::fixture_path("certs");
-        allowed_list_path = allowed_list_path.join("trust");
-        allowed_list_path = allowed_list_path.join("allowed_list.hash");
-
-        let mut allowed_list = std::fs::File::open(&allowed_list_path).unwrap();
-
-        th.load_allowed_list(&mut allowed_list).unwrap();
-
-        // test all the certs
-        let (ps256, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps256, None);
-        let (ps384, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps384, None);
-        let (ps512, _) = temp_signer::get_rsa_signer(&cert_dir, SigningAlg::Ps512, None);
-        let (es256, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es256, None);
-        let (es384, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es384, None);
-        let (es512, _) = temp_signer::get_ec_signer(&cert_dir, SigningAlg::Es512, None);
-        let (ed25519, _) = temp_signer::get_ed_signer(&cert_dir, SigningAlg::Ed25519, None);
-
-        let ps256_certs = ps256.certs().unwrap();
-        let ps384_certs = ps384.certs().unwrap();
-        let ps512_certs = ps512.certs().unwrap();
-        let es256_certs = es256.certs().unwrap();
-        let es384_certs = es384.certs().unwrap();
-        let es512_certs = es512.certs().unwrap();
-        let ed25519_certs = ed25519.certs().unwrap();
-
-        assert!(verify_trust(&th, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es256_certs[1..], &es256_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es384_certs[1..], &es384_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &es512_certs[1..], &es512_certs[0], None).unwrap());
-        assert!(verify_trust(&th, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
-    }
+        assert!(verify_trust(&cap, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es256_certs[1..], &es256_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es384_certs[1..], &es384_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &es512_certs[1..], &es512_certs[0], None).unwrap());
+        assert!(verify_trust(&cap, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
+    }
+
+    // TO REVIEW: Do we need this? Considering removing support for hashed certs.
+    // #[test]
+    // fn test_allowed_list_hashes() {
+    //     let mut cap = CertificateAcceptancePolicy::default();
+
+    //     cap.add_end_entity_credentials(include_bytes!(
+    //         "../../tests/fixtures/certs/trust/allowed_list.hash"
+    //     ))
+    //     .unwrap();
+
+    //     // test all the certs
+    //     let ps256 = test_signer(SigningAlg::Ps256);
+    //     let ps384 = test_signer(SigningAlg::Ps384);
+    //     let ps512 = test_signer(SigningAlg::Ps512);
+    //     let es256 = test_signer(SigningAlg::Es256);
+    //     let es384 = test_signer(SigningAlg::Es384);
+    //     let es512 = test_signer(SigningAlg::Es512);
+    //     let ed25519 = test_signer(SigningAlg::Ed25519);
+
+    //     let ps256_certs = ps256.certs().unwrap();
+    //     let ps384_certs = ps384.certs().unwrap();
+    //     let ps512_certs = ps512.certs().unwrap();
+    //     let es256_certs = es256.certs().unwrap();
+    //     let es384_certs = es384.certs().unwrap();
+    //     let es512_certs = es512.certs().unwrap();
+    //     let ed25519_certs = ed25519.certs().unwrap();
+
+    //     assert!(verify_trust(&cap, &ps256_certs[1..], &ps256_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &ps384_certs[1..], &ps384_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &ps512_certs[1..], &ps512_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &es256_certs[1..], &es256_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &es384_certs[1..], &es384_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &es512_certs[1..], &es512_certs[0], None).unwrap());
+    //     assert!(verify_trust(&cap, &ed25519_certs[1..], &ed25519_certs[0], None).unwrap());
+    // }
 }
diff --git a/sdk/src/openssl/rsa_signer.rs b/sdk/src/openssl/rsa_signer.rs
deleted file mode 100644
index ce19a5004..000000000
--- a/sdk/src/openssl/rsa_signer.rs
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use std::cell::Cell;
-
-use c2pa_crypto::{
-    ocsp::OcspResponse, openssl::OpenSslMutex, time_stamp::TimeStampProvider, SigningAlg,
-};
-use openssl::{
-    hash::MessageDigest,
-    pkey::{PKey, Private},
-    rsa::{Rsa, RsaPrivateKeyBuilder},
-    x509::X509,
-};
-
-use super::check_chain_order;
-use crate::{signer::ConfigurableSigner, Error, Result, Signer};
-
-/// Implements `Signer` trait using OpenSSL's implementation of
-/// SHA256 + RSA encryption.
-pub struct RsaSigner {
-    signcerts: Vec<X509>,
-    pkey: PKey<Private>,
-
-    certs_size: usize,
-    timestamp_size: usize,
-    ocsp_size: Cell<usize>,
-
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-    ocsp_rsp: Cell<OcspResponse>,
-}
-
-impl RsaSigner {
-    // Sample of OCSP stapling while signing. This code is only for demo purposes and not for
-    // production use since there is no caching in the SDK and fetching is expensive. This is behind the
-    // feature flag 'psxxx_ocsp_stapling_experimental'
-    fn update_ocsp(&self) {
-        // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
-        // don't make this pub or pub(crate) without finding a way to ensure that
-        // precondition.
-
-        // do we need an update
-        let now = chrono::offset::Utc::now();
-
-        // is it time for an OCSP update
-        let ocsp_data = self.ocsp_rsp.take();
-        let next_update = ocsp_data.next_update;
-        self.ocsp_rsp.set(ocsp_data);
-        if now > next_update {
-            #[cfg(feature = "psxxx_ocsp_stapling_experimental")]
-            {
-                if let Ok(certs) = self.certs_internal() {
-                    if let Some(ocsp_rsp) = c2pa_crypto::ocsp::fetch_ocsp_response(&certs) {
-                        self.ocsp_size.set(ocsp_rsp.len());
-                        let mut validation_log =
-                            c2pa_status_tracker::DetailedStatusTracker::default();
-                        if let Ok(ocsp_response) =
-                            OcspResponse::from_der_checked(&ocsp_rsp, None, &mut validation_log)
-                        {
-                            self.ocsp_rsp.set(ocsp_response);
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    fn certs_internal(&self) -> Result<Vec<Vec<u8>>> {
-        // IMPORTANT: ffi_mutex::acquire() should have been called by calling fn. Please
-        // don't make this pub or pub(crate) without finding a way to ensure that
-        // precondition.
-
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        for c in &self.signcerts {
-            let cert = c.to_der().map_err(wrap_openssl_err)?;
-            certs.push(cert);
-        }
-
-        Ok(certs)
-    }
-}
-
-impl ConfigurableSigner for RsaSigner {
-    fn from_signcert_and_pkey(
-        signcert: &[u8],
-        pkey: &[u8],
-        alg: SigningAlg,
-        tsa_url: Option<String>,
-    ) -> Result<Self> {
-        let _openssl = OpenSslMutex::acquire()?;
-
-        let signcerts = X509::stack_from_pem(signcert).map_err(wrap_openssl_err)?;
-        let rsa = Rsa::private_key_from_pem(pkey).map_err(wrap_openssl_err)?;
-
-        // make sure cert chains are in order
-        if !check_chain_order(&signcerts) {
-            return Err(Error::BadParam(
-                "certificate chain is not in correct order".to_string(),
-            ));
-        }
-
-        // rebuild RSA keys to eliminate incompatible values
-        let n = rsa.n().to_owned().map_err(wrap_openssl_err)?;
-        let e = rsa.e().to_owned().map_err(wrap_openssl_err)?;
-        let d = rsa.d().to_owned().map_err(wrap_openssl_err)?;
-        let po = rsa.p();
-        let qo = rsa.q();
-        let dmp1o = rsa.dmp1();
-        let dmq1o = rsa.dmq1();
-        let iqmpo = rsa.iqmp();
-        let mut builder = RsaPrivateKeyBuilder::new(n, e, d).map_err(wrap_openssl_err)?;
-
-        if let Some(p) = po {
-            if let Some(q) = qo {
-                builder = builder
-                    .set_factors(p.to_owned()?, q.to_owned()?)
-                    .map_err(wrap_openssl_err)?;
-            }
-        }
-
-        if let Some(dmp1) = dmp1o {
-            if let Some(dmq1) = dmq1o {
-                if let Some(iqmp) = iqmpo {
-                    builder = builder
-                        .set_crt_params(dmp1.to_owned()?, dmq1.to_owned()?, iqmp.to_owned()?)
-                        .map_err(wrap_openssl_err)?;
-                }
-            }
-        }
-
-        let new_rsa = builder.build();
-
-        let pkey = PKey::from_rsa(new_rsa).map_err(wrap_openssl_err)?;
-
-        let signer = RsaSigner {
-            signcerts,
-            pkey,
-            certs_size: signcert.len(),
-            timestamp_size: 10000, /* todo: call out to TSA to get actual timestamp and use that size */
-            ocsp_size: Cell::new(0),
-            alg,
-            tsa_url,
-            ocsp_rsp: Cell::new(OcspResponse::default()),
-        };
-
-        // get OCSP if possible
-        signer.update_ocsp();
-
-        Ok(signer)
-    }
-}
-
-impl Signer for RsaSigner {
-    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
-        let mut signer = match self.alg {
-            SigningAlg::Ps256 => {
-                let mut signer = openssl::sign::Signer::new(MessageDigest::sha256(), &self.pkey)
-                    .map_err(wrap_openssl_err)?;
-
-                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?; // use C2PA recommended padding
-                signer.set_rsa_mgf1_md(MessageDigest::sha256())?;
-                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
-                signer
-            }
-            SigningAlg::Ps384 => {
-                let mut signer = openssl::sign::Signer::new(MessageDigest::sha384(), &self.pkey)
-                    .map_err(wrap_openssl_err)?;
-
-                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?; // use C2PA recommended padding
-                signer.set_rsa_mgf1_md(MessageDigest::sha384())?;
-                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
-                signer
-            }
-            SigningAlg::Ps512 => {
-                let mut signer = openssl::sign::Signer::new(MessageDigest::sha512(), &self.pkey)
-                    .map_err(wrap_openssl_err)?;
-
-                signer.set_rsa_padding(openssl::rsa::Padding::PKCS1_PSS)?; // use C2PA recommended padding
-                signer.set_rsa_mgf1_md(MessageDigest::sha512())?;
-                signer.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?;
-                signer
-            }
-            // "rs256" => openssl::sign::Signer::new(MessageDigest::sha256(), &self.pkey)
-            //     .map_err(wrap_openssl_err)?,
-            // "rs384" => openssl::sign::Signer::new(MessageDigest::sha384(), &self.pkey)
-            //     .map_err(wrap_openssl_err)?,
-            // "rs512" => openssl::sign::Signer::new(MessageDigest::sha512(), &self.pkey)
-            //     .map_err(wrap_openssl_err)?,
-            _ => return Err(Error::UnsupportedType),
-        };
-
-        let signed_data = signer.sign_oneshot_to_vec(data)?;
-
-        // println!("sig: {}", Hexlify(&signed_data));
-
-        Ok(signed_data)
-    }
-
-    fn reserve_size(&self) -> usize {
-        1024 + self.certs_size + self.timestamp_size + self.ocsp_size.get() // the Cose_Sign1 contains complete certs, timestamps and ocsp so account for size
-    }
-
-    fn certs(&self) -> Result<Vec<Vec<u8>>> {
-        let _openssl = OpenSslMutex::acquire()?;
-        self.certs_internal()
-    }
-
-    fn alg(&self) -> SigningAlg {
-        self.alg
-    }
-
-    fn ocsp_val(&self) -> Option<Vec<u8>> {
-        let _openssl = OpenSslMutex::acquire().ok()?;
-
-        // update OCSP if needed
-        self.update_ocsp();
-
-        let ocsp_data = self.ocsp_rsp.take();
-        let ocsp_rsp = ocsp_data.ocsp_der.clone();
-        self.ocsp_rsp.set(ocsp_data);
-        if !ocsp_rsp.is_empty() {
-            Some(ocsp_rsp)
-        } else {
-            None
-        }
-    }
-}
-
-impl TimeStampProvider for RsaSigner {
-    fn time_stamp_service_url(&self) -> Option<String> {
-        self.tsa_url.clone()
-    }
-}
-
-fn wrap_openssl_err(err: openssl::error::ErrorStack) -> Error {
-    Error::OpenSslError(err)
-}
-
-#[allow(unused_imports)]
-#[allow(clippy::unwrap_used)]
-#[cfg(test)]
-mod tests {
-
-    use super::*;
-    use crate::{
-        utils::test::{fixture_path, temp_signer},
-        Signer, SigningAlg,
-    };
-
-    #[test]
-    fn signer_from_files() {
-        let signer = temp_signer();
-        let data = b"some sample content to sign";
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature len = {}", signature.len());
-        assert!(signature.len() <= signer.reserve_size());
-    }
-
-    #[test]
-    fn sign_ps256() {
-        let cert_bytes = include_bytes!("../../tests/fixtures/temp_cert.data");
-        let key_bytes = include_bytes!("../../tests/fixtures/temp_priv_key.data");
-
-        let signer =
-            RsaSigner::from_signcert_and_pkey(cert_bytes, key_bytes, SigningAlg::Ps256, None)
-                .unwrap();
-
-        let data = b"some sample content to sign";
-
-        let signature = signer.sign(data).unwrap();
-        println!("signature len = {}", signature.len());
-        assert!(signature.len() <= signer.reserve_size());
-    }
-
-    // #[test]
-    // fn sign_rs256() {
-    //     let cert_bytes = include_bytes!("../../tests/fixtures/temp_cert.data");
-    //     let key_bytes = include_bytes!("../../tests/fixtures/temp_priv_key.data");
-
-    //     let signer =
-    //         RsaSigner::from_signcert_and_pkey(cert_bytes, key_bytes, "rs256".to_string(), None)
-    //             .unwrap();
-
-    //     let data = b"some sample content to sign";
-
-    //     let signature = signer.sign(data).unwrap();
-    //     println!("signature len = {}", signature.len());
-    //     assert!(signature.len() <= signer.reserve_size());
-    // }
-}
diff --git a/sdk/src/openssl/temp_signer.rs b/sdk/src/openssl/temp_signer.rs
deleted file mode 100644
index 411615cdf..000000000
--- a/sdk/src/openssl/temp_signer.rs
+++ /dev/null
@@ -1,184 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-#![deny(missing_docs)]
-
-//! Temporary signing instances for testing purposes.
-//!
-//! This module contains functions to create self-signed certificates
-//! and provision [`Signer`] instances for each of the supported signature
-//! formats.
-//!
-//! Private-key and signing certificate pairs are created in a directory
-//! provided by the caller. It is recommended to use a temporary directory
-//! that is deleted upon completion of the test. (We recommend using
-//! the [tempfile](https://crates.io/crates/tempfile) crate.)
-//!
-//! This module should be used only for testing purposes.
-
-// Since this module is intended for testing purposes, all of
-// its functions are allowed to panic.
-#![allow(clippy::panic)]
-#![allow(clippy::unwrap_used)]
-
-#[cfg(feature = "file_io")]
-use std::path::{Path, PathBuf};
-
-#[cfg(feature = "file_io")]
-use c2pa_crypto::SigningAlg;
-
-#[cfg(feature = "file_io")]
-use crate::{
-    openssl::{EcSigner, EdSigner, RsaSigner},
-    signer::ConfigurableSigner,
-};
-
-/// Create an OpenSSL ES256 signer that can be used for testing purposes.
-///
-/// # Arguments
-///
-/// * `path` - A directory (which must already exist) to receive the temporary
-///   private key / certificate pair.
-/// * `alg` - A format for signing. Must be one of the `SigningAlg::Es*` variants.
-/// * `tsa_url` - Optional URL for a timestamp authority.
-///
-/// # Returns
-///
-/// Returns a tuple of `(signer, sign_cert_path)` where `signer` is
-/// the [`Signer`] instance and `sign_cert_path` is the path to the
-/// signing certificate.
-///
-/// # Panics
-///
-/// Can panic if unable to invoke OpenSSL executable properly.
-#[cfg(feature = "file_io")]
-pub fn get_ec_signer<P: AsRef<Path>>(
-    path: P,
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-) -> (EcSigner, PathBuf) {
-    match alg {
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => (),
-        _ => {
-            panic!("Unknown EC signer alg {alg:#?}");
-        }
-    }
-
-    let mut sign_cert_path = path.as_ref().to_path_buf();
-    sign_cert_path.push(alg.to_string());
-    sign_cert_path.set_extension("pub");
-
-    let mut pem_key_path = path.as_ref().to_path_buf();
-    pem_key_path.push(alg.to_string());
-    pem_key_path.set_extension("pem");
-
-    (
-        EcSigner::from_files(&sign_cert_path, &pem_key_path, alg, tsa_url).unwrap(),
-        sign_cert_path,
-    )
-}
-
-/// Create an OpenSSL ES256 signer that can be used for testing purposes.
-///
-/// # Arguments
-///
-/// * `path` - A directory (which must already exist) to look for
-///   private key / certificate pair.
-/// * `alg` - A format for signing. Must be `ed25519`.
-/// * `tsa_url` - Optional URL for a timestamp authority.
-///
-/// # Returns
-///
-/// Returns a tuple of `(signer, sign_cert_path)` where `signer` is
-/// the [`Signer`] instance and `sign_cert_path` is the path to the
-/// signing certificate.
-///
-/// # Panics
-///
-/// Can panic if unable to invoke OpenSSL executable properly.
-#[cfg(feature = "file_io")]
-pub fn get_ed_signer<P: AsRef<Path>>(
-    path: P,
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-) -> (EdSigner, PathBuf) {
-    if alg != SigningAlg::Ed25519 {
-        panic!("Unknown ED signer alg {alg:#?}");
-    }
-
-    let mut sign_cert_path = path.as_ref().to_path_buf();
-    sign_cert_path.push(alg.to_string());
-    sign_cert_path.set_extension("pub");
-
-    let mut pem_key_path = path.as_ref().to_path_buf();
-    pem_key_path.push(alg.to_string());
-    pem_key_path.set_extension("pem");
-
-    (
-        EdSigner::from_files(&sign_cert_path, &pem_key_path, alg, tsa_url).unwrap(),
-        sign_cert_path,
-    )
-}
-
-/// Create an OpenSSL SHA+RSA signer that can be used for testing purposes.
-///
-/// # Arguments
-///
-/// * `path` - A directory (which must already exist) to receive the temporary
-///   private key / certificate pair.
-/// * `alg` - A format for signing. Must be one of the `SignerAlg::Ps*` options.
-/// * `tsa_url` - Optional URL for a timestamp authority.
-///
-/// # Returns
-///
-/// Returns a tuple of `(signer, sign_cert_path)` where `signer` is
-/// the [`Signer`] instance and `sign_cert_path` is the path to the
-/// signing certificate.
-///
-/// # Panics
-///
-/// Can panic if unable to invoke OpenSSL executable properly.
-#[cfg(feature = "file_io")]
-pub fn get_rsa_signer<P: AsRef<Path>>(
-    path: P,
-    alg: SigningAlg,
-    tsa_url: Option<String>,
-) -> (RsaSigner, PathBuf) {
-    match alg {
-        SigningAlg::Ps256 | SigningAlg::Ps384 | SigningAlg::Ps512 => (),
-        _ => {
-            panic!("Unknown RSA signer alg {alg:#?}");
-        }
-    }
-
-    let mut sign_cert_path = path.as_ref().to_path_buf();
-    sign_cert_path.push(alg.to_string());
-    sign_cert_path.set_extension("pub");
-
-    let mut pem_key_path = path.as_ref().to_path_buf();
-    pem_key_path.push(alg.to_string());
-    pem_key_path.set_extension("pem");
-
-    if !sign_cert_path.exists() || !pem_key_path.exists() {
-        panic!(
-            "path found: {}, {}",
-            sign_cert_path.display(),
-            pem_key_path.display()
-        );
-    }
-
-    (
-        RsaSigner::from_files(&sign_cert_path, &pem_key_path, alg, tsa_url).unwrap(),
-        sign_cert_path,
-    )
-}
diff --git a/sdk/src/openssl/temp_signer_async.rs b/sdk/src/openssl/temp_signer_async.rs
deleted file mode 100644
index e11bdde23..000000000
--- a/sdk/src/openssl/temp_signer_async.rs
+++ /dev/null
@@ -1,106 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-#![deny(missing_docs)]
-
-//! Temporary async signing instances for testing purposes.
-//!
-//! This is only a demonstration async Signer that is used to test
-//! the asynchronous signing of claims.
-//! This module should be used only for testing purposes.
-
-#[cfg(feature = "openssl_sign")]
-use c2pa_crypto::SigningAlg;
-
-#[cfg(feature = "openssl_sign")]
-fn get_local_signer(alg: SigningAlg) -> Box<dyn crate::Signer> {
-    let cert_dir = crate::utils::test::fixture_path("certs");
-
-    match alg {
-        SigningAlg::Ps256 | SigningAlg::Ps384 | SigningAlg::Ps512 => {
-            let (s, _k) = super::temp_signer::get_rsa_signer(&cert_dir, alg, None);
-            Box::new(s)
-        }
-        SigningAlg::Es256 | SigningAlg::Es384 | SigningAlg::Es512 => {
-            let (s, _k) = super::temp_signer::get_ec_signer(&cert_dir, alg, None);
-            Box::new(s)
-        }
-        SigningAlg::Ed25519 => {
-            let (s, _k) = super::temp_signer::get_ed_signer(&cert_dir, alg, None);
-            Box::new(s)
-        }
-    }
-}
-
-#[cfg(feature = "openssl_sign")]
-pub struct AsyncSignerAdapter {
-    alg: SigningAlg,
-    certs: Vec<Vec<u8>>,
-    reserve_size: usize,
-    tsa_url: Option<String>,
-    ocsp_val: Option<Vec<u8>>,
-}
-
-#[cfg(feature = "openssl_sign")]
-impl AsyncSignerAdapter {
-    pub fn new(alg: SigningAlg) -> Self {
-        let signer = get_local_signer(alg);
-
-        AsyncSignerAdapter {
-            alg,
-            certs: signer.certs().unwrap_or_default(),
-            reserve_size: signer.reserve_size(),
-            tsa_url: signer.time_stamp_service_url(),
-            ocsp_val: signer.ocsp_val(),
-        }
-    }
-}
-
-#[cfg(test)]
-#[cfg(feature = "openssl_sign")]
-#[async_trait::async_trait]
-impl crate::AsyncSigner for AsyncSignerAdapter {
-    async fn sign(&self, data: Vec<u8>) -> crate::error::Result<Vec<u8>> {
-        let signer = get_local_signer(self.alg);
-        signer.sign(&data)
-    }
-
-    fn alg(&self) -> SigningAlg {
-        self.alg
-    }
-
-    fn certs(&self) -> crate::Result<Vec<Vec<u8>>> {
-        let mut output: Vec<Vec<u8>> = Vec::new();
-        for v in &self.certs {
-            output.push(v.clone());
-        }
-        Ok(output)
-    }
-
-    fn reserve_size(&self) -> usize {
-        self.reserve_size
-    }
-
-    async fn ocsp_val(&self) -> Option<Vec<u8>> {
-        self.ocsp_val.clone()
-    }
-}
-
-#[cfg(test)]
-#[cfg(feature = "openssl_sign")]
-#[async_trait::async_trait]
-impl c2pa_crypto::time_stamp::AsyncTimeStampProvider for AsyncSignerAdapter {
-    fn time_stamp_service_url(&self) -> Option<String> {
-        self.tsa_url.clone()
-    }
-}
diff --git a/sdk/src/reader.rs b/sdk/src/reader.rs
index 98f09029c..7f1e2a837 100644
--- a/sdk/src/reader.rs
+++ b/sdk/src/reader.rs
@@ -28,21 +28,10 @@ use serde::{Deserialize, Serialize};
 use crate::error::Error;
 use crate::{
     claim::ClaimAssetData, error::Result, manifest_store::ManifestStore,
-    settings::get_settings_value, store::Store, validation_status::ValidationStatus, Manifest,
-    ManifestStoreReport,
+    settings::get_settings_value, store::Store, validation_results::ValidationState,
+    validation_status::ValidationStatus, Manifest, ManifestStoreReport,
 };
 
-#[derive(Copy, Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
-#[cfg_attr(feature = "json_schema", derive(JsonSchema))]
-pub enum ValidationState {
-    /// Errors were found in the manifest store.
-    Invalid,
-    /// No errors were found in validation, but the active signature is not trusted.
-    Valid,
-    /// The manifest store is valid and the active signature is trusted.
-    Trusted,
-}
-
 /// A reader for the manifest store.
 #[derive(Serialize, Deserialize)]
 #[cfg_attr(feature = "json_schema", derive(JsonSchema))]
@@ -272,6 +261,9 @@ impl Reader {
     /// Get the [`ValidationState`] of the manifest store.
     pub fn validation_state(&self) -> ValidationState {
         let verify_trust = get_settings_value("verify.trusted").unwrap_or(false);
+        if let Some(validation_results) = self.manifest_store.validation_results() {
+            return validation_results.validation_state();
+        }
         match self.validation_status() {
             Some(status) => {
                 // if there are any errors, the state is invalid unless the only error is an untrusted credential
@@ -487,8 +479,8 @@ pub mod tests {
         let manifest = reader.active_manifest().unwrap();
         let ingredient = manifest.ingredients().iter().next().unwrap();
         let uri = ingredient.thumbnail_ref().unwrap().identifier.clone();
-        let mut stream = std::io::Cursor::new(Vec::new());
-        let bytes_written = reader.resource_to_stream(&uri, &mut stream)?;
+        let stream = std::io::Cursor::new(Vec::new());
+        let bytes_written = reader.resource_to_stream(&uri, stream)?;
         assert_eq!(bytes_written, 41810);
         Ok(())
     }
diff --git a/sdk/src/resource_store.rs b/sdk/src/resource_store.rs
index 6d6eff8f4..0d75c36ec 100644
--- a/sdk/src/resource_store.rs
+++ b/sdk/src/resource_store.rs
@@ -404,8 +404,10 @@ mod tests {
 
     use std::io::Cursor;
 
+    use c2pa_crypto::raw_signature::SigningAlg;
+
     use super::*;
-    use crate::{utils::test::temp_signer, Builder, Reader};
+    use crate::{utils::test_signer::test_signer, Builder, Reader};
 
     #[test]
     #[cfg(feature = "openssl_sign")]
@@ -451,7 +453,8 @@ mod tests {
 
         let image = include_bytes!("../tests/fixtures/earth_apollo17.jpg");
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
+
         // Embed a manifest using the signer.
         let mut output_image = Cursor::new(Vec::new());
         builder
diff --git a/sdk/src/salt.rs b/sdk/src/salt.rs
index c84508d5f..09aa1e3c8 100644
--- a/sdk/src/salt.rs
+++ b/sdk/src/salt.rs
@@ -55,20 +55,11 @@ impl Default for DefaultSalt {
 
 impl SaltGenerator for DefaultSalt {
     fn generate_salt(&self) -> Option<Vec<u8>> {
-        #[cfg(feature = "openssl_sign")]
+        #[cfg(target_arch = "wasm32")]
         {
-            let mut salt = vec![0u8; self.salt_len];
-            openssl::rand::rand_bytes(&mut salt).ok()?;
-
-            Some(salt)
-        }
-        #[cfg(all(not(feature = "openssl_sign"), target_arch = "wasm32"))]
-        {
-            let salt = crate::wasm::util::get_random_values(self.salt_len).ok()?;
-
-            Some(salt)
+            Some(crate::wasm::util::get_random_values(self.salt_len).ok()?)
         }
-        #[cfg(all(not(feature = "openssl_sign"), not(target_arch = "wasm32")))]
+        #[cfg(not(target_arch = "wasm32"))]
         {
             use rand::prelude::*;
 
diff --git a/sdk/src/signer.rs b/sdk/src/signer.rs
index 71062d22e..9e8bc680d 100644
--- a/sdk/src/signer.rs
+++ b/sdk/src/signer.rs
@@ -11,16 +11,18 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use async_trait::async_trait;
 use c2pa_crypto::{
-    time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
-    SigningAlg,
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{TimeStampError, TimeStampProvider},
 };
 
 use crate::{DynamicAssertion, Result};
+
 /// The `Signer` trait generates a cryptographic signature over a byte array.
 ///
 /// This trait exists to allow the signature mechanism to be extended.
-pub trait Signer: TimeStampProvider {
+pub trait Signer {
     /// Returns a new byte array which is a signature over the original.
     fn sign(&self, data: &[u8]) -> Result<Vec<u8>>;
 
@@ -35,6 +37,46 @@ pub trait Signer: TimeStampProvider {
     /// than this value.
     fn reserve_size(&self) -> usize;
 
+    /// URL for time authority to time stamp the signature
+    fn time_authority_url(&self) -> Option<String> {
+        None
+    }
+
+    /// Additional request headers to pass to the time stamp authority.
+    ///
+    /// IMPORTANT: You should not include the "Content-type" header here.
+    /// That is provided by default.
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        None
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        c2pa_crypto::time_stamp::default_rfc3161_message(message).map_err(|e| e.into())
+    }
+
+    /// Request RFC 3161 timestamp to be included in the manifest data
+    /// structure.
+    ///
+    /// `message` is a preliminary hash of the claim
+    ///
+    /// The default implementation will send the request to the URL
+    /// provided by [`Self::time_authority_url()`], if any.
+    #[allow(unused)] // message not used on WASM
+    fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        #[cfg(not(target_arch = "wasm32"))]
+        if let Some(url) = self.time_authority_url() {
+            if let Ok(body) = self.timestamp_request_body(message) {
+                let headers: Option<Vec<(String, String)>> = self.timestamp_request_headers();
+                return Some(
+                    c2pa_crypto::time_stamp::default_rfc3161_request(&url, headers, &body, message)
+                        .map_err(|e| e.into()),
+                );
+            }
+        }
+
+        None
+    }
+
     /// OCSP response for the signing cert if available
     /// This is the only C2PA supported cert revocation method.
     /// By pre-querying the value for a your signing cert the value can
@@ -55,6 +97,16 @@ pub trait Signer: TimeStampProvider {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         Vec::new()
     }
+
+    /// This struct must also implement [`RawSigner`]. Return a reference
+    /// to that trait implementation.
+    ///
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`RawSigner`] a supertrait of
+    /// this trait. This API is a workaround for that limitation.
+    ///
+    /// [`RawSigner`]: c2pa_crypto::raw_signature::RawSigner
+    fn raw_signer(&self) -> Box<&dyn RawSigner>;
 }
 
 /// Trait to allow loading of signing credential from external sources
@@ -68,10 +120,8 @@ pub(crate) trait ConfigurableSigner: Signer + Sized {
         alg: SigningAlg,
         tsa_url: Option<String>,
     ) -> Result<Self> {
-        use crate::Error;
-
-        let signcert = std::fs::read(signcert_path).map_err(Error::IoError)?;
-        let pkey = std::fs::read(pkey_path).map_err(Error::IoError)?;
+        let signcert = std::fs::read(signcert_path).map_err(crate::Error::IoError)?;
+        let pkey = std::fs::read(pkey_path).map_err(crate::Error::IoError)?;
 
         Self::from_signcert_and_pkey(&signcert, &pkey, alg, tsa_url)
     }
@@ -85,8 +135,6 @@ pub(crate) trait ConfigurableSigner: Signer + Sized {
     ) -> Result<Self>;
 }
 
-use async_trait::async_trait;
-
 /// The `AsyncSigner` trait generates a cryptographic signature over a byte array.
 ///
 /// This trait exists to allow the signature mechanism to be extended.
@@ -94,7 +142,7 @@ use async_trait::async_trait;
 /// Use this when the implementation is asynchronous.
 #[cfg(not(target_arch = "wasm32"))]
 #[async_trait]
-pub trait AsyncSigner: Sync + AsyncTimeStampProvider {
+pub trait AsyncSigner: Sync {
     /// Returns a new byte array which is a signature over the original.
     async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>>;
 
@@ -109,6 +157,49 @@ pub trait AsyncSigner: Sync + AsyncTimeStampProvider {
     /// than this value.
     fn reserve_size(&self) -> usize;
 
+    /// URL for time authority to time stamp the signature
+    fn time_authority_url(&self) -> Option<String> {
+        None
+    }
+
+    /// Additional request headers to pass to the time stamp authority.
+    ///
+    /// IMPORTANT: You should not include the "Content-type" header here.
+    /// That is provided by default.
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        None
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        c2pa_crypto::time_stamp::default_rfc3161_message(message).map_err(|e| e.into())
+    }
+
+    /// Request RFC 3161 timestamp to be included in the manifest data
+    /// structure.
+    ///
+    /// `message` is a preliminary hash of the claim
+    ///
+    /// The default implementation will send the request to the URL
+    /// provided by [`Self::time_authority_url()`], if any.
+    async fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        // NOTE: This is currently synchronous, but may become
+        // async in the future.
+        if let Some(url) = self.time_authority_url() {
+            if let Ok(body) = self.timestamp_request_body(message) {
+                let headers: Option<Vec<(String, String)>> = self.timestamp_request_headers();
+                return Some(
+                    c2pa_crypto::time_stamp::default_rfc3161_request_async(
+                        &url, headers, &body, message,
+                    )
+                    .await
+                    .map_err(|e| e.into()),
+                );
+            }
+        }
+
+        None
+    }
+
     /// OCSP response for the signing cert if available
     /// This is the only C2PA supported cert revocation method.
     /// By pre-querying the value for a your signing cert the value can
@@ -129,11 +220,26 @@ pub trait AsyncSigner: Sync + AsyncTimeStampProvider {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         Vec::new()
     }
+
+    /// This struct must also implement [`AsyncRawSigner`]. Return a reference
+    /// to that trait implementation.
+    ///
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`AsyncRawSigner`] a supertrait
+    /// of this trait. This API is a workaround for that limitation.
+    ///
+    /// [`AsyncRawSigner`]: c2pa_crypto::raw_signature::AsyncRawSigner
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner>;
 }
 
+/// The `AsyncSigner` trait generates a cryptographic signature over a byte array.
+///
+/// This trait exists to allow the signature mechanism to be extended.
+///
+/// Use this when the implementation is asynchronous.
 #[cfg(target_arch = "wasm32")]
 #[async_trait(?Send)]
-pub trait AsyncSigner: AsyncTimeStampProvider {
+pub trait AsyncSigner {
     /// Returns a new byte array which is a signature over the original.
     async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>>;
 
@@ -148,6 +254,34 @@ pub trait AsyncSigner: AsyncTimeStampProvider {
     /// than this value.
     fn reserve_size(&self) -> usize;
 
+    /// URL for time authority to time stamp the signature
+    fn time_authority_url(&self) -> Option<String> {
+        None
+    }
+
+    /// Additional request headers to pass to the time stamp authority.
+    ///
+    /// IMPORTANT: You should not include the "Content-type" header here.
+    /// That is provided by default.
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        None
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        c2pa_crypto::time_stamp::default_rfc3161_message(message).map_err(|e| e.into())
+    }
+
+    /// Request RFC 3161 timestamp to be included in the manifest data
+    /// structure.
+    ///
+    /// `message` is a preliminary hash of the claim
+    ///
+    /// The default implementation will send the request to the URL
+    /// provided by [`Self::time_authority_url()`], if any.
+    async fn send_timestamp_request(&self, _message: &[u8]) -> Option<Result<Vec<u8>>> {
+        None
+    }
+
     /// OCSP response for the signing cert if available
     /// This is the only C2PA supported cert revocation method.
     /// By pre-querying the value for a your signing cert the value can
@@ -168,6 +302,16 @@ pub trait AsyncSigner: AsyncTimeStampProvider {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         Vec::new()
     }
+
+    /// This struct must also implement [`AsyncRawSigner`]. Return a reference
+    /// to that trait implementation.
+    ///
+    /// NOTE: Due to limitations in some of the FFI tooling that we use to bridge
+    /// c2pa-rs to other languages, we can not make [`AsyncRawSigner`] a supertrait
+    /// of this trait. This API is a workaround for that limitation.
+    ///
+    /// [`AsyncRawSigner`]: c2pa_crypto::raw_signature::AsyncRawSigner
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner>;
 }
 
 #[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
@@ -187,7 +331,7 @@ pub trait RemoteSigner: Sync {
     fn reserve_size(&self) -> usize;
 }
 
-impl Signer for Box<dyn Signer + Send + Sync> {
+impl Signer for Box<dyn Signer> {
     fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
         (**self).sign(data)
     }
@@ -215,28 +359,226 @@ impl Signer for Box<dyn Signer + Send + Sync> {
     fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
         (**self).dynamic_assertions()
     }
+
+    fn time_authority_url(&self) -> Option<String> {
+        (**self).time_authority_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        (**self).timestamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        (**self).timestamp_request_body(message)
+    }
+
+    fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        (**self).send_timestamp_request(message)
+    }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        (**self).raw_signer()
+    }
 }
 
-impl TimeStampProvider for Box<dyn Signer + Send + Sync> {
+impl RawSigner for Box<dyn Signer> {
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(self.as_ref().sign(data)?)
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.as_ref().alg()
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.as_ref().certs()?)
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.as_ref().reserve_size()
+    }
+
+    fn ocsp_response(&self) -> Option<Vec<u8>> {
+        eprintln!("HUH, A DIFFERENT I WANTED @ 397");
+        self.as_ref().ocsp_val()
+    }
+}
+
+impl TimeStampProvider for Box<dyn Signer> {
     fn time_stamp_service_url(&self) -> Option<String> {
-        (**self).time_stamp_service_url()
+        self.as_ref().time_authority_url()
     }
 
     fn time_stamp_request_headers(&self) -> Option<Vec<(String, String)>> {
-        (**self).time_stamp_request_headers()
+        self.as_ref().timestamp_request_headers()
     }
 
     fn time_stamp_request_body(
         &self,
         message: &[u8],
     ) -> std::result::Result<Vec<u8>, TimeStampError> {
-        (**self).time_stamp_request_body(message)
+        Ok(self.as_ref().sign(message)?)
     }
 
     fn send_time_stamp_request(
         &self,
         message: &[u8],
     ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
-        (**self).send_time_stamp_request(message)
+        self.as_ref()
+            .send_timestamp_request(message)
+            .map(|r| Ok(r?))
+    }
+}
+
+#[cfg(not(target_arch = "wasm32"))]
+#[async_trait]
+impl AsyncSigner for Box<dyn AsyncSigner + Send + Sync> {
+    async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
+        (**self).sign(data).await
+    }
+
+    fn alg(&self) -> SigningAlg {
+        (**self).alg()
+    }
+
+    fn certs(&self) -> Result<Vec<Vec<u8>>> {
+        (**self).certs()
+    }
+
+    fn reserve_size(&self) -> usize {
+        (**self).reserve_size()
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        (**self).time_authority_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        (**self).timestamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        (**self).timestamp_request_body(message)
+    }
+
+    async fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        (**self).send_timestamp_request(message).await
+    }
+
+    async fn ocsp_val(&self) -> Option<Vec<u8>> {
+        (**self).ocsp_val().await
+    }
+
+    fn direct_cose_handling(&self) -> bool {
+        (**self).direct_cose_handling()
+    }
+
+    fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
+        (**self).dynamic_assertions()
+    }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        (**self).async_raw_signer()
+    }
+}
+
+#[cfg(target_arch = "wasm32")]
+#[async_trait(?Send)]
+impl AsyncSigner for Box<dyn AsyncSigner> {
+    async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
+        (**self).sign(data).await
+    }
+
+    fn alg(&self) -> SigningAlg {
+        (**self).alg()
+    }
+
+    fn certs(&self) -> Result<Vec<Vec<u8>>> {
+        (**self).certs()
+    }
+
+    fn reserve_size(&self) -> usize {
+        (**self).reserve_size()
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        (**self).time_authority_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        (**self).timestamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        (**self).timestamp_request_body(message)
+    }
+
+    async fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        (**self).send_timestamp_request(message).await
+    }
+
+    async fn ocsp_val(&self) -> Option<Vec<u8>> {
+        (**self).ocsp_val().await
+    }
+
+    fn direct_cose_handling(&self) -> bool {
+        (**self).direct_cose_handling()
+    }
+
+    fn dynamic_assertions(&self) -> Vec<Box<dyn DynamicAssertion>> {
+        (**self).dynamic_assertions()
+    }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        (**self).async_raw_signer()
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", allow(dead_code))]
+pub(crate) struct RawSignerWrapper(pub(crate) Box<dyn RawSigner>);
+
+impl Signer for RawSignerWrapper {
+    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> {
+        self.0.sign(data).map_err(|e| e.into())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.0.alg()
+    }
+
+    fn certs(&self) -> Result<Vec<Vec<u8>>> {
+        self.0.cert_chain().map_err(|e| e.into())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.0.reserve_size()
+    }
+
+    fn ocsp_val(&self) -> Option<Vec<u8>> {
+        self.0.ocsp_response()
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        self.0.time_stamp_service_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        self.0.time_stamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        self.0
+            .time_stamp_request_body(message)
+            .map_err(|e| e.into())
+    }
+
+    fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        self.0
+            .send_time_stamp_request(message)
+            .map(|r| r.map_err(|e| e.into()))
+    }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(&*self.0)
     }
 }
diff --git a/sdk/src/store.rs b/sdk/src/store.rs
index 4ee8b3525..217398388 100644
--- a/sdk/src/store.rs
+++ b/sdk/src/store.rs
@@ -23,6 +23,10 @@ use std::{
 
 use async_generic::async_generic;
 use async_recursion::async_recursion;
+use c2pa_crypto::{
+    cose::{parse_cose_sign1, CertificateTrustPolicy, TimeStampStorage},
+    hash::sha256,
+};
 use c2pa_status_tracker::{log_item, DetailedStatusTracker, OneShotStatusTracker, StatusTracker};
 use log::error;
 
@@ -43,9 +47,12 @@ use crate::{
     asset_io::{
         CAIRead, CAIReadWrite, HashBlockObjectType, HashObjectPositions, RemoteRefEmbedType,
     },
-    claim::{Claim, ClaimAssertion, ClaimAssertionType, ClaimAssetData, RemoteManifest},
+    claim::{
+        check_ocsp_status, Claim, ClaimAssertion, ClaimAssertionType, ClaimAssetData,
+        RemoteManifest,
+    },
     cose_sign::{cose_sign, cose_sign_async},
-    cose_validator::{check_ocsp_status, verify_cose, verify_cose_async},
+    cose_validator::{verify_cose, verify_cose_async},
     dynamic_assertion::{DynamicAssertion, PreliminaryClaim},
     error::{Error, Result},
     external_manifest::ManifestPatchCallback,
@@ -63,12 +70,7 @@ use crate::{
     manifest_store_report::ManifestStoreReport,
     salt::DefaultSalt,
     settings::get_settings_value,
-    trust_handler::TrustHandlerConfig,
-    utils::{
-        hash_utils::{hash_sha256, HashRange},
-        io_utils::stream_len,
-        patch::patch_bytes,
-    },
+    utils::{hash_utils::HashRange, io_utils::stream_len, patch::patch_bytes},
     validation_status, AsyncSigner, RemoteSigner, Signer,
 };
 
@@ -89,7 +91,7 @@ pub struct Store {
     claims: Vec<Claim>,
     label: String,
     provenance_path: Option<String>,
-    trust_handler: Box<dyn TrustHandlerConfig>,
+    ctp: CertificateTrustPolicy,
 }
 
 struct ManifestInfo<'a> {
@@ -133,12 +135,7 @@ impl Store {
             manifest_box_hash_cache: HashMap::new(),
             claims: Vec::new(),
             label: label.to_string(),
-            #[cfg(feature = "openssl")]
-            trust_handler: Box::new(crate::openssl::OpenSSLTrustHandlerConfig::new()),
-            #[cfg(all(not(feature = "openssl"), target_arch = "wasm32"))]
-            trust_handler: Box::new(crate::wasm::WebTrustHandlerConfig::new()),
-            #[cfg(all(not(feature = "openssl"), not(target_arch = "wasm32")))]
-            trust_handler: Box::new(crate::trust_handler::TrustPassThrough::new()),
+            ctp: CertificateTrustPolicy::default(),
             provenance_path: None,
             //dynamic_assertions: Vec::new(),
         };
@@ -179,37 +176,28 @@ impl Store {
     /// Load set of trust anchors used for certificate validation. [u8] containing the
     /// trust anchors is passed in the trust_vec variable.
     pub fn add_trust(&mut self, trust_vec: &[u8]) -> Result<()> {
-        let mut trust_reader = Cursor::new(trust_vec);
-        self.trust_handler
-            .load_trust_anchors_from_data(&mut trust_reader)
+        Ok(self.ctp.add_trust_anchors(trust_vec)?)
     }
 
     // Load set of private trust anchors used for certificate validation. [u8] to the
     /// private trust anchors is passed in the trust_vec variable.  This can be called multiple times
     /// if there are additional trust stores.
     pub fn add_private_trust_anchors(&mut self, trust_vec: &[u8]) -> Result<()> {
-        let mut trust_reader = Cursor::new(trust_vec);
-        self.trust_handler
-            .append_private_trust_data(&mut trust_reader)
+        Ok(self.ctp.add_trust_anchors(trust_vec)?)
     }
 
     pub fn add_trust_config(&mut self, trust_vec: &[u8]) -> Result<()> {
-        let mut trust_reader = Cursor::new(trust_vec);
-        self.trust_handler.load_configuration(&mut trust_reader)
+        self.ctp.add_valid_ekus(trust_vec);
+        Ok(())
     }
 
     pub fn add_trust_allowed_list(&mut self, allowed_vec: &[u8]) -> Result<()> {
-        let mut trust_reader = Cursor::new(allowed_vec);
-        self.trust_handler.load_allowed_list(&mut trust_reader)
+        Ok(self.ctp.add_end_entity_credentials(allowed_vec)?)
     }
 
     /// Clear all existing trust anchors
     pub fn clear_trust_anchors(&mut self) {
-        self.trust_handler.clear();
-    }
-
-    fn trust_handler(&self) -> &dyn TrustHandlerConfig {
-        self.trust_handler.as_ref()
+        self.ctp.clear();
     }
 
     /// Get the provenance if available.
@@ -451,7 +439,7 @@ impl Store {
     // with actual signature data.
     fn sign_claim_placeholder(claim: &Claim, min_reserve_size: usize) -> Vec<u8> {
         let placeholder_str = format!("signature placeholder:{}", claim.label());
-        let mut placeholder = hash_sha256(placeholder_str.as_bytes());
+        let mut placeholder = sha256(placeholder_str.as_bytes());
 
         use std::cmp::max;
         placeholder.resize(max(placeholder.len(), min_reserve_size), 0);
@@ -484,7 +472,8 @@ impl Store {
         let data = claim.data().ok()?;
         let mut validation_log = OneShotStatusTracker::default();
 
-        if let Ok(info) = check_ocsp_status(sig, &data, self.trust_handler(), &mut validation_log) {
+        let sign1 = parse_cose_sign1(sig, &data, &mut validation_log).ok()?;
+        if let Ok(info) = check_ocsp_status(&sign1, &data, &self.ctp, &mut validation_log) {
             if let Some(revoked_at) = &info.revoked_at {
                 Some(format!(
                     "Certificate Status: Revoked, revoked at: {}",
@@ -516,19 +505,26 @@ impl Store {
     ) -> Result<Vec<u8>> {
         let claim_bytes = claim.data()?;
 
+        let tss = if claim.version() > 1 {
+            TimeStampStorage::V2_sigTst2_CTT
+        } else {
+            TimeStampStorage::V1_sigTst
+        };
+
         let result = if _sync {
             if signer.direct_cose_handling() {
                 // Let the signer do all the COSE processing and return the structured COSE data.
                 return signer.sign(&claim_bytes); // do not verify remote signers (we never did)
             } else {
-                cose_sign(signer, &claim_bytes, box_size, claim.version())
+                cose_sign(signer, &claim_bytes, box_size, tss)
             }
         } else {
             if signer.direct_cose_handling() {
                 // Let the signer do all the COSE processing and return the structured COSE data.
-                return signer.sign(claim_bytes.clone()).await; // do not verify remote signers (we never did)
+                return signer.sign(claim_bytes.clone()).await;
+            // do not verify remote signers (we never did)
             } else {
-                cose_sign_async(signer, &claim_bytes, box_size, claim.version()).await
+                cose_sign_async(signer, &claim_bytes, box_size, tss).await
             }
         };
         match result {
@@ -541,21 +537,14 @@ impl Store {
                         let mut cose_log = OneShotStatusTracker::default();
 
                         let result = if _sync {
-                            verify_cose(
+                            verify_cose(&sig, &claim_bytes, b"", false, &self.ctp, &mut cose_log)
+                        } else {
+                            verify_cose_async(
                                 &sig,
                                 &claim_bytes,
                                 b"",
                                 false,
-                                self.trust_handler(),
-                                &mut cose_log,
-                            )
-                        } else {
-                            verify_cose_async(
-                                sig.clone(),
-                                claim_bytes,
-                                b"".to_vec(),
-                                false,
-                                self.trust_handler(),
+                                &self.ctp,
                                 &mut cose_log,
                             )
                             .await
@@ -1297,6 +1286,9 @@ impl Store {
         for i in claim.ingredient_assertions() {
             let ingredient_assertion = Ingredient::from_assertion(i)?;
 
+            validation_log
+                .push_ingredient_uri(jumbf::labels::to_assertion_uri(claim.label(), &i.label()));
+
             // is this an ingredient
             if let Some(ref c2pa_manifest) = &ingredient_assertion.c2pa_manifest {
                 let label = Store::manifest_label_from_path(&c2pa_manifest.url());
@@ -1342,7 +1334,7 @@ impl Store {
                         asset_data,
                         false,
                         check_ingredient_trust,
-                        store.trust_handler(),
+                        &store.ctp,
                         validation_log,
                     )?;
 
@@ -1361,6 +1353,7 @@ impl Store {
                     )?;
                 }
             }
+            validation_log.pop_ingredient_uri();
         }
 
         // check ingredient rules
@@ -1406,6 +1399,9 @@ impl Store {
         for i in claim.ingredient_assertions() {
             let ingredient_assertion = Ingredient::from_assertion(i)?;
 
+            validation_log
+                .push_ingredient_uri(jumbf::labels::to_assertion_uri(claim.label(), &i.label()));
+
             // is this an ingredient
             if let Some(ref c2pa_manifest) = &ingredient_assertion.c2pa_manifest {
                 let label = Store::manifest_label_from_path(&c2pa_manifest.url());
@@ -1446,7 +1442,7 @@ impl Store {
                         asset_data,
                         false,
                         check_ingredient_trust,
-                        store.trust_handler(),
+                        &store.ctp,
                         validation_log,
                     )
                     .await?;
@@ -1467,6 +1463,7 @@ impl Store {
                     )?;
                 }
             }
+            validation_log.pop_ingredient_uri();
         }
 
         Ok(())
@@ -1494,15 +1491,8 @@ impl Store {
         };
 
         // verify the provenance claim
-        Claim::verify_claim_async(
-            claim,
-            asset_data,
-            true,
-            true,
-            store.trust_handler(),
-            validation_log,
-        )
-        .await?;
+        Claim::verify_claim_async(claim, asset_data, true, true, &store.ctp, validation_log)
+            .await?;
 
         Store::ingredient_checks_async(store, claim, asset_data, validation_log).await?;
 
@@ -1531,14 +1521,7 @@ impl Store {
         };
 
         // verify the provenance claim
-        Claim::verify_claim(
-            claim,
-            asset_data,
-            true,
-            true,
-            store.trust_handler(),
-            validation_log,
-        )?;
+        Claim::verify_claim(claim, asset_data, true, true, &store.ctp, validation_log)?;
 
         Store::ingredient_checks(store, claim, asset_data, validation_log)?;
 
@@ -3690,7 +3673,10 @@ pub mod tests {
 
     use std::io::Write;
 
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::{
+        raw_signature::{RawSigner, RawSignerError, SigningAlg},
+        time_stamp::TimeStampProvider,
+    };
     use c2pa_status_tracker::StatusTracker;
     use memchr::memmem;
     use serde::Serialize;
@@ -3708,9 +3694,10 @@ pub mod tests {
             hash_utils::Hasher,
             patch::patch_file,
             test::{
-                create_test_claim, fixture_path, temp_dir_path, temp_fixture_path, temp_signer,
+                create_test_claim, fixture_path, temp_dir_path, temp_fixture_path,
                 write_jpeg_placeholder_file,
             },
+            test_signer::{async_test_signer, test_signer},
         },
     };
 
@@ -3761,7 +3748,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Test generate JUMBF
         // Get labels for label test
@@ -3881,7 +3868,7 @@ pub mod tests {
         claimv2.add_claim_generator_info(cgi);
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Test generate JUMBF
         // Get labels for label test
@@ -3992,7 +3979,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4032,7 +4019,7 @@ pub mod tests {
 
     struct BadSigner {}
 
-    impl crate::Signer for BadSigner {
+    impl Signer for BadSigner {
         fn sign(&self, _data: &[u8]) -> Result<Vec<u8>> {
             Ok(b"not a valid signature".to_vec())
         }
@@ -4048,9 +4035,31 @@ pub mod tests {
         fn reserve_size(&self) -> usize {
             42
         }
+
+        fn raw_signer(&self) -> Box<&dyn RawSigner> {
+            Box::new(self)
+        }
     }
 
-    impl c2pa_crypto::time_stamp::TimeStampProvider for BadSigner {}
+    impl RawSigner for BadSigner {
+        fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+            Ok(b"not a valid signature".to_vec())
+        }
+
+        fn alg(&self) -> SigningAlg {
+            SigningAlg::Ps256
+        }
+
+        fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+            Ok(Vec::new())
+        }
+
+        fn reserve_size(&self) -> usize {
+            42
+        }
+    }
+
+    impl TimeStampProvider for BadSigner {}
 
     #[test]
     #[cfg(feature = "file_io")]
@@ -4079,7 +4088,9 @@ pub mod tests {
     #[test]
     #[cfg(feature = "file_io")]
     fn test_sign_with_expired_cert() {
-        use crate::{openssl::RsaSigner, signer::ConfigurableSigner, SigningAlg};
+        use c2pa_crypto::raw_signature::SigningAlg;
+
+        use crate::create_signer;
 
         // test adding to actual image
         let ap = fixture_path("earth_apollo17.jpg");
@@ -4093,13 +4104,16 @@ pub mod tests {
         let signcert_path = fixture_path("rsa-pss256_key-expired.pub");
         let pkey_path = fixture_path("rsa-pss256-expired.pem");
         let signer =
-            RsaSigner::from_files(signcert_path, pkey_path, SigningAlg::Ps256, None).unwrap();
+            create_signer::from_files(signcert_path, pkey_path, SigningAlg::Ps256, None).unwrap();
 
         store.commit_claim(claim).unwrap();
 
         let r = store.save_to_asset(&ap, &signer, &op);
         assert!(r.is_err());
-        assert_eq!(r.err().unwrap().to_string(), "COSE certificate has expired");
+        assert_eq!(
+            r.err().unwrap().to_string(),
+            "the certificate was not valid at time of signing"
+        );
     }
 
     #[test]
@@ -4134,12 +4148,12 @@ pub mod tests {
 
         // original data should not be in file anymore check for first 1k
         let buf = fs::read(&op).unwrap();
-        assert!(memmem::find(&buf, &original_jumbf[0..1024]).is_none());
+        assert_eq!(memmem::find(&buf, &original_jumbf[0..1024]), None);
     }
 
     #[actix::test]
     async fn test_jumbf_generation_async() {
-        let signer = crate::openssl::temp_signer_async::AsyncSignerAdapter::new(SigningAlg::Ps256);
+        let signer = async_test_signer(SigningAlg::Ps256);
 
         // test adding to actual image
         let ap = fixture_path("earth_apollo17.jpg");
@@ -4264,7 +4278,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4360,7 +4374,7 @@ pub mod tests {
             create_capture_claim(&mut claim_capture).unwrap();
 
             // Do we generate JUMBF?
-            let signer = temp_signer();
+            let signer = test_signer(SigningAlg::Ps256);
 
             // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commmits
             store.commit_claim(claim1).unwrap();
@@ -4433,7 +4447,7 @@ pub mod tests {
             create_capture_claim(&mut claim_capture).unwrap();
 
             // Do we generate JUMBF?
-            let signer = temp_signer();
+            let signer = test_signer(SigningAlg::Ps256);
 
             // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commmits
             store.commit_claim(claim1).unwrap();
@@ -4507,7 +4521,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4581,7 +4595,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4655,7 +4669,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4721,7 +4735,7 @@ pub mod tests {
         let claim1 = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4765,7 +4779,7 @@ pub mod tests {
         let claim1 = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4809,7 +4823,7 @@ pub mod tests {
         let claim1 = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -4935,7 +4949,7 @@ pub mod tests {
     fn test_verifiable_credentials() {
         use crate::utils::test::create_test_store;
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // test adding to actual image
         let ap = fixture_path("earth_apollo17.jpg");
@@ -4973,7 +4987,7 @@ pub mod tests {
     fn test_data_box_creation() {
         use crate::utils::test::create_test_store;
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // test adding to actual image
         let ap = fixture_path("earth_apollo17.jpg");
@@ -5028,7 +5042,7 @@ pub mod tests {
     fn test_update_manifest() {
         use crate::{hashed_uri::HashedUri, utils::test::create_test_store};
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // test adding to actual image
         let ap = fixture_path("earth_apollo17.jpg");
@@ -5104,7 +5118,9 @@ pub mod tests {
         // replace the title that is inside the claim data - should cause signature to not match
         let report = patch_and_report("C.jpg", b"C.jpg", b"X.jpg");
         assert!(!report.logged_items().is_empty());
-        assert!(report.has_error(Error::CoseTimeStampMismatch));
+        assert!(report.has_error(Error::TimeStampError(
+            c2pa_crypto::time_stamp::TimeStampError::InvalidData
+        )));
         assert!(report.has_status(validation_status::TIMESTAMP_MISMATCH));
     }
 
@@ -5203,7 +5219,7 @@ pub mod tests {
         // Create a new claim.
         let claim1 = create_test_claim().unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list.
         store.commit_claim(claim1).unwrap();
@@ -5233,7 +5249,7 @@ pub mod tests {
         // Create a new claim.
         let claim1 = create_test_claim().unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         let result: Vec<u8> = Vec::new();
         let mut output_stream = Cursor::new(result);
@@ -5295,7 +5311,7 @@ pub mod tests {
         claim.set_external_manifest();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         store.commit_claim(claim).unwrap();
 
@@ -5332,7 +5348,7 @@ pub mod tests {
         let mut claim = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // start with base url
         let fp = format!("file:/{}", sidecar.to_str().unwrap());
@@ -5400,7 +5416,7 @@ pub mod tests {
         let mut claim = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // start with base url
         let fp = format!("file:/{}", sidecar.to_str().unwrap());
@@ -5452,7 +5468,7 @@ pub mod tests {
         let mut claim = create_test_claim().unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // start with base url
         let fp = format!("file:/{}", sidecar.to_str().unwrap());
@@ -5508,7 +5524,7 @@ pub mod tests {
         // Create a new claim.
         let claim1 = create_test_claim().unwrap();
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         store.commit_claim(claim1).unwrap();
 
@@ -5562,7 +5578,7 @@ pub mod tests {
         create_capture_claim(&mut claim_capture).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Move the claim to claims list. Note this is not real, the claims would have to be signed in between commits
         store.commit_claim(claim1).unwrap();
@@ -5632,7 +5648,7 @@ pub mod tests {
         store.commit_claim(claim).unwrap();
 
         // Do we generate JUMBF?
-        let signer = crate::openssl::temp_signer_async::AsyncSignerAdapter::new(SigningAlg::Ps256);
+        let signer = async_test_signer(SigningAlg::Ps256);
 
         // get the embeddable manifest
         let em = store
@@ -5718,7 +5734,7 @@ pub mod tests {
         store.commit_claim(claim).unwrap();
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // get the embeddable manifest
         let em = store
@@ -5781,12 +5797,12 @@ pub mod tests {
     #[cfg(feature = "file_io")]
     async fn test_datahash_embeddable_manifest_async() {
         // test adding to actual image
-
         use std::io::SeekFrom;
+
         let ap = fixture_path("cloud.jpg");
 
         // Do we generate JUMBF?
-        let signer = crate::openssl::temp_signer_async::AsyncSignerAdapter::new(SigningAlg::Ps256);
+        let signer = async_test_signer(SigningAlg::Ps256);
 
         // Create claims store.
         let mut store = Store::new();
@@ -5855,7 +5871,7 @@ pub mod tests {
         let ap = fixture_path("cloud.jpg");
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Create claims store.
         let mut store = Store::new();
@@ -5867,7 +5883,7 @@ pub mod tests {
 
         // get a placeholder the manifest
         let placeholder = store
-            .get_data_hashed_manifest_placeholder(signer.reserve_size(), "jpeg")
+            .get_data_hashed_manifest_placeholder(Signer::reserve_size(&signer), "jpeg")
             .unwrap();
 
         let temp_dir = tempfile::tempdir().unwrap();
@@ -5926,7 +5942,7 @@ pub mod tests {
         let mut hasher = Hasher::SHA256(Sha256::new());
 
         // Do we generate JUMBF?
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // Create claims store.
         let mut store = Store::new();
@@ -5938,7 +5954,7 @@ pub mod tests {
 
         // get a placeholder for the manifest
         let placeholder = store
-            .get_data_hashed_manifest_placeholder(signer.reserve_size(), "jpeg")
+            .get_data_hashed_manifest_placeholder(Signer::reserve_size(&signer), "jpeg")
             .unwrap();
 
         let temp_dir = tempfile::tempdir().unwrap();
@@ -6032,7 +6048,7 @@ pub mod tests {
     fn test_placed_manifest() {
         use crate::jumbf::labels::to_normalized_uri;
 
-        let signer = temp_signer();
+        let signer = test_signer(SigningAlg::Ps256);
 
         // test adding to actual image
         let ap = fixture_path("C.jpg");
@@ -6056,7 +6072,7 @@ pub mod tests {
         // get the embeddable manifest
         let mut input_stream = std::fs::File::open(ap).unwrap();
         let placed_manifest = store
-            .get_placed_manifest(signer.reserve_size(), "jpg", &mut input_stream)
+            .get_placed_manifest(Signer::reserve_size(&signer), "jpg", &mut input_stream)
             .unwrap();
 
         // insert manifest into output asset
@@ -6104,6 +6120,7 @@ pub mod tests {
     #[cfg(feature = "openssl_sign")]
     async fn test_dynamic_assertions() {
         use async_trait::async_trait;
+        use c2pa_crypto::raw_signature::AsyncRawSigner;
 
         #[derive(Serialize)]
         struct TestAssertion {
@@ -6142,64 +6159,47 @@ pub mod tests {
 
         /// This is an async signer wrapped around a local temp signer,
         /// that implements the dynamic assertion trait.
-        struct DynamicSigner {
-            alg: SigningAlg,
-            certs: Vec<Vec<u8>>,
-            reserve_size: usize,
-            tsa_url: Option<String>,
-            ocsp_val: Option<Vec<u8>>,
-        }
+        struct DynamicSigner(Box<dyn AsyncSigner>);
 
         impl DynamicSigner {
             fn new() -> Self {
-                let signer = temp_signer();
-                DynamicSigner {
-                    alg: signer.alg(),
-                    certs: signer.certs().unwrap_or_default(),
-                    reserve_size: signer.reserve_size(),
-                    tsa_url: signer.time_stamp_service_url(),
-                    ocsp_val: signer.ocsp_val(),
-                }
+                Self(async_test_signer(SigningAlg::Ps256))
             }
         }
 
         #[async_trait::async_trait]
         impl crate::AsyncSigner for DynamicSigner {
             async fn sign(&self, data: Vec<u8>) -> crate::error::Result<Vec<u8>> {
-                let signer = temp_signer();
-                signer.sign(&data)
+                self.0.sign(data).await
             }
 
             fn alg(&self) -> SigningAlg {
-                self.alg
+                self.0.alg()
             }
 
             fn certs(&self) -> crate::Result<Vec<Vec<u8>>> {
-                let mut output: Vec<Vec<u8>> = Vec::new();
-                for v in &self.certs {
-                    output.push(v.clone());
-                }
-                Ok(output)
+                self.0.certs()
             }
 
             fn reserve_size(&self) -> usize {
-                self.reserve_size
+                self.0.reserve_size()
+            }
+
+            fn time_authority_url(&self) -> Option<String> {
+                self.0.time_authority_url()
             }
 
             async fn ocsp_val(&self) -> Option<Vec<u8>> {
-                self.ocsp_val.clone()
+                self.0.ocsp_val().await
             }
 
             // Returns our dynamic assertion here.
             fn dynamic_assertions(&self) -> Vec<Box<dyn crate::DynamicAssertion>> {
                 vec![Box::new(TestDynamicAssertion {})]
             }
-        }
 
-        #[async_trait::async_trait]
-        impl c2pa_crypto::time_stamp::AsyncTimeStampProvider for DynamicSigner {
-            fn time_stamp_service_url(&self) -> Option<String> {
-                self.tsa_url.clone()
+            fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+                self.0.async_raw_signer()
             }
         }
 
@@ -6282,7 +6282,7 @@ pub mod tests {
                     store.commit_claim(claim).unwrap();
 
                     // Do we generate JUMBF?
-                    let signer = temp_signer();
+                    let signer = test_signer(SigningAlg::Ps256);
 
                     // add manifest based on
                     let new_output_path = output_path.join(init_dir.file_name().unwrap());
diff --git a/sdk/src/time_stamp.rs b/sdk/src/time_stamp.rs
deleted file mode 100644
index 2e6672780..000000000
--- a/sdk/src/time_stamp.rs
+++ /dev/null
@@ -1,163 +0,0 @@
-// Copyright 2022 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use async_generic::async_generic;
-use c2pa_crypto::{
-    asn1::rfc3161::TstInfo,
-    time_stamp::{verify_time_stamp, verify_time_stamp_async},
-};
-use coset::{sig_structure_data, ProtectedHeader};
-use serde::{Deserialize, Serialize};
-
-use crate::{
-    error::{Error, Result},
-    AsyncSigner, Signer,
-};
-
-// Generate TimeStamp signature according to https://datatracker.ietf.org/doc/html/rfc3161
-// using the specified Time Authority
-
-#[allow(dead_code)]
-pub(crate) fn cose_countersign_data(data: &[u8], p_header: &ProtectedHeader) -> Vec<u8> {
-    let aad: Vec<u8> = Vec::new();
-
-    // create sig_structure_data to be signed
-    sig_structure_data(
-        coset::SignatureContext::CounterSignature,
-        p_header.clone(),
-        None,
-        &aad,
-        data,
-    )
-}
-
-#[async_generic(
-    async_signature(
-        signer: &dyn AsyncSigner,
-        data: &[u8],
-        p_header: &ProtectedHeader,
-    ))]
-pub(crate) fn cose_timestamp_countersign(
-    signer: &dyn Signer,
-    data: &[u8],
-    p_header: &ProtectedHeader,
-) -> Option<Result<Vec<u8>>> {
-    // create countersignature with TimeStampReq parameters
-    // payload: data
-    // context "CounterSigner"
-    // certReq true
-    // algorithm sha256
-
-    // create sig data structure to be time stamped
-    let sd = cose_countersign_data(data, p_header);
-
-    if _sync {
-        timestamp_data(signer, &sd)
-    } else {
-        timestamp_data_async(signer, &sd).await
-    }
-}
-
-#[async_generic]
-pub(crate) fn cose_sigtst_to_tstinfos(
-    sigtst_cbor: &[u8],
-    data: &[u8],
-    p_header: &ProtectedHeader,
-) -> Result<Vec<TstInfo>> {
-    let tst_container: TstContainer =
-        serde_cbor::from_slice(sigtst_cbor).map_err(|_err| Error::CoseTimeStampGeneration)?;
-
-    let mut tstinfos: Vec<TstInfo> = Vec::new();
-
-    for token in &tst_container.tst_tokens {
-        let tbs = cose_countersign_data(data, p_header);
-        let tst_info = if _sync {
-            verify_time_stamp(&token.val, &tbs)?
-        } else {
-            verify_time_stamp_async(&token.val, &tbs).await?
-        };
-
-        tstinfos.push(tst_info);
-    }
-
-    if tstinfos.is_empty() {
-        Err(Error::NotFound)
-    } else {
-        Ok(tstinfos)
-    }
-}
-
-// Generate TimeStamp based on rfc3161 using "data" as MessageImprint and return raw TimeStampRsp bytes
-#[async_generic(async_signature(signer: &dyn AsyncSigner, data: &[u8]))]
-pub fn timestamp_data(signer: &dyn Signer, data: &[u8]) -> Option<Result<Vec<u8>>> {
-    if _sync {
-        signer
-            .send_time_stamp_request(data)
-            .map(|r| r.map_err(|e| e.into()))
-    } else {
-        signer
-            .send_time_stamp_request(data)
-            .await
-            .map(|r| r.map_err(|e| e.into()))
-        // TO DO: Fix bug in async_generic. This .await
-        // should be automatically removed.
-    }
-}
-
-pub fn gt_to_datetime(
-    gt: x509_certificate::asn1time::GeneralizedTime,
-) -> chrono::DateTime<chrono::Utc> {
-    gt.into()
-}
-
-#[derive(Deserialize, Serialize, Debug, PartialEq, Eq, Clone)]
-pub struct TstToken {
-    #[serde(with = "serde_bytes")]
-    pub val: Vec<u8>,
-}
-
-#[derive(Deserialize, Serialize, Debug, PartialEq, Eq, Clone)]
-pub struct TstContainer {
-    #[serde(rename = "tstTokens")]
-    pub tst_tokens: Vec<TstToken>,
-}
-
-impl TstContainer {
-    pub fn new() -> Self {
-        TstContainer {
-            tst_tokens: Vec::new(),
-        }
-    }
-
-    pub fn add_token(&mut self, token: TstToken) {
-        self.tst_tokens.push(token);
-    }
-}
-
-impl Default for TstContainer {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
-// Wrap rfc3161 TimeStampRsp in COSE sigTst object
-pub(crate) fn make_cose_timestamp(ts_data: &[u8]) -> TstContainer {
-    let token = TstToken {
-        val: ts_data.to_vec(),
-    };
-
-    let mut container = TstContainer::new();
-    container.add_token(token);
-
-    container
-}
diff --git a/sdk/src/trust_handler.rs b/sdk/src/trust_handler.rs
deleted file mode 100644
index 698524d7c..000000000
--- a/sdk/src/trust_handler.rs
+++ /dev/null
@@ -1,210 +0,0 @@
-// Copyright 2023 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use std::{
-    collections::HashSet,
-    io::{read_to_string, Cursor, Read},
-    panic::{RefUnwindSafe, UnwindSafe},
-    str::FromStr,
-};
-
-use asn1_rs::{oid, Oid};
-use c2pa_crypto::base64;
-
-use crate::{hash_utils::hash_sha256, Error, Result};
-
-pub(crate) static EMAIL_PROTECTION_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .4);
-pub(crate) static TIMESTAMPING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .8);
-pub(crate) static OCSP_SIGNING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .9);
-pub(crate) static DOCUMENT_SIGNING_OID: Oid<'static> = oid!(1.3.6 .1 .5 .5 .7 .3 .36);
-
-// Trait for supply configuration and handling of trust lists and EKU configuration store
-//
-// `RefUnwindSafe` + `UnwindSafe` were added to ensure `Store` is unwind safe and to preserve
-// backwards compatibility.
-pub(crate) trait TrustHandlerConfig: RefUnwindSafe + UnwindSafe + Sync + Send {
-    fn new() -> Self
-    where
-        Self: Sized;
-
-    // add trust anchors
-    fn load_trust_anchors_from_data(&mut self, trust_data: &mut dyn Read) -> Result<()>;
-
-    // add allowed list
-    fn load_allowed_list(&mut self, allowed_list: &mut dyn Read) -> Result<()>;
-
-    // append private trust anchors
-    fn append_private_trust_data(&mut self, private_anchors_data: &mut dyn Read) -> Result<()>;
-
-    // clear all entries in trust handler list
-    fn clear(&mut self);
-
-    // load EKU configuration
-    fn load_configuration(&mut self, config_data: &mut dyn Read) -> Result<()>;
-
-    // list off auxillary allowed EKU Oid
-    fn get_auxillary_ekus(&self) -> Vec<Oid>;
-
-    // list of all anchors
-    #[allow(dead_code)] // Only used in calls with allow dead_code
-    fn get_anchors(&self) -> Vec<Vec<u8>>;
-
-    // set of allowed cert hashes
-    #[allow(dead_code)] // Only used in calls with allow dead_code
-    fn get_allowed_list(&self) -> &HashSet<String>;
-}
-
-impl std::fmt::Debug for dyn TrustHandlerConfig {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "TrustHandler Installed")
-    }
-}
-
-pub(crate) fn has_allowed_oid<'a>(
-    eku: &x509_parser::extensions::ExtendedKeyUsage,
-    allowed_ekus: &'a [Oid],
-) -> Option<&'a Oid<'a>> {
-    if eku.email_protection {
-        return Some(&EMAIL_PROTECTION_OID);
-    }
-
-    if eku.time_stamping {
-        return Some(&TIMESTAMPING_OID);
-    }
-
-    if eku.ocsp_signing {
-        return Some(&OCSP_SIGNING_OID);
-    }
-
-    let mut last_oid = None;
-    if eku.other.iter().any(|v| {
-        allowed_ekus.iter().any(|oid| {
-            if oid.to_id_string() == v.to_id_string() {
-                last_oid = Some(oid);
-                true
-            } else {
-                false
-            }
-        })
-    }) {
-        return last_oid;
-    }
-    None
-}
-
-// load set of validation EKUs, ignoring unrecognized Oid lines
-#[allow(dead_code)]
-pub(crate) fn load_eku_configuration(config_data: &mut dyn Read) -> Result<Vec<String>> {
-    let mut oid_vec = Vec::new();
-
-    for line in read_to_string(config_data)?.lines() {
-        if Oid::from_str(line).is_ok() {
-            oid_vec.push(line.to_owned());
-        }
-    }
-    Ok(oid_vec)
-}
-
-pub(crate) fn load_trust_from_data(trust_data: &[u8]) -> Result<Vec<Vec<u8>>> {
-    let mut certs = Vec::new();
-
-    for pem_result in x509_parser::pem::Pem::iter_from_buffer(trust_data) {
-        let pem = pem_result.map_err(|_e| Error::CoseInvalidCert)?;
-        certs.push(pem.contents);
-    }
-    Ok(certs)
-}
-
-// Pass through trust for the case of claim signer usage since it has known trust with context
-// configured to all email protection, timestamping, ocsp signing and document signing
-#[derive(Debug)]
-pub(crate) struct TrustPassThrough {
-    allowed_cert_set: HashSet<String>,
-    config_store: Vec<u8>,
-}
-
-impl TrustHandlerConfig for TrustPassThrough {
-    fn new() -> Self
-    where
-        Self: Sized,
-    {
-        TrustPassThrough {
-            allowed_cert_set: HashSet::new(),
-            config_store: Vec::new(),
-        }
-    }
-
-    fn load_trust_anchors_from_data(&mut self, _trust_data: &mut dyn std::io::Read) -> Result<()> {
-        Ok(())
-    }
-
-    fn append_private_trust_data(
-        &mut self,
-        _private_anchors_data: &mut dyn std::io::Read,
-    ) -> Result<()> {
-        Ok(())
-    }
-
-    fn clear(&mut self) {}
-
-    fn load_configuration(&mut self, config_data: &mut dyn Read) -> Result<()> {
-        config_data.read_to_end(&mut self.config_store)?;
-        Ok(())
-    }
-
-    // list off auxillary allowed EKU Oid
-    fn get_auxillary_ekus(&self) -> Vec<Oid> {
-        let mut oids = Vec::new();
-        if let Ok(oid_strings) = load_eku_configuration(&mut Cursor::new(&self.config_store)) {
-            for oid_str in &oid_strings {
-                if let Ok(oid) = Oid::from_str(oid_str) {
-                    oids.push(oid);
-                }
-            }
-        }
-        if oids.is_empty() {
-            // return default
-            vec![
-                EMAIL_PROTECTION_OID.to_owned(),
-                TIMESTAMPING_OID.to_owned(),
-                OCSP_SIGNING_OID.to_owned(),
-                DOCUMENT_SIGNING_OID.to_owned(),
-            ]
-        } else {
-            oids
-        }
-    }
-
-    fn get_anchors(&self) -> Vec<Vec<u8>> {
-        Vec::new()
-    }
-
-    fn load_allowed_list(&mut self, allowed_list: &mut dyn std::io::prelude::Read) -> Result<()> {
-        let mut buffer = Vec::new();
-        allowed_list.read_to_end(&mut buffer)?;
-
-        if let Ok(cert_list) = load_trust_from_data(&buffer) {
-            for cert_der in &cert_list {
-                let cert_sha256 = hash_sha256(cert_der);
-                let cert_hash_base64 = base64::encode(&cert_sha256);
-
-                self.allowed_cert_set.insert(cert_hash_base64);
-            }
-        }
-        Ok(())
-    }
-
-    fn get_allowed_list(&self) -> &std::collections::HashSet<String> {
-        &self.allowed_cert_set
-    }
-}
diff --git a/sdk/src/utils/hash_utils.rs b/sdk/src/utils/hash_utils.rs
index 205477a8f..fec958b18 100644
--- a/sdk/src/utils/hash_utils.rs
+++ b/sdk/src/utils/hash_utils.rs
@@ -442,14 +442,6 @@ where
     }
 }
 
-/// Return a Sha256 hash of array of bytes
-#[allow(dead_code)]
-pub fn hash_sha256(data: &[u8]) -> Vec<u8> {
-    let mut hasher = Hasher::SHA256(Sha256::new());
-    hasher.update(data);
-    Hasher::finalize(hasher)
-}
-
 // Used by Merkle tree calculations to generate the pair wise hash
 pub fn concat_and_hash(alg: &str, left: &[u8], right: Option<&[u8]>) -> Vec<u8> {
     let mut temp = left.to_vec();
diff --git a/sdk/src/utils/io_utils.rs b/sdk/src/utils/io_utils.rs
index 2a8b6c9fe..4e89c4268 100644
--- a/sdk/src/utils/io_utils.rs
+++ b/sdk/src/utils/io_utils.rs
@@ -41,6 +41,41 @@ pub(crate) fn insert_data_at<R: Read + Seek, W: Write>(
     Ok(())
 }
 
+// Replace data at arbitrary location and len in a stream.
+// start_location is where the replacement data will start
+// replace_len is how many bytes from source to replaced starting a start_location
+// data is the data that will be inserted at start_location
+#[allow(dead_code)]
+pub(crate) fn patch_stream<R: Read + Seek + ?Sized, W: Write + ?Sized>(
+    source: &mut R,
+    dest: &mut W,
+    start_location: u64,
+    replace_len: u64,
+    data: &[u8],
+) -> Result<()> {
+    source.rewind()?;
+    let source_len = stream_len(source)?;
+
+    if start_location + replace_len > source_len {
+        return Err(Error::BadParam("read past end of source stream".into()));
+    }
+
+    let mut before_handle = source.take(start_location);
+
+    // copy data before start location
+    std::io::copy(&mut before_handle, dest)?;
+
+    // write out new data
+    dest.write_all(data)?;
+
+    // write out the rest of the source skipping the bytes we wanted to replace
+    let source = before_handle.into_inner();
+    source.seek(SeekFrom::Start(start_location + replace_len))?;
+    std::io::copy(source, dest)?;
+
+    Ok(())
+}
+
 // Returns length of the stream, stream position is preserved
 #[allow(dead_code)]
 pub(crate) fn stream_len<R: Read + Seek + ?Sized>(reader: &mut R) -> Result<u64> {
@@ -91,10 +126,10 @@ impl<R: Read + Seek> ReaderUtils for R {
 
         if old_pos
             .checked_add(data_len)
-            .ok_or(Error::BadParam("file read out of range".into()))?
+            .ok_or(Error::BadParam("source stream read out of range".into()))?
             > len
         {
-            return Err(Error::BadParam("read past file end".into()));
+            return Err(Error::BadParam("read past end of source stream".into()));
         }
 
         // make sure we can allocate vec
@@ -105,3 +140,76 @@ impl<R: Read + Seek> ReaderUtils for R {
         Ok(output)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    #![allow(clippy::expect_used)]
+    #![allow(clippy::unwrap_used)]
+
+    use std::io::Cursor;
+
+    //use env_logger;
+    use super::*;
+
+    #[test]
+    fn test_patch_stream() {
+        let source = "this is a very very good test";
+
+        // test truncation
+        let mut output = Vec::new();
+        patch_stream(&mut Cursor::new(source.as_bytes()), &mut output, 10, 5, &[]).unwrap();
+        assert_eq!(&output, "this is a very good test".as_bytes());
+
+        // test truncation with new data
+        let mut output = Vec::new();
+        patch_stream(
+            &mut Cursor::new(source.as_bytes()),
+            &mut output,
+            10,
+            14,
+            "so so".as_bytes(),
+        )
+        .unwrap();
+        assert_eq!(&output, "this is a so so test".as_bytes());
+
+        // test insertion, leaving existing data
+        let mut output = Vec::new();
+        patch_stream(
+            &mut Cursor::new(source.as_bytes()),
+            &mut output,
+            10,
+            0,
+            "very ".as_bytes(),
+        )
+        .unwrap();
+        assert_eq!(&output, "this is a very very very good test".as_bytes());
+
+        // test replacement of data
+        let mut output = Vec::new();
+        patch_stream(
+            &mut Cursor::new(source.as_bytes()),
+            &mut output,
+            0,
+            29,
+            "all new data".as_bytes(),
+        )
+        .unwrap();
+        assert_eq!(&output, "all new data".as_bytes());
+
+        // test removal of all data
+        let mut output = Vec::new();
+        patch_stream(&mut Cursor::new(source.as_bytes()), &mut output, 0, 29, &[]).unwrap();
+        assert_eq!(&output, "".as_bytes());
+
+        // test replacement of too much data
+        let mut output = Vec::new();
+        assert!(patch_stream(
+            &mut Cursor::new(source.as_bytes()),
+            &mut output,
+            10,
+            29,
+            &[],
+        )
+        .is_err());
+    }
+}
diff --git a/sdk/src/utils/mod.rs b/sdk/src/utils/mod.rs
index e63b3a037..5c2887a31 100644
--- a/sdk/src/utils/mod.rs
+++ b/sdk/src/utils/mod.rs
@@ -19,7 +19,6 @@ pub(crate) mod merkle;
 pub(crate) mod mime;
 #[allow(dead_code)] // for wasm build
 pub(crate) mod patch;
-pub(crate) mod sig_utils;
 #[cfg(feature = "add_thumbnails")]
 pub(crate) mod thumbnail;
 pub(crate) mod time_it;
@@ -29,3 +28,6 @@ pub(crate) mod xmp_inmemory_utils;
 #[cfg(test)]
 #[allow(dead_code)] // for wasm build
 pub mod test;
+
+#[cfg(test)]
+pub(crate) mod test_signer;
diff --git a/sdk/src/utils/test.rs b/sdk/src/utils/test.rs
index 8f15dfd10..c87da459a 100644
--- a/sdk/src/utils/test.rs
+++ b/sdk/src/utils/test.rs
@@ -20,11 +20,14 @@ use std::{
     path::PathBuf,
 };
 
-use c2pa_crypto::SigningAlg;
+use async_trait::async_trait;
+use c2pa_crypto::{
+    cose::{CertificateTrustPolicy, TimeStampStorage},
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
+    time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
+};
 use tempfile::TempDir;
 
-#[cfg(feature = "file_io")]
-use crate::create_signer;
 use crate::{
     assertions::{labels, Action, Actions, Ingredient, ReviewRating, SchemaDotOrg, Thumbnail},
     asset_io::CAIReadWrite,
@@ -33,12 +36,7 @@ use crate::{
     jumbf_io::get_assetio_handler,
     salt::DefaultSalt,
     store::Store,
-    RemoteSigner, Result, Signer,
-};
-#[cfg(feature = "openssl_sign")]
-use crate::{
-    openssl::{AsyncSignerAdapter, RsaSigner},
-    signer::ConfigurableSigner,
+    AsyncSigner, RemoteSigner, Result,
 };
 
 pub const TEST_SMALL_JPEG: &str = "earth_apollo17.jpg";
@@ -226,7 +224,7 @@ pub fn temp_fixture_path(temp_dir: &TempDir, file_name: &str) -> PathBuf {
 /// Can panic if the certs cannot be read. (This function should only
 /// be used as part of testing infrastructure.)
 #[cfg(feature = "file_io")]
-pub fn temp_signer_file() -> RsaSigner {
+pub fn temp_signer_file() -> Box<dyn crate::Signer> {
     #![allow(clippy::expect_used)]
     let mut sign_cert_path = fixture_path("certs");
     sign_cert_path.push("ps256");
@@ -236,10 +234,22 @@ pub fn temp_signer_file() -> RsaSigner {
     pem_key_path.push("ps256");
     pem_key_path.set_extension("pem");
 
-    RsaSigner::from_files(&sign_cert_path, &pem_key_path, SigningAlg::Ps256, None)
+    crate::create_signer::from_files(&sign_cert_path, &pem_key_path, SigningAlg::Ps256, None)
         .expect("get_temp_signer")
 }
 
+/// Create a [`CertificateTrustPolicy`] instance that has the test certificate bundles included.
+///
+/// [`CertificateTrustPolicy`]: c2pa_crypto::cose::CertificateTrustPolicy
+pub fn test_certificate_acceptance_policy() -> CertificateTrustPolicy {
+    let mut ctp = CertificateTrustPolicy::default();
+    ctp.add_trust_anchors(include_bytes!(
+        "../../tests/fixtures/certs/trust/test_cert_root_bundle.pem"
+    ))
+    .unwrap();
+    ctp
+}
+
 #[cfg(feature = "file_io")]
 pub fn write_jpeg_placeholder_file(
     placeholder: &[u8],
@@ -315,13 +325,39 @@ impl crate::Signer for TestGoodSigner {
     fn reserve_size(&self) -> usize {
         1024
     }
+
+    fn send_timestamp_request(&self, _message: &[u8]) -> Option<crate::error::Result<Vec<u8>>> {
+        Some(Ok(Vec::new()))
+    }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for TestGoodSigner {
+    fn sign(&self, _data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(b"not a valid signature".to_vec())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024
+    }
 }
 
-impl c2pa_crypto::time_stamp::TimeStampProvider for TestGoodSigner {
+impl TimeStampProvider for TestGoodSigner {
     fn send_time_stamp_request(
         &self,
         _message: &[u8],
-    ) -> Option<std::result::Result<Vec<u8>, c2pa_crypto::time_stamp::TimeStampError>> {
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
         Some(Ok(Vec::new()))
     }
 }
@@ -330,7 +366,7 @@ pub(crate) struct AsyncTestGoodSigner {}
 
 #[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
 #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
-impl crate::AsyncSigner for AsyncTestGoodSigner {
+impl AsyncSigner for AsyncTestGoodSigner {
     async fn sign(&self, _data: Vec<u8>) -> Result<Vec<u8>> {
         Ok(b"not a valid signature".to_vec())
     }
@@ -346,90 +382,48 @@ impl crate::AsyncSigner for AsyncTestGoodSigner {
     fn reserve_size(&self) -> usize {
         1024
     }
-}
 
-#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
-#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
-impl c2pa_crypto::time_stamp::AsyncTimeStampProvider for AsyncTestGoodSigner {
-    async fn send_time_stamp_request(
+    async fn send_timestamp_request(
         &self,
         _message: &[u8],
-    ) -> Option<std::result::Result<Vec<u8>, c2pa_crypto::time_stamp::TimeStampError>> {
+    ) -> Option<crate::error::Result<Vec<u8>>> {
         Some(Ok(Vec::new()))
     }
-}
 
-/// Create a [`Signer`] instance that can be used for testing purposes using ps256 alg.
-///
-/// # Returns
-///
-/// Returns a boxed [`Signer`] instance.
-#[cfg(test)]
-pub(crate) fn temp_signer() -> Box<dyn Signer> {
-    #[cfg(feature = "openssl_sign")]
-    {
-        #![allow(clippy::expect_used)]
-        let sign_cert = include_bytes!("../../tests/fixtures/certs/ps256.pub").to_vec();
-        let pem_key = include_bytes!("../../tests/fixtures/certs/ps256.pem").to_vec();
-
-        let signer = RsaSigner::from_signcert_and_pkey(
-            &sign_cert,
-            &pem_key,
-            SigningAlg::Ps256,
-            None, // Some("http://timestamp.digicert.com".into()),
-        )
-        .expect("get_temp_signer");
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
 
-        Box::new(signer)
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl AsyncRawSigner for AsyncTestGoodSigner {
+    async fn sign(&self, _data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Ok(b"not a valid signature".to_vec())
     }
 
-    // todo: the will be a RustTLS signer shortly
-    #[cfg(not(feature = "openssl_sign"))]
-    {
-        Box::new(TestGoodSigner {})
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
     }
-}
 
-#[cfg(any(target_arch = "wasm32", feature = "openssl_sign"))]
-pub fn temp_async_signer() -> Box<dyn crate::signer::AsyncSigner> {
-    #[cfg(feature = "openssl_sign")]
-    {
-        Box::new(AsyncSignerAdapter::new(SigningAlg::Es256))
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
     }
 
-    #[cfg(target_arch = "wasm32")]
-    {
-        let sign_cert = include_str!("../../tests/fixtures/certs/es256.pub");
-        let pem_key = include_str!("../../tests/fixtures/certs/es256.pem");
-        let signer = WebCryptoSigner::new("es256", sign_cert, pem_key);
-        Box::new(signer)
+    fn reserve_size(&self) -> usize {
+        1024
     }
 }
 
-/// Create a [`Signer`] instance for a specific algorithm that can be used for testing purposes.
-///
-/// # Returns
-///
-/// Returns a boxed [`Signer`] instance.
-///
-/// # Panics
-///
-/// Can panic if the certs cannot be read. (This function should only
-/// be used as part of testing infrastructure.)
-#[cfg(feature = "file_io")]
-pub fn temp_signer_with_alg(alg: SigningAlg) -> Box<dyn Signer> {
-    #![allow(clippy::expect_used)]
-    // sign and embed into the target file
-    let mut sign_cert_path = fixture_path("certs");
-    sign_cert_path.push(alg.to_string());
-    sign_cert_path.set_extension("pub");
-
-    let mut pem_key_path = fixture_path("certs");
-    pem_key_path.push(alg.to_string());
-    pem_key_path.set_extension("pem");
-
-    create_signer::from_files(sign_cert_path.clone(), pem_key_path, alg, None)
-        .expect("get_temp_signer_with_alg")
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl AsyncTimeStampProvider for AsyncTestGoodSigner {
+    async fn send_time_stamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
+        Some(Ok(Vec::new()))
+    }
 }
 
 struct TempRemoteSigner {}
@@ -438,15 +432,24 @@ struct TempRemoteSigner {}
 #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
 impl crate::signer::RemoteSigner for TempRemoteSigner {
     async fn sign_remote(&self, claim_bytes: &[u8]) -> crate::error::Result<Vec<u8>> {
-        #[cfg(feature = "openssl_sign")]
+        #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
         {
-            let signer =
-                crate::openssl::temp_signer_async::AsyncSignerAdapter::new(SigningAlg::Ps256);
+            let signer = crate::utils::test_signer::async_test_signer(SigningAlg::Ps256);
 
             // this would happen on some remote server
-            crate::cose_sign::cose_sign_async(&signer, claim_bytes, self.reserve_size(), 1).await
+            // TEMPORARY: Assume v1 until we plumb things through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                claim_bytes,
+                self.reserve_size(),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
-        #[cfg(all(not(feature = "openssl"), not(target_arch = "wasm32")))]
+        #[cfg(not(any(
+            target_arch = "wasm32",
+            all(feature = "openssl_sign", feature = "file_io")
+        )))]
         {
             use std::io::{Seek, Write};
 
@@ -462,7 +465,14 @@ impl crate::signer::RemoteSigner for TempRemoteSigner {
         {
             let signer = crate::wasm::RsaWasmSignerAsync::new();
 
-            crate::cose_sign::cose_sign_async(&signer, claim_bytes, self.reserve_size(), 1).await
+            // TEMPORARY: Assume V1 until we plumb more through.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                claim_bytes,
+                self.reserve_size(),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
     }
 
@@ -514,7 +524,7 @@ impl WebCryptoSigner {
 
 #[cfg(target_arch = "wasm32")]
 #[async_trait::async_trait(?Send)]
-impl crate::signer::AsyncSigner for WebCryptoSigner {
+impl AsyncSigner for WebCryptoSigner {
     fn alg(&self) -> SigningAlg {
         self.signing_alg
     }
@@ -564,17 +574,14 @@ impl crate::signer::AsyncSigner for WebCryptoSigner {
     fn reserve_size(&self) -> usize {
         10000
     }
-}
 
-#[cfg(target_arch = "wasm32")]
-#[async_trait::async_trait(?Send)]
-impl c2pa_crypto::time_stamp::AsyncTimeStampProvider for WebCryptoSigner {
-    async fn send_time_stamp_request(
-        &self,
-        _: &[u8],
-    ) -> Option<std::result::Result<Vec<u8>, c2pa_crypto::time_stamp::TimeStampError>> {
+    async fn send_timestamp_request(&self, _: &[u8]) -> Option<Result<Vec<u8>>> {
         None
     }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        unreachable!();
+    }
 }
 
 /// Create a [`RemoteSigner`] instance that can be used for testing purposes.
@@ -593,24 +600,41 @@ struct TempAsyncRemoteSigner {
 
 #[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
 #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
-impl crate::signer::AsyncSigner for TempAsyncRemoteSigner {
+impl AsyncSigner for TempAsyncRemoteSigner {
     // this will not be called but requires an implementation
     async fn sign(&self, claim_bytes: Vec<u8>) -> Result<Vec<u8>> {
-        #[cfg(feature = "openssl_sign")]
+        #[cfg(all(feature = "openssl_sign", feature = "file_io"))]
         {
-            let signer =
-                crate::openssl::temp_signer_async::AsyncSignerAdapter::new(SigningAlg::Ps256);
+            let signer = crate::utils::test_signer::async_test_signer(SigningAlg::Ps256);
 
             // this would happen on some remote server
-            crate::cose_sign::cose_sign_async(&signer, &claim_bytes, self.reserve_size(), 1).await
+            // TEMPORARY: Assume V1 until we plumb through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                &claim_bytes,
+                AsyncSigner::reserve_size(self),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
+
         #[cfg(target_arch = "wasm32")]
         {
             let signer = crate::wasm::rsa_wasm_signer::RsaWasmSignerAsync::new();
-            crate::cose_sign::cose_sign_async(&signer, &claim_bytes, self.reserve_size(), 1).await
+            // TEMPORARY: Assume V1 until we plumb through further.
+            crate::cose_sign::cose_sign_async(
+                &signer,
+                &claim_bytes,
+                AsyncRawSigner::reserve_size(self),
+                TimeStampStorage::V1_sigTst,
+            )
+            .await
         }
 
-        #[cfg(all(not(feature = "openssl"), not(target_arch = "wasm32")))]
+        #[cfg(not(any(
+            target_arch = "wasm32",
+            all(feature = "openssl_sign", feature = "file_io")
+        )))]
         {
             use std::io::{Seek, Write};
 
@@ -640,15 +664,46 @@ impl crate::signer::AsyncSigner for TempAsyncRemoteSigner {
     fn reserve_size(&self) -> usize {
         10000
     }
+
+    async fn send_timestamp_request(
+        &self,
+        _message: &[u8],
+    ) -> Option<crate::error::Result<Vec<u8>>> {
+        Some(Ok(Vec::new()))
+    }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
 }
 
-#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
-#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
-impl c2pa_crypto::time_stamp::AsyncTimeStampProvider for TempAsyncRemoteSigner {
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncRawSigner for TempAsyncRemoteSigner {
+    async fn sign(&self, _claim_bytes: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        unreachable!("Should not be called");
+    }
+
+    fn alg(&self) -> SigningAlg {
+        SigningAlg::Ps256
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(Vec::new())
+    }
+
+    fn reserve_size(&self) -> usize {
+        10000
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncTimeStampProvider for TempAsyncRemoteSigner {
     async fn send_time_stamp_request(
         &self,
         _message: &[u8],
-    ) -> Option<std::result::Result<Vec<u8>, c2pa_crypto::time_stamp::TimeStampError>> {
+    ) -> Option<std::result::Result<Vec<u8>, TimeStampError>> {
         Some(Ok(Vec::new()))
     }
 }
diff --git a/sdk/src/utils/test_signer.rs b/sdk/src/utils/test_signer.rs
new file mode 100644
index 000000000..5f3885999
--- /dev/null
+++ b/sdk/src/utils/test_signer.rs
@@ -0,0 +1,149 @@
+// Copyright 2022 Adobe. All rights reserved.
+// This file is licensed to you under the Apache License,
+// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// or the MIT license (http://opensource.org/licenses/MIT),
+// at your option.
+
+// Unless required by applicable law or agreed to in writing,
+// this software is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
+// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
+// specific language governing permissions and limitations under
+// each license.
+
+#![allow(clippy::unwrap_used)] // This mod is only used in test code.
+
+use async_trait::async_trait;
+use c2pa_crypto::raw_signature::{
+    async_signer_from_cert_chain_and_private_key, signer_from_cert_chain_and_private_key,
+    AsyncRawSigner, SigningAlg,
+};
+
+use crate::{signer::RawSignerWrapper, AsyncSigner, Result, Signer};
+
+/// Creates a [`Signer`] instance for testing purposes using test credentials.
+pub(crate) fn test_signer(alg: SigningAlg) -> Box<dyn Signer> {
+    let (cert_chain, private_key) = cert_chain_and_private_key_for_alg(alg);
+
+    Box::new(RawSignerWrapper(
+        signer_from_cert_chain_and_private_key(&cert_chain, &private_key, alg, None).unwrap(),
+    ))
+}
+
+/// Creates an [`AsyncSigner`] instance for testing purposes using test credentials.
+#[cfg(not(target_arch = "wasm32"))]
+pub(crate) fn async_test_signer(alg: SigningAlg) -> Box<dyn AsyncSigner + Sync + Send> {
+    let (cert_chain, private_key) = cert_chain_and_private_key_for_alg(alg);
+
+    Box::new(AsyncRawSignerWrapper(
+        async_signer_from_cert_chain_and_private_key(&cert_chain, &private_key, alg, None).unwrap(),
+    ))
+}
+
+/// Creates an [`AsyncSigner`] instance for testing purposes using test credentials.
+#[cfg(target_arch = "wasm32")]
+pub(crate) fn async_test_signer(alg: SigningAlg) -> Box<dyn AsyncSigner> {
+    let (cert_chain, private_key) = cert_chain_and_private_key_for_alg(alg);
+
+    Box::new(AsyncRawSignerWrapper(
+        async_signer_from_cert_chain_and_private_key(&cert_chain, &private_key, alg, None).unwrap(),
+    ))
+}
+
+fn cert_chain_and_private_key_for_alg(alg: SigningAlg) -> (Vec<u8>, Vec<u8>) {
+    match alg {
+        SigningAlg::Ps256 => (
+            include_bytes!("../../tests/fixtures/certs/ps256.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/ps256.pem").to_vec(),
+        ),
+
+        SigningAlg::Ps384 => (
+            include_bytes!("../../tests/fixtures/certs/ps384.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/ps384.pem").to_vec(),
+        ),
+
+        SigningAlg::Ps512 => (
+            include_bytes!("../../tests/fixtures/certs/ps512.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/ps512.pem").to_vec(),
+        ),
+
+        SigningAlg::Es256 => (
+            include_bytes!("../../tests/fixtures/certs/es256.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/es256.pem").to_vec(),
+        ),
+
+        SigningAlg::Es384 => (
+            include_bytes!("../../tests/fixtures/certs/es384.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/es384.pem").to_vec(),
+        ),
+
+        SigningAlg::Es512 => (
+            include_bytes!("../../tests/fixtures/certs/es512.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/es512.pem").to_vec(),
+        ),
+
+        SigningAlg::Ed25519 => (
+            include_bytes!("../../tests/fixtures/certs/ed25519.pub").to_vec(),
+            include_bytes!("../../tests/fixtures/certs/ed25519.pem").to_vec(),
+        ),
+
+        _ => unimplemented!("Unknown SigningAlg variant {alg:#?}"),
+    }
+}
+
+#[cfg(not(target_arch = "wasm32"))]
+struct AsyncRawSignerWrapper(Box<dyn AsyncRawSigner + Sync + Send>);
+
+#[allow(dead_code)] // TEMPORARY: Not used on WASM
+#[cfg(target_arch = "wasm32")]
+struct AsyncRawSignerWrapper(Box<dyn AsyncRawSigner>);
+
+#[allow(dead_code)] // TEMPORARY: Not used on WASM
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl AsyncSigner for AsyncRawSignerWrapper {
+    async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
+        self.0.sign(data).await.map_err(|e| e.into())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.0.alg()
+    }
+
+    fn certs(&self) -> Result<Vec<Vec<u8>>> {
+        self.0.cert_chain().map_err(|e| e.into())
+    }
+
+    fn reserve_size(&self) -> usize {
+        self.0.reserve_size()
+    }
+
+    async fn ocsp_val(&self) -> Option<Vec<u8>> {
+        self.0.ocsp_response().await
+    }
+
+    fn time_authority_url(&self) -> Option<String> {
+        self.0.time_stamp_service_url()
+    }
+
+    fn timestamp_request_headers(&self) -> Option<Vec<(String, String)>> {
+        self.0.time_stamp_request_headers()
+    }
+
+    fn timestamp_request_body(&self, message: &[u8]) -> Result<Vec<u8>> {
+        self.0
+            .time_stamp_request_body(message)
+            .map_err(|e| e.into())
+    }
+
+    async fn send_timestamp_request(&self, message: &[u8]) -> Option<Result<Vec<u8>>> {
+        self.0
+            .send_time_stamp_request(message)
+            .await
+            .map(|r| r.map_err(|e| e.into()))
+    }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(&*self.0)
+    }
+}
diff --git a/sdk/src/utils/xmp_inmemory_utils.rs b/sdk/src/utils/xmp_inmemory_utils.rs
index 5c2d2348e..1ddaa6d7f 100644
--- a/sdk/src/utils/xmp_inmemory_utils.rs
+++ b/sdk/src/utils/xmp_inmemory_utils.rs
@@ -26,7 +26,7 @@ use crate::{
 
 const RDF_DESCRIPTION: &[u8] = b"rdf:Description";
 
-pub const MIN_XMP: &str = r#"<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="" > </rdf:Description></rdf:RDF> </x:xmpmeta> "#;
+pub const MIN_XMP: &str = r#"<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about=""  xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmpMM:DocumentID="xmp.did:cb9f5498-bb58-4572-8043-8c369e6bfb9b" xmpMM:InstanceID="xmp.iid:cb9f5498-bb58-4572-8043-8c369e6bfb9b"> </rdf:Description></rdf:RDF></x:xmpmeta><?xpacket end="w"?>"#;
 
 #[derive(Default)]
 pub struct XmpInfo {
diff --git a/sdk/src/validation_results.rs b/sdk/src/validation_results.rs
index db2cee9f6..e8d899b3d 100644
--- a/sdk/src/validation_results.rs
+++ b/sdk/src/validation_results.rs
@@ -135,9 +135,7 @@ impl ValidationResultsMap {
 
         // This closure returns true if the URI references the store's active manifest.
         let is_active_manifest = |uri: Option<&str>| {
-            uri.map_or(false, |uri| {
-                manifest_label_from_uri(uri) == Some(active_manifest_label)
-            })
+            uri.is_some_and(|uri| manifest_label_from_uri(uri) == Some(active_manifest_label))
         };
 
         if is_active_manifest(status.url()) {
@@ -146,7 +144,7 @@ impl ValidationResultsMap {
                 .get_or_insert_with(StatusCodesMap::default);
             scm.add_status(status);
         } else {
-            let ingredient_url = status.url().unwrap_or("");
+            let ingredient_url = status.ingredient_uri().unwrap_or("NOT FOUND!!!");
             let ingredient_vec = self.ingredient_deltas.get_or_insert_with(Vec::new);
             match ingredient_vec
                 .iter_mut()
diff --git a/sdk/src/validation_status.rs b/sdk/src/validation_status.rs
index 68db975f7..4b28862de 100644
--- a/sdk/src/validation_status.rs
+++ b/sdk/src/validation_status.rs
@@ -44,6 +44,9 @@ pub struct ValidationStatus {
     #[serde(skip_serializing)]
     #[allow(dead_code)]
     success: Option<bool>, // deprecated in 2.x, allow reading for compatibility
+
+    #[serde(skip)]
+    ingredient_uri: Option<String>,
 }
 
 impl ValidationStatus {
@@ -53,6 +56,7 @@ impl ValidationStatus {
             url: None,
             explanation: None,
             success: None,
+            ingredient_uri: None,
         }
     }
 
@@ -77,12 +81,23 @@ impl ValidationStatus {
         self.explanation.as_deref()
     }
 
+    /// Returns the internal JUMBF reference to the Ingredient that was validated.
+    pub fn ingredient_uri(&self) -> Option<&str> {
+        self.ingredient_uri.as_deref()
+    }
+
     /// Sets the internal JUMBF reference to the entity was validated.
     pub fn set_url<S: Into<String>>(mut self, url: S) -> Self {
         self.url = Some(url.into());
         self
     }
 
+    /// Sets the internal JUMBF reference to the Ingredient that was validated.
+    pub fn set_ingredient_uri<S: Into<String>>(mut self, uri: S) -> Self {
+        self.ingredient_uri = Some(uri.into());
+        self
+    }
+
     /// Sets the human-readable description of the validation that was performed.
     pub(crate) fn set_explanation(mut self, explanation: String) -> Self {
         self.explanation = Some(explanation);
@@ -131,11 +146,15 @@ impl ValidationStatus {
     /// Creates a ValidationStatus from a validation_log item.
     pub(crate) fn from_validation_item(item: &LogItem) -> Option<Self> {
         match item.validation_status.as_ref() {
-            Some(status) => Some(
-                Self::new(status.to_string())
+            Some(status) => Some({
+                let mut vi = Self::new(status.to_string())
                     .set_url(item.label.to_string())
-                    .set_explanation(item.description.to_string()),
-            ),
+                    .set_explanation(item.description.to_string());
+                if let Some(ingredient_uri) = &item.ingredient_uri {
+                    vi = vi.set_ingredient_uri(ingredient_uri.to_string());
+                }
+                vi
+            }),
             // If we don't have a validation_status, then make one from the err_val
             // using the description plus error text explanation.
             None => item.err_val.as_ref().map(|e| {
@@ -174,9 +193,7 @@ pub fn validation_results_for_store(
 
         // This closure returns true if the URI references the store's active manifest.
         let is_active_manifest = |uri: Option<&str>| {
-            uri.map_or(false, |uri| {
-                jumbf::labels::manifest_label_from_uri(uri) == active_manifest
-            })
+            uri.is_some_and(|uri| jumbf::labels::manifest_label_from_uri(uri) == active_manifest)
         };
 
         // Convert any relative manifest urls found in ingredient validation statuses to absolute.
@@ -242,17 +259,6 @@ pub fn status_for_store(
 ) -> Vec<ValidationStatus> {
     let validation_results = validation_results_for_store(store, validation_log);
     validation_results.validation_errors().unwrap_or_default()
-    // let results = validation_results
-    //     .active_manifest()
-    //     .map_or_else(Vec::new, |m| m.failure().clone());
-    // let results2 = validation_results
-    //     .ingredient_deltas()
-    //     .map_or_else(Vec::new, |v| {
-    //         v.iter()
-    //             .flat_map(|i| i.validation_deltas().failure().clone())
-    //             .collect()
-    //     });
-    // results.into_iter().chain(results2).collect()
 }
 
 // -- unofficial status code --
diff --git a/sdk/src/wasm/mod.rs b/sdk/src/wasm/mod.rs
index dc929a189..2524d8c62 100644
--- a/sdk/src/wasm/mod.rs
+++ b/sdk/src/wasm/mod.rs
@@ -18,7 +18,3 @@ pub(crate) mod rsa_wasm_signer;
 pub(crate) use rsa_wasm_signer::RsaWasmSignerAsync;
 #[cfg(target_arch = "wasm32")]
 pub(crate) mod util;
-#[cfg(target_arch = "wasm32")]
-pub(crate) mod webpki_trust_handler;
-#[cfg(target_arch = "wasm32")]
-pub(crate) use webpki_trust_handler::WebTrustHandlerConfig;
diff --git a/sdk/src/wasm/rsa_wasm_signer.rs b/sdk/src/wasm/rsa_wasm_signer.rs
index 7c8f9b9d6..9d5802433 100644
--- a/sdk/src/wasm/rsa_wasm_signer.rs
+++ b/sdk/src/wasm/rsa_wasm_signer.rs
@@ -15,8 +15,8 @@ use core::str;
 
 use async_trait::async_trait;
 use c2pa_crypto::{
+    raw_signature::{AsyncRawSigner, RawSigner, RawSignerError, SigningAlg},
     time_stamp::{AsyncTimeStampProvider, TimeStampError, TimeStampProvider},
-    SigningAlg,
 };
 use rsa::{
     pkcs8::DecodePrivateKey,
@@ -115,9 +115,68 @@ impl Signer for RsaWasmSigner {
         self.alg
     }
 
+    fn time_authority_url(&self) -> Option<String> {
+        self.tsa_url.clone()
+    }
+
     fn ocsp_val(&self) -> Option<Vec<u8>> {
         None
     }
+
+    fn raw_signer(&self) -> Box<&dyn RawSigner> {
+        Box::new(self)
+    }
+}
+
+impl RawSigner for RsaWasmSigner {
+    fn sign(&self, data: &[u8]) -> std::result::Result<Vec<u8>, RawSignerError> {
+        let mut rng = rand::thread_rng();
+
+        match self.alg {
+            SigningAlg::Ps256 => {
+                let s = rsa::pss::SigningKey::<Sha256>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            SigningAlg::Ps384 => {
+                let s = SigningKey::<Sha384>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            SigningAlg::Ps512 => {
+                let s = SigningKey::<Sha512>::new(self.pkey.clone());
+
+                let sig = s.sign_with_rng(&mut rng, data);
+
+                Ok(sig.to_bytes().to_vec())
+            }
+            _ => {
+                return Err(RawSignerError::InternalError(
+                    "unsupported signature algorithm".to_string(),
+                ))
+            }
+        }
+    }
+
+    fn reserve_size(&self) -> usize {
+        1024 + self.certs_size + self.timestamp_size // the Cose_Sign1 contains complete certs and timestamps so account for size
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.signcerts.clone())
+    }
+
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
+
+    fn ocsp_response(&self) -> Option<Vec<u8>> {
+        None
+    }
 }
 
 impl TimeStampProvider for RsaWasmSigner {
@@ -279,14 +338,14 @@ impl RsaWasmSignerAsync {
     }
 }
 
-#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[async_trait(?Send)]
 impl AsyncSigner for RsaWasmSignerAsync {
     async fn sign(&self, data: Vec<u8>) -> Result<Vec<u8>> {
-        self.signer.sign(&data)
+        Signer::sign(&self.signer, &data)
     }
 
     fn alg(&self) -> SigningAlg {
-        self.signer.alg()
+        Signer::alg(&self.signer)
     }
 
     fn certs(&self) -> Result<Vec<Vec<u8>>> {
@@ -294,11 +353,38 @@ impl AsyncSigner for RsaWasmSignerAsync {
     }
 
     fn reserve_size(&self) -> usize {
-        self.signer.reserve_size()
+        Signer::reserve_size(&self.signer)
+    }
+
+    async fn send_timestamp_request(&self, _message: &[u8]) -> Option<Result<Vec<u8>>> {
+        None
+    }
+
+    fn async_raw_signer(&self) -> Box<&dyn AsyncRawSigner> {
+        Box::new(self)
+    }
+}
+
+#[async_trait(?Send)]
+impl AsyncRawSigner for RsaWasmSignerAsync {
+    async fn sign(&self, data: Vec<u8>) -> std::result::Result<Vec<u8>, RawSignerError> {
+        Signer::sign(&self.signer, &data).map_err(|e| RawSignerError::InternalError(e.to_string()))
+    }
+
+    fn alg(&self) -> SigningAlg {
+        Signer::alg(&self.signer)
+    }
+
+    fn cert_chain(&self) -> std::result::Result<Vec<Vec<u8>>, RawSignerError> {
+        Ok(self.signer.certs()?)
+    }
+
+    fn reserve_size(&self) -> usize {
+        Signer::reserve_size(&self.signer)
     }
 }
 
-#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[async_trait(?Send)]
 impl AsyncTimeStampProvider for RsaWasmSignerAsync {
     async fn send_time_stamp_request(
         &self,
@@ -308,12 +394,14 @@ impl AsyncTimeStampProvider for RsaWasmSignerAsync {
     }
 }
 
+unsafe impl Sync for RsaWasmSignerAsync {}
+
 #[allow(unused_imports)]
 #[allow(clippy::unwrap_used)]
 #[cfg(test)]
 mod tests {
     use asn1_rs::FromDer;
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use rsa::{
         pss::{Signature, VerifyingKey},
         sha2::{Digest, Sha256},
@@ -322,10 +410,7 @@ mod tests {
     };
 
     use super::*;
-    use crate::{
-        utils::test::{fixture_path, temp_signer},
-        Signer,
-    };
+    use crate::{utils::test::fixture_path, Signer};
 
     #[test]
     fn sign_ps256() {
@@ -338,9 +423,9 @@ mod tests {
 
         let data = b"some sample content to sign";
 
-        let sig = signer.sign(data).unwrap();
+        let sig = Signer::sign(&signer, data).unwrap();
         println!("signature len = {}", sig.len());
-        assert!(sig.len() <= signer.reserve_size());
+        assert!(sig.len() <= Signer::reserve_size(&signer));
 
         let sk = rsa::pss::SigningKey::<Sha256>::new(signer.pkey.clone());
         let vk = sk.verifying_key();
diff --git a/sdk/src/wasm/test_cert_root_bundle.pem b/sdk/src/wasm/test_cert_root_bundle.pem
deleted file mode 100644
index f6f257d8d..000000000
--- a/sdk/src/wasm/test_cert_root_bundle.pem
+++ /dev/null
@@ -1,174 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICEzCCAcWgAwIBAgIUW4fUnS38162x10PCnB8qFsrQuZgwBQYDK2VwMHcxCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdoZXJlMRowGAYD
-VQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9SIFRFU1RJTkdfT05M
-WTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2NDFaFw0zMjA2MDcxODQ2
-NDFaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdo
-ZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9SIFRF
-U1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAqMAUGAytlcAMhAGPUgK9q1H3D
-eKMGqLGjTXJSpsrLpe0kpxkaFMe7KUAuo2MwYTAdBgNVHQ4EFgQUXuZWArP1jiRM
-fgye6ZqRyGupTowwHwYDVR0jBBgwFoAUXuZWArP1jiRMfgye6ZqRyGupTowwDwYD
-VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwBQYDK2VwA0EA8E79g54u2fUy
-dfVLPyqKmtjenOUMvVQD7waNbetLY7kvUJZCd5eaDghk30/Q1RaNjiP/2RfA/it8
-zGxQnM2hCA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC2jCCAjygAwIBAgIUYm+LFaltpWbS9kED6RRAamOdUHowCgYIKoZIzj0EAwQw
-dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
-GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
-R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMyMDYw
-NzE4NDY0MFowdzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlT
-b21ld2hlcmUxGjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBG
-T1IgVEVTVElOR19PTkxZMRAwDgYDVQQDDAdSb290IENBMIGbMBAGByqGSM49AgEG
-BSuBBAAjA4GGAAQBaifSYJBkf5fgH3FWPxRdV84qwIsLd7RcIDcRJrRkan0xUYP5
-zco7R4fFGaQ9YJB8dauyqiNg00LVuPajvKmhgEMAT4eSfEhYC25F2ggXQlBIK3Q7
-mkXwJTIJSObnbw4S9Jy3W6OVKq351VpgWUcmhvGRRejW7S/D8L2tzqRW7JPI2uSj
-YzBhMB0GA1UdDgQWBBS6OykommTmfYoLJuPN4OU83wjPqjAfBgNVHSMEGDAWgBS6
-OykommTmfYoLJuPN4OU83wjPqjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBhjAKBggqhkjOPQQDBAOBiwAwgYcCQV4B6uKKoCWecEDlzj2xQLFPmnBQIOzD
-nyiSEcYyrCKwMV+HYS39oM+T53NvukLKUTznHwdWc9++HNaqc+IjsDl6AkIB2lXd
-5+s3xf0ioU91GJ4E13o5rpAULDxVSrN34A7BlsaXYQLnSkLMqva6E7nq2JBYjkqf
-iwNQm1DDcQPtPTnddOs=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICkTCCAhagAwIBAgIUIngKvNC/BMF3TRIafgweprIbGgAwCgYIKoZIzj0EAwMw
-dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
-GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
-R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMyMDYw
-NzE4NDY0MFowdzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlT
-b21ld2hlcmUxGjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBG
-T1IgVEVTVElOR19PTkxZMRAwDgYDVQQDDAdSb290IENBMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAEX3FzSTnCcEAP3wteNaiy4GZzZ+ABd2Y7gJpfyZf3kkCuX/I3psFq
-QBRvb3/FEBaDT4VbDNlZ0WLwtw5d3PI42Zufgpxemgfjf31d8H51eU3/IfAz5AFX
-y/OarhObHgVvo2MwYTAdBgNVHQ4EFgQUe+FK5t6/bQGIcGY6kkeIKTX/bJ0wHwYD
-VR0jBBgwFoAUe+FK5t6/bQGIcGY6kkeIKTX/bJ0wDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMDaQAwZgIxAPOgmJbVdhDh9KlgQXqE
-FzHiCt347JG4strk22MXzOgxQ0LnXStIh+viC3S1INzuBgIxAI1jiUBX/V7Gg0y6
-Y/p6a63Xp2w+ia7vlUaUBWsR3ex9NNSTPLNoDkoTCSDOE2O20w==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICUzCCAfmgAwIBAgIUdmkq4byvgk2FSnddHqB2yjoD68gwCgYIKoZIzj0EAwIw
-dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
-GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
-R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMyMDYw
-NzE4NDY0MFowdzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlT
-b21ld2hlcmUxGjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBG
-T1IgVEVTVElOR19PTkxZMRAwDgYDVQQDDAdSb290IENBMFkwEwYHKoZIzj0CAQYI
-KoZIzj0DAQcDQgAEre/KpcWwGEHt+mD4xso3xotRnRx2IEsMoYwVIKI7iEJrDEye
-PcvJuBywA0qiMw2yvAvGOzW/fqUTu1jABrFIk6NjMGEwHQYDVR0OBBYEFF6ZuIbh
-eBvZVxVadQBStikOy6iMMB8GA1UdIwQYMBaAFF6ZuIbheBvZVxVadQBStikOy6iM
-MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gA
-MEUCIHBC1xLwkCWSGhVXFlSnQBx9cGZivXzCbt8BuwRqPSUoAiEAteZQDk685yh9
-jgOTkp4H8oAmM1As+qlkRK2b+CHAQ3k=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIGezCCBC+gAwIBAgIUIYAhaM4iRhACFliU3bfLnLDvj3wwQQYJKoZIhvcNAQEK
-MDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMF
-AKIDAgFAMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
-IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MzVa
-Fw0zMjA2MDcxODQ2MzVaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
-A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
-A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
-KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglg
-hkgBZQMEAgMFAKIDAgFAA4ICDwAwggIKAoICAQCrjxW/KXQdtwOPKxjDFDxJaLvF
-Jz8EIG6EZZ1JG+SVo8FJlYjazbJWmyCEtmoKCb4pgeeLSltty+pgKHFqZug19eKk
-jb/fobN32iF3F3mKJ4/r9+VR5DSiXVMUGSI8i9s72OJu9iCGRsHftufDDVe+jGix
-BmacQMqYtmysRqo7tcAUPY8W4hrw5UhykjvJRNi9//nAMMm2BQdWyQj7JN4qnuhL
-1qtBZHJbNpo9U7DGHiZ5vE6rsJv68f1gM3RiVJsc71vm6gEDN5Rz3kXd1oMzsXwH
-8915SSx1hdmIwcikG5pZU4l9vBB+jTuev5Nm9u+WsMVYk6SE6fsTV3zKKQS67WKZ
-XvRkJmbkJf2xZgvUfPHuShQn0k810EFwimoA7kJtrzVE40PECHQwoq2kAs5M+6VY
-W2J1s1FQ49GaRH78WARSkV7SSpK+H1/L1oMbavtAoei81oLVrjPdCV4SoixSBzoR
-+64aQuSsBJD5vVjL1o37oizsc00mas+mR98TswAHtU4nVSxgZAPp9UuO64YdJ8e8
-bftwsoBKI+DTS+4xjQJhvYxI0Jya42PmP7mlwf7g8zTde1unI6TkaUnlvXdb3+2v
-EhhIQCKSN6HdXHQba9Q6/D1PhIaXBmp8ejziSXOoLfSKJ6cMsDOjIxyuM98admN6
-xjZJljVHAqZQynA2KQIDAQABo2MwYTAdBgNVHQ4EFgQUoa/88nSjWTf9DrvK0Imo
-kARXMYwwHwYDVR0jBBgwFoAUoa/88nSjWTf9DrvK0ImokARXMYwwDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
-ZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAA4ICAQAH
-SCSccH59/JvIMh92cvudtZ4tFzk0+xHWtDqsWxAyYWV009Eg3T6ps/bVbWkiLxCW
-cuExWjQ6yLKwJxegSvTRzwJ4H5xkP837UYIWNRoR3rgPrysm1im3Hjo/3WRCfOJp
-PtgkiPbDn2TzsJQcBpfc7RIdx2bqX41Uz9/nfeQn60MUVJUbvCtCBIV30UfR+z3k
-+w4G5doB4nq6jvQHI364L0gSQcdVdvqgjGyarNTdMHpWFYoN9gPBMoVqSNs2U75d
-LrEQkOhjkE/Akw6q+biFmRWymCHjAU9l7qGEvVxLjFGc+DumCJ6gTunMz8GiXgbd
-9oiqTyanY8VPzr98MZpo+Ga4OiwiIAXAJExN2vCZVco2Tg5AYESpWOqoHlZANdlQ
-4bI25LcZUKuXe+NGRgFY0/8iSvy9Cs44uprUcjAMITODqYj8fCjF2P6qqKY2keGW
-mYBtNJqyYGBg6h+90o88XkgemeGX5vhpRLWyBaYpxanFDkXjmGN1QqjAE/x95Q/u
-y9McE9m1mxUQPJ3vnZRB6cCQBI95ZkTiJPEO8/eSD+0VWVJwLS2UrtWzCbJ+JPKF
-Yxtj/MRT8epTRPMpNZwUEih7MEby+05kziKmYF13OOu+K3jjM0rb7sVoFBSzpISC
-r9Fa3LCdekoRZAnjQHXUWko7zo6BLLnCgld97Yem1A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIGezCCBC+gAwIBAgIUA9/dd4gqhU9+6ncE2uFrS3s5xg8wQQYJKoZIhvcNAQEK
-MDSgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIF
-AKIDAgEwMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
-IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2Mjla
-Fw0zMjA2MDcxODQ2MjlaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
-A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
-A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
-KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglg
-hkgBZQMEAgIFAKIDAgEwA4ICDwAwggIKAoICAQCpWg62bB2Dn3W9PtLtkJivh8ng
-31ekgz0FYzelDag4gQkmJFkiWBiIbVTj3aJUt+1n5PrxkamzANq+xKxhP49/IbHF
-VptmHuGORtvGi5qa51i3ZRYeUPekqKIGY0z6t3CGmJxYt1mMsvY6L67/3AATGrsK
-Ubf+FFls+3FqbaWXL/oRuuBk6S2qH8NCfSMpaoQN9v0wipL2cl9XZrL1W/DzwQXT
-KIin/DdWhCFDRWwI6We3Pu52k/AH5VFHrJMLmm5dVnMvQQDxf/08ULQAbISPkOMm
-Ik3Wtn8xRAbnsw4BQw3RcaxYZHSikm5JA4AJcPMb8J/cfn5plXLoH0nJUAJfV+y5
-zVm6kshhDhfkOkJ0822B54yFfI1lkyFw9mmHt0cNkSHODbMmPbq78DZILA9RWubO
-3m7j8T3OmrilcH6S6BId1G/9mAzjhVSP9P/d/QJhADgWKjcQZQPHadaMbTFHpCFb
-klIOwqraYhxQt3E8yWjkgEjhfkAGwvp/bO8XMcu4XL6Z0uHtKiBFncASrgsR7/yN
-TpO0A6Grr9DTGFcwvvgvRmMPVntiCP+dyVv1EzlsYG/rkI79UJOg/UqyB2voshsI
-mFBuvvWcJYws87qZ6ZhEKuS9yjyTObOcXi0oYvAxDfv10mSjat3Uohm7Bt9VI1Xr
-nUBx0EhMKkhtUDaDzQIDAQABo2MwYTAdBgNVHQ4EFgQU1onD7yR1uK85o0RFeVCE
-QM11S58wHwYDVR0jBBgwFoAU1onD7yR1uK85o0RFeVCEQM11S58wDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
-ZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIDAgEwA4ICAQBd
-N+WgIQV4l+U/qLoWZYoTXmxg6rzTl2zr4s2goc6CVYXXKoDkap8y4zZ9AdH8pbZn
-pMZrJSmNdfuNUFjnJAyKyOJWyx1oX2NCg8voIAdJxhPJNn4bRhDQ8gFv7OEhshEm
-V0O0xXc08473fzLJEq8hYPtWuPEtS65umJh4A0dENYsm50rnIut9bacmBXJjGgwe
-3sz5oCr9YVCNDG7JDfaMuwWWZKhKZBbY0DsacxSV7AYz/DoYdZ9qLCNNuMmLuV6E
-lrHo5imbQdcsBt11Fxq1AFz3Bfs9r6xBsnn7vGT6xqpBJIivo3BahsOI8Bunbze8
-N4rJyxbsJE3MImyBaYiwkh+oV5SwMzXQe2DUj4FWR7DfZNuwS9qXpaVQHRR74qfr
-w2RSj6nbxlIt/X193d8rqJDpsa/eaHiv2ihhvwnhI/c4TjUvDIefMmcNhqiH7A2G
-FwlsaCV6ngT1IyY8PT+Fb97f5Bzvwwfr4LfWsLOiY8znFcJ28YsrouJdca4Zaa7Q
-XwepSPbZ7rDvlVETM7Ut5tymDR3+7of47qIPLuCGxo21FELseJ+hYhSRXSgvMzDG
-sUxc9Tb1++E/Qf3bFfG5S2NSKkUuWtAveblQPfqDcyBhXDaC8qwuknb5gs1jNOku
-4NWbaM874WvCgmv8TLcqpR0n76bTkfppMRcD5MEFug==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIGezCCBC+gAwIBAgIUDAG5+sfGspprX+hlkn1SuB2f5VQwQQYJKoZIhvcNAQEK
-MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
-AKIDAgEgMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29t
-ZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcGA1UECwwQRk9S
-IFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjA2MTAxODQ2MjVa
-Fw0zMjA2MDcxODQ2MjVaMHcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
-A1UEBwwJU29tZXdoZXJlMRowGAYDVQQKDBFDMlBBIFRlc3QgUm9vdCBDQTEZMBcG
-A1UECwwQRk9SIFRFU1RJTkdfT05MWTEQMA4GA1UEAwwHUm9vdCBDQTCCAlYwQQYJ
-KoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
-hkgBZQMEAgEFAKIDAgEgA4ICDwAwggIKAoICAQC4q3t327HRHDs7Y9NR+ZqernwU
-bZ1EiEBR8vKTZ9StXmSfkzgSnvVfsFanvrKuZvFIWq909t/gH2z0klI2ZtChwLi6
-TFYXQjzQt+x5CpRcdWnB9zfUhOpdUHAhRd03Q14H2MyAiI98mqcVreQOiLDydlhP
-Dla7Ign4PqedXBH+NwUCEcbQIEr2LvkZ5fzX1GzBtqymClT/Gqz75VO7zM1oV4gq
-ElFHLsTLgzv5PR7pydcHauoTvFWhZNgz5s3olXJDKG/n3h0M3vIsjn11OXkcwq99
-Ne5Nm9At2tC1w0Huu4iVdyTLNLIAfM368ookf7CJeNrVJuYdERwLwICpetYvOnid
-VTLSDt/YK131pR32XCkzGnrIuuYBm/k6IYgNoWqUhojGJai6o5hI1odAzFIWr9T0
-sa9f66P6RKl4SUqa/9A/uSS8Bx1gSbTPBruOVm6IKMbRZkSNN/O8dgDa1OftYCHD
-blCCQh9DtOSh6jlp9I6iOUruLls7d4wPDrstPefi0PuwsfWAg4NzBtQ3uGdzl/lm
-yusq6g94FVVq4RXHN/4QJcitE9VPpzVuP41aKWVRM3X/q11IH80rtaEQt54QMJwi
-sIv4eEYW3TYY9iQtq7Q7H9mcz60ClJGYQJvd1DR7lA9LtUrnQJIjNY9v6OuHVXEX
-EFoDH0viraraHozMdwIDAQABo2MwYTAdBgNVHQ4EFgQURW8b4nQuZgIteSw5+foy
-TZQrGVAwHwYDVR0jBBgwFoAURW8b4nQuZgIteSw5+foyTZQrGVAwDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgB
-ZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4ICAQBB
-WnUOG/EeQoisgC964H5+ns4SDIYFOsNeksJM3WAd0yG2L3CEjUksUYugQzB5hgh4
-BpsxOajrkKIRxXN97hgvoWwbA7aySGHLgfqH1vsGibOlA5tvRQX0WoQ+GMnuliVM
-pLjpHdYE2148DfgaDyIlGnHpc4gcXl7YHDYcvTN9NV5Y4P4x/2W/Lh11NC/VOSM9
-aT+jnFE7s7VoiRVfMN2iWssh2aihecdE9rs2w+Wt/E/sCrVClCQ1xaAO1+i4+mBS
-a7hW+9lrQKSx2bN9c8K/CyXgAcUtutcIh5rgLm2UWOaB9It3iw0NVaxwyAgWXC9F
-qYJsnia4D3AP0TJL4PbpNUaA4f2H76NODtynMfEoXSoG3TYYpOYKZ65lZy3mb26w
-fvBfrlASJMClqdiEFHfGhP/dTAZ9eC2cf40iY3ta84qSJybSYnqst8Vb/Gn+dYI9
-qQm0yVHtJtvkbZtgBK5Vg6f5q7I7DhVINQJUVlWzRo6/Vx+/VBz5tC5aVDdqtBAs
-q6ZcYS50ECvK/oGnVxjpeOafGvaV2UroZoGy7p7bEoJhqOPrW2yZ4JVNp9K6CCRg
-zR6jFN/gUe42P1lIOfcjLZAM1GHixtjP5gLAp6sJS8X05O8xQRBtnOsEwNLj5w0y
-MAdtwAzT/Vfv7b08qfx4FfQPFmtjvdu4s82gNatxSA==
------END CERTIFICATE-----
diff --git a/sdk/src/wasm/webpki_trust_handler.rs b/sdk/src/wasm/webpki_trust_handler.rs
deleted file mode 100644
index d8c3d8eeb..000000000
--- a/sdk/src/wasm/webpki_trust_handler.rs
+++ /dev/null
@@ -1,676 +0,0 @@
-// Copyright 2023 Adobe. All rights reserved.
-// This file is licensed to you under the Apache License,
-// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
-// or the MIT license (http://opensource.org/licenses/MIT),
-// at your option.
-
-// Unless required by applicable law or agreed to in writing,
-// this software is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
-// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
-// specific language governing permissions and limitations under
-// each license.
-
-use std::{
-    collections::HashSet,
-    io::{BufRead, BufReader, Cursor, Read},
-    str::FromStr,
-};
-
-use asn1_rs::{nom::AsBytes, Any, Class, Header, Tag};
-use c2pa_crypto::{
-    base64, raw_signature::RawSignatureValidationError, webcrypto::async_validator_for_signing_alg,
-    SigningAlg,
-};
-use x509_parser::{
-    der_parser::der::{parse_der_integer, parse_der_sequence_of},
-    prelude::*,
-};
-
-use crate::{
-    cose_validator::*,
-    error::{Error, Result},
-    hash_utils::{hash_sha256, vec_compare},
-    trust_handler::{
-        has_allowed_oid, load_eku_configuration, load_trust_from_data, TrustHandlerConfig,
-    },
-};
-
-// Struct to handle verification of trust chains using WebPki
-pub(crate) struct WebTrustHandlerConfig {
-    pub trust_anchors: Vec<Vec<u8>>,
-    pub private_anchors: Vec<Vec<u8>>,
-    allowed_cert_set: HashSet<String>,
-    config_store: Vec<u8>,
-}
-
-impl std::fmt::Debug for WebTrustHandlerConfig {
-    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
-        write!(
-            f,
-            "{} trust anchors, {} private anchors.",
-            self.trust_anchors.len(),
-            self.private_anchors.len()
-        )
-    }
-}
-
-impl WebTrustHandlerConfig {
-    pub fn load_default_trust(&mut self) -> Result<()> {
-        // load config store
-        let config = include_bytes!("./store.cfg");
-        let mut config_reader = Cursor::new(config);
-        self.load_configuration(&mut config_reader)?;
-
-        // load debug/test private trust anchors
-        if cfg!(test) {
-            let pa = include_bytes!("./test_cert_root_bundle.pem");
-            let mut pa_reader = Cursor::new(pa);
-
-            self.append_private_trust_data(&mut pa_reader)?;
-        }
-
-        Ok(())
-    }
-}
-
-impl TrustHandlerConfig for WebTrustHandlerConfig {
-    fn new() -> Self {
-        let mut th = WebTrustHandlerConfig {
-            trust_anchors: Vec::new(),
-            private_anchors: Vec::new(),
-            allowed_cert_set: HashSet::new(),
-            config_store: Vec::new(),
-        };
-
-        if th.load_default_trust().is_err() {
-            th.clear(); // just use empty trust handler to fail automatically
-        }
-
-        th
-    }
-
-    // add trust anchors
-    fn load_trust_anchors_from_data(&mut self, trust_data_reader: &mut dyn Read) -> Result<()> {
-        let mut trust_data = Vec::new();
-        trust_data_reader.read_to_end(&mut trust_data)?;
-
-        let mut anchors = load_trust_from_data(&trust_data)?;
-        self.trust_anchors.append(&mut anchors);
-        Ok(())
-    }
-
-    // append private trust anchors
-    fn append_private_trust_data(&mut self, private_anchors_reader: &mut dyn Read) -> Result<()> {
-        let mut private_anchors_data = Vec::new();
-        private_anchors_reader.read_to_end(&mut private_anchors_data)?;
-
-        let mut anchors = load_trust_from_data(&private_anchors_data)?;
-        self.private_anchors.append(&mut anchors);
-
-        Ok(())
-    }
-
-    fn clear(&mut self) {
-        self.trust_anchors = Vec::new();
-        self.private_anchors = Vec::new();
-    }
-
-    // load EKU configuration
-    fn load_configuration(&mut self, config_data: &mut dyn Read) -> Result<()> {
-        config_data.read_to_end(&mut self.config_store)?;
-        Ok(())
-    }
-
-    // list off auxillary allowed EKU Oid
-    fn get_auxillary_ekus(&self) -> Vec<asn1_rs::Oid> {
-        let mut oids = Vec::new();
-        if let Ok(oid_strings) = load_eku_configuration(&mut Cursor::new(&self.config_store)) {
-            for oid_str in &oid_strings {
-                if let Ok(oid) = asn1_rs::Oid::from_str(oid_str) {
-                    oids.push(oid);
-                }
-            }
-        }
-        oids
-    }
-
-    fn get_anchors(&self) -> Vec<Vec<u8>> {
-        let mut anchors = Vec::new();
-
-        anchors.append(&mut self.trust_anchors.clone());
-        anchors.append(&mut self.private_anchors.clone());
-
-        anchors
-    }
-
-    // add allowed list entries
-    fn load_allowed_list(&mut self, allowed_list: &mut dyn Read) -> Result<()> {
-        let mut buffer = Vec::new();
-        allowed_list.read_to_end(&mut buffer)?;
-
-        if let Ok(cert_list) = load_trust_from_data(&buffer) {
-            for cert_der in &cert_list {
-                let cert_sha256 = hash_sha256(cert_der);
-                let cert_hash_base64 = base64::encode(&cert_sha256);
-
-                self.allowed_cert_set.insert(cert_hash_base64);
-            }
-        }
-
-        // try to load the of base64 encoded encoding of the sha256 hash of the certificate DER encoding
-        let reader = Cursor::new(buffer);
-        let buf_reader = BufReader::new(reader);
-
-        let mut inside_cert_block = false;
-        for l in buf_reader.lines().flatten() {
-            if l.contains("-----BEGIN") {
-                inside_cert_block = true;
-            }
-            if l.contains("-----END") {
-                inside_cert_block = false;
-            }
-
-            // sanity check that data is base64 encoded and outside of certificate block
-            if !inside_cert_block && base64::decode(&l).is_ok() && !l.is_empty() {
-                self.allowed_cert_set.insert(l);
-            }
-        }
-
-        Ok(())
-    }
-
-    // set of allowed cert hashes
-    fn get_allowed_list(&self) -> &HashSet<String> {
-        &self.allowed_cert_set
-    }
-}
-
-fn find_allowed_eku<'a>(
-    cert_der: &'a [u8],
-    allowed_ekus: &'a Vec<asn1_rs::Oid<'a>>,
-) -> Option<&'a asn1_rs::Oid<'a>> {
-    if let Ok((_rem, cert)) = X509Certificate::from_der(cert_der) {
-        if let Ok(Some(eku)) = cert.extended_key_usage() {
-            if let Some(o) = has_allowed_oid(eku.value, allowed_ekus) {
-                return Some(o);
-            }
-        }
-    }
-    None
-}
-fn cert_signing_alg(cert: &x509_parser::certificate::X509Certificate) -> Option<String> {
-    let cert_alg = cert.signature_algorithm.algorithm.clone();
-
-    let signing_alg = if cert_alg == SHA256_WITH_RSAENCRYPTION_OID {
-        "rsa256".to_string()
-    } else if cert_alg == SHA384_WITH_RSAENCRYPTION_OID {
-        "rsa384".to_string()
-    } else if cert_alg == SHA512_WITH_RSAENCRYPTION_OID {
-        "rsa512".to_string()
-    } else if cert_alg == ECDSA_WITH_SHA256_OID {
-        SigningAlg::Es256.to_string()
-    } else if cert_alg == ECDSA_WITH_SHA384_OID {
-        SigningAlg::Es384.to_string()
-    } else if cert_alg == ECDSA_WITH_SHA512_OID {
-        SigningAlg::Es512.to_string()
-    } else if cert_alg == RSASSA_PSS_OID {
-        if let Some(parameters) = &cert.signature_algorithm.parameters {
-            let seq = match parameters.as_sequence() {
-                Ok(s) => s,
-                Err(_) => return None,
-            };
-
-            let (_i, (ha_alg, mgf_ai)) = match seq.parse(|i| {
-                let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
-                if h.class() != Class::ContextSpecific || h.tag() != Tag(0) {
-                    return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
-                }
-
-                let (i, ha_alg) = AlgorithmIdentifier::from_der(i)
-                    .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
-
-                let (i, h) = <Header as asn1_rs::FromDer>::from_der(i)?;
-                if h.class() != Class::ContextSpecific || h.tag() != Tag(1) {
-                    return Err(nom::Err::Error(asn1_rs::Error::BerValueError));
-                }
-
-                let (i, mgf_ai) = AlgorithmIdentifier::from_der(i)
-                    .map_err(|_| nom::Err::Error(asn1_rs::Error::BerValueError))?;
-
-                // Ignore anything that follows these two parameters.
-
-                Ok((i, (ha_alg, mgf_ai)))
-            }) {
-                Ok((ii, (h, m))) => (ii, (h, m)),
-                Err(_) => return None,
-            };
-
-            let mgf_ai_parameters = match mgf_ai.parameters {
-                Some(m) => m,
-                None => return None,
-            };
-
-            let mgf_ai_parameters = match mgf_ai_parameters.as_sequence() {
-                Ok(m) => m,
-                Err(_) => return None,
-            };
-
-            let (_i, mgf_ai_params_algorithm) =
-                match <Any as asn1_rs::FromDer>::from_der(&mgf_ai_parameters.content) {
-                    Ok((i, m)) => (i, m),
-                    Err(_) => return None,
-                };
-
-            let mgf_ai_params_algorithm = match mgf_ai_params_algorithm.as_oid() {
-                Ok(m) => m,
-                Err(_) => return None,
-            };
-
-            // must be the same
-            if ha_alg.algorithm.to_id_string() != mgf_ai_params_algorithm.to_id_string() {
-                return None;
-            }
-
-            // check for one of the mandatory types
-            if ha_alg.algorithm == SHA256_OID {
-                "ps256".to_string()
-            } else if ha_alg.algorithm == SHA384_OID {
-                "ps384".to_string()
-            } else if ha_alg.algorithm == SHA512_OID {
-                "ps512".to_string()
-            } else {
-                return None;
-            }
-        } else {
-            return None;
-        }
-    } else if cert_alg == ED25519_OID {
-        SigningAlg::Ed25519.to_string()
-    } else {
-        return None;
-    };
-
-    Some(signing_alg)
-}
-
-async fn verify_data(
-    cert_der: Vec<u8>,
-    sig_alg: Option<String>,
-    sig: Vec<u8>,
-    data: Vec<u8>,
-) -> Result<bool> {
-    use x509_parser::prelude::*;
-
-    let (_, cert) =
-        X509Certificate::from_der(cert_der.as_bytes()).map_err(|_e| Error::CoseCertUntrusted)?;
-
-    let certificate_public_key = cert.public_key();
-
-    let Some(cert_alg_string) = sig_alg else {
-        return Err(Error::BadParam("unknown alg processing cert".to_string()));
-    };
-
-    let signing_alg: SigningAlg = cert_alg_string
-        .parse()
-        .map_err(|_| Error::UnknownAlgorithm)?;
-
-    // Not sure this is needed any more. Leaving this for now, but I think this should be handled in c2pa_crypto's raw signature code.
-    let adjusted_sig = if cert_alg_string.starts_with("es") {
-        match der_to_p1363(&sig, signing_alg) {
-            Some(p1363) => p1363,
-            None => sig,
-        }
-    } else {
-        sig
-    };
-
-    let Some(validator) = async_validator_for_signing_alg(signing_alg) else {
-        return Err(Error::UnknownAlgorithm);
-    };
-
-    let result = validator
-        .validate_async(&adjusted_sig, &data, certificate_public_key.raw.as_ref())
-        .await;
-
-    match result {
-        Ok(()) => Ok(true),
-        Err(RawSignatureValidationError::SignatureMismatch) => Ok(false),
-        Err(err) => Err(err.into()),
-    }
-}
-
-// convert der signatures to P1363 format: r | s
-fn der_to_p1363(data: &[u8], alg: SigningAlg) -> Option<Vec<u8>> {
-    // handle if this is a der sequence
-    if let Ok((_, bo)) = parse_der_sequence_of(parse_der_integer)(data) {
-        let seq = bo.as_sequence().ok()?;
-
-        if seq.len() != 2 {
-            return None;
-        }
-
-        let rp = seq[0].as_bigint().ok()?;
-        let sp = seq[1].as_bigint().ok()?;
-
-        let mut r = rp.to_str_radix(16);
-        let mut s = sp.to_str_radix(16);
-
-        let sig_len: usize = match alg {
-            SigningAlg::Es256 => 64,
-            SigningAlg::Es384 => 96,
-            SigningAlg::Es512 => 132,
-            _ => return None,
-        };
-
-        // pad or truncate as needed
-        let rp = if r.len() > sig_len {
-            // truncate
-            let offset = r.len() - sig_len;
-            &r[offset..r.len()]
-        } else {
-            // pad
-            while r.len() != sig_len {
-                r.insert(0, '0');
-            }
-            r.as_ref()
-        };
-
-        let sp = if s.len() > sig_len {
-            // truncate
-            let offset = s.len() - sig_len;
-            &s[offset..s.len()]
-        } else {
-            // pad
-            while s.len() != sig_len {
-                s.insert(0, '0');
-            }
-            s.as_ref()
-        };
-
-        if rp.len() != sig_len || rp.len() != sp.len() {
-            return None;
-        }
-
-        // merge r and s strings
-        let mut new_sig = rp.to_string();
-        new_sig.push_str(sp);
-
-        // convert back from hex string to byte array
-        let result = (0..new_sig.len())
-            .step_by(2)
-            .map(|i| {
-                u8::from_str_radix(&new_sig[i..i + 2], 16)
-                    .map_err(|_err| crate::Error::InvalidEcdsaSignature)
-            })
-            .collect();
-
-        if let Ok(p1363) = result {
-            Some(p1363)
-        } else {
-            None
-        }
-    } else {
-        Some(data.to_vec())
-    }
-}
-
-async fn check_chain_order(certs: &[Vec<u8>]) -> Result<()> {
-    use x509_parser::prelude::*;
-
-    let chain_length = certs.len();
-    if chain_length < 2 {
-        return Ok(());
-    }
-
-    for i in 1..chain_length {
-        let (_, current_cert) =
-            X509Certificate::from_der(&certs[i - 1]).map_err(|_e| Error::CoseCertUntrusted)?;
-
-        let issuer_der = certs[i].to_vec();
-        let data = current_cert.tbs_certificate.as_ref();
-        let sig = current_cert.signature_value.as_ref();
-
-        let sig_alg = cert_signing_alg(&current_cert);
-
-        let result = verify_data(issuer_der, sig_alg, sig.to_vec(), data.to_vec()).await;
-
-        // keep going as long as it validate
-        match result {
-            Ok(b) => {
-                if !b {
-                    return Err(Error::OtherError("cert chain order invalid".into()));
-                }
-            }
-            Err(e) => return Err(e),
-        }
-    }
-    Ok(())
-}
-
-async fn on_trust_list(
-    th: &dyn TrustHandlerConfig,
-    certs: &[Vec<u8>],
-    ee_der: &[u8],
-) -> Result<bool> {
-    use x509_parser::prelude::*;
-
-    // check the cert against the allowed list first
-    let cert_sha256 = hash_sha256(ee_der);
-    let cert_hash_base64 = base64::encode(&cert_sha256);
-    if th.get_allowed_list().contains(&cert_hash_base64) {
-        return Ok(true);
-    }
-
-    // add ee cert if needed to the chain
-    let full_chain = if !certs.is_empty() && vec_compare(ee_der, &certs[0]) {
-        certs.to_vec()
-    } else {
-        let mut full_chain: Vec<Vec<u8>> = Vec::new();
-        full_chain.push(ee_der.to_vec());
-        let mut in_chain = certs.to_vec();
-        full_chain.append(&mut in_chain);
-        full_chain
-    };
-
-    // make sure chain is in the correct order and valid
-    check_chain_order(&full_chain).await?;
-
-    // build anchors and check against trust anchors,
-    let mut anchors: Vec<X509Certificate> = Vec::new();
-    let source_anchors = th.get_anchors();
-    for anchor_der in &source_anchors {
-        let (_, anchor) =
-            X509Certificate::from_der(anchor_der).map_err(|_e| Error::CoseCertUntrusted)?;
-        anchors.push(anchor);
-    }
-
-    if anchors.is_empty() {
-        return Ok(false);
-    }
-
-    // work back from last cert in chain against the trust anchors
-    for cert in certs.iter().rev() {
-        let (_, chain_cert) =
-            X509Certificate::from_der(cert).map_err(|_e| Error::CoseCertUntrusted)?;
-
-        for anchor in &source_anchors {
-            let data = chain_cert.tbs_certificate.as_ref();
-            let sig = chain_cert.signature_value.as_ref();
-
-            let sig_alg = cert_signing_alg(&chain_cert);
-
-            let (_, anchor_cert) =
-                X509Certificate::from_der(anchor).map_err(|_e| Error::CoseCertUntrusted)?;
-
-            if chain_cert.issuer() == anchor_cert.subject() {
-                let result =
-                    verify_data(anchor.clone(), sig_alg, sig.to_vec(), data.to_vec()).await;
-
-                match result {
-                    Ok(b) => {
-                        if b {
-                            return Ok(true);
-                        }
-                    }
-                    Err(_) => continue,
-                }
-            }
-        }
-    }
-    // todo: consider (path check and names restrictions)
-
-    Ok(false)
-}
-
-// verify certificate and trust chain
-pub(crate) async fn verify_trust_async(
-    th: &dyn TrustHandlerConfig,
-    chain_der: &[Vec<u8>],
-    cert_der: &[u8],
-    _signing_time_epoc: Option<i64>,
-) -> Result<bool> {
-    // check configured EKUs against end-entity cert
-    find_allowed_eku(cert_der, &th.get_auxillary_ekus()).ok_or(Error::CoseCertUntrusted)?;
-
-    on_trust_list(th, chain_der, cert_der).await
-}
-
-#[cfg(test)]
-pub mod tests {
-    #![allow(clippy::expect_used)]
-    #![allow(clippy::panic)]
-    #![allow(clippy::unwrap_used)]
-
-    #[cfg(target_arch = "wasm32")]
-    use wasm_bindgen_test::*;
-
-    use super::*;
-    #[cfg_attr(not(target_arch = "wasm32"), test)]
-    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
-    #[wasm_bindgen_test]
-    async fn test_trust_store() {
-        let mut th = WebTrustHandlerConfig::new();
-        th.clear();
-
-        th.load_default_trust().unwrap();
-
-        // test all the certs
-        let ps256 = include_bytes!("../../tests/fixtures/certs/ps256.pub");
-        let ps384 = include_bytes!("../../tests/fixtures/certs/ps384.pub");
-        let ps512 = include_bytes!("../../tests/fixtures/certs/ps512.pub");
-        let es256 = include_bytes!("../../tests/fixtures/certs/es256.pub");
-        let es384 = include_bytes!("../../tests/fixtures/certs/es384.pub");
-        let es512 = include_bytes!("../../tests/fixtures/certs/es512.pub");
-        let ed25519 = include_bytes!("../../tests/fixtures/certs/ed25519.pub");
-
-        let ps256_certs = load_trust_from_data(ps256).unwrap();
-        let ps384_certs = load_trust_from_data(ps384).unwrap();
-        let ps512_certs = load_trust_from_data(ps512).unwrap();
-        let es256_certs = load_trust_from_data(es256).unwrap();
-        let es384_certs = load_trust_from_data(es384).unwrap();
-        let es512_certs = load_trust_from_data(es512).unwrap();
-        let ed25519_certs = load_trust_from_data(ed25519).unwrap();
-
-        assert!(
-            verify_trust_async(&th, &ps256_certs[1..], &ps256_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            verify_trust_async(&th, &ps384_certs[1..], &ps384_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            verify_trust_async(&th, &ps512_certs[1..], &ps512_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            verify_trust_async(&th, &es256_certs[1..], &es256_certs[0], None)
-                .await
-                .unwrap()
-        );
-
-        assert!(
-            verify_trust_async(&th, &es384_certs[1..], &es384_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            verify_trust_async(&th, &es512_certs[1..], &es512_certs[0], None)
-                .await
-                .unwrap()
-        );
-
-        assert!(
-            verify_trust_async(&th, &ed25519_certs[1..], &ed25519_certs[0], None)
-                .await
-                .unwrap()
-        );
-    }
-
-    #[cfg_attr(not(target_arch = "wasm32"), test)]
-    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test)]
-    #[wasm_bindgen_test]
-    async fn test_broken_trust_chain() {
-        let mut th = WebTrustHandlerConfig::new();
-        th.clear();
-
-        th.load_default_trust().unwrap();
-
-        // test all the certs
-        let ps256 = include_bytes!("../../tests/fixtures/certs/ps256.pub");
-        let ps384 = include_bytes!("../../tests/fixtures/certs/ps384.pub");
-        let ps512 = include_bytes!("../../tests/fixtures/certs/ps512.pub");
-        let es256 = include_bytes!("../../tests/fixtures/certs/es256.pub");
-        let es384 = include_bytes!("../../tests/fixtures/certs/es384.pub");
-        let es512 = include_bytes!("../../tests/fixtures/certs/es512.pub");
-        let ed25519 = include_bytes!("../../tests/fixtures/certs/ed25519.pub");
-
-        let ps256_certs = load_trust_from_data(ps256).unwrap();
-        let ps384_certs = load_trust_from_data(ps384).unwrap();
-        let ps512_certs = load_trust_from_data(ps512).unwrap();
-        let es256_certs = load_trust_from_data(es256).unwrap();
-        let es384_certs = load_trust_from_data(es384).unwrap();
-        let es512_certs = load_trust_from_data(es512).unwrap();
-        let ed25519_certs = load_trust_from_data(ed25519).unwrap();
-
-        assert!(
-            !verify_trust_async(&th, &ps256_certs[2..], &ps256_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &ps384_certs[2..], &ps384_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &ps512_certs[2..], &ps512_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &es256_certs[2..], &es256_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &es384_certs[2..], &es384_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &es512_certs[2..], &es512_certs[0], None)
-                .await
-                .unwrap()
-        );
-        assert!(
-            !verify_trust_async(&th, &ed25519_certs[2..], &ed25519_certs[0], None)
-                .await
-                .unwrap()
-        );
-    }
-}
diff --git a/sdk/tests/common/test_signer.rs b/sdk/tests/common/test_signer.rs
index c3bd1a2c1..45d94dfcb 100644
--- a/sdk/tests/common/test_signer.rs
+++ b/sdk/tests/common/test_signer.rs
@@ -12,7 +12,7 @@
 // each license.
 
 use c2pa::CallbackSigner;
-use c2pa_crypto::SigningAlg;
+use c2pa_crypto::raw_signature::{RawSignerError, SigningAlg};
 
 const CERTS: &[u8] = include_bytes!("../../tests/fixtures/certs/ed25519.pub");
 const PRIVATE_KEY: &[u8] = include_bytes!("../../tests/fixtures/certs/ed25519.pem");
@@ -29,12 +29,13 @@ fn ed_sign(data: &[u8], private_key: &[u8]) -> c2pa::Result<Vec<u8>> {
 
     // Parse the PEM data to get the private key
     let pem = parse(private_key).map_err(|e| c2pa::Error::OtherError(Box::new(e)))?;
+
     // For Ed25519, the key is 32 bytes long, so we skip the first 16 bytes of the PEM data
     let key_bytes = &pem.contents()[16..];
-    let signing_key =
-        SigningKey::try_from(key_bytes).map_err(|e| c2pa::Error::OtherError(Box::new(e)))?;
+    let signing_key = SigningKey::try_from(key_bytes)
+        .map_err(|e| RawSignerError::InternalError(e.to_string()))?;
+
     // Sign the data
     let signature: Signature = signing_key.sign(data);
-
     Ok(signature.to_bytes().to_vec())
 }
diff --git a/sdk/tests/fixtures/sample1.svg b/sdk/tests/fixtures/sample1.svg
index 8e3d77b77..5c49e9e33 100644
--- a/sdk/tests/fixtures/sample1.svg
+++ b/sdk/tests/fixtures/sample1.svg
@@ -1,7 +1,69 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
 <svg enable-background="new 0 0 2014 1674.641" version="1.1" viewBox="0 0 2014 1674.641" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
-		<path d="m44.883 1173.3c0 169.58 92.136 317.37 229.08 396.59v-793.53c-136.94 79.216-229.08 227.37-229.08 396.94z"/>
+		<title>This is an XMP test</title>
+<metadata><?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
+<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.1-c002 165.59ab891, 2024/09/18-09:57:10        ">
+   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+      <rdf:Description rdf:about=""
+            xmlns:Iptc4xmpCore="http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/"
+            xmlns:dc="http://purl.org/dc/elements/1.1/"
+            xmlns:xmp="http://ns.adobe.com/xap/1.0/"
+            xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
+            xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#">
+         <Iptc4xmpCore:ExtDescrAccessibility>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">Headphone outline</rdf:li>
+            </rdf:Alt>
+         </Iptc4xmpCore:ExtDescrAccessibility>
+         <dc:title>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">This is an XMP test</rdf:li>
+            </rdf:Alt>
+         </dc:title>
+         <xmp:MetadataDate>2024-12-09T09:35:43-05:00</xmp:MetadataDate>
+         <xmpMM:InstanceID>xmp.iid:f5ec1827-855b-4f69-b690-2bed159fa942</xmpMM:InstanceID>
+         <xmpMM:DocumentID>xmp.did:f5ec1827-855b-4f69-b690-2bed159fa942</xmpMM:DocumentID>
+         <xmpMM:OriginalDocumentID>xmp.did:f5ec1827-855b-4f69-b690-2bed159fa942</xmpMM:OriginalDocumentID>
+         <xmpMM:History>
+            <rdf:Seq>
+               <rdf:li>
+                  <rdf:Description>
+                     <stEvt:action>saved</stEvt:action>
+                     <stEvt:instanceID>xmp.iid:f5ec1827-855b-4f69-b690-2bed159fa942</stEvt:instanceID>
+                     <stEvt:when>2024-12-09T09:35:43-05:00</stEvt:when>
+                     <stEvt:softwareAgent>Adobe Bridge 2025</stEvt:softwareAgent>
+                     <stEvt:changed>/metadata</stEvt:changed>
+                  </rdf:Description>
+               </rdf:li>
+            </rdf:Seq>
+         </xmpMM:History>
+      </rdf:Description>
+   </rdf:RDF>
+</x:xmpmeta>
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                           
+<?xpacket end="w"?></metadata>
+<path d="m44.883 1173.3c0 169.58 92.136 317.37 229.08 396.59v-793.53c-136.94 79.216-229.08 227.37-229.08 396.94z"/>
 		<path d="m1496.5 173.21c-338.54-181.18-640.46-181.19-978.98 0-115.34 61.726-232.1 201.31-232.1 348.66v1048h125.99v-1048c0-100.78 121.24-229.18 225.54-272.38 280.15-116.04 460-116.04 740.11 0 104.3 43.203 225.54 171.6 225.54 272.38v1048h125.99v-1048c0-147.36-116.76-286.94-232.1-348.66z"/>
 		<path d="m1740 776.38v793.53c136.94-79.214 229.08-227 229.08-396.59 1e-3 -169.57-92.133-317.73-229.08-396.94z"/>
 		<path d="m541.72 709.03h-70.645c-27.201 0-49.252 22.051-49.252 49.253v829.79c0 27.201 22.05 49.252 49.252 49.252h70.645c27.201 0 49.252-22.051 49.252-49.252v-829.79c0-27.202-22.05-49.253-49.252-49.253z"/>
diff --git a/sdk/tests/fixtures/sample5.svg b/sdk/tests/fixtures/sample5.svg
new file mode 100644
index 000000000..8e3d77b77
--- /dev/null
+++ b/sdk/tests/fixtures/sample5.svg
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
+<svg enable-background="new 0 0 2014 1674.641" version="1.1" viewBox="0 0 2014 1674.641" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
+		<path d="m44.883 1173.3c0 169.58 92.136 317.37 229.08 396.59v-793.53c-136.94 79.216-229.08 227.37-229.08 396.94z"/>
+		<path d="m1496.5 173.21c-338.54-181.18-640.46-181.19-978.98 0-115.34 61.726-232.1 201.31-232.1 348.66v1048h125.99v-1048c0-100.78 121.24-229.18 225.54-272.38 280.15-116.04 460-116.04 740.11 0 104.3 43.203 225.54 171.6 225.54 272.38v1048h125.99v-1048c0-147.36-116.76-286.94-232.1-348.66z"/>
+		<path d="m1740 776.38v793.53c136.94-79.214 229.08-227 229.08-396.59 1e-3 -169.57-92.133-317.73-229.08-396.94z"/>
+		<path d="m541.72 709.03h-70.645c-27.201 0-49.252 22.051-49.252 49.253v829.79c0 27.201 22.05 49.252 49.252 49.252h70.645c27.201 0 49.252-22.051 49.252-49.252v-829.79c0-27.202-22.05-49.253-49.252-49.253z"/>
+		<path d="m1542 709.03h-70.646c-27.2 0-49.252 22.051-49.252 49.253v829.79c0 27.201 22.052 49.252 49.252 49.252h70.646c27.2 0 49.252-22.051 49.252-49.252v-829.79c-1e-3 -27.202-22.052-49.253-49.252-49.253z"/>
+		<path d="m595.97 1132.8c4.322-0.219 8.643-0.184 12.965 0 0.197 4.557 3.624 24.404 4.471 95.602 0 1.438 0.298 2.849 0.728 4.225 0.691 13.2-0.668 21.337 0.868 26.298 0.386 12.904 0.053 25.834 0.158 38.746h10.467c10.735-37.493 8.785-86.788 9.941-115.01 1.07-3.103 0.614-6.426 0.868-9.634 0.615-2.041 1.597-9.992 1.753-11.519 0.368 0.377 1.113 1.131 1.481 1.508 0.079 4.827 0.295 5.098 2.007 12.833 0.342 0 1.034-9e-3 1.376-9e-3 0.421-1.771 0.877-3.515 1.315-5.277l0.657-9e-3c0.202 4.611-0.719 9.38 0.684 13.859 0.491 4.374-0.508 8.889 0.85 13.149 0.114 1.683 0.175 3.357 0.263 5.049 0.552-0.92 1.122-1.85 1.692-2.77 0.052-13.129 0.408 0.674 0.894-17.479 0.307 0.552 0.92 1.657 1.227 2.209 0.316 0.018 0.938 0.044 1.245 0.061 2.638-11.892 2.56-18.294 3.647-51.86 8.152-0.21 16.314-0.263 24.466 0.044 0.018 2.314-0.018 4.681 0.78 6.89 0.677 13.255 1.433 10.704 2.016 18.926 1.554 2.913 2.279 3.212 5.295 20.714 0.394 0 1.183 0 1.578 9e-3 0.454-9.931 0.998-1.96 0.964-13.184l0.868 9e-3c0.096 3.734-0.561 7.609 0.684 11.229 0.298 3.498-0.307 7.127 0.868 10.519 0.307 3.498-0.307 7.135 0.877 10.519 0.307 3.498-0.307 7.127 0.877 10.519 0.368 3.787-0.394 7.714 0.868 11.387 0.438 4.085-0.465 8.319 0.877 12.281 0.298 3.498-0.298 7.127 0.868 10.519 0.949 15.108 1.515 17.226 2.858 21.626 0.421-0.412 1.262-1.227 1.692-1.639-0.187-3.823 0.79-9.648 3.98-14.937 0.701 1.157 1.411 2.332 2.13 3.498 0.018 0.412 0.053 1.236 0.07 1.648 0.894 1.657 1.815 3.357 3.261 4.629 0.52-4.824 0.271-3.677 1.525-8.757 0.155-0.87 1.114-8.042 1.552-15.709 1.21-3.691 0.491-7.609 0.85-11.405 1.341-3.962 0.43-8.196 0.877-12.272 0 0 6.76-64.946 7.004-68.375 1.008-2.77 0.728-5.742 0.728-8.617 1.727 0 3.471 0 5.225-9e-3 0 3.173-0.377 6.443 0.701 9.494 0.152 3.522 0.148 41.365 1.753 46.478 0.447 4.076-0.473 8.31 0.877 12.272 0.289 3.498-0.281 7.118 0.85 10.51 0.612 11.986 0.925 9.898 2.016 17.383 0.43 0.403 1.289 1.21 1.718 1.613 0.386-0.395 1.157-1.175 1.543-1.569 1.113-3.427 2.27-6.908 2.06-10.572 0.351 0.377 1.043 1.122 1.394 1.49 0.307 0.982 0.631 1.972 0.982 2.954 9e-3 0.824 0.035 1.648 0.07 2.472 0.736 0.912 1.499 1.841 2.279 2.744 1.695-6.242 1.537-5.465 2.367-9.923 0.394-0.377 1.175-1.122 1.569-1.499-0.026 1.455-0.035 2.928-0.044 4.392 0.43 0.386 1.28 1.148 1.709 1.534 2.593-15.316 1.515-32.185 4.646-59.933h0.517c0.257 2.44 0.455 5.251 2.656 12.053 0.04 1.752 2.071 29.42 6.46 44.391 0.377-0.386 1.131-1.166 1.508-1.56 2.511-20.088 0.17 17.604 5.33-78.561l0.622 9e-3c0.403 1.569 0.842 3.13 1.28 4.699 0.395-0.377 1.175-1.148 1.569-1.534 0.153-5.981 0.067-4.293 1.201-9.362 6.539-0.281 13.079-0.289 19.627-0.018 1.093 6.281 3.062 17.853 3.831 24.948 0.403-0.377 1.219-1.14 1.631-1.525 0.133-3.59 1.852-14.417 2.919-17.453 0.377 0.377 1.14 1.122 1.516 1.499-0.034 12.962 0.097 3.675 0.947 13.657 0.421 9e-3 1.253 9e-3 1.674 9e-3 0-1.762 9e-3 -3.524 0.026-5.277h1.718c0.237 4.602-0.701 9.371 0.71 13.85 0.386 3.787-0.412 7.732 0.877 11.405 0.298 3.498-0.298 7.127 0.859 10.519 0.455 8.447 1.972 19.645 2.595 21.906-0.347 7.057 9.094 35.294 9.888 54.043 0.429-0.395 1.28-1.192 1.709-1.587 0.061-1.42 0.14-2.84 0.263-4.252 0.885-2.831 0.675-5.829 0.85-8.748 1.131-3.401 0.561-7.022 0.859-10.519 1.166-3.393 0.561-7.022 0.876-10.519 1.157-3.392 0.57-7.022 0.877-10.528 0.697-2.038 1.719-16.578 1.78-17.532 0.086-0.331 0.978-5.454 1.788-8.924 2.042-3.033 3.515-6.399 5.26-9.599 0.324 0.368 0.964 1.122 1.289 1.499 2.896 10.614 5.277 40.7 5.277 40.701 1.101 16.794 2.417 23.952 2.866 28.779 0.412 0.394 1.245 1.175 1.657 1.569 0.071-0.869 8.706-77.968 8.959-86.556 0.561-1.779 1.105-3.559 1.727-5.312 0.412 0.394 1.227 1.183 1.639 1.578 9e-3 0.57 0.017 1.701 0.017 2.27 0.403 0 1.219-9e-3 1.622-9e-3 1.24-7.203 1.236-3.14 2.121-13.342 1.017-3.41 0.5-7.013 0.798-10.51 0.666-1.929 0.745-3.971 0.85-5.987 1.981-0.017 3.98-0.017 5.987-0.061 0.738 15.014 3.226 81.388 5.452 98.881 2.794-5.344 3.327-18.194 3.313-23.046 0.526 0.92 1.061 1.841 1.604 2.779 1.005 8.595 1.291 4.766 1.955 12.124 0.412-0.386 1.236-1.166 1.657-1.56 0.07-1.131 0.167-2.253 0.29-3.375 3.077-10.573 4.023-80.044 5.303-85.767 11.203-0.333 22.415-0.307 33.618-0.026 2.519 9.333-0.185 1.64 3.165 10.651 1.008-0.035 2.025-0.07 3.059-0.105 3.706 11.86 4.661 36.592 6.136 41.086 0.237 3.743-0.228 7.618 1.324 11.159 1.832-0.973 3.532-4.164 5.768-2.27 0.311 1.769 1.139 5.743 1.674 7.74 0.096 1.99 0.052 4.006 0.342 5.987 0.955 1.779 3.182 1.078 4.839 1.35 2.515 9.18 4.175 17.629 4.865 22.318 3.942-2.424 4.424-5.052 6.049-11.527 1.105-1.981 2.621-3.682 4.252-5.251-9e-3 -1.131-9e-3 -2.262 9e-3 -3.384 0.386 0.377 1.149 1.131 1.534 1.508 0.333 1.797 0.754 3.577 1.21 5.365 0.359-0.386 1.087-1.166 1.446-1.552 0.649-2.376 1.403-4.716 2.183-7.048 0.316 0.377 0.947 1.148 1.262 1.525 1.645 7.111 0.322 3.568 2.06 21.065 0.429-0.395 1.271-1.175 1.692-1.56 0.026-1.999 0.07-3.997 0.21-5.987 1.481-4.83 0.263-9.949 0.868-14.902 1.639-6.285 0.123-12.877 0.877-19.285 1.683-7.451 0.07-15.218 0.877-22.792 1.674-7.451 0.07-15.227 0.868-22.8 1.219-3.62 0.596-7.495 0.684-11.229h4.979c2.486 11.696-0.075 13.584 1.867 20.004 0.438 4.076-0.456 8.31 0.859 12.281 0.71 13.915 2.152 15.948 2.875 21.74 0.403 0.395 1.201 1.192 1.604 1.587 2.183-6.047-0.403-11.103 3.024-22.283 0.316 0 0.964-9e-3 1.289-9e-3 0.07 1.339 1.748 15.516 3.112 20.688 3.189-6.785 3.21-47.072 3.2-54.051 9.432-0.307 18.882-0.272 28.323 0.026 0.079 1.105 0.202 2.297 0.833 3.27 1.219-0.359 1.613-2.13 1.201-3.226 0.684 0 2.042 0.017 2.726 0.017 0.193 1.701 0.421 3.401 0.912 5.049 0.745 6.11-0.754 12.422 0.877 18.417 0.622 4.944-0.64 10.081 0.885 14.902 0.438 4.076-0.464 8.31 0.859 12.272 0.587 5.786-0.649 11.747 1.157 17.392 0.342 0.359 1.017 1.087 1.35 1.455 0.973-1.806 2.025-3.576 3.296-5.207 2.899 9.94 3.548 20.233 4.146 30.129 2.753-4.301 1.495-7.983 6.198-43.26 1.07-1.122 2.156-2.227 3.261-3.331 1.546-13.203 1.281-18.245 4.804-28.139 0.719 1.183 1.42 2.384 2.139 3.594 6.049 34.545 2.934 63.483 10.432 89.607-0.114 5.067 1.359 9.993 1.052 15.06-0.079 2.016 0.035 4.059 0.719 5.978 0.359 6.487 0.088 12.991 0.131 19.496-0.026 3.813 1.113 7.53 1.017 11.361h1.639c0.973-2.533 1.026-5.233 0.991-7.898-0.096-2.682 0.728-5.26 0.842-7.907 0.149-3.305-0.272-6.627 0.342-9.897 1.052-4.874 0.254-9.879 0.719-14.806 1.306-3.962 0.421-8.188 0.859-12.264 1.069-3.103 0.631-6.426 0.885-9.634 0.71-2.034 0.736-4.199 0.763-6.329 0.535-0.92 1.087-1.841 1.657-2.753 9e-3 0.693 9e-3 2.078 9e-3 2.77 0.421 0.394 1.254 1.192 1.674 1.595 1.881-6.653 1.973-16.337 2.025-17.208 1.324-3.962 0.421-8.188 0.868-12.273 1.508-4.821 0.263-9.949 0.885-14.902 1.534-5.119 0.21-10.537 0.868-15.779 1.438-4.777 0.43-9.836 0.684-14.736l0.579 9e-3c4.58 20.94-1.764 21.194 8.003 57.654 0.035 3.743 0.315 7.477 1.14 11.133 0.771 1.227 1.56 2.446 2.375 3.664 2.187-18.959 0.397-16.093 1.254-24.413 1.525-5.119 0.228-10.537 0.876-15.779 1.525-5.119 0.219-10.537 0.876-15.779 1.482-5.155 0.351-10.607 0.728-15.884 3.781-1.853 5.985-19.261 6.241-23.449 11.896-0.298 23.809-0.289 35.704 0 0.018 2.314-0.044 4.69 0.789 6.899 1.385 15.795 1.043 17.456 1.034 20.679 0.438-0.386 1.297-1.14 1.727-1.525 0.313-2.188-1e-3 -0.959 1.21-4.953h1.157c7.495 34.264 1.885 96.567 10.537 107.57 4.66-9.896 5.508-48.83 5.75-50.764 0.339-1.036 7.792-66.458 7.846-67.323h0.719c0.315 5.479-0.815 11.133 0.701 16.48 0.219 3.217-0.175 6.522 0.833 9.634 0.096 1.35 0.175 2.709 0.263 4.076 1.113 1.78 2.262 3.55 3.349 5.356 0.07 1.85 0.202 3.717 0.806 5.487 0.237 3.208-0.21 6.539 0.877 9.643 0.438 4.076-0.456 8.301 0.868 12.264 0.64 5.233-0.666 10.659 0.868 15.779 0.666 5.531-0.693 11.238 0.877 16.656 0.617 10.342-0.612 22.781 0.868 27.175 0.123 1.99 0.167 3.989 0.21 5.987 0.429 0.394 1.28 1.183 1.7 1.578 3.526-23.595 3.006-33.165 5.417-44.234l0.526 0.026c2.215 9.395 0.757 4.828 3.042 12.623 0.377-0.377 1.14-1.14 1.517-1.516 2.464-9.857 5.395-72.486 5.408-73.354l0.71 9e-3c0.044 0.447 0.131 1.341 0.167 1.779 0.605-0.018 1.814-0.07 2.411-0.088 2.367 8.449 6.032 43.591 6.075 43.725 0.517 4.348-1.026 10.134 3.296 12.982 12.367-46.276 9.589-65.188 12.904-92.683 11.51-0.228 23.028-0.228 34.547-0.018 0.316 1.131 0.649 2.253 1.008 3.375 0 1e-3 5.242 57.934 5.242 57.935 2.528 35.686-1.458 8.139 4.62 49.809 0.412 0.395 1.227 1.175 1.639 1.56 0.117-0.869 4.225-26.319 4.576-34.135 3.883 7.547 1.348 7.067 5.198 13.465 0.955-0.395 1.964-0.64 3.016-0.745 0.631 0.833 1.245 1.701 1.832 2.604 0.465 0.044 1.394 0.131 1.859 0.175 0.631-1.087 1.262-2.165 1.92-3.243 1.331-5.87 3.349-16.952 3.752-22.327l0.71 0.018c0.324 6.355-0.877 12.877 0.666 19.11 0.64 5.242-0.666 10.659 0.885 15.788 0.281 3.498-0.272 7.109 0.842 10.511 0.105 1.525 0.175 3.059 0.263 4.593h1.683c0.03-0.868 2.321-25.659 4.655-35.354 0.359 0.368 1.069 1.113 1.42 1.481 0.018 2.183 0.026 4.409 0.763 6.496 0.184 2.928-0.088 5.943 0.894 8.766 0.257 4.097-0.504 3.463 2.165 21.81 1.771-3.524 1.604-7.469 1.744-11.299 1.411-4.55 0.307-9.362 0.868-14.026 1.604-5.996 0.149-12.299 0.877-18.409 1.63-6.285 0.114-12.877 0.868-19.285 1.587-5.698 0.158-11.711 0.868-17.532 1.56-6.399 0.324-13.114 0.693-19.645 0.429-0.377 1.28-1.14 1.709-1.525-0.026 2.393-0.105 4.856 0.728 7.153 0.193 2.919-0.096 5.943 0.885 8.757 0.456 4.076-0.473 8.319 0.877 12.281 0.447 4.076-0.473 8.31 0.877 12.264 0.368 3.796-0.386 7.723 0.868 11.405 1.036 17.235 1.642 16.652 2.972 21.792 0.43 0.438 1.297 1.306 1.727 1.736 0.815-1.21 1.63-2.419 2.446-3.638 2.923-13.017 5.323-15.63 6.426-33.039 1.186-4.545 6.856-57.745 6.873-58.619 13.114-0.333 26.237-0.298 39.351 0-0.07 25.539-0.242 25.33 0.701 27.92 0.701 5.83-0.737 11.843 0.868 17.541 0.622 4.944-0.64 10.072 0.885 14.902 0.491 4.374-0.517 8.898 0.859 13.158 0.545 12.053 0.783 6.687 1.964 16.629 1.858 1.052 3.901 1.981 5.076 3.892 10.959-1.859 6.983-29.405 13.724-64.092v-42.917c-0.174-0.927-0.341-1.93-0.488-3.102-0.544-0.947-1.069-1.885-1.578-2.823-3.578-19.889-0.465-3.857-2.901-38.229-0.302-0.87-2.483-19.751-2.542-20.46-0.701-0.894-1.359-1.788-2.051-2.665-2.62 8.857-4.816 32.1-4.97 37.869-0.885-1.192-1.736-2.411-2.56-3.62v-1.63c-0.991-1.744-1.946-3.489-2.928-5.216-0.438 0.517-1.306 1.543-1.745 2.06-0.955 0-1.885-9e-3 -2.796-9e-3 -0.71-0.71-1.394-1.42-2.069-2.13-0.827-5.187-0.922-3.934-1.999-19.093-1.271-3.673-0.465-7.609-0.877-11.405-1.201-3.384-0.535-7.013-0.877-10.51-0.824-2.7-0.728-5.54-1.166-8.293-0.21-0.359-0.622-1.078-0.833-1.438-0.622-3.147-0.456-6.373-0.631-9.555-1.056-2.973-1.705-15.787-1.762-16.656-1.704-4.872-1.165-33.567-5.321-44.54l-0.377 9e-3c-0.237 0.579-0.701 1.736-0.938 2.323-0.401 3.921-11.044 109.35-11.711 112.52l-0.71 9e-3c-0.251-7.498 9e-3 -3.82-1.201-9.651h-1.236c-1.98 7.546-1.844 6.61-2.121 9.073-0.254 0.622-0.771 1.867-1.026 2.481-1.078-0.421-2.121-0.85-3.156-1.271-3.451 12.972-2.154 26.149-5.549 58.154-5.163 0.21-10.326 0.272-15.472 9e-3 -2.367-4.585 0.263-10.046-1.674-14.788-5.048-49.685-2.675-22.48-9.038-64.474-0.368 0.368-1.096 1.104-1.464 1.473-3.2 24.397-3.796 53.375-3.866 54.244-0.902 2.444-0.812 2.981-0.71 23.546-4.628 0.21-9.257 0.202-13.877 9e-3 -0.062-1.098-0.753-10.145-3.41-19.96-1.609-6.088-2.241-34.338-5.531-45.399-0.386 0.403-1.157 1.218-1.543 1.622 0 2e-3 -2.428 17.821-2.428 17.821-1.87 7.96-2.043 7.751-2.209 12.123-0.894 1.359-1.823 2.682-2.779 3.989-1.026-0.78-2.016-1.552-3.024-2.297-4.94 16.27-1.404 25.036-3.831 32.049-1.745 9e-3 -3.48 0.018-5.198 0.07-0.149-4.059 0.605-8.249-0.693-12.176-0.596-4.664 0.579-9.494-0.877-14.026-0.543-4.365 0.509-8.897-0.868-13.149-0.245-2.98-0.219-5.97-0.184-8.959h-0.798c-0.097 1.525-0.175 3.051-0.281 4.585-1.043 3.042-0.675 6.285-0.666 9.441h-0.885c-0.454-35.146-2.288-72.71-9.792-140.65-0.693-1.175-1.359-2.332-2.043-3.489-1.043 1.411-2.042 2.84-2.954 4.33-0.744 4.308-0.526 3.106-1.56 7.153-3.447 12.335-8.898 66.727-8.898 66.727-0.359 3.498 0.307 7.135-0.877 10.519-2.297 22.912 0.443 23.804-2.604 35.932-0.184 2.639-0.044 5.347-0.894 7.89-0.228 3.051-0.158 6.101-0.368 9.152-1.499 4.83-0.237 9.949-0.877 14.902-1.569 5.409-0.167 11.124-0.877 16.647-0.517 1.683-0.728 3.427-0.912 5.172-6.645 0.202-13.289 0.254-19.925-0.044 0.064-10.529-0.526-4.443-0.973-12.334l-0.701 9e-3c-0.965 7.442-1.078 2.9-0.973 12.272-1.183-9e-3 -2.349-9e-3 -3.506 0 0.078-9.359-1.521-16.3-2.042-19.811-3.15 1.808-4.963 16.633-5.119 19.899-5.987 0.254-11.974 0.228-17.953-0.035-2.68-8.301 0.155-12.807-1.885-20.022-0.649-4.944 0.631-10.072-0.877-14.902-0.28-3.629-0.088-7.276-0.35-10.905-0.735-2.102-1.517-17.095-2.06-19.715-1.139-4.529-1.144-4.594-1.289-6.811-0.833-1.219-1.674-2.428-2.533-3.62-0.026-0.394-0.088-1.192-0.114-1.587-1.131-2.095-2.358-4.129-3.813-6.005-0.894 0.955-1.762 1.911-2.63 2.875-0.491 0-1.473-9e-3 -1.964-9e-3 -0.281 0.579-0.833 1.744-1.113 2.323-0.044 2.393 0.018 4.839-0.78 7.127-0.517 8.012 0.14 16.051-0.359 24.054-1.709 4.69 0.307 9.827-1.403 14.517-0.175 2.288-0.202 4.585-0.193 6.881-0.43 0.377-1.297 1.131-1.727 1.516 9e-3 -2.682 0.245-5.453-0.71-8.012-0.596-4.655 0.57-9.485-0.877-14.026-0.438-5.382 0.079-10.782-0.359-16.165-1.587-5.698-0.149-11.712-0.876-17.532-1.394-4.251-0.333-8.784-0.868-13.149-0.903-2.358-0.754-4.909-0.728-7.381-0.429-0.368-1.297-1.122-1.727-1.49-0.272 4.699 0.71 9.564-0.701 14.131-0.421 3.787 0.385 7.723-0.877 11.396-0.552 4.366 0.526 8.898-0.877 13.149-0.368 4.506 0.018 9.029-0.35 13.535-1.438 4.769-0.421 9.818-0.701 14.709h-0.868c-9e-3 -2.867 0.289-5.829-0.71-8.573-0.245-3.34-0.123-6.688-0.351-10.028-1.349-3.85-2.513-33.865-5.347-39.938-4.096 0.324-4.685-1.352-7.083-16.191-0.859-3.445-0.482-7.022-0.675-10.528-5.99-19.969-5.779-31.074-8.74-43.006-0.412 0.377-1.236 1.14-1.648 1.516-4.042 68.84-13.256 161-13.438 161.87-6.241 0.263-12.483 0.281-18.724-0.018-2.084-7.236 0.044-0.063-2.472-11.072-1.704 1.184-2.333 2.852-3.27 11.072-6.54 0.281-13.088 0.272-19.627 0.035-0.289-0.605-0.859-1.815-1.148-2.419-0.438-5.567 0.754-11.308-0.745-16.752-0.657-4.953 0.623-10.081-0.885-14.902-0.316-3.918-0.044-7.863-0.351-11.781-1.175-3.384-0.543-7.013-0.868-10.519-1.201-3.375-0.543-7.013-0.877-10.519-1.105-3.094-0.622-6.426-0.885-9.634-0.991-2.823-0.675-5.838-0.885-8.766-0.64-1.823-0.737-3.752-0.807-5.654-0.412-0.377-1.236-1.122-1.648-1.49-0.023 1.517 0.6 9.192-2.016 20.118-2.092-3.749-2.373-11.288-2.568-14.727-0.728-2.095-0.719-4.33-0.728-6.513-0.412-0.377-1.236-1.122-1.648-1.49-0.017 2.384 0.105 4.839-0.745 7.118-1.625 13.049-1.923 57.246-2.113 60.871-1.254 3.524 9e-3 7.513-2.086 10.808-3.055-13.191-3.982-41.883-4.041-42.752-0.195-0.562-2.542-23.345-2.577-24.352h-0.684c-0.074 0.87-1.059 13.181-1.639 14.709-0.324 3.927-0.052 7.863-0.359 11.79-1.806 5.26 0.403 10.993-1.403 16.261-0.333 4.444-0.14 8.906-0.175 13.359l-0.85-0.026c-9e-3 -2.402-0.035-4.804-0.21-7.197-1.955-6.715 0.561-13.929-1.394-20.644-0.421-5.093 0.061-10.212-0.359-15.297-1.534-5.119-0.202-10.546-0.877-15.779-1.341-3.962-0.386-8.196-0.868-12.272-1.473-4.856-0.368-10.02-0.745-15.007-0.281-0.587-0.85-1.753-1.131-2.332l-0.342-0.026c-2.383 6.384-1.846 9.872-4.725 15.043-1.087-0.053-2.156-0.097-3.217-0.14-0.297 2.566-0.568 6.574-3.226 12.614-1.078-0.456-2.139-0.912-3.173-1.385-0.903 1.043-1.753 2.121-2.568 3.226-1.541 14.346-1.612 25.276-6.522 59.863-0.64 1.394-1.613 2.568-2.902 3.384-0.643-9.977-2.268-14.232-2.901-20.381-0.395-0.368-1.192-1.113-1.587-1.482-3.995 25.967-3.614 31.519-5.628 38.86l-0.526 9e-3c-5.004-29.024-4.245-32.066-6.592-40.692-1.964 0.307-3.165 1.56-3.463 3.506-1.455 1.648-2.858 3.34-4.068 5.172-0.113 0.869-5.441 26.261-5.242 38.194-7.206 0.316-14.42 0.281-21.626 0-1.59-6.96-1.588-22.528-4.032-40.043-2.449 4.247-1.567 9.163-3.401 17.199h-0.622c-0.096-1.999-0.167-4.024-0.798-5.943-0.193-2.463-0.228-4.935-0.403-7.398-0.214-0.596-2.541-21.185-2.551-21.389-0.342-0.368-1.034-1.096-1.376-1.464-2.624 7.092-1.98 15.125-3.936 40.762-0.943 2.679-1.212 14.307-2.463 18.251l-0.579-9e-3c-0.263-0.587-0.797-1.762-1.069-2.349-0.044-2.393 0.018-4.839-0.798-7.127-0.482-4.076 0.456-8.31-0.877-12.264-0.543-4.374 0.526-8.906-0.876-13.149-0.272-3.629-0.088-7.276-0.351-10.905-2.209-6.347 1.236-13.623-2.226-19.618-1.659 10.114-0.922 6.007-1.289 12.115-1.324 3.962-0.395 8.196-0.868 12.272-1.648 4.401 0.228 9.24-1.394 13.64-0.263 3.27-0.202 6.557-0.184 9.835l-0.859 9e-3c0-2.7 9e-3 -5.409-0.202-8.091 0 0-1.894-14.814-3.559-26.64-1.025 2.161-2.494 6.353-3.419 11.457-0.71 1.201-1.42 2.411-2.148 3.603-3.406-7.194-4.001-15.55-4.295-17.699-5.625-12.505-4.562-25.342-7.67-33.671h-0.403c-3.503 9.782 0.435 1.884-6.005 38.317-0.184 0.359-0.552 1.087-0.728 1.446-0.324 1.727-0.57 3.463-0.841 5.198-0.947 3.717-0.395 7.583-0.719 11.361-1.289 3.664-0.473 7.6-0.885 11.396-0.594 1.9-1.634 10.122-1.718 10.993-1.122 0.745-2.244 1.473-3.349 2.218-0.386 5.626 0.13 1.269-1.175 7.714-3.953 0.175-7.907 0.175-11.852 0.044-0.105-2.051-0.158-4.129-0.842-6.075-0.412-3.796 0.395-7.732-0.885-11.396-0.333-3.498 0.307-7.127-0.859-10.51-0.491-6.548 0.123-13.123-0.368-19.671 0 0-5.516-54.514-8.845-67.306h-1.473c0.015 4.792-0.944 14.581-1.595 16.463-0.351 3.498 0.307 7.136-0.877 10.519-0.491 4.076 0.465 8.31-0.877 12.272-0.491 4.076 0.456 8.31-0.877 12.272-0.28 3.629-0.079 7.276-0.35 10.905-1.262 3.673-0.465 7.609-0.868 11.396-1.289 3.664-0.473 7.6-0.877 11.396-1.289 3.664-0.482 7.6-0.877 11.387-1.429 4.243-0.351 8.784-0.894 13.149-0.517 1.683-0.728 3.427-0.912 5.163-3.629 0.123-7.249 0.123-10.861 9e-3 -0.359-1.131-0.719-2.253-1.078-3.357-0.554-15.475 0.663-21.354-0.815-25.474-0.498-7.528-0.096-59.18-5.654-78.719-6.429-1.051-3.223-11.691-7.057-21.424l-0.438 0.018c-4.443 43.319-2.365 60.076-3.857 78.211-1.63 4.401 0.21 9.231-1.385 13.64-0.184 2.463-0.219 4.935-0.395 7.399-0.666 2.007-0.736 4.138-0.824 6.241-0.245 0.64-0.745 1.928-0.99 2.568-0.351-0.359-1.061-1.096-1.411-1.455-0.134-6.652-0.225-0.761-1.166-13-1.403-3.839 0.079-8.056-1.359-11.887-0.342-4.436-0.149-8.897-0.184-13.342h-1.622c-0.042 0.869-1.142 13.049-1.709 14.709-0.246 3.34-0.114 6.688-0.351 10.028-1.402 4.243-0.342 8.775-0.877 13.14-1.473 4.541-0.281 9.371-0.885 14.026-0.999 2.761-0.728 5.724-0.71 8.599-0.438-9e-3 -1.297-9e-3 -1.736-0.018-0.091-1.768-2.814-61.555-2.814-61.555-0.038-0.109-5.456-50.812-6.908-56.26-0.359 0.386-1.078 1.148-1.446 1.534-1.054 4.726-0.995 2.579-1.157 9.371-0.298-0.026-0.885-0.07-1.183-0.096-0.938-1.324-1.928-2.612-2.919-3.892-2.823 14.314-4.439 36.549-5.97 44.873-0.184 0.359-0.552 1.078-0.736 1.438-0.281 1.359-0.526 2.735-0.754 4.103h-0.657c0.028-7.733-1.59-17.163-2.849-24.896-0.517 0.877-1.026 1.762-1.516 2.647-0.018 2.972 0.315 6.049-0.71 8.906-0.605 4.655 0.561 9.485-0.876 14.026-0.754 6.11 0.71 12.404-0.868 18.409-0.131 1.63-0.202 3.279-0.254 4.918-0.544 0.938-1.087 1.876-1.613 2.814-0.987 9.186-0.327-1.6-1.14 11.931-1.245 3.673-0.473 7.6-0.859 11.396-1.201 3.34-0.657 6.934-0.701 10.397-6.732 0.254-13.456 0.298-20.179 9e-3 -0.044-3.471 0.473-7.057-0.684-10.405-0.649-4.944 0.622-10.072-0.885-14.894-0.307-3.927-0.052-7.863-0.351-11.782-1.613-5.996-0.149-12.316-0.868-18.435-1.339-5.048-0.518-5.014-3.603-14.981-1.154-4.75-0.731-4.479-2.621-9.59-0.351 0.368-1.069 1.105-1.429 1.473-3.59 28.719-2.637 24.356-5.26 29.112-0.601 4.918-1.642 5.918-2.831 13-0.71 1.183-1.403 2.358-2.113 3.533-0.281-0.684-0.833-2.051-1.113-2.735-0.247-4.495-0.408-4.871-1.166-8.196-0.386 0-1.175 0-1.569-9e-3 -0.044 1.359-0.105 2.717-0.158 4.076-3.067-6.436-0.91-7.799-1.823-18.286-1.446-4.541-0.272-9.371-0.868-14.026-1.026-2.849-0.71-5.908-0.745-8.871-0.289-0.587-0.868-1.744-1.166-2.332h-0.473c-0.83 6.893-1.628 7.466-1.876 15.209-0.421-0.377-1.262-1.131-1.683-1.499-9e-3 -2.306-0.035-4.602-0.193-6.89-1.183-3.384-0.535-7.013-0.877-10.51-1.192-3.384-0.535-7.022-0.868-10.519-1.201-3.384-0.543-7.022-0.885-10.519 0 0-3.515-26.665-3.515-26.666-0.324-0.368-0.982-1.096-1.306-1.455-2.09 10.391-0.875 47.421-5.628 75.94-0.395-0.377-1.175-1.122-1.56-1.499-2.507-9.819-2.672-28.963-2.717-29.831-0.561-0.894-1.113-1.788-1.657-2.682-0.07 2.13-0.053 4.313-0.806 6.347-0.412 3.787 0.395 7.723-0.859 11.396-0.71 5.531 0.675 11.247-0.877 16.656-0.473 5.961 0.096 11.957-0.368 17.918-1.613 5.996-0.123 12.299-0.877 18.409-1.446 4.532-0.281 9.362-0.868 14.017-1.096 3.051-0.701 6.32-0.701 9.485h-5.251c-0.333-5.488 0.78-11.133-0.701-16.489-0.719-5.531 0.692-11.256-0.885-16.656-0.543-4.365 0.508-8.898-0.868-13.149-0.219-3.051-0.158-6.11-0.368-9.152-0.622-2.007-0.771-4.103-0.947-6.171-3.738-17.029-1.37-12.706-7.022-45.645-4.711-15.28-4.495-46.356-6.978-58.128-0.324-0.359-0.964-1.096-1.28-1.464-0.28 1.481-0.544 2.972-0.85 4.444-0.085 0.868-3.823 36.378-5.198 42.901-1.571 7.218-1.593 19.441-2.788 22.87-0.351 3.498 0.307 7.127-0.877 10.51-0.491 4.076 0.465 8.31-0.877 12.272-0.596 4.655 0.579 9.485-0.877 14.026-0.342 4.216-9e-3 8.451-0.351 12.658-1.464 4.541-0.272 9.371-0.885 14.026-0.561 1.727-0.719 3.533-0.868 5.33-0.368-0.351-1.105-1.052-1.473-1.411-3.32 19.616-1.334 18.132-1.867 29.296-13.421 0.193-26.842 0.28-40.254-0.018-0.494-1.729-3.729-21.553-4.655-33.583-1.297-3.559-0.026-7.46-1.359-11.01-0.193-2.761-0.184-5.523-0.368-8.275-1.578-5.707-0.14-11.711-0.877-17.532-0.529-1.612-1.765-12.284-1.858-13.158-1.105-4.006-0.342-8.188-0.763-12.264-1.657-6.566-0.105-13.465-0.885-20.162-1.639-6.566-0.105-13.465-0.877-20.162-1.613-5.987-0.131-12.29-0.877-18.4-1.455-4.541-0.28-9.371-0.868-14.026-0.85-2.288-0.763-4.742-0.789-7.127-0.281-0.587-0.824-1.753-1.096-2.332h-0.403c-0.551 5.654-1.974 21.699-6.867 143.01v84.684c1.97-18.939 4.281-41.148 4.281-41.149 0.855-2.511 0.714-5.184 0.706-7.788z"/>
+</svg>
diff --git a/sdk/tests/integration.rs b/sdk/tests/integration.rs
index 48933f546..8adb8d12d 100644
--- a/sdk/tests/integration.rs
+++ b/sdk/tests/integration.rs
@@ -23,7 +23,7 @@ mod integration_1 {
         settings::load_settings_from_str,
         Builder, ClaimGeneratorInfo, Ingredient, Reader, Result, Signer,
     };
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use tempfile::tempdir;
 
     //const GENERATOR: &str = "app";
diff --git a/sdk/tests/test_builder.rs b/sdk/tests/test_builder.rs
index c866573cd..9a47354a5 100644
--- a/sdk/tests/test_builder.rs
+++ b/sdk/tests/test_builder.rs
@@ -19,6 +19,7 @@ mod common;
 use common::{compare_stream_to_known_good, fixtures_path, test_signer};
 
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_builder_ca_jpg() -> Result<()> {
     let manifest_def = std::fs::read_to_string(fixtures_path("simple_manifest.json"))?;
     let mut builder = Builder::from_json(&manifest_def)?;
@@ -42,6 +43,7 @@ fn test_builder_ca_jpg() -> Result<()> {
 
 // Source: https://github.com/contentauth/c2pa-rs/issues/530
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_builder_riff() -> Result<()> {
     let manifest_def = include_str!("fixtures/simple_manifest.json");
     let mut source = Cursor::new(include_bytes!("fixtures/sample1.wav"));
@@ -119,6 +121,7 @@ fn test_builder_fragmented() -> Result<()> {
 }
 
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_builder_remote_url_no_embed() -> Result<()> {
     let manifest_def = std::fs::read_to_string(fixtures_path("simple_manifest.json"))?;
     let mut builder = Builder::from_json(&manifest_def)?;
diff --git a/sdk/tests/test_reader.rs b/sdk/tests/test_reader.rs
index c654b227d..ccbf6204b 100644
--- a/sdk/tests/test_reader.rs
+++ b/sdk/tests/test_reader.rs
@@ -32,6 +32,7 @@ fn test_reader_no_jumbf() -> Result<()> {
 }
 
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_reader_ca_jpg() -> Result<()> {
     let (format, mut stream) = fixture_stream("CA.jpg")?;
     let reader = Reader::from_stream(&format, &mut stream)?;
@@ -39,6 +40,7 @@ fn test_reader_ca_jpg() -> Result<()> {
 }
 
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_reader_c_jpg() -> Result<()> {
     let (format, mut stream) = fixture_stream("C.jpg")?;
     let reader = Reader::from_stream(&format, &mut stream)?;
@@ -46,6 +48,7 @@ fn test_reader_c_jpg() -> Result<()> {
 }
 
 #[test]
+#[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
 fn test_reader_xca_jpg() -> Result<()> {
     let (format, mut stream) = fixture_stream("XCA.jpg")?;
     let reader = Reader::from_stream(&format, &mut stream)?;
diff --git a/sdk/tests/v2_api_integration.rs b/sdk/tests/v2_api_integration.rs
index ce966138e..39189bd57 100644
--- a/sdk/tests/v2_api_integration.rs
+++ b/sdk/tests/v2_api_integration.rs
@@ -15,12 +15,11 @@
 //  Isolate from wasm by wrapping in module.
 #[cfg(not(target_arch = "wasm32"))] // wasm doesn't support ed25519 yet
 mod integration_v2 {
-
     use std::io::{Cursor, Seek};
 
     use anyhow::Result;
     use c2pa::{Builder, CallbackSigner, Reader};
-    use c2pa_crypto::SigningAlg;
+    use c2pa_crypto::raw_signature::SigningAlg;
     use serde_json::json;
 
     const PARENT_JSON: &str = r#"
@@ -108,6 +107,7 @@ mod integration_v2 {
     }
 
     #[test]
+    #[cfg_attr(not(any(target_arch = "wasm32", feature = "openssl")), ignore)]
     fn test_v2_integration() -> Result<()> {
         let title = "CA.jpg";
         let format = "image/jpeg";
@@ -169,7 +169,7 @@ mod integration_v2 {
         }
 
         println!("{}", reader.json());
-        assert!(reader.validation_status().is_none());
+        assert_eq!(reader.validation_status(), None);
         assert_eq!(reader.active_manifest().unwrap().title().unwrap(), title);
 
         Ok(())
@@ -181,13 +181,14 @@ mod integration_v2 {
 
         // Parse the PEM data to get the private key
         let pem = parse(private_key).map_err(|e| c2pa::Error::OtherError(Box::new(e)))?;
+
         // For Ed25519, the key is 32 bytes long, so we skip the first 16 bytes of the PEM data
         let key_bytes = &pem.contents()[16..];
         let signing_key =
             SigningKey::try_from(key_bytes).map_err(|e| c2pa::Error::OtherError(Box::new(e)))?;
+
         // Sign the data
         let signature: Signature = signing_key.sign(data);
-
         Ok(signature.to_bytes().to_vec())
     }
 }