From aae87376cf1cc27115bea375836cf3e79baf8e12 Mon Sep 17 00:00:00 2001
From: Philipp Auersperg-Castell
Date: Thu, 5 Dec 2024 23:13:23 +0100
Subject: [PATCH 1/2] support for PKCS7_NO_VERIFY in test_support.pkcs7_verify
---
 src/cryptography/hazmat/primitives/serialization/pkcs7.py | 1 +
 src/rust/src/test_support.rs | 3 +++
 src/rust/src/types.rs | 4 ++++
 3 files changed, 8 insertions(+)
diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
index 882e345f2e7f..11c69b501be0 100644
--- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py
+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
@@ -43,6 +43,7 @@ class PKCS7Options(utils.Enum):
 NoCapabilities = "Don't embed SMIME capabilities"
 NoAttributes = "Don't embed authenticatedAttributes"
 NoCerts = "Don't embed signer certificate"
+ NoVerify = "Don't verify the signers certificate of a signed message"
 class PKCS7SignatureBuilder:
diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs
index 8f4599723680..497cbc9e9306 100644
--- a/src/rust/src/test_support.rs
+++ b/src/rust/src/test_support.rs
@@ -81,6 +81,9 @@ fn pkcs7_verify(
 if options.contains(types::PKCS7_TEXT.get(py)?)? {
 flags |= openssl::pkcs7::Pkcs7Flags::TEXT;
 }
+ if options.contains(types::PKCS7_NO_VERIFY.get(py)?)? {
+ flags |= openssl::pkcs7::Pkcs7Flags::NOVERIFY;
+ }
 let store = {
 let mut b = openssl::x509::store::X509StoreBuilder::new()?;
diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
index 37ca3f424249..2ee88ac7b036 100644
--- a/src/rust/src/types.rs
+++ b/src/rust/src/types.rs
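Review bot: The new `NoVerify` member lands in the public `PKCS7Options` enum, although the commit subject scopes the feature to `test_support.pkcs7_verify`. Callers of the signing builder can now pass it as well, and the hunk does not show whether the builder rejects it (its option validation is outside this hunk). The description also overstates the effect: assuming it maps to OpenSSL's `PKCS7_NOVERIFY`, as the Rust hunk in this patch suggests, only chain verification of the signer's certificate is skipped and the signature over the content is still checked. I would reword the value to `"Don't verify the signer's certificate chain of a signed message"` and document that the option is meaningful for verification only.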
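Review bot: The added `NOVERIFY` branch in `pkcs7_verify` carries no comment saying what is still checked, so a test that passes with `NoVerify` can be misread as having validated trust in the signer. With this flag OpenSSL skips chain verification of the signer's certificate, so the `X509StoreBuilder` store built just below presumably no longer decides the outcome; the signature itself is still verified. I would add above the branch `// NoVerify: skips signer chain validation only; the signature over the content is still checked.` The body of `pkcs7_verify` starts and ends outside this hunk.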
@@ -349,6 +349,10 @@ pub static PKCS7_DETACHED_SIGNATURE: LazyPyImport = LazyPyImport::new(
 "cryptography.hazmat.primitives.serialization.pkcs7",
 &["PKCS7Options", "DetachedSignature"],
 );
+pub static PKCS7_NO_VERIFY: LazyPyImport = LazyPyImport::new(
+ "cryptography.hazmat.primitives.serialization.pkcs7",
+ &["PKCS7Options", "NoVerify"],
+);
 pub static SMIME_ENVELOPED_ENCODE: LazyPyImport = LazyPyImport::new(
 "cryptography.hazmat.primitives.serialization.pkcs7",
From 915fc6bcb7a6ecaa6f18ab0aa74fc9b69f59cf00 Mon Sep 17 00:00:00 2001
From: Philipp Auersperg-Castell
Date: Sat, 7 Dec 2024 00:49:14 +0100
Subject: [PATCH 2/2] define PKCS7_NO_VERIFY only if not built against boringssl
---
 .gitignore | 1 +
 .vscode/settings.json | 7 +++++++
 src/rust/src/types.rs | 2 ++
 3 files changed, 10 insertions(+)
 create mode 100644 .vscode/settings.json
diff --git a/.gitignore b/.gitignore
index 1d4ebfbc597a..686927952b16 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ target/
 .rust-cov/
 *.lcov
 *.profdata
+venv
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 000000000000..9b388533ae2b
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+ "python.testing.pytestArgs": [
+ "tests"
+ ],
+ "python.testing.unittestEnabled": false,
+ "python.testing.pytestEnabled": true
+}
\ No newline at end of file
diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
index 2ee88ac7b036..504dfdbce8ba 100644
--- a/src/rust/src/types.rs
+++ b/src/rust/src/types.rs
@@ -349,6 +349,8 @@ pub static PKCS7_DETACHED_SIGNATURE: LazyPyImport = LazyPyImport::new(
 "cryptography.hazmat.primitives.serialization.pkcs7",
 &["PKCS7Options", "DetachedSignature"],
 );
+
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 pub static PKCS7_NO_VERIFY: LazyPyImport = LazyPyImport::new(
 "cryptography.hazmat.primitives.serialization.pkcs7",
 &["PKCS7Options", "NoVerify"],
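Review bot: `.vscode/settings.json` is personal editor configuration and has nothing to do with this commit's subject, which is gating `PKCS7_NO_VERIFY` for BoringSSL builds. The file also ends without a trailing newline. I would drop it from the patch so that the change to a verification-related code path stays small and reviewable on its own.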
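Review bot: The `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]` attribute removes `PKCS7_NO_VERIFY` on BoringSSL builds, but this commit does not touch `src/rust/src/test_support.rs`, where patch 1/2 added `types::PKCS7_NO_VERIFY.get(py)?` inside `pkcs7_verify`. Unless `pkcs7_verify` is itself compiled out under the same cfg (its attributes are outside the hunks shown), a BoringSSL build would fail on the unresolved name. Either put the same `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]` on the use site, or add a comment on the static such as `// Only referenced from test_support::pkcs7_verify, which is not built for BoringSSL.` so that the pairing is explicit.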