wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

Verify Ed25519 and Ed448 certificates #39

Open saper opened 2 years ago

saper commented 2 years ago

Requires eddsa_verify support in oscrypto to work

Test material: RFC 9126: S/MIME Example Keys and Certificates

MatthiasValvekens commented 1 year ago

As a side note: I maintain a (by now considerably divergent) fork of certvalidator for one of my own projects, and there I moved my cryptographic operations to pyca/cryptography. I essentially only use oscrypto to interact with the system trust list now.

Both libraries have their strong and weak points, but I found that for the configurations and environments that I wanted to support, pyca/cryptography was a better fit. For me, the main arguments were: (a) pyca/cryptography has broader built-in algorithm support, in particular for EdDSA and parameterised RSASSA-PSS, (b) pyca/cryptography is a project with more resources behind it at this point in time. I also didn't mind only supporting recent Python versions or having direct native dependencies, but YMMV.

Switching the "mainline" modularcrypto suite to pyca/cryptography would be a massive breaking change and isn't likely to happen (it would also have many potentially undesirable side effects), but maybe it makes sense to make that change in your copy of the library.
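Added example (not part of the comments above, and not code from certvalidator, oscrypto or the fork mentioned): a sketch of the signature check this pull request is about, done with pyca/cryptography for Ed25519 and Ed448 issuers. The helper names `make_cert` and `eddsa_signature_is_valid` are hypothetical, and the certificates are constructed in the script rather than taken from the RFC test material.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519, ed448
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID

# Issuer key type -> the only signatureAlgorithm OID it may produce (RFC 8410).
EDDSA_OIDS = {
    ed25519.Ed25519PublicKey: SignatureAlgorithmOID.ED25519,
    ed448.Ed448PublicKey: SignatureAlgorithmOID.ED448,
}


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Build a constructed test certificate signed with an EdDSA issuer key."""
    start = datetime.datetime(2024, 1, 1)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        # EdDSA hashes internally, so the digest argument must be None.
        .sign(issuer_key, None)
    )


def eddsa_signature_is_valid(cert, issuer_public_key):
    """Check the signature only; path building and validity checks are out of scope."""
    for key_type, oid in EDDSA_OIDS.items():
        if isinstance(issuer_public_key, key_type):
            # Reject a certificate whose declared algorithm does not match the key.
            if cert.signature_algorithm_oid != oid:
                return False
            try:
                # PureEdDSA: the raw TBSCertificate bytes are verified, no pre-hash.
                issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes)
            except InvalidSignature:
                return False
            return True
    raise TypeError("issuer key is not Ed25519 or Ed448")
```

Because there is no external digest, `cert.signature_hash_algorithm` is `None` for these certificates, so a verifier that always looks up a hash before checking the signature needs a separate EdDSA branch.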