contentauth · scouten-adobe · Aug 14, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/c2pa_c_ffi/src/c_api.rs b/c2pa_c_ffi/src/c_api.rs
@@ -1822,6 +1822,14 @@ mod tests {
     #[test]
     #[cfg(feature = "file_io")]
     fn test_reader_from_file_cawg_identity() {
+        let settings = CString::new(include_bytes!(
+            "../../cli/tests/fixtures/trust/cawg_test_settings.toml"
+        ))
+        .unwrap();
+        let format = CString::new("toml").unwrap();
+        let result = unsafe { c2pa_load_settings(settings.as_ptr(), format.as_ptr()) };
+        assert_eq!(result, 0);
+
         let base = env!("CARGO_MANIFEST_DIR");
         let path =
             CString::new(format!("{base}/../sdk/tests/fixtures/C_with_CAWG_data.jpg")).unwrap();

diff --git a/c2pa_c_ffi/src/json_api.rs b/c2pa_c_ffi/src/json_api.rs
@@ -76,9 +76,10 @@ pub fn sign_file(
 
 #[cfg(test)]
 mod tests {
-    use std::{fs::remove_dir_all, path::PathBuf};
+    use std::{ffi::CString, fs::remove_dir_all, path::PathBuf};
 
     use super::*;
+    use crate::c_api::c2pa_load_settings;
 
     /// returns a path to a file in the fixtures folder
     pub fn test_path(path: &str) -> String {
@@ -115,6 +116,14 @@ mod tests {
 
     #[test]
     fn test_verify_from_file_cawg_identity() {
+        let settings = CString::new(include_bytes!(
+            "../../cli/tests/fixtures/trust/cawg_test_settings.toml"
+        ))
+        .unwrap();
+        let format = CString::new("toml").unwrap();
+        let result = unsafe { c2pa_load_settings(settings.as_ptr(), format.as_ptr()) };
+        assert_eq!(result, 0);
+
         let path = test_path("tests/fixtures/C_with_CAWG_data.jpg");
         let result = read_file(&path, None);
         dbg!(&result);

diff --git a/cli/tests/fixtures/trust/cawg_test_settings.toml b/cli/tests/fixtures/trust/cawg_test_settings.toml
diff --git a/cli/tests/integration.rs b/cli/tests/integration.rs
@@ -586,9 +586,11 @@ fn tool_tree() -> Result<(), Box<dyn Error>> {
 }
 
 #[test]
-// c2patool C_with_CAWG_data.jpg
+// c2patool --settings .../trust/cawg_test_settings.toml C_with_CAWG_data.jpg
 fn tool_read_image_with_cawg_data() -> Result<(), Box<dyn Error>> {
     Command::cargo_bin("c2patool")?
+        .arg("--settings")
+        .arg(fixture_path("trust/cawg_test_settings.toml"))
         .arg(fixture_path("C_with_CAWG_data.jpg"))
         .assert()
         .success()
@@ -599,9 +601,11 @@ fn tool_read_image_with_cawg_data() -> Result<(), Box<dyn Error>> {
 }
 
 #[test]
-// c2patool --detailed C_with_CAWG_data.jpg
+// c2patool --settings .../trust/cawg_test_settings.toml --detailed C_with_CAWG_data.jpg
 fn tool_read_image_with_details_with_cawg_data() -> Result<(), Box<dyn Error>> {
     Command::cargo_bin("c2patool")?
+        .arg("--settings")
+        .arg(fixture_path("trust/cawg_test_settings.toml"))
         .arg(fixture_path("C_with_CAWG_data.jpg"))
         .arg("--detailed")
         .assert()

diff --git a/sdk/src/cose_sign.rs b/sdk/src/cose_sign.rs
@@ -150,7 +150,9 @@ fn signing_cert_valid(signing_cert: &[u8]) -> Result<()> {
     let mut cose_log = StatusTracker::with_error_behavior(ErrorBehavior::StopOnFirstError);
     let mut passthrough_cap = CertificateTrustPolicy::default();
 
-    // allow user EKUs through this check if configured
+    // Allow user EKUs through this check if configured.
+    // TODO (https://github.com/contentauth/c2pa-rs/issues/1313):
+    // Need to determine if we're using C2PA or CAWG trust config here.
     if let Ok(Some(trust_config)) = get_settings_value::<Option<String>>("trust.trust_config") {
         passthrough_cap.add_valid_ekus(trust_config.as_bytes());
     }

diff --git a/sdk/src/crypto/cose/certificate_trust_policy.rs b/sdk/src/crypto/cose/certificate_trust_policy.rs
@@ -294,6 +294,11 @@ impl CertificateTrustPolicy {
         Ok(())
     }
 
+    /// Add default extended key usage (EKU) values.
+    pub fn add_default_valid_ekus(&mut self) {
+        self.add_valid_ekus(include_bytes!("./valid_eku_oids.cfg"));
+    }
+
     /// Add extended key usage (EKU) values that shall be accepted when
     /// verifying COSE signatures.
     ///

diff --git a/sdk/src/crypto/cose/verifier.rs b/sdk/src/crypto/cose/verifier.rs
@@ -264,6 +264,12 @@ impl Verifier<'_> {
     }
 }
 
+impl Default for Verifier<'_> {
+    fn default() -> Self {
+        Self::VerifyTrustPolicy(Cow::Owned(CertificateTrustPolicy::default()))
+    }
+}
+
 fn dump_cert_chain(certs: &[Vec<u8>]) -> Result<Vec<u8>, CoseError> {
     let mut writer = Vec::new();
 

diff --git a/sdk/src/identity/identity_assertion/assertion.rs b/sdk/src/identity/identity_assertion/assertion.rs
@@ -12,6 +12,7 @@
 // each license.
 
 use std::{
+    borrow::Cow,
     collections::BTreeMap,
     fmt::{Debug, Formatter},
 };
@@ -20,6 +21,7 @@ use serde::{Deserialize, Serialize};
 use serde_bytes::ByteBuf;
 
 use crate::{
+    crypto::cose::{CertificateTrustPolicy, Verifier},
     dynamic_assertion::PartialClaim,
     identity::{
         claim_aggregation::IcaSignatureVerifier,
@@ -36,6 +38,7 @@ use crate::{
     },
     jumbf::labels::to_assertion_uri,
     log_current_item, log_item,
+    settings::get_settings_value,
     status_tracker::StatusTracker,
     Manifest, Reader,
 };
@@ -325,7 +328,30 @@ impl IdentityAssertion {
         let sig_type = self.signer_payload.sig_type.as_str();
 
         if sig_type == "cawg.x509.cose" {
-            let verifier = X509SignatureVerifier {};
+            let mut ctp = CertificateTrustPolicy::default();
+
+            // Load the trust handler settings. Don't worry about status as these
+            // are checked during setting generation.
+
+            if let Ok(Some(ta)) = get_settings_value::<Option<String>>("cawg_trust.trust_anchors") {
+                let _ = ctp.add_trust_anchors(ta.as_bytes());
+            }
+
+            if let Ok(Some(pa)) = get_settings_value::<Option<String>>("cawg_trust.user_anchors") {
+                let _ = ctp.add_user_trust_anchors(pa.as_bytes());
+            }
+
+            if let Ok(Some(tc)) = get_settings_value::<Option<String>>("cawg_trust.trust_config") {
+                ctp.add_valid_ekus(tc.as_bytes());
+            }
+
+            if let Ok(Some(al)) = get_settings_value::<Option<String>>("cawg_trust.allowed_list") {
+                let _ = ctp.add_end_entity_credentials(al.as_bytes());
+            }
+
+            let verifier = X509SignatureVerifier {
+                cose_verifier: Verifier::VerifyTrustPolicy(Cow::Owned(ctp)),
+            };
 
             let result = verifier
                 .check_signature(&self.signer_payload, &self.signature, status_tracker)

diff --git a/sdk/src/identity/identity_assertion/built_in_signature_verifier.rs b/sdk/src/identity/identity_assertion/built_in_signature_verifier.rs
@@ -30,18 +30,18 @@ use crate::{
 
 /// A `BuiltInSignatureVerifier` is an implementation of [`SignatureVerifier`]
 /// that can read all of the signature types that are supported by this SDK.
-pub struct BuiltInSignatureVerifier {
+pub struct BuiltInSignatureVerifier<'a> {
     /// Configuration to use when an identity claims aggregation credential is
     /// presented.
     pub ica_verifier: IcaSignatureVerifier,
 
     /// Configuration to use when an X.509 credential is presented.
-    pub x509_verifier: X509SignatureVerifier,
+    pub x509_verifier: X509SignatureVerifier<'a>,
 }
 
 #[cfg_attr(not(target_arch = "wasm32"), async_trait)]
 #[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
-impl SignatureVerifier for BuiltInSignatureVerifier {
+impl SignatureVerifier for BuiltInSignatureVerifier<'_> {
     type Error = BuiltInSignatureError;
     type Output = BuiltInCredential;
 

diff --git a/sdk/src/identity/tests/examples/x509_signing.rs b/sdk/src/identity/tests/examples/x509_signing.rs
@@ -20,7 +20,7 @@ use std::io::{Cursor, Seek};
 use c2pa_macros::c2pa_test_async;
 
 use crate::{
-    crypto::raw_signature,
+    crypto::{cose::Verifier, raw_signature},
     identity::{
         builder::{AsyncIdentityAssertionBuilder, AsyncIdentityAssertionSigner},
         tests::fixtures::{cert_chain_and_private_key_for_alg, manifest_json, parent_json},
@@ -96,7 +96,10 @@ async fn x509_signing() {
     assert!(ia_iter.next().is_none());
     drop(ia_iter);
 
-    let x509_verifier = X509SignatureVerifier {};
+    let x509_verifier = X509SignatureVerifier {
+        cose_verifier: Verifier::IgnoreProfileAndTrustPolicy,
+    };
+
     let sig_info = ia
         .validate(manifest, &mut st, &x509_verifier)
         .await

diff --git a/sdk/src/identity/tests/fixtures/default_built_in_signature_verifier.rs b/sdk/src/identity/tests/fixtures/default_built_in_signature_verifier.rs
@@ -17,9 +17,9 @@ use crate::identity::{
 
 /// Create a `BuiltInSignatureVerifier` that is configured to read the
 /// credentials used in test.
-pub(crate) fn default_built_in_signature_verifier() -> BuiltInSignatureVerifier {
+pub(crate) fn default_built_in_signature_verifier<'a>() -> BuiltInSignatureVerifier<'a> {
     BuiltInSignatureVerifier {
         ica_verifier: IcaSignatureVerifier {},
-        x509_verifier: X509SignatureVerifier {},
+        x509_verifier: X509SignatureVerifier::default(),
     }
 }