microsoft · JeromySt · Apr 3, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 3, 2026
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -155,14 +155,29 @@ jobs:
 
     - name: Rust format check
       shell: pwsh
+      working-directory: native/rust
       run: |
-        cargo fmt --manifest-path native/rust/Cargo.toml --all -- --check
+        # Per-package to avoid Windows OS error 206 (command line too long)
+        $members = (cargo metadata --no-deps --format-version 1 | ConvertFrom-Json).packages.name
+        foreach ($pkg in $members) {
+          cargo fmt -p $pkg -- --check
+          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+        }
+        # FFI crates with test=false exclude test files from cargo fmt.
+        # Check them directly with rustfmt.
+        Get-ChildItem -Path . -Filter '*.rs' -Recurse |
+          Where-Object { $_.FullName -match 'ffi[\\/]tests[\\/]' } |
+          ForEach-Object {
+            rustfmt --check $_.FullName
+            if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
+          }
 
     - name: Rust clippy
       shell: pwsh
+      working-directory: native/rust
       run: |
         $env:PATH = "$env:VCPKG_ROOT\installed\x64-windows\bin;$env:PATH"
-        cargo clippy --manifest-path native/rust/Cargo.toml --workspace -- -D warnings
+        cargo clippy --workspace -- -D warnings
 
     - name: Setup Rust (nightly, for coverage)
       uses: dtolnay/rust-toolchain@nightly
@@ -186,23 +201,24 @@ jobs:
 
     - name: Build Rust workspace
       shell: pwsh
+      working-directory: native/rust
       run: |
         $env:PATH = "$env:VCPKG_ROOT\installed\x64-windows\bin;$env:PATH"
-        cargo build --manifest-path native/rust/Cargo.toml --workspace --exclude cose-openssl
+        cargo build --workspace --exclude cose-openssl
 
     - name: Test Rust workspace
       shell: pwsh
+      working-directory: native/rust
       run: |
         $env:PATH = "$env:VCPKG_ROOT\installed\x64-windows\bin;$env:PATH"
-        cargo test --manifest-path native/rust/Cargo.toml --workspace --exclude cose-openssl
+        cargo test --workspace --exclude cose-openssl
 
     - name: Rust coverage (90% line gate)
       shell: pwsh
+      working-directory: native/rust
       run: |
         $env:PATH = "$env:VCPKG_ROOT\installed\x64-windows\bin;$env:PATH"
-        Push-Location native/rust
         pwsh -NoProfile -File collect-coverage.ps1 -NoHtml
-        Pop-Location
 
   # ── Native C/C++: build, test, coverage (ASAN) ────────────────────
   native-c-cpp:

diff --git a/native/c/include/cose/crypto/openssl.h b/native/c/include/cose/crypto/openssl.h
@@ -95,6 +95,22 @@ cose_status_t cose_crypto_openssl_signer_from_der(
     cose_crypto_signer_t** out_signer
 );
 
+/**
+ * @brief Creates a signer from a PEM-encoded private key
+ *
+ * @param provider Provider handle
+ * @param private_key_pem Pointer to PEM-encoded private key bytes
+ * @param len Length of private key data in bytes
+ * @param out_signer Output pointer to receive the signer handle
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_crypto_openssl_signer_from_pem(
+    const cose_crypto_provider_t* provider,
+    const uint8_t* private_key_pem,
+    size_t len,
+    cose_crypto_signer_t** out_signer
+);
+
 /**
  * @brief Sign data using the given signer
  * 
@@ -148,6 +164,22 @@ cose_status_t cose_crypto_openssl_verifier_from_der(
     cose_crypto_verifier_t** out_verifier
 );
 
+/**
+ * @brief Creates a verifier from a PEM-encoded public key
+ *
+ * @param provider Provider handle
+ * @param public_key_pem Pointer to PEM-encoded public key bytes
+ * @param len Length of public key data in bytes
+ * @param out_verifier Output pointer to receive the verifier handle
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_crypto_openssl_verifier_from_pem(
+    const cose_crypto_provider_t* provider,
+    const uint8_t* public_key_pem,
+    size_t len,
+    cose_crypto_verifier_t** out_verifier
+);
+
 /**
  * @brief Verify a signature using the given verifier
  *