fn verify_ecdsa_p256(
canonical_bytes: &[u8],
signature: &[u8],
public_b64: &str,
) -> Result<(), VerifyError>Expand description
FOOTGUN: TPM2_Sign emits ~50% high-s ECDSA signatures; we MUST normalise to low-s before verifying or every other signature fails as BadSignature.