diff --git a/internal/pkcs7/certrep_test.go b/internal/pkcs7/certrep_test.go
index 50c4b3f..030f8b3 100644
--- a/internal/pkcs7/certrep_test.go
+++ b/internal/pkcs7/certrep_test.go
@@ -242,6 +242,3 @@ func selfSignedCertPEM(t *testing.T, cn string) string {
 // testRand returns the system random source. Wrapped here so tests can be
 // adapted to a deterministic source if golden-file tests need it later.
 func testRand() io.Reader { return rand.Reader }
-
-func nowMinus1Hour() time.Time { return time.Now().Add(-time.Hour) }
-func nowPlus30Days() time.Time { return time.Now().Add(30 * 24 * time.Hour) }
diff --git a/internal/pkcs7/envelopeddata.go b/internal/pkcs7/envelopeddata.go
index ed37c14..8f05d04 100644
--- a/internal/pkcs7/envelopeddata.go
+++ b/internal/pkcs7/envelopeddata.go
@@ -75,12 +75,13 @@ var (
 	OIDDESEDE3CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7}
 )
 
-// Sentinel decryption error. The caller (handler / service) maps this to
-// SCEPFailBadMessageCheck per RFC 8894 §3.3.2.2 + §3.2.2 (integrity-check
-// failure semantics). The error text is intentionally generic so the
-// padding-oracle / Bleichenbacher leak surfaces are closed: every failure
-// mode (RSA decrypt failure, content decrypt failure, padding malformed,
-// unknown algorithm) returns the SAME error message text.
+// ErrEnvelopedDataDecrypt is the sentinel decryption error. The caller
+// (handler / service) maps this to SCEPFailBadMessageCheck per RFC 8894
+// §3.3.2.2 + §3.2.2 (integrity-check failure semantics). The error text
+// is intentionally generic so the padding-oracle / Bleichenbacher leak
+// surfaces are closed: every failure mode (RSA decrypt failure, content
+// decrypt failure, padding malformed, unknown algorithm) returns the SAME
+// error message text.
 var ErrEnvelopedDataDecrypt = errors.New("envelopedData: decrypt failed")
 
 // EnvelopedData is the parsed RFC 5652 EnvelopedData structure ready for
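Review bot: The rewritten doc comment on ErrEnvelopedDataDecrypt still claims that a uniform error string means "the padding-oracle / Bleichenbacher leak surfaces are closed", which overstates what identical text buys: an attacker can also distinguish an RSA decrypt failure from a content-decrypt or padding failure by timing, because each mode exits at a different point. I would soften the last sentence so the next maintainer does not treat the message text as the whole mitigation, e.g. `// error message text. Uniform text closes only the error-message channel;` / `// the decrypt path must also keep the failure modes timing-indistinguishable` / `// (e.g. continue with a random session key after an RSA failure).` Whether the decrypt path already does this (for instance via rsa.DecryptPKCS1v15SessionKey) is not visible in this hunk, so the comment should either point to where it is handled or say it is a separate concern. The surrounding `var (` block starts outside the hunk.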