Problem
<dsig11:ECKeyValue> is currently recognized only as a marker. Its named curve and public point are discarded, so DefaultKeyResolver cannot verify signatures that provide an embedded EC key without a certificate or preset key.
Implementation
- Parse the ordered <dsig11:NamedCurve URI="..."> and <dsig11:PublicKey> children under <dsig11:ECKeyValue>.
- Support the named-curve OIDs for P-256 (1.2.840.10045.3.1.7) and P-384 (1.3.132.0.34), accepting the XMLDSig urn:oid: URI form.
- Decode the size-bounded PublicKey CryptoBinary as an uncompressed SEC1 point (0x04 || x || y).
- Preserve the parsed EC key material in KeyValueInfo and resolve it through DefaultKeyResolver by constructing validated SubjectPublicKeyInfo DER.
- Reject malformed, missing, reordered, duplicated, unsupported, wrong-namespace, non-uncompressed, empty, and oversized ECKeyValue inputs with typed processing errors.
- Verify the donor xmldsig11-interop-2012 ECKeyValue signatures end-to-end without a preset key.
Acceptance criteria
- Valid P-256 and P-384 ECKeyValue inputs preserve the exact curve OID and SEC1 public point bytes.
- ds:ECKeyValue remains unsupported; only the XMLDSig 1.1 namespace is accepted.
- ECParameters is rejected as unsupported, matching xmlsec donor behavior.
- ECDSA signatures with an embedded ECKeyValue verify via DefaultKeyResolver.
- RSA signature methods reject an embedded ECKeyValue with an algorithm-mismatch or no-suitable-key error rather than silently falling back to another key.
- cargo check, clippy, nextest, doctests, and the all-feature build pass.
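The following is an added worked example covering both the Implementation steps and the Acceptance criteria above; it is not the project's own code. It assumes the XML layer has already produced the ordered child elements of <dsig11:ECKeyValue>, so the Child type, the error variants, the CryptoBinary size bound and the function names are all hypothetical. It maps the NamedCurve URI to a curve OID, decodes the CryptoBinary with a strict std-only base64 decoder, enforces the uncompressed-point and length rules, and emits the SubjectPublicKeyInfo DER a key resolver would hand to an ECDSA verifier.

```rust
// Added illustration of this ticket's ECKeyValue rules, not the project's own code. XML parsing is
// assumed done; `Child`, the error variants, the size bound and all function names are hypothetical.
pub const DSIG11_NS: &str = "http://www.w3.org/2009/xmldsig11#";
const MAX_CRYPTOBINARY_CHARS: usize = 256; // hypothetical bound; a P-384 point needs 132

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Curve { P256, P384 }
impl Curve {
    fn from_named_curve_uri(uri: &str) -> Option<Curve> {
        match uri.strip_prefix("urn:oid:")? {
            "1.2.840.10045.3.1.7" => Some(Curve::P256), "1.3.132.0.34" => Some(Curve::P384), _ => None,
        }
    }
    /// DER content octets of the curve OID (prime256v1 / secp384r1).
    fn oid_der(self) -> &'static [u8] {
        match self {
            Curve::P256 => &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07],
            Curve::P384 => &[0x2b, 0x81, 0x04, 0x00, 0x22],
        }
    }
    fn coord_len(self) -> usize { match self { Curve::P256 => 32, Curve::P384 => 48 } }
}
#[derive(Debug, PartialEq, Eq)]
pub enum EcKeyValueError {
    WrongNamespace(String), UnsupportedElement(String), DuplicateChild(String), MissingChild(&'static str),
    ReorderedChildren, UnsupportedCurve(String), EmptyPublicKey, OversizedPublicKey(usize),
    MalformedBase64, NotUncompressedPoint, WrongPointLength { expected: usize, actual: usize },
}
/// One child of <dsig11:ECKeyValue> as an XML parser would hand it over (assumed shape).
#[derive(Clone, Copy)]
pub struct Child<'a> { pub ns: &'a str, pub local: &'a str, pub uri_attr: Option<&'a str>, pub text: &'a str }
#[derive(Debug, PartialEq, Eq)]
pub struct EcKeyValue { pub curve: Curve, pub point: Vec<u8> }

pub fn parse_ec_key_value(children: &[Child]) -> Result<EcKeyValue, EcKeyValueError> {
    use EcKeyValueError::*;
    let (mut named_curve, mut public_key): (Option<(usize, &Child)>, Option<(usize, &Child)>) = (None, None);
    for (i, c) in children.iter().enumerate() {
        if c.ns != DSIG11_NS { return Err(WrongNamespace(c.ns.to_string())); }
        let slot = match c.local {
            "NamedCurve" => &mut named_curve,
            "PublicKey" => &mut public_key,
            other => return Err(UnsupportedElement(other.to_string())), // ECParameters lands here
        };
        if slot.is_some() { return Err(DuplicateChild(c.local.to_string())); }
        *slot = Some((i, c));
    }
    let (nc_idx, nc) = named_curve.ok_or(MissingChild("NamedCurve"))?;
    let (pk_idx, pk) = public_key.ok_or(MissingChild("PublicKey"))?;
    if pk_idx < nc_idx { return Err(ReorderedChildren); } // schema order: NamedCurve, then PublicKey
    let uri = nc.uri_attr.ok_or(MissingChild("NamedCurve/@URI"))?;
    let curve = Curve::from_named_curve_uri(uri).ok_or_else(|| UnsupportedCurve(uri.to_string()))?;
    let b64: String = pk.text.chars().filter(|c| !c.is_ascii_whitespace()).collect();
    if b64.is_empty() { return Err(EmptyPublicKey); }
    if b64.len() > MAX_CRYPTOBINARY_CHARS { return Err(OversizedPublicKey(b64.len())); }
    let point = base64_decode(&b64).ok_or(MalformedBase64)?;
    if point.first() != Some(&0x04) { return Err(NotUncompressedPoint); } // compressed/hybrid forms rejected
    let expected = 1 + 2 * curve.coord_len();
    if point.len() != expected { return Err(WrongPointLength { expected, actual: point.len() }); }
    Ok(EcKeyValue { curve, point })
}

/// Strict std-only base64 decoder: None on bad length, bad alphabet or misplaced padding.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let val = |c: u8| -> Option<u32> { Some(u32::from(match c {
        b'A'..=b'Z' => c - b'A', b'a'..=b'z' => c - b'a' + 26, b'0'..=b'9' => c - b'0' + 52,
        b'+' => 62, b'/' => 63, _ => return None,
    })) };
    let (bytes, mut out) = (s.as_bytes(), Vec::new());
    if bytes.len() % 4 != 0 { return None; }
    for (i, chunk) in bytes.chunks(4).enumerate() {
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        if pad > 2 || (pad > 0 && i + 1 != bytes.len() / 4) { return None; }
        let mut acc = 0u32;
        for &b in &chunk[..4 - pad] { acc = (acc << 6) | val(b)?; }
        acc <<= 6 * pad;
        out.extend_from_slice(&[(acc >> 16) as u8, (acc >> 8) as u8, acc as u8][..3 - pad]);
    }
    Some(out)
}

fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> { // short-form length: all content here is < 128 bytes
    assert!(content.len() < 0x80);
    [&[tag, content.len() as u8][..], content].concat()
}
/// SubjectPublicKeyInfo: SEQ { SEQ { id-ecPublicKey, curve OID }, BIT STRING { 0x00, point } }.
pub fn to_spki_der(key: &EcKeyValue) -> Vec<u8> {
    let alg = [der_tlv(0x06, &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]), der_tlv(0x06, key.curve.oid_der())].concat();
    let bits = [&[0u8][..], key.point.as_slice()].concat(); // leading 0x00: no unused bits
    der_tlv(0x30, &[der_tlv(0x30, &alg), der_tlv(0x03, &bits)].concat())
}

fn main() {
    // Constructed sample, not a real key: P-256 point 0x04 followed by 64 bytes of 0x01.
    let b64 = format!("BAEB{}AQE=", "AQEB".repeat(20));
    let key = parse_ec_key_value(&[
        Child { ns: DSIG11_NS, local: "NamedCurve", uri_attr: Some("urn:oid:1.2.840.10045.3.1.7"), text: "" },
        Child { ns: DSIG11_NS, local: "PublicKey", uri_attr: None, text: &b64 },
    ]).expect("valid P-256 ECKeyValue");
    println!("{:?}: SPKI DER is {} bytes", key.curve, to_spki_der(&key).len());
}
```

The order and duplicate checks run before any decoding so that a reordered or doubled child is reported as a structural error rather than surfacing as a confusing length mismatch, and the size bound is applied to the base64 text before decoding so an oversized blob never reaches the decoder. Because the point length is validated against the curve before DER construction, every TLV in the resulting SubjectPublicKeyInfo fits the short-form length encoding (91 bytes for P-256, 120 for P-384), which is what a resolver can hand directly to an ECDSA verifier.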
Estimate
2d including parser/resolver implementation, donor end-to-end tests, review overhead, and documentation update if needed.