Skip to content

feat(xmldsig): parse ECKeyValue parameters #69

Description

@polaz

Problem

<dsig11:ECKeyValue> is currently recognized only as a marker. Its named curve and public point are discarded, so DefaultKeyResolver cannot verify signatures that provide an embedded EC key without a certificate or preset key.

Implementation

  • Parse ordered <dsig11:NamedCurve URI="..."> and <dsig11:PublicKey> children under <dsig11:ECKeyValue>.
  • Support named-curve OIDs for P-256 (1.2.840.10045.3.1.7) and P-384 (1.3.132.0.34), accepting the XMLDSig urn:oid: URI form.
  • Decode bounded PublicKey CryptoBinary as an uncompressed SEC1 point (0x04 || x || y).
  • Preserve parsed EC key material in KeyValueInfo and resolve it through DefaultKeyResolver by constructing validated SubjectPublicKeyInfo DER.
  • Reject malformed, missing, reordered, duplicated, unsupported, wrong-namespace, non-uncompressed, empty, and oversized ECKeyValue inputs with typed processing errors.
  • Verify donor xmldsig11-interop-2012 ECKeyValue signatures end-to-end without a preset key.

Acceptance criteria

  • Valid P-256 and P-384 ECKeyValue inputs preserve exact curve OID and SEC1 public point bytes.
  • ds:ECKeyValue remains unsupported; only the XMLDSig 1.1 namespace is accepted.
  • ECParameters is rejected as unsupported, matching xmlsec donor behavior.
  • ECDSA signatures with embedded ECKeyValue verify via DefaultKeyResolver.
  • RSA methods reject ECKeyValue with algorithm mismatch or no suitable key, not accidental fallback.
  • cargo check, clippy, nextest, doctests, and all-feature build pass.

Estimate

2d including parser/resolver implementation, donor end-to-end tests, review overhead, and documentation update if needed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions