Problem
P2-009a requires supported Aleksey and Merlin XMLDSig vectors to verify through DefaultKeyResolver without a preset PEM key. Embedded X.509 resolution is wired, but the donor suite still supplies preset keys and selector-only X509Data cannot search configured certificates, leaving the Aleksey X509Digest vector skipped.
Implementation
- Match selector-only X509Data against caller-provided trusted_certs by X509Digest, SubjectName, IssuerSerial, and SKI.
- Keep ordered KeyInfo resolution and signature-algorithm validation fail-closed.
- Add the Aleksey RSA X.509 chain vector and required anchor through a reproducible fixture import process.
- Verify supported embedded-certificate and embedded-chain donor vectors with DefaultKeyResolver, without VerifyContext::key or preset PEM helpers.
- Update donor pass/skip accounting so only genuinely unsupported DSA and weak-key vectors remain skipped.
Acceptance criteria
- The Aleksey X509Digest-only RSA-SHA512 vector resolves from configured certificates and verifies.
- Embedded RSA X509Data vectors verify without preset keys.
- The Aleksey embedded RSA chain verifies in TOFU mode and with chain validation against its configured root.
- Non-matching selectors and algorithm-incompatible certificates do not resolve.
- cargo check, clippy, all-feature build, nextest, and doctests pass.
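
A sketch of the selector matching and fail-closed behaviour listed under Implementation and Acceptance criteria, added here as an example and not code from this project. `TrustedCert`, `Selector`, `KeyAlg`, `resolve` and the sample store are hypothetical; it assumes certificate fields are pre-extracted with normalized DNs, that every selector in one X509Data must match the same certificate, and that an ambiguous match is rejected.

```rust
// Added illustration: all type and function names are hypothetical, not the crate's API.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum KeyAlg { Rsa, Ec }
// Fields assumed to be pre-extracted from each certificate in trusted_certs.
pub struct TrustedCert {
    pub subject: &'static str, pub issuer: &'static str, // normalized DNs
    pub serial: &'static str,                            // decimal serial number
    pub ski: &'static [u8], pub digest: &'static [u8],   // SKI bytes; digest of the DER encoding
    pub alg: KeyAlg,
}

pub enum Selector<'a> {
    Digest(&'a [u8]),
    SubjectName(&'a str),
    IssuerSerial { issuer: &'a str, serial: &'a str },
    Ski(&'a [u8]),
}
fn matches(c: &TrustedCert, s: &Selector) -> bool {
    match s {
        Selector::Digest(d) => !d.is_empty() && c.digest == *d,
        Selector::SubjectName(n) => c.subject == *n,
        Selector::IssuerSerial { issuer, serial } => c.issuer == *issuer && c.serial == *serial,
        Selector::Ski(k) => !k.is_empty() && c.ski == *k,
    }
}

/// Index of the one certificate that satisfies every selector and the signature algorithm.
pub fn resolve(store: &[TrustedCert], sels: &[Selector], needed: KeyAlg) -> Option<usize> {
    if sels.is_empty() { return None; } // no selector must never mean "any configured certificate"
    let mut hits = store.iter().enumerate()
        .filter(|(_, c)| c.alg == needed && sels.iter().all(|s| matches(c, s)))
        .map(|(i, _)| i);
    match (hits.next(), hits.next()) {
        (Some(i), None) => Some(i),
        _ => None, // no match, or an ambiguous one: fail closed
    }
}

// Constructed sample store; entries 0 and 2 share a subject (a renewed certificate).
pub const A: &str = "CN=Signer A,O=Example";
pub const ROOT: &str = "CN=Example Root";
pub static STORE: [TrustedCert; 3] = [
    TrustedCert { subject: A, issuer: ROOT, serial: "4097", ski: &[0xA1], digest: &[0x11, 0x12], alg: KeyAlg::Rsa },
    TrustedCert { subject: "CN=Signer B,O=Example", issuer: ROOT, serial: "4098", ski: &[0xB1], digest: &[0x21, 0x22], alg: KeyAlg::Ec },
    TrustedCert { subject: A, issuer: ROOT, serial: "4099", ski: &[0xC1], digest: &[0x31, 0x32], alg: KeyAlg::Rsa },
];
fn main() {
    println!("{:?}", resolve(&STORE, &[Selector::Digest(&[0x11, 0x12])], KeyAlg::Rsa));
}
```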
Estimate
2d including resolver implementation, fixture import, donor integration tests, full validation, and review overhead.