Skip to content

test(xmldsig): auto-resolve donor KeyInfo vectors #71

Description

@polaz

Problem

P2-009a requires supported Aleksey and Merlin XMLDSig vectors to verify through DefaultKeyResolver without a preset PEM key. Embedded X.509 resolution is wired, but the donor suite still supplies preset keys and selector-only X509Data cannot search configured certificates, leaving the Aleksey X509Digest vector skipped.

Implementation

  • Match selector-only X509Data against caller-provided trusted_certs by X509Digest, SubjectName, IssuerSerial, and SKI.
  • Keep ordered KeyInfo resolution and signature-algorithm validation fail-closed.
  • Add the Aleksey RSA X.509 chain vector and required anchor through a reproducible fixture import process.
  • Verify supported embedded-certificate and embedded-chain donor vectors with DefaultKeyResolver, without VerifyContext::key or preset PEM helpers.
  • Update donor pass/skip accounting so only genuinely unsupported DSA and weak-key vectors remain skipped.

Acceptance criteria

  • The Aleksey X509Digest-only RSA-SHA512 vector resolves from configured certificates and verifies.
  • Embedded RSA X509Data vectors verify without preset keys.
  • The Aleksey embedded RSA chain verifies in TOFU mode and with chain validation against its configured root.
  • Non-matching selectors and algorithm-incompatible certificates do not resolve.
  • cargo check, clippy, all-feature build, nextest, and doctests pass.

Estimate

2d including resolver implementation, fixture import, donor integration tests, full validation, and review overhead.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions