Problem
Signing needs a deterministic pure-Rust way to construct schema-valid XMLDSig Signature templates. The documented SignatureBuilder contract directly contains ReferenceBuilder values, so P2-010 and P2-011 must be delivered together.
Implementation
- Add SignatureBuilder and ReferenceBuilder public APIs using existing algorithm and transform types.
- Serialize namespace-correct XML with quick-xml.
- Enforce at least one reference and reject verify-only SHA-1 algorithms for signing templates.
- Preserve reference and transform insertion order.
- Support optional namespace prefix, Signature Id, Reference URI/Id/Type, and KeyInfo placeholder.
- Add parse-back, escaping, ordering, validation, and error-path tests.
- Update semver-compatible Rust dependencies in a separate commit.
Acceptance criteria
- Generated templates have XMLDSig namespace and required child ordering.
- Every Reference contains DigestMethod and empty DigestValue; Transforms remain ordered.
- Invalid XML prefixes, zero references, and SHA-1 signing algorithms fail explicitly.
- Unit, integration, doctest, clippy, check, and all-feature build are green.
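A minimal sketch of the template shape and rejection rules listed above, added here as an illustration and not the project's SignatureBuilder/ReferenceBuilder code. It uses std string formatting instead of quick-xml, and every name in it (build_template, Reference, Error, the suffix-based SHA-1 check, the ASCII-only prefix rule) is an assumption.

```rust
// Added illustration: hypothetical names, std only (no quick-xml), not the project's API.
const DSIG_NS: &str = "http://www.w3.org/2000/09/xmldsig#";
const EXC_C14N: &str = "http://www.w3.org/2001/10/xml-exc-c14n#";
const RSA_SHA256: &str = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
const SHA256: &str = "http://www.w3.org/2001/04/xmlenc#sha256";
#[derive(Debug, PartialEq)]
pub enum Error { NoReferences, Sha1, BadPrefix }
pub struct Reference { pub uri: String, pub transforms: Vec<String>, pub digest_alg: String }
// Escape characters that would break out of a double-quoted attribute value.
fn esc(s: &str) -> String { s.replace('&', "&amp;").replace('<', "&lt;").replace('"', "&quot;") }
fn is_sha1(alg: &str) -> bool { alg.ends_with("sha1") } // simplified: SHA-1 URIs end in "sha1"
// ASCII subset of the XML NCName rule, enough to keep a prefix from injecting markup.
fn valid_prefix(s: &str) -> bool {
    let mut c = s.chars();
    matches!(c.next(), Some(f) if f.is_ascii_alphabetic() || f == '_')
        && c.all(|ch| ch.is_ascii_alphanumeric() || "-_.".contains(ch))
}

pub fn build_template(prefix: Option<&str>, c14n: &str, sig_alg: &str,
                      refs: &[Reference]) -> Result<String, Error> {
    if refs.is_empty() { return Err(Error::NoReferences); }
    if is_sha1(sig_alg) || refs.iter().any(|r| is_sha1(&r.digest_alg)) { return Err(Error::Sha1); }
    let (p, xmlns) = match prefix {
        None => (String::new(), "xmlns".to_string()),
        Some(s) if valid_prefix(s) => (format!("{s}:"), format!("xmlns:{s}")),
        Some(_) => return Err(Error::BadPrefix),
    };
    // Child order required by the XMLDSig schema: SignedInfo, then SignatureValue.
    let mut x = format!("<{p}Signature {xmlns}=\"{DSIG_NS}\"><{p}SignedInfo>");
    x += &format!("<{p}CanonicalizationMethod Algorithm=\"{}\"/>", esc(c14n));
    x += &format!("<{p}SignatureMethod Algorithm=\"{}\"/>", esc(sig_alg));
    for r in refs { // insertion order preserved
        x += &format!("<{p}Reference URI=\"{}\">", esc(&r.uri));
        if !r.transforms.is_empty() { // schema requires >= 1 Transform inside Transforms
            x += &format!("<{p}Transforms>");
            for t in &r.transforms { x += &format!("<{p}Transform Algorithm=\"{}\"/>", esc(t)); }
            x += &format!("</{p}Transforms>");
        }
        x += &format!("<{p}DigestMethod Algorithm=\"{}\"/><{p}DigestValue/></{p}Reference>",
                      esc(&r.digest_alg));
    }
    x += &format!("</{p}SignedInfo><{p}SignatureValue/></{p}Signature>");
    Ok(x)
}
fn main() { // constructed sample input
    let r = Reference { uri: "#doc".into(), transforms: vec![], digest_alg: SHA256.into() };
    println!("{:?}", build_template(Some("ds"), EXC_C14N, RSA_SHA256, &[r]));
}
```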
Estimate
3d 4h (implementation 2d, tests/docs 1d, review overhead 4h)
Roadmap: P2-010, P2-011