feat: add XMLDSig signature builders #73

Description

@polaz

Problem

Signing needs a deterministic pure-Rust way to construct schema-valid XMLDSig Signature templates. The documented SignatureBuilder contract directly contains ReferenceBuilder values, so P2-010 and P2-011 must be delivered together.

Implementation

  • Add SignatureBuilder and ReferenceBuilder public APIs using existing algorithm and transform types.
  • Serialize namespace-correct XML with quick-xml.
  • Enforce at least one reference and reject verify-only SHA-1 algorithms for signing templates.
  • Preserve reference and transform insertion order.
  • Support optional namespace prefix, Signature Id, Reference URI/Id/Type, and KeyInfo placeholder.
  • Add parse-back, escaping, ordering, validation, and error-path tests.
  • Update semver-compatible Rust dependencies in a separate commit.

Acceptance criteria

  • Generated templates have XMLDSig namespace and required child ordering.
  • Every Reference contains DigestMethod and empty DigestValue; Transforms remain ordered.
  • Invalid XML prefixes, zero references, and SHA-1 signing algorithms fail explicitly.
  • Unit, integration, doctest, clippy, check, and all-feature build are green.

Estimate

3d 4h (implementation 2d, tests/docs 1d, review overhead 4h)

Roadmap: P2-010, P2-011
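An added sketch, not part of the issue or the project's code, of the checks and child ordering listed in the acceptance criteria. It builds the template with std-only string formatting rather than quick-xml and omits prefix, Id and KeyInfo support; `RefSpec`, `signature_template` and the SHA-1 suffix test are hypothetical names and assumptions.

```rust
// Added sketch (std only). All names are hypothetical, not the crate's API.
const DSIG_NS: &str = "http://www.w3.org/2000/09/xmldsig#";

pub struct RefSpec<'a> {
    pub uri: &'a str,
    pub transforms: Vec<&'a str>, // algorithm URIs, kept in insertion order
    pub digest_alg: &'a str,
}

// Escape characters that are unsafe inside a double-quoted attribute value.
fn esc(s: &str) -> String {
    s.replace('&', "&amp;").replace('<', "&lt;").replace('"', "&quot;")
}

// Assumption: SHA-1 algorithm URIs end in "#sha1" (digest) or "-sha1" (signature).
fn is_sha1(alg: &str) -> bool {
    alg.ends_with("#sha1") || alg.ends_with("-sha1")
}

pub fn signature_template(c14n: &str, sig_alg: &str, refs: &[RefSpec]) -> Result<String, String> {
    if refs.is_empty() {
        return Err("at least one Reference is required".into());
    }
    if is_sha1(sig_alg) || refs.iter().any(|r| is_sha1(r.digest_alg)) {
        return Err("SHA-1 is verify-only and cannot be used in a signing template".into());
    }
    // Child order: SignedInfo(CanonicalizationMethod, SignatureMethod, Reference+), SignatureValue.
    let mut x = format!("<Signature xmlns=\"{}\"><SignedInfo>", DSIG_NS);
    x += &format!("<CanonicalizationMethod Algorithm=\"{}\"/>", esc(c14n));
    x += &format!("<SignatureMethod Algorithm=\"{}\"/>", esc(sig_alg));
    for r in refs {
        x += &format!("<Reference URI=\"{}\">", esc(r.uri));
        if !r.transforms.is_empty() {
            x += "<Transforms>";
            for t in &r.transforms {
                x += &format!("<Transform Algorithm=\"{}\"/>", esc(t));
            }
            x += "</Transforms>";
        }
        x += &format!("<DigestMethod Algorithm=\"{}\"/><DigestValue/></Reference>", esc(r.digest_alg));
    }
    x += "</SignedInfo><SignatureValue/></Signature>"; // values stay empty for the signer
    Ok(x)
}

fn main() {
    let sha256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    let r = RefSpec { uri: "", transforms: vec!["http://www.w3.org/2000/09/xmldsig#enveloped-signature"], digest_alg: sha256 };
    println!("{:?}", signature_template("http://www.w3.org/2001/10/xml-exc-c14n#", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", &[r]));
}
```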
