
feat(xmldsig): add key resolver configuration #66

Merged: polaz merged 10 commits into main from feat/#65-key-resolver-config on Jun 28, 2026

Conversation

polaz (Member) commented Jun 27, 2026

Summary

  • Add a working configuration-driven XMLDSig key resolver, not only its configuration types.
  • Resolve embedded X.509 certificates, DSig 1.1 DER SPKI keys, and configured KeyName entries through VerifyContext.
  • Enforce signature-algorithm compatibility and optional X.509 chain policy with typed failures.
  • Exclude standalone test commits from release-plz changelogs.

Resolver behavior

DefaultKeyResolver consumes the already-parsed optional KeyInfo and declared SignatureAlgorithm, avoiding a second XML parse. Sources are tried in document order. Embedded X.509 certificates can be accepted directly or validated against configured trust anchors, verification time, and maximum path depth. Raw RSA/EC KeyValue markers remain unresolved because the current parser model does not retain their key parameters.

Release automation finding

Release-plz worked as configured for #64. PR #63 used merge-commit strategy, so every conventional commit in that branch became a separate changelog entry. One entry per PR requires squash-only repository merges. This repository setting is intentionally not changed by this PR; this PR does not add PR-title validation to CI.

Testing

  • Embedded X.509 end-to-end verification
  • DEREncodedKeyValue end-to-end verification
  • KeyName end-to-end verification
  • Untrusted-chain, malformed-key, and algorithm-mismatch fail-closed tests
  • cargo fmt --all -- --check
  • cargo check --workspace --all-features
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo nextest run --workspace --all-features (462/462)
  • cargo test --doc --workspace --all-features (3/3)
  • cargo build --workspace --all-features

Closes #65

polaz added 2 commits June 27, 2026 21:52
- Add caller-owned trust anchors and named verification keys
- Preserve documented chain policy, verification time, and depth defaults

Closes #65
- Require Conventional Commit pull request titles
- Test title validation in CI
- Exclude test-only commits from release changelogs

Refs #65
coderabbitai Bot commented Jun 27, 2026


Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: aba9ea5b-503e-4a72-92ca-97881817b173

📥 Commits

Reviewing files that changed from the base of the PR and between a1f6520 and cff8cd2.

📒 Files selected for processing (1)
  • src/xmldsig/keys.rs

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • XMLDSig verification now supports configuration-driven key resolution with trusted certificate anchors, named keys, and embedded key data, including optional certificate chain validation and time/depth controls.
    • Improved key-resolution error reporting for clearer diagnosis of algorithm mismatches and malformed embedded key material.
  • Bug Fixes
    • Verification now resolves keys using the parsed <KeyInfo> and the negotiated signature algorithm, resulting in more accurate resolver behavior and consistent failure handling.
  • Chores
    • Test-related changelog entries are now omitted instead of grouped under a testing category.

Walkthrough

Adds XMLDSig key-resolution types and resolver wiring that consume parsed KeyInfo plus signature algorithms, and changes release-plz to skip ^test commits.

Changes

XMLDSig Key Resolver

  • VerificationKey, KeyResolutionError, and KeyResolverConfig contracts (src/xmldsig/keys.rs): VerificationKey carries algorithm, SPKI bytes, and optional certificate/name data. KeyResolutionError covers algorithm mismatch, invalid certificate DER, invalid public key DER, chain validation, and system time. KeyResolverConfig defines trust anchors, named keys, chain policy, verification time, and max depth.
  • DefaultKeyResolver and SPKI validation (src/xmldsig/keys.rs): DefaultKeyResolver resolves embedded X.509, KeyName, and DEREncodedKeyValue sources from parsed KeyInfo, optionally validates X.509 chains, and checks SPKI compatibility for RSA and ECDSA keys.
  • Verification pipeline and resolver API (src/xmldsig/verify.rs): VerifyContext now parses KeyInfo conditionally, passes Option<KeyInfo> plus SignatureAlgorithm into key resolution, and maps resolver failures into DsigError::KeyResolution. Test stubs were updated to the new resolver signature.
  • xmldsig module exports (src/xmldsig/mod.rs): The keys submodule is exported and DefaultKeyResolver, KeyResolutionError, KeyResolverConfig, and VerificationKey are re-exported at the module root.

Changelog Configuration

  • Skip test commits in changelog (.release-plz.toml): The ^test commit parser now skips matching commits instead of grouping them under Testing.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • structured-world/xml-sec#32: The verification refactor around parsed KeyInfo and SignatureAlgorithm extends this earlier XMLDSig resolver pipeline work.
  • structured-world/xml-sec#47: This PR builds on parsed KeyInfo handling and resolver consumption behavior already added in src/xmldsig/verify.rs.
  • structured-world/xml-sec#63: The new resolver’s X.509 chain-validation path uses the chain-verification APIs introduced in that PR.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 54.17%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title matches the main change: a configuration-driven XMLDSig key resolver.
  • Description check: ✅ Passed. The description is on-topic and accurately summarizes the resolver and changelog changes.
  • Linked Issues check: ✅ Passed. The PR covers the linked issue's resolver API, resolution paths, chain policy, and release-plz change.
  • Out of Scope Changes check: ✅ Passed. No unrelated code changes are evident beyond the resolver implementation and release-plz update.

greptile-apps Bot commented Jun 27, 2026

Greptile Summary

This PR adds configuration-driven XMLDSig key resolution. The main changes are:

  • Added DefaultKeyResolver and KeyResolverConfig for embedded X.509, DER SPKI, and KeyName sources.
  • Wired parsed KeyInfo and SignatureAlgorithm into VerifyContext key resolution.
  • Added typed key-resolution errors and algorithm/key-type compatibility checks.
  • Exported the new resolver types from xmldsig.
  • Updated release-plz changelog parsing to skip standalone test commits.

Confidence Score: 5/5

No blocking issues were identified in the XMLDSig key resolver changes.

The changes are focused, covered by the described resolver scenarios and failure cases, and no accepted review comments remain.

T-Rex Logs

What T-Rex did

  • T-Rex ran cargo test --test key_resolver_validation on the base revision and observed a compile failure due to unresolved imports for DefaultKeyResolver, KeyResolverConfig, and VerificationKey (exit code 101).
  • T-Rex re-ran the same test on the head revision and the test suite compiled and passed 1/1 tests (exit code 0).
  • T-Rex performed an environment check for the failure-policy workflow and found cargo and rustc missing from PATH, with git present.
  • T-Rex exercised the release-plz test flow and observed that the base revision parsed a group action for Testing, while head revision parsed a skip action for the same message.

Reviews (6): Last reviewed commit: "test(xmldsig): assert malformed key vari..."

polaz (Member, Author) commented Jun 28, 2026

@coderabbitai review

coderabbitai Bot commented Jun 28, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 13-23: The pr-title job currently checks out untrusted PR code and
then runs .github/scripts/test-validate-pr-title.sh and
.github/scripts/validate-pr-title.sh, so harden the job before those steps.
Update the workflow to grant only read-only contents permissions for this job
and configure actions/checkout to avoid persisting credentials in git config.
Keep the fix scoped to the pr-title job and the checkout step so the PR-branch
scripts cannot access an unnecessarily exposed GITHUB_TOKEN.
- Line 17: The workflow currently uses the mutable actions/checkout@v7
reference, which should be pinned to an immutable commit SHA. Update the
checkout step in the CI workflow to use the full SHA for actions/checkout so the
action version cannot drift. Keep the fix localized to the checkout entry in the
workflow file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 471768ac-6c12-41e8-942c-92dfa80ee984

📥 Commits

Reviewing files that changed from the base of the PR and between 771ac22 and 7366b11.

📒 Files selected for processing (6)
  • .github/scripts/test-validate-pr-title.sh
  • .github/scripts/validate-pr-title.sh
  • .github/workflows/ci.yml
  • .release-plz.toml
  • src/xmldsig/keys.rs
  • src/xmldsig/mod.rs

polaz (Member, Author) commented Jun 28, 2026

@coderabbitai review

coderabbitai Bot commented Jun 28, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/xmldsig/keys.rs`:
- Around line 250-251: The EcdsaP384Sha384 branch in keys.rs is incorrectly
allowing a P-521 curve OID alongside P-384. Tighten the match in the
signature/public-key compatibility check so SignatureAlgorithm::EcdsaP384Sha384
only accepts the P-384 curve OID and no longer includes 1.3.132.0.35; leave the
other algorithm-to-curve branches unchanged and keep the logic centered in the
existing PublicKey::EC matching arm.
- Around line 198-202: The KeyName lookup path currently only checks
VerificationKey.algorithm before returning a cloned key, so invalid SPKI bytes
can slip through and fail later in crypto. Update the KeyName resolution flow
around the map/lookup in keys.rs to validate the named key’s SPKI bytes against
the requested algorithm before returning it, and surface any mismatch as a typed
key-resolution failure (for example by extending the existing KeyResolutionError
path) rather than handing back the misconfigured key.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f98e6bae-9631-4487-9416-146987947210

📥 Commits

Reviewing files that changed from the base of the PR and between 7366b11 and b92f618.

📒 Files selected for processing (3)
  • src/xmldsig/keys.rs
  • src/xmldsig/mod.rs
  • src/xmldsig/verify.rs
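The signature-algorithm compatibility check named in the PR summary ("Enforce signature-algorithm compatibility ... with typed failures") and the P-384/P-521 curve finding in the review comment above, as an added example in Rust (std only) that is not the xml-sec project's code: the SignatureAlgorithm and KeyResolutionError names are assumed to mirror the PR's types, and the SPKI byte strings are constructed samples, not real keys.

```rust
// Added example, not the xml-sec project's code (std only; type and function names
// assumed): the algorithm / key-type compatibility check from the review thread.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SignatureAlgorithm { RsaSha256, EcdsaP384Sha384 }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyResolutionError { InvalidPublicKey, AlgorithmMismatch }
pub const OID_RSA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]; // rsaEncryption
pub const OID_EC: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]; // id-ecPublicKey
pub const OID_P384: &[u8] = &[0x2b, 0x81, 0x04, 0x00, 0x22]; // secp384r1, 1.3.132.0.34
pub const OID_P521: &[u8] = &[0x2b, 0x81, 0x04, 0x00, 0x23]; // secp521r1, 1.3.132.0.35
// Constructed sample SPKIs (not real keys): the BIT STRING carries placeholder bytes.
pub const SPKI_P384: &[u8] = &[0x30, 0x17, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x03, 0x00, 0x04, 0x00];
pub const SPKI_P521: &[u8] = &[0x30, 0x17, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
    0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x03, 0x00, 0x04, 0x00];
/// One DER TLV (short or 1-2 byte long-form length): (tag, value, remaining input).
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&l0, rest) = rest.split_first()?;
    let (len, rest) = if l0 < 0x80 { (l0 as usize, rest) } else {
        let n = (l0 & 0x7f) as usize;
        if n == 0 || n > 2 || rest.len() < n { return None; }
        (rest[..n].iter().fold(0, |acc, &b| (acc << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}
/// SPKI ::= SEQUENCE { SEQUENCE { OID algorithm, params }, BIT STRING }. Returns the algorithm
/// OID plus the named-curve OID when params is an OID; any structural defect is a malformed key.
fn spki_algorithm(spki: &[u8]) -> Result<(&[u8], Option<&[u8]>), KeyResolutionError> {
    let bad = KeyResolutionError::InvalidPublicKey;
    let (tag, body, trailing) = tlv(spki).ok_or(bad)?;
    if tag != 0x30 || !trailing.is_empty() { return Err(bad); }
    let (tag, alg_id, key_bits) = tlv(body).ok_or(bad)?;
    match tlv(key_bits) { Some((0x03, _, r)) if tag == 0x30 && r.is_empty() => {} _ => return Err(bad) }
    let (_, alg_oid, params) = tlv(alg_id).filter(|t| t.0 == 0x06).ok_or(bad)?;
    let curve = match tlv(params) { Some((0x06, oid, _)) => Some(oid), _ => None };
    Ok((alg_oid, curve))
}
/// Fail closed: the declared algorithm must match the key type and, for ECDSA, the
/// exact named curve (EcdsaP384Sha384 takes P-384 only; a P-521 key is rejected).
pub fn check_compatibility(alg: SignatureAlgorithm, spki: &[u8]) -> Result<(), KeyResolutionError> {
    let (key_alg, curve) = spki_algorithm(spki)?;
    let ok = match alg {
        SignatureAlgorithm::RsaSha256 => key_alg == OID_RSA && curve.is_none(),
        SignatureAlgorithm::EcdsaP384Sha384 => key_alg == OID_EC && curve == Some(OID_P384),
    };
    if ok { Ok(()) } else { Err(KeyResolutionError::AlgorithmMismatch) }
}
```

Malformed input (truncation, trailing bytes, wrong tags) surfaces as InvalidPublicKey rather than AlgorithmMismatch, which is the typed-error distinction the later review comments ask for.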

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/xmldsig/keys.rs`:
- Line 202: The named-key path in keys::validate should not surface malformed
SPKI as InvalidCertificate; instead, update the validation around
validate_spki_algorithm for configured public_key_bytes so malformed <KeyName>
and DEREncodedKeyValue inputs map to a public-key parse error. Adjust the typed
resolver API’s error handling in this flow so certificate-specific failures are
only used for real certificates, and keep the named-key parsing path distinct
via the relevant resolver/validation helpers in src/xmldsig/keys.rs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2510f89d-ccb4-4ea4-a525-4368ef3789a3

📥 Commits

Reviewing files that changed from the base of the PR and between b92f618 and 48a0a13.

📒 Files selected for processing (1)
  • src/xmldsig/keys.rs

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/xmldsig/keys.rs`:
- Around line 480-483: The test currently asserts the Display text for the key
resolution failure, but it should verify the typed error contract instead.
Update the assertion in the test around KeyResolutionError handling to match the
KeyResolutionError::InvalidPublicKey variant rather than comparing
error.to_string(), using the same error-producing path in keys.rs so the test
stays stable against wrapper text changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6ac27ea9-6370-42bb-b552-f703913dc59e

📥 Commits

Reviewing files that changed from the base of the PR and between 48a0a13 and a1f6520.

📒 Files selected for processing (1)
  • src/xmldsig/keys.rs

polaz (Member, Author) commented Jun 28, 2026

@coderabbitai review

coderabbitai Bot commented Jun 28, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@polaz polaz merged commit 400410b into main Jun 28, 2026
9 of 10 checks passed
@polaz polaz deleted the feat/#65-key-resolver-config branch June 28, 2026 20:19