Problem
Signing templates can emit an empty <KeyInfo/> placeholder, but SignContext
does not yet have a writer hook to populate it. SAML IdP signing needs embedded
X.509 certificate material so verifiers can resolve the public key from the
signature document.
Solution
Implement P2-018 from the roadmap:
- Add a
KeyInfoWriter trait used by signing.
- Add an X.509 certificate writer that emits
<X509Data>/<X509Certificate> with
base64 DER certificate content.
- Wire
SignContext so sign_template() and sign_with_builder() populate the
direct <Signature>/<KeyInfo> placeholder when a writer is configured.
- Preserve XMLDSig child order:
SignedInfo, SignatureValue, optional
KeyInfo, then Object*.
- Keep
KeyInfo outside SignedInfo so canonicalized signed bytes and digest
computation are unaffected by writer output.
Acceptance Criteria
- Signing with a builder that includes
key_info(true) can write an embedded
X.509 certificate into <KeyInfo>.
- Signed output verifies through the existing
DefaultKeyResolver using the
embedded certificate.
- Existing signing paths without a writer remain unchanged.
- Missing or duplicate direct signing
<KeyInfo> placeholders fail explicitly
when a writer is configured.
cargo fmt -- --check, cargo clippy --all-targets --all-features -- -D warnings,
cargo nextest run --all-features, and cargo test --doc --all-features pass.
Estimate
2d: 0.5d trait/API, 0.5d XML mutation, 0.5d X.509 writer, 0.5d tests and docs.
Problem
Signing templates can emit an empty
<KeyInfo/>placeholder, butSignContextdoes not yet have a writer hook to populate it. SAML IdP signing needs embedded
X.509 certificate material so verifiers can resolve the public key from the
signature document.
Solution
Implement P2-018 from the roadmap:
KeyInfoWritertrait used by signing.<X509Data>/<X509Certificate>withbase64 DER certificate content.
SignContextsosign_template()andsign_with_builder()populate thedirect
<Signature>/<KeyInfo>placeholder when a writer is configured.SignedInfo,SignatureValue, optionalKeyInfo, thenObject*.KeyInfooutsideSignedInfoso canonicalized signed bytes and digestcomputation are unaffected by writer output.
Acceptance Criteria
key_info(true)can write an embeddedX.509 certificate into
<KeyInfo>.DefaultKeyResolverusing theembedded certificate.
<KeyInfo>placeholders fail explicitlywhen a writer is configured.
cargo fmt -- --check,cargo clippy --all-targets --all-features -- -D warnings,cargo nextest run --all-features, andcargo test --doc --all-featurespass.Estimate
2d: 0.5d trait/API, 0.5d XML mutation, 0.5d X.509 writer, 0.5d tests and docs.