Skip to content

feat: write X509 KeyInfo during signing #80

Description

@polaz

Problem

Signing templates can emit an empty <KeyInfo/> placeholder, but SignContext
does not yet have a writer hook to populate it. SAML IdP signing needs embedded
X.509 certificate material so verifiers can resolve the public key from the
signature document.

Solution

Implement P2-018 from the roadmap:

  • Add a KeyInfoWriter trait used by signing.
  • Add an X.509 certificate writer that emits <X509Data>/<X509Certificate> with
    base64 DER certificate content.
  • Wire SignContext so sign_template() and sign_with_builder() populate the
    direct <Signature>/<KeyInfo> placeholder when a writer is configured.
  • Preserve XMLDSig child order: SignedInfo, SignatureValue, optional
    KeyInfo, then Object*.
  • Keep KeyInfo outside SignedInfo so canonicalized signed bytes and digest
    computation are unaffected by writer output.

Acceptance Criteria

  • Signing with a builder that includes key_info(true) can write an embedded
    X.509 certificate into <KeyInfo>.
  • Signed output verifies through the existing DefaultKeyResolver using the
    embedded certificate.
  • Existing signing paths without a writer remain unchanged.
  • Missing or duplicate direct signing <KeyInfo> placeholders fail explicitly
    when a writer is configured.
  • cargo fmt -- --check, cargo clippy --all-targets --all-features -- -D warnings,
    cargo nextest run --all-features, and cargo test --doc --all-features pass.

Estimate

2d: 0.5d trait/API, 0.5d XML mutation, 0.5d X.509 writer, 0.5d tests and docs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions