Skip to content

feat(xmldsig): parse X509Certificate with x509-parser#53

Merged
polaz merged 8 commits into
mainfrom
feat/p2-003-x509-parser
Jun 22, 2026
Merged

feat(xmldsig): parse X509Certificate with x509-parser#53
polaz merged 8 commits into
mainfrom
feat/p2-003-x509-parser

Conversation

@polaz

@polaz polaz commented Apr 9, 2026

Copy link
Copy Markdown
Member

Summary

  • parse X509Certificate DER bytes with x509-parser during KeyInfo/X509Data parsing
  • extract certificate metadata (subject DN, issuer DN, SKI) and SPKI key info (RSA/EC, plus unsupported algorithm OID marker)
  • keep unsupported key algorithms as parsed metadata instead of failing the whole KeyInfo parse
  • update and extend parse tests to use real fixture certificate DER and add invalid-DER regression

Verification

  • cargo check --workspace
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo nextest run --workspace
  • cargo test --doc --workspace
  • cargo build --workspace

Copilot AI review requested due to automatic review settings April 9, 2026 13:16
@coderabbitai

coderabbitai Bot commented Apr 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d02996a1-ed9a-4675-a738-67527a524bfc

📥 Commits

Reviewing files that changed from the base of the PR and between 2ae3a4e and 29bded1.

📒 Files selected for processing (1)
  • src/xmldsig/parse.rs

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • New Features
    • Enhanced X.509 certificate parsing now exposes certificate metadata, including subject/issuer details, optional Subject Key Identifier, and parsed public key information (RSA/EC).
  • Bug Fixes
    • Stricter handling of embedded certificates: invalid DER or certificates with trailing bytes are rejected.
    • Unsupported public key algorithms are now explicitly detected and reported as unsupported.

Walkthrough

Adds strict DER parsing of <X509Certificate> elements: extracts subject and issuer DNs, optional SubjectKeyIdentifier, and parses the certificate public key into RSA, EC, or unsupported variants; stores results in a new parsed_certificates field on X509DataInfo.

Changes

X.509 Certificate Parsing

Layer / File(s) Summary
Imports and dependencies
src/xmldsig/parse.rs
Add x509_parser imports for DER parsing, extension extraction, and SPKI handling.
Data types for parsed certificates
src/xmldsig/parse.rs
Add parsed_certificates: Vec<ParsedX509Certificate> to X509DataInfo. Introduce ParsedX509Certificate and X509PublicKeyInfo (RSA/EC/Unsupported).
Parsing wiring into X509Data dispatch
src/xmldsig/parse.rs
Update parse_x509_data_dispatch() to DER-parse decoded <X509Certificate> values and append ParsedX509Certificate while retaining raw DER certificates.
Certificate parser implementation
src/xmldsig/parse.rs
Implement parse_x509_certificate() with strict DER parsing (reject trailing bytes), extract subject/issuer DNs, optional SubjectKeyIdentifier, and parse SPKI into RSA (trim leading zeros), EC (curve OID + point), or Unsupported { algorithm_oid }.
Tests and fixture
src/xmldsig/parse.rs
Add fixture_rsa_cert_base64 helper; replace dummy <X509Certificate> in tests with real RSA fixture; assert parsed_certificates contains DN/SKI and RSA key parts; add tests for invalid DER rejection, trailing-byte rejection, and unsupported SPKI classification.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • structured-world/xml-sec#51: Both PRs modify X509Data parsing in xmldsig/parse.rs; PR #51 expands sub-element parsing and validation, while this PR builds on that work by adding strict DER certificate parsing and extracting typed certificate metadata.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding X509Certificate parsing with x509-parser library during KeyInfo/X509Data parsing.
Description check ✅ Passed The description is directly related to the changeset, detailing X509Certificate parsing, metadata extraction, SPKI key info parsing, and test updates.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/p2-003-x509-parser

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances XMLDSig <KeyInfo>/<X509Data> parsing by decoding <X509Certificate> DER bytes with x509-parser, extracting certificate metadata (DNs, SKI) and public key details while preserving metadata for unsupported key algorithms instead of failing the whole parse.

Changes:

  • Add ParsedX509Certificate and X509PublicKeyInfo types and store parsed certificate metadata in X509DataInfo.
  • Parse <X509Certificate> DER using x509-parser and extract subject/issuer DN, SKI, and SPKI key info (RSA/EC/Unsupported).
  • Update tests to use a real PEM fixture certificate and add an invalid-DER regression test.

Comment thread src/xmldsig/parse.rs Outdated
polaz added 2 commits April 9, 2026 16:40
- parse <X509Certificate> DER with x509-parser and extract subject/issuer DN, SKI, and SPKI key metadata

- keep unsupported SPKI algorithms as parsed metadata instead of hard parse failure

- extend KeyInfo/X509Data tests to use real fixture cert DER and cover invalid DER rejection
- move add_x509_data_usage call before parse_x509_certificate in X509Certificate branch

- reject oversized X509Data aggregate before expensive DER/X.509 parsing
@polaz polaz force-pushed the feat/p2-003-x509-parser branch from a591d4c to 89b6536 Compare April 9, 2026 13:42

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/xmldsig/parse.rs`:
- Around line 186-188: Add a clear doc comment documenting the parallel-array
invariant between the certificates and parsed_certificates fields: state that
both Vecs have equal length and that entries at the same index correspond to the
same certificate and its parsed representation. Put this comment near the struct
definition (above the struct or above both fields) referencing the field names
certificates and parsed_certificates and the ParsedX509Certificate type so
future maintainers know they must be updated together.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a3ab81db-0d88-42cc-bf29-948df54746ae

📥 Commits

Reviewing files that changed from the base of the PR and between a591d4c and 89b6536.

📒 Files selected for processing (1)
  • src/xmldsig/parse.rs

Comment thread src/xmldsig/parse.rs
- document 1:1 index correspondence between certificates and parsed_certificates
Copilot AI review requested due to automatic review settings April 9, 2026 14:04

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread src/xmldsig/parse.rs Outdated
Comment thread src/xmldsig/parse.rs
polaz added 2 commits April 9, 2026 20:11
- treat EC SPKI params that are present but non-OID as unsupported key algorithm

- keep missing EC params as InvalidStructure

- add regression test for unsupported SPKI algorithm marker using merlin x509 fixture
Copilot AI review requested due to automatic review settings May 11, 2026 12:50

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/xmldsig/parse.rs`:
- Around line 1383-1409: Update the test
parse_key_info_marks_unsupported_spki_algorithm_as_unsupported to assert the
preserved metadata on the unsupported public key instead of only checking the
Unsupported variant: after locating parsed_certificates[0] (from parse_key_info
/ KeyInfoSource::X509Data), assert that its X509PublicKeyInfo::Unsupported
contains the preserved fields (subject_dn, issuer_dn, and ski) and that they are
Some/contain the expected values (or non-empty) so the parser must retain those
values when returning Unsupported; adjust the match on
parsed_certificates[0].public_key to bind the Unsupported struct and add
assertions for subject_dn, issuer_dn, and ski.
- Around line 1370-1381: Add a regression test alongside
parse_key_info_rejects_x509_certificate_with_invalid_der that constructs a valid
DER X.509 fixture, base64-encodes it, appends a few extra bytes to the DER
payload (so X509Certificate::from_der returns Ok((_, rest)) with non-empty
rest), embeds that string into the same KeyInfo XML, calls
parse_key_info(doc.root_element()), and asserts it returns
Err(ParseError::InvalidStructure(_)); this ensures the parser branch in
parse_key_info that rejects non-empty rest after X509Certificate::from_der
cannot regress silently.
- Around line 219-224: The doc for X509PublicKeyInfo::Ec promises "uncompressed
point bytes" but code (parse.rs, X509PublicKeyInfo::Ec) currently accepts any
SEC1 encoding; either enforce the uncompressed form by validating the
public_key's first byte == 0x04 when constructing/parsing the Ec variant and
return an error if not, or change the field docstring to "encoded point bytes"
to reflect that compressed forms (0x02/0x03) are allowed; update the
constructor/parser that produces X509PublicKeyInfo::Ec and the doc comment on
the Ec variant accordingly so docs and behavior match.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7cf663fe-b6b4-4240-9bc1-0fca6a672c52

📥 Commits

Reviewing files that changed from the base of the PR and between 89b6536 and 2ae3a4e.

📒 Files selected for processing (1)
  • src/xmldsig/parse.rs

Comment thread src/xmldsig/parse.rs Outdated
Comment thread src/xmldsig/parse.rs
Comment thread src/xmldsig/parse.rs

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@balaatsky

Copy link
Copy Markdown

@polaz are you planning on merging this one?

@polaz polaz merged commit 4fb8503 into main Jun 22, 2026
9 checks passed
@polaz polaz deleted the feat/p2-003-x509-parser branch June 22, 2026 08:42
@polaz

polaz commented Jun 22, 2026

Copy link
Copy Markdown
Member Author

@polaz are you planning on merging this one?

ofc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants