Skip to content

test(xmldsig): expand signing interop coverage#91

Merged
polaz merged 5 commits into
mainfrom
test/#90-xmlsec1-interop
Jul 17, 2026
Merged

test(xmldsig): expand signing interop coverage#91
polaz merged 5 commits into
mainfrom
test/#90-xmlsec1-interop

Conversation

@polaz

@polaz polaz commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Verify RSA and ECDSA XMLDSig signatures between xml-sec and xmlsec1 in both directions.
  • Cover SAML Response template signing, embedded X.509 resolution, and assertion tampering.
  • Add XMLDSig 1.1, Second Edition, and Phaos donor-vector accounting with fail-closed regression coverage.
  • Add runnable signing and verification examples plus fixture provenance documentation.
  • Build the pinned XMLSec 1.3.12 upstream release asset in CI for mandatory interop coverage.

Validation

  • cargo check --workspace --all-features
  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo nextest run --all-features (555 passed)
  • cargo test --doc --all-features (4 passed)

Closes #90

- Verify xml-sec and xmlsec1 signatures in both directions\n- Add SAML signing, donor corpus, and negative-vector coverage\n- Document signing and verification examples\n\nCloses #90
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@polaz, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 24 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5221369b-fd8b-41d8-bb5c-96231e2d09be

📥 Commits

Reviewing files that changed from the base of the PR and between 70c57bc and 59a63c5.

📒 Files selected for processing (1)
  • tests/xmlsec1_interop.rs
📝 Walkthrough

Walkthrough

The PR adds XMLDSig signing and verification examples, expands documentation, introduces donor and negative fixtures, adds SAML Response signing tests, validates interoperability with xmlsec1, and installs a pinned xmlsec1 build in the CI test matrix.

Changes

XMLDSig signing and verification

Layer / File(s) Summary
Usage documentation and examples
README.md, examples/*, src/xmldsig/mod.rs
Documents signing, verification statuses, resolver configuration, and SHA-256 expectations, with executable signing and verification examples.
Donor and SAML fixture corpus
tests/fixtures/xmldsig/*, tests/fixtures/saml/*, tests/fixtures_smoke.rs
Adds XMLDSig 1.1, 2nd Edition, Phaos, and SAML fixtures, documents fixture contracts, and updates expected fixture counts.
Donor and negative-vector validation
tests/donor_interop_suite.rs, tests/donor_negative_vectors.rs
Classifies donor vectors as valid or unsupported, verifies corpus accounting, and asserts malformed or inconsistent vectors fail closed.
SAML signing round trip
tests/saml_signing_integration.rs
Signs SAML Responses with embedded X.509 certificates, checks signature placement and values, verifies successful output, and detects tampered content at digest validation.
External XMLDSig interoperability
tests/xmlsec1_interop.rs, .github/workflows/ci.yml
Tests RSA and ECDSA interoperability and tamper rejection with xmlsec1, and installs a pinned, SHA-256-verified CLI build in CI.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant SignContext
  participant xmlsec1
  participant VerifyContext
  participant DefaultKeyResolver
  SignContext->>xmlsec1: submit generated signed XML
  xmlsec1-->>SignContext: report verification result
  xmlsec1->>VerifyContext: provide externally signed XML
  VerifyContext->>DefaultKeyResolver: resolve embedded certificate
  DefaultKeyResolver-->>VerifyContext: return verification key
  VerifyContext-->>xmlsec1: return valid or digest-mismatch status
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR also adds SAML signing, donor-vector fixtures, examples, and docs beyond #90's xmlsec1 interop scope. Split the unrelated SAML, donor-fixture, example, and documentation work into separate PRs or link the additional issues.
Docstring Coverage ⚠️ Warning Docstring coverage is 48.39% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and clearly reflects the interop coverage expansion.
Description check ✅ Passed The description matches the PR changes and mentions the interop, examples, docs, and CI updates.
Linked Issues check ✅ Passed The PR satisfies #90 with xmlsec1-based verification for RSA-SHA256, P-256/SHA-256, and P-384/SHA-384, plus tamper rejection and CI install.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch test/#90-xmlsec1-interop

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@polaz

polaz commented Jul 15, 2026

Copy link
Copy Markdown
Member Author

@codex review

@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown

Greptile Summary

This PR expands XMLDSig signing and interoperability coverage. The main changes are:

  • Reciprocal RSA and ECDSA tests with xmlsec1.
  • SAML Response signing and tamper checks.
  • XMLDSig donor-vector accounting and fixtures.
  • Runnable signing and verification examples.
  • A pinned xmlsec1 build in CI.

Confidence Score: 5/5

This looks safe to merge.

The xmlsec1 signing path now registers Id, matching every exercised template. The reciprocal verification path registers ID, matching the generated root element. No blocking issues remain in the reviewed fix.

T-Rex T-Rex Logs

What T-Rex did

  • Confirmed that xmlsec1 was unavailable before the setup (exit 127).
  • Installed and validated XMLSec 1.3.12 by verifying the release archive's SHA-256 checksum and completing a successful build and installation (exit code 0).
  • Executed xmlsec1 1.3.12 (openssl) against the focused target and observed 7 passed, 0 failed with exit code 0.
  • Collected three log artifacts to document the setup and test run.

View all artifacts

T-Rex Ran code and verified through T-Rex

Important Files Changed

Filename Overview
tests/xmlsec1_interop.rs Adds reciprocal xmlsec1 interoperability tests and correctly registers each case-sensitive ID attribute used by the exercised documents.
tests/saml_signing_integration.rs Adds end-to-end SAML Response signing, verification, schema-order, and assertion-tampering coverage.
tests/donor_interop_suite.rs Adds explicit valid and fail-closed accounting for the imported XMLDSig interoperability vectors.
.github/workflows/ci.yml Builds the checksum-pinned xmlsec1 1.3.12 release for mandatory interoperability coverage.

Reviews (5): Last reviewed commit: "fix(xmldsig): require xmlsec1 add-id sup..." | Re-trigger Greptile

Comment thread tests/xmlsec1_interop.rs

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3ba398585a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread tests/xmlsec1_interop.rs
Comment thread examples/sign.rs
Comment thread tests/xmlsec1_interop.rs Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/donor_negative_vectors.rs`:
- Around line 23-26: Update the `VerifyContext::new()` setup in the
inconsistent-X509Data test to configure `DefaultKeyResolver`, matching the
resolver configuration used by the subsequent `bad_sig` test while preserving
the existing expected parse failure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e192f8f9-3573-4e5c-9102-bc5e38fc5993

📥 Commits

Reviewing files that changed from the base of the PR and between d712da1 and 3ba3985.

📒 Files selected for processing (69)
  • .github/workflows/ci.yml
  • README.md
  • examples/sign.rs
  • examples/verify.rs
  • src/xmldsig/mod.rs
  • tests/donor_interop_suite.rs
  • tests/donor_negative_vectors.rs
  • tests/fixtures/saml/response_signing_template.xml
  • tests/fixtures/xmldsig/README.md
  • tests/fixtures/xmldsig/phaos-xmldsig-three/signature-rsa-enveloped-bad-digest-val.xml
  • tests/fixtures/xmldsig/phaos-xmldsig-three/signature-rsa-enveloped-bad-sig.xml
  • tests/fixtures/xmldsig/phaos-xmldsig-three/signature-rsa-enveloped.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-derencoded-ec.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-derencoded-rsa.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha1-truncated160.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha1-truncated40.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha224.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha384.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-hmac-sha512.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-keyinforeference-rsa.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha1.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha1_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha224.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha256_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha384.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha384_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha512.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p256_sha512_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha1.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha1_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha224.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha256_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha384.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha384_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha512.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p384_sha512_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha1.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha1_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha224.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha256_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha384.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha384_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha512.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-p521_sha512_4050.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-rsa-sha224.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-rsa-sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-rsa_sha384.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-rsa_sha512.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-sha224-rsa_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-sha256-rsa-sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-sha384-rsa_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-sha512-rsa_sha256.xml
  • tests/fixtures/xmldsig/xmldsig11-interop-2012/signature-enveloping-x509digest-rsa.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/defCan-1.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/defCan-2.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/defCan-3.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-1-SUN.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-2-SUN.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-3-SUN.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-4-SUN.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-5-SUN.xml
  • tests/fixtures/xmldsig/xmldsig2ed-tests/xpointer-6-SUN.xml
  • tests/fixtures_smoke.rs
  • tests/saml_signing_integration.rs
  • tests/xmlsec1_interop.rs

Comment thread tests/donor_negative_vectors.rs
- Build a pinned XMLSec release in CI\n- Register template IDs and emit KeyInfo in the signing example\n- Keep negative-vector resolver setup consistent

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: def992d953

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/xmldsig/mod.rs
Comment thread tests/xmlsec1_interop.rs
Comment thread tests/xmlsec1_interop.rs
Use the upstream release asset in CI, keep local Rust-only runs independent of xmlsec1, and cover an actual enveloped root reference.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 55: Update the curl download command for xmlsec1.tar.gz to include retry
behavior with three attempts, preserving the existing failure and
location-following options.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5397f8a3-d278-4e3f-9d95-59d9a16a970c

📥 Commits

Reviewing files that changed from the base of the PR and between def992d and de13e6f.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • src/xmldsig/mod.rs
  • tests/xmlsec1_interop.rs

Comment thread .github/workflows/ci.yml Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: de13e6fbbb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread tests/xmlsec1_interop.rs
Retry the pinned release download and skip local interop tests when the installed XMLSec CLI lacks required options.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 70c57bcd0b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread tests/xmlsec1_interop.rs Outdated
Skip local interop tests unless xmlsec1 is at least 1.3.8, the release that introduced the required add-id-attr option.
@polaz

polaz commented Jul 16, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep it up!

Reviewed commit: 59a63c5123

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@polaz
polaz merged commit e1d5d29 into main Jul 17, 2026
10 checks passed
@polaz
polaz deleted the test/#90-xmlsec1-interop branch July 17, 2026 07:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

test(xmldsig): verify generated signatures with xmlsec1

1 participant