xml-sec 0.1.2

Pure Rust XML Security: XMLDSig, XMLEnc, C14N. Drop-in replacement for libxmlsec1.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.1.2](https://github.com/structured-world/xml-sec/compare/v0.1.1...v0.1.2) - 2026-03-29

### Added

- *(xmldsig)* add VerifyResult status model
- *(xmldsig)* add VerifyContext builder policies
- *(xmldsig)* add full signature verify pipeline
- *(xmldsig)* add ecdsa signature verification

### Documentation

- *(xmldsig)* document verify ok/err contract
- *(xmldsig)* note fail-fast truncation in verify result
- *(xmldsig)* clarify resolver miss contract
- *(xmldsig)* clarify canonicalized SignedInfo pre-digest semantics
- *(xmldsig)* clarify external uri policy limitation
- *(xmldsig)* clarify manifest fail-closed behavior
- *(readme)* clarify xmldsig verify-only status
- *(xmldsig)* document pipeline structural constraints
- *(xmldsig)* clarify strict der parsing fallback

### Fixed

- *(xmldsig)* preserve decode errors before key lookup
- *(xmldsig)* carry reference index at mismatch source
- *(xmldsig)* fail closed on manifest-typed references
- *(xmldsig)* remove redundant builder must_use attrs
- *(xmldsig)* detect nested manifests in object subtree
- *(xmldsig)* address verifier policy review feedback
- *(xmldsig)* enforce URI and implicit C14N policies
- *(xmldsig)* tighten digest and signature child parsing
- *(xmldsig)* align DigestValue whitespace normalization
- *(xmldsig)* harden SignatureValue text parsing
- *(xmldsig)* tighten verify result and char handling
- *(xmldsig)* tighten signaturevalue limits and module docs
- *(xmldsig)* enforce xml whitespace set in signaturevalue
- *(xmldsig)* bound signaturevalue size and c14n node checks
- *(xmldsig)* return MissingElement when SignedInfo absent
- *(xmldsig)* treat malformed ecdsa signature bytes as invalid
- *(xmldsig)* align signaturevalue base64 whitespace rules
- *(xmldsig)* reject ambiguous signature selection
- *(xmldsig)* classify missing signedinfo as missing element
- *(xmldsig)* enforce signaturevalue structure
- *(xmldsig)* enforce SignedInfo position and uniqueness
- *(xmldsig)* normalize signature value text nodes
- *(xmldsig)* handle empty SignatureValue as present element
- *(xmldsig)* reject non-ecdsa algorithms early
- *(xmldsig)* tighten ecdsa der classification
- *(xmldsig)* cover spki happy path and der parsing
- *(xmldsig)* align signature format error mapping
- *(xmldsig)* retry fixed verifier for ambiguous ecdsa
- *(xmldsig)* prefer raw width and round ec bytes
- *(xmldsig)* harden ecdsa key validation
- *(xmldsig)* handle raw signatures with 0x30 prefix
- *(xmldsig)* harden ecdsa signature parsing

### Performance

- *(xmldsig)* defer key resolution to final verify step

### Refactored

- *(xmldsig)* require URI in ReferenceResult
- *(xmldsig)* reuse per-reference invalid status
- *(xmldsig)* re-export transform uri constants
- *(xmldsig)* mark uri policy type as must-use
- *(xmldsig)* share transform URI constants
- *(xmldsig)* mark verify context as must-use
- *(xmldsig)* relax key resolver object lifetime
- *(xmldsig)* make ascii narrowing explicit
- *(xmldsig)* simplify ascii whitespace byte path
- *(xmldsig)* clarify shared constants and ECDSA flow
- *(xmldsig)* unify signature child parsing

### Testing

- *(xmldsig)* harden verify result API and resolver-miss checks
- *(xmldsig)* assert mismatch reasons in tamper tests
- *(xmldsig)* rename key-not-found status test
- *(xmldsig)* align panic resolver with trait lifetime
- *(xmldsig)* cover nested manifest rejection
- *(xmldsig)* add verify context policy regressions
- *(xmldsig)* reject oversized SignatureValue payloads
- *(xmldsig)* cover non-empty signature without SignedInfo
- *(xmldsig)* make xml decl stripping line-ending agnostic
- *(xmldsig)* cover signature selection guards
- *(xmldsig)* relax ds tag opener parsing in fixtures
- *(xmldsig)* add ecdsa tamper pipeline coverage
- *(xmldsig)* reuse ds-aware helper for SignatureValue mutation
- *(xmldsig)* harden verify pipeline review fixes

## [0.1.1](https://github.com/structured-world/xml-sec/compare/v0.1.0...v0.1.1) - 2026-03-26

### Added

- *(xmldsig)* add RSA signature verification
- *(xmldsig)* add reference verification pipeline
- *(test)* add donor test fixtures and C14N golden file tests
- *(c14n)* add xml:* attr inheritance, C14N 1.1 mode, xml:base URI resolution
- *(xmldsig)* add URI dereference for Reference elements
- *(c14n)* implement XML canonicalization (inclusive + exclusive)
- initial scaffold — Cargo.toml, src/lib.rs, CI workflows, README

### Documentation

- *(readme)* add c14n 1.1 spec row
- *(xmldsig)* tighten review follow-ups
- *(xmldsig)* tighten review follow-ups
- *(test)* add xmllint with-comments note to golden test module doc
- *(c14n)* document schemeless base behavior in resolve_uri
- *(xmldsig)* clarify NodeSet::subtree doc re attribute/namespace tracking
- *(c14n)* add UTF-8 requirement doc, remove stale file reference
- *(c14n)* clarify with_prefix_list is exclusive-mode only

### Fixed

- *(release)* publish without generated lockfile
- *(release)* address remaining review threads
- *(release)* tighten workflow housekeeping
- *(release)* align release automation with crates.io
- *(release)* harden release workflows
- *(xmldsig)* harden verifier API usage
- *(xmldsig)* prevalidate RSA key constraints
- *(xmldsig)* harden RSA key parsing
- *(xmldsig)* tighten parser invariants
- *(review)* tighten remaining review follow-ups
- *(review)* address PR feedback
- *(xmldsig)* tighten compat xpath child parsing
- *(lint)* replace map_or with is_none_or (clippy::unnecessary_map_or)
- *(test)* panic on I/O errors in fixture file counter
- *(test)* use char-safe truncation in golden test error messages
- *(xmldsig)* validate Transforms element and reject unexpected children
- *(c14n)* replace expect() with ? in parse_base for clippy compliance
- *(c14n)* validate scheme in parse_base, merge paths for schemeless bases
- *(c14n)* preserve query/fragment from reference during URI resolution
- *(c14n)* merge_paths returns reference unchanged for non-hierarchical base
- *(c14n)* preserve relative leading .. segments, update stale docs
- *(c14n)* correct RFC 3986 URI recomposition and edge cases
- *(c14n)* skip xml:* inheritance for Exclusive C14N per Exc-C14N §3
- *(c14n)* seed xml:base walk with included ancestor, filter empty values
- *(c14n)* correct RFC 3986 URI parsing, skip empty xml:base values
- *(c14n)* stop xml:* ancestor walk at nearest included ancestor
- *(xmldsig)* reject empty xpointer id, document local-name matching
- *(xmldsig)* safe xpointer quote parsing, same-element dedup guard
- *(xmldsig)* prevent duplicate ID re-insertion on 3+ occurrences
- *(xmldsig)* reject duplicate IDs, guard foreign nodes, reject empty fragment
- *(xmldsig)* harden URI dereference error handling and DoS safety
- *(c14n)* treat default ns as visibly utilized for unprefixed elements
- *(c14n)* use Result in doctests, fix has_in_scope_default_namespace doc
- *(c14n)* correct xmlns="" suppression for document subsets
- *(c14n)* use lexical prefixes from source XML instead of lookup_prefix()
- *(c14n)* clarify UTF-8 error, fix inclusive ns doc, document subset edge case
- *(c14n)* escape CR in PI/node content, reject C14N 1.1

### Performance

- *(c14n)* document clone() cost and deferred optimization path

### Refactored

- *(xmldsig)* mark signature uri accessor as must_use
- *(xmldsig)* mark all_valid as must_use
- *(xmldsig)* mark signature lookup as must_use
- *(xmldsig)* mark signing_allowed as must_use
- *(xmldsig)* use expect() for hardcoded C14N URI invariant
- *(xmldsig)* use #[expect] over #[allow] in test module, trim doc comment
- *(c14n)* use as_deref/as_ref for Option<String> borrowing
- *(c14n)* restrict xml:* inheritance to spec whitelist, remove expect()
- *(c14n)* use impl Fn for ns predicate instead of &dyn Fn
- *(c14n)* extract shared namespace-declaration pipeline into ns_common
- *(xmldsig)* derive doc from element in NodeSet::subtree, consolidate test helpers
- *(xmldsig)* remove unused UriDeref error variant
- *(c14n)* encapsulate C14nAlgorithm fields, remove dead code

### Testing

- *(xmldsig)* vendor donor RSA fixtures
- *(xmldsig)* update digest parser fixtures
- *(c14n)* add schemeless base URI resolution test