Struct VerifyContext 

pub struct VerifyContext<'a> { /* private fields */ }

Verification builder/configuration.

Implementations

impl<'a> VerifyContext<'a>

pub fn new() -> Self

Create a context with conservative defaults.

Defaults:

• no pre-set key, no key resolver
• manifests disabled
• same-document URIs only
• all transforms allowed
• pre-digest buffers not stored

pub fn key(self, key: &'a dyn VerifyingKey) -> Self

Set a pre-resolved verification key.

pub fn key_resolver(self, resolver: &'a dyn KeyResolver) -> Self

Set a key resolver fallback used when key() is not provided.

pub fn process_manifests(self, enabled: bool) -> Self

Enable or disable <Manifest> processing.

When enabled, references in <ds:Manifest> elements that are direct element children of <ds:Object> are processed only when the direct-child <ds:Object> or <ds:Manifest> itself is referenced from <SignedInfo> by an ID-based same-document fragment URI such as #id or #xpointer(id('id')). Only those signed Manifest references are returned in VerifyResult::manifest_references. Nested <ds:Manifest> descendants under <ds:Object> are not processed. Direct-child unsigned/unreferenced Manifests are skipped and do not appear in VerifyResult::manifest_references. Whole-document same-document references such as URI="" or URI="#xpointer(/)" do not mark a specific direct-child <ds:Object>/<ds:Manifest> as signed for this option.

Manifest reference digest mismatches, policy violations, and processing failures are reported in VerifyResult::manifest_references and do not alter the final VerifyResult::status. Callers that enable process_manifests(true) must inspect VerifyResult::manifest_references in addition to VerifyResult::status when interpreting verify() results. Structural/parse errors in Manifest content abort verify() and are returned as Err(...).

pub fn allowed_uri_types(self, types: UriTypeSet) -> Self

Restrict allowed reference URI classes.

pub fn allowed_transforms<I, S>(self, transforms: I) -> Self

where I: IntoIterator<Item = S>, S: Into<String>,

Restrict allowed transform algorithms by URI.

Example values:

• http://www.w3.org/2000/09/xmldsig#enveloped-signature
• http://www.w3.org/2001/10/xml-exc-c14n#

When a <Reference> has no explicit canonicalization transform, XMLDSig applies implicit default C14N (http://www.w3.org/TR/2001/REC-xml-c14n-20010315). If an allowlist is configured, include that URI as well unless all references use explicit Transform::C14n(...).

pub fn store_pre_digest(self, enabled: bool) -> Self

Store pre-digest buffers for diagnostics.

pub fn verify(&self, xml: &str) -> Result<VerifyResult, DsigError>

Verify one XMLDSig signature using this context.

Returns Ok(VerifyResult) for both valid and invalid signatures; inspect VerifyResult::status for the verification outcome. Err(...) is reserved for pipeline failures.

Trait Implementations

impl Default for VerifyContext<'_>

fn default() -> Self

Returns the “default value” for a type.