Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ rsa = { version = "0.10.0-rc.18", optional = true }
sha1 = { version = "0.11", features = ["oid"], optional = true }
sha2 = { version = "0.11", features = ["oid"], optional = true }
p256 = { version = "0.14", features = ["ecdsa"], optional = true }
p384 = { version = "0.14.0-rc.15", features = ["ecdsa"], optional = true }
p384 = { version = "0.14", features = ["ecdsa"], optional = true }
Comment thread
greptile-apps[bot] marked this conversation as resolved.
p521 = { version = "0.14.0-rc.15", features = ["ecdsa"], optional = true }
signature = { version = "3", optional = true }
subtle = { version = "2", optional = true }
Expand All @@ -31,6 +31,7 @@ subtle = { version = "2", optional = true }
x509-parser = { version = "0.18", features = ["verify"], optional = true }
der = { version = "0.8", optional = true }
crypto-bigint = { version = "0.7", optional = true }
crypto-common = { version = "0.2", optional = true }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify the manifest enables crypto-common's getrandom feature when SysRng is imported.
rg -n 'crypto_common::getrandom::SysRng|crypto-common|getrandom' src Cargo.toml

Repository: structured-world/xml-sec

Length of output: 328


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Cargo.toml ==\n'
cat -n Cargo.toml | sed -n '1,120p'

printf '\n== src/xmldsig/sign.rs ==\n'
cat -n src/xmldsig/sign.rs | sed -n '1,220p'

Repository: structured-world/xml-sec

Length of output: 11911


🌐 Web query:

crypto-common 0.2 SysRng getrandom feature Cargo.toml.orig

💡 Result:

In the crypto-common crate (specifically version 0.2 and later), the getrandom feature enables the usage of the getrandom crate, specifically leveraging its SysRng type [1][2]. This integration replaced older, vendored random number generator implementations within crypto-common [2]. The SysRng type, introduced in getrandom v0.4, acts as the system's preferred random number source, providing a cross-platform interface for retrieving cryptographically secure random data [3]. Within the Cargo.toml of crypto-common 0.2.x, this is configured as an optional dependency: getrandom = { version = "0.4", optional = true, features = ["sys_rng"] } And defined in the [features] section: getrandom = ["rand_core", "dep:getrandom"] When the getrandom feature is enabled in your project, it allows cryptographic traits within crypto-common to utilize SysRng for operations requiring entropy, such as key generation [2][4].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect any Cargo.lock entry and feature wiring for crypto-common.
rg -n '^name = "crypto-common"|^version = |getrandom|SysRng' Cargo.lock Cargo.toml src -n

Repository: structured-world/xml-sec

Length of output: 3367


🌐 Web query:

crypto-common 0.2 SysRng feature getrandom site:docs.rs

💡 Result:

In the crypto-common crate version 0.2, the getrandom feature enables integration with the getrandom crate, providing access to the system's ambient cryptographically secure random number generator [1][2]. Key details regarding this feature include: Integration: When the getrandom feature is enabled, the crypto-common crate re-exports the getrandom crate [3]. This allows developers to utilize system-provided randomness directly within cryptographic workflows [2]. Functionality: Enabling this feature grants access to the Generate trait's ambient generation methods, specifically try_generate and generate [2]. These methods allow types that implement Generate to be randomly initialized using the system's preferred entropy source without requiring the user to manually pass a random number generator (RNG) instance [2]. Usage Note: The generate method will panic if the system's ambient RNG experiences an internal failure, whereas try_generate returns a Result to handle such errors gracefully [2]. The SysRng mentioned in your query refers to the interface provided by the getrandom crate (which crypto-common facilitates) to interact with the system's primary random source [4]. As of version 0.2, usage of these features is the recommended approach for secure random generation, replacing older, now-deprecated methods that relied solely on passing an explicit CryptoRng [5][6].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== crypto-common lock entries ==\n'
awk '
  $0 ~ /^name = "crypto-common"$/ {show=1; start=NR-2}
  show {print NR ":" $0}
  show && $0 == "" {count++; if (count >= 2) exit}
' Cargo.lock

printf '\n== surrounding packages that depend on crypto-common ==\n'
python3 - <<'PY'
from pathlib import Path
text = Path("Cargo.lock").read_text().splitlines()
for i, line in enumerate(text):
    if line.strip() == 'name = "crypto-common"':
        for j in range(max(0, i-5), min(len(text), i+30)):
            print(f"{j+1}:{text[j]}")
        print("----")
PY

Repository: structured-world/xml-sec

Length of output: 1717


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== manifest features around xmldsig ==\n'
sed -n '46,62p' Cargo.toml

printf '\n== references to crypto-common feature names in repository ==\n'
rg -n 'crypto-common.*getrandom|getrandom.*crypto-common|feature.*getrandom|SysRng' .

Repository: structured-world/xml-sec

Length of output: 805


Enable crypto-common/getrandom for SysRng.
xmldsig enables dep:crypto-common, but src/xmldsig/sign.rs uses crypto_common::getrandom::SysRng. crypto-common gates that module behind its getrandom feature, so xmldsig can fail to compile until the dependency enables it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Cargo.toml` at line 34, The xmldsig dependency on crypto-common is missing
the getrandom feature, which prevents crypto_common::getrandom::SysRng from
compiling in src/xmldsig/sign.rs. Update the crypto-common entry in Cargo.toml
to enable the getrandom feature alongside dep:crypto-common so the SysRng path
is available when xmldsig is built.


# Base64 encoding/decoding
base64 = "0.22"
Expand All @@ -47,6 +48,7 @@ default = ["xmldsig", "c14n"]
xmldsig = [ # XML Digital Signatures (sign + verify)
"dep:der",
"dep:crypto-bigint",
"dep:crypto-common",
"dep:p256",
"dep:p384",
"dep:p521",
Expand Down
6 changes: 4 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Pure Rust XML Security library. Drop-in replacement for libxmlsec1.
## Features

- **C14N** — XML Canonicalization (inclusive + exclusive, W3C compliant)
- **XMLDSig** — XML Digital Signatures (verify pipeline implemented; signing in progress, enveloped/enveloping/detached)
- **XMLDSig** — XML Digital Signatures (verify pipeline + template signing implemented; broader signing interop in progress)
- **XMLEnc** — XML Encryption (symmetric + asymmetric)
- **X.509** — Certificate-based key extraction and validation

Expand All @@ -39,13 +39,15 @@ Currently implemented (core paths):
- C14N 1.0, C14N 1.1, and Exclusive C14N
- XMLDSig parsing, same-document URI dereference, transform chains, and digest verification
- XMLDSig full verify pipeline (`SignedInfo` canonicalization + `SignatureValue` verification)
- XMLDSig template signing pipeline (`DigestValue` fill + `SignedInfo` canonicalization + `SignatureValue` fill)
- Built-in verification-key resolution from embedded X.509/DER/`KeyValue` sources and configured `KeyName`, X.509 subject, issuer/serial, SKI, or digest selectors
- RSA PKCS#1 v1.5 verification helpers for SHA-1 / SHA-256 / SHA-384 / SHA-512
- ECDSA verification helpers for P-256/SHA-256 and P-384/SHA-384
- RSA PKCS#1 v1.5 and ECDSA P-256/P-384 signing from PKCS#8 private keys
- Opt-in X.509 certificate-chain validation with explicit trust anchors, validity checks, CA constraints, and CRLs

Still in progress:
- XMLDSig signing pipeline
- XMLDSig signing KeyInfo writer, examples, and broader donor/CLI interop coverage
- XMLEnc encryption/decryption pipeline

Current toolchain target: latest stable Rust.
Expand Down
6 changes: 6 additions & 0 deletions src/xmldsig/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ pub mod digest;
pub mod keys;
pub mod mutation;
pub mod parse;
pub mod sign;
pub mod signature;
pub mod transforms;
pub mod types;
Expand All @@ -28,6 +29,11 @@ pub use parse::{
KeyInfo, KeyInfoSource, KeyValueInfo, ParseError, Reference, SignatureAlgorithm, SignedInfo,
X509DataInfo, find_signature_node, parse_key_info, parse_signed_info,
};
pub use sign::{
ComputedReferenceDigest, EcdsaP256SigningKey, EcdsaP384SigningKey, RsaSigningKey, SignContext,
SigningDigestError, SigningError, SigningKey, SigningKeyError, compute_reference_digest_values,
fill_reference_digest_values,
};
pub use signature::{
SignatureVerificationError, verify_ecdsa_signature_pem, verify_ecdsa_signature_spki,
verify_rsa_signature_pem, verify_rsa_signature_spki,
Expand Down
Loading