feat(test): add donor test fixtures and C14N golden file tests

[polaz]

Summary

• Add xmlsec1 donor test keys (RSA 2048/4096, EC P-256/P-384, CA chain, HMAC) and C14N reference vectors (Merlin C14N three, exclusive C14N one, C14N 1.1) into tests/fixtures/
• Add 13 fixture smoke tests validating PEM structure and file completeness
• Add 11 C14N golden file tests: 7 full-document byte-compare against xmllint reference outputs, 4 subtree SHA-1 digest tests against Merlin DigestValues

Technical Details

• Golden files for full-document C14N generated via xmllint --c14n / --c14n11 / --exc-c14n
• Exclusive C14N golden for exc-signature.xml generated by our implementation (not xmllint) because xmllint incorrectly renders xmlns:bar on <Foo> where bar is not visibly utilized — our implementation follows Exclusive C14N spec §3
• Subtree digest tests extract <dsig:Object Id="to-be-signed"> from Merlin exc-c14n-one, canonicalize with 4 exclusive C14N configurations, and compare SHA-1 digests against the original DigestValues embedded in the signed XML
• XPath-subset vectors (c14n-0..27) included in fixtures but tests deferred — require XPath evaluator planned for a future release

Known Limitations

• Merlin C14N three vectors are XPath-subset results — only full-document tests run currently
• exc-signature.tmpl included for future signing tests

Test Plan

• cargo test --workspace — 206 tests pass
• cargo clippy --all-targets --all-features -- -D warnings — clean
• cargo build — clean

Closes #15

Summary by CodeRabbit

• Tests
  • Added a comprehensive XML Canonicalization (C14N) test suite: C14N 1.0 & 1.1, inclusive/exclusive modes, with/without comments, subtree canonicalization, digest comparisons, and fixture smoke tests validating signatures, keys, and test assets.
• Documentation
  • Added README/test notes describing canonicalization scenarios and fixture conventions.
• Chores
  • Updated CI workflow checkout step to a newer version.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a Rust C14N golden-file test module and fixture smoke tests plus ~60 XML/text fixture assets (Merlin vectors, exclusive C14N one, C14N 1.1 xml:base inputs). Tests perform byte-for-byte canonicalization comparisons and subtree SHA‑1 digest checks against xmllint-generated golden outputs.

Changes

Cohort / File(s)	Summary
C14N Test Harness tests/c14n_golden.rs	New Rust test module: fixture loaders (text/bytes), SHA‑1/base64 helpers, byte-for-byte canonicalization comparisons for Inclusive 1.0/1.1 and Exclusive 1.0, subtree extraction and digest checks; XPath-subset vectors skipped.
Fixture Smoke Tests tests/fixtures_smoke.rs	New smoke tests verifying presence/readability and basic integrity of PEM keys/certs, HMAC file, C14N golden files, merlin/exc inputs, xml-base inputs, and total fixture count.
C14N 1.1 / xml:base Fixtures tests/fixtures/c14n/c14n11/full-doc-c14n10.xml, tests/fixtures/c14n/c14n11/full-doc-c14n11.xml, tests/fixtures/c14n/c14n11/xml-base-input.xml	Full-document fixtures exercising xml:base and C14N 1.1 behaviors used by canonicalization tests.
Merlin C14N Three (golden outputs & signatures) tests/fixtures/c14n/merlin-c14n-three/Readme.txt, tests/fixtures/c14n/merlin-c14n-three/c14n-{0..27}.txt, tests/fixtures/c14n/merlin-c14n-three/full-doc-*.xml, tests/fixtures/c14n/merlin-c14n-three/signature.xml	Golden fragment files and full XML Signature fixtures with complex XPath transforms, InclusiveNamespaces variants, DSA/X.509 blocks, and expected DigestValues.
Merlin Exclusive C14N One Fixtures tests/fixtures/c14n/merlin-exc-c14n-one/Readme.txt, .../exc-signature.tmpl, .../exc-signature.xml, .../full-doc-*.xml	Exclusive C14N templates and full-document fixtures covering InclusiveNamespaces and with/without-comments variants used in subtree digest tests.
Misc. C14N fixtures tests/fixtures/c14n/... (many new files)	Numerous additional static fixture assets (pure data) added to support canonicalization vectors and signature examples.
CI Workflows .github/workflows/ci.yml, .github/workflows/release.yml	Updated actions/checkout from v4 to v6 in relevant jobs.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(c14n): implement XML canonicalization (inclusive + exclusive) #6 — Adds core canonicalization implementation (canonicalize/canonicalize_xml, C14nAlgorithm) that these golden-file tests validate.
• feat(c14n): add xml:* attr inheritance, C14N 1.1 mode, xml:base URI resolution #12 — Implements C14N 1.1 xml:* inheritance and xml:base resolution behavior exercised by the new xml-base/full-document fixtures.
• feat(xmldsig): add URI dereference for Reference elements #9 — Implements URI dereferencing / NodeSet / TransformData used for extracting subtrees referenced by the new subtree digest tests.

Poem

🐰 I hopped through namespaces, bases, and signs,
Golden files gleam in tidy lines,
Merlin's fragments stacked, digests all neat,
Tests march forward on careful feet,
A small rabbit cheers—canonical and sweet!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: adding donor test fixtures and C14N golden file tests to the test suite.
Linked Issues check	✅ Passed	The PR fully addresses all coding objectives from issue #15: test fixtures are copied (P1-014a) and C14N golden file tests are implemented with correct coverage (P1-014b, 13 smoke tests + 11 C14N tests).
Out of Scope Changes check	✅ Passed	All changes are in scope: test fixtures, test implementations, and minor GitHub Actions version upgrades for CI/CD consistency. No unrelated code modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/#15-donor-test-fixtures

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR adds donor test fixtures from the xmlsec1 test suite (cryptographic keys and C14N reference vectors) and implements golden file tests to validate the C14N implementation against reference outputs.

Changes:

• Adds 62 test fixture files: RSA 2048/4096/expired keys, EC P-256/P-384 keys, CA chain certificates, HMAC key, Merlin C14N-three vectors (28 golden outputs + signature.xml), Merlin exclusive C14N-one vectors, and C14N 1.1 xml:base test vectors
• Adds tests/fixtures_smoke.rs with 13 smoke tests validating PEM structure, file existence, and fixture completeness
• Adds tests/c14n_golden.rs with 11 C14N golden file tests: 7 full-document byte-compare tests and 4 subtree SHA-1 digest tests against Merlin DigestValues

Reviewed changes

Copilot reviewed 61 out of 64 changed files in this pull request and generated 1 comment.

File	Description
tests/fixtures_smoke.rs	13 smoke tests verifying fixture files are present, readable, and structurally valid
tests/c14n_golden.rs	11 C14N golden file tests (7 full-doc byte-compare + 4 subtree digest)
tests/fixtures/keys/**	RSA, EC, CA chain, and HMAC key fixtures (21 files)
tests/fixtures/c14n/**	C14N reference vectors and golden outputs (41 files across 3 directories)

---

You can also share your feedback on Copilot code review. Take the survey.

[coderabbitai]

🧹 Nitpick comments (2)

tests/fixtures_smoke.rs (1)

172-182: Consider: File count assertion requires maintenance.

The hardcoded count of 62 files will fail when fixtures are added or removed, requiring manual updates. This is a reasonable integrity check to guard against accidental deletions, but consider:

1. Adding a comment near fixture additions reminding to update this count
2. Or using a more lenient lower-bound check: assert!(count >= 62, ...)

The current approach is acceptable if the maintenance burden is understood.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/fixtures_smoke.rs` around lines 172 - 182, The test
fixture_file_count_matches_expected currently asserts exact equality of count
returned by count_files_recursive(fixtures_dir(), &mut count) to 62 which is
brittle; change the assertion to a lenient lower-bound check (e.g.,
assert!(count >= 62, "expected at least 62 fixture files ...")) or add a clear
comment next to the test and any places that add fixtures reminding developers
to update the expected count; update the assertion call in
fixture_file_count_matches_expected (or add the comment above it) and keep the
existing explanatory message.

tests/c14n_golden.rs (1)

44-46: Clarify: assert_c14n_matches_golden defaults to with_comments=true.

The helper defaults to with_comments: true, but C14N without comments is the more common default. This works correctly for the current tests since the goldens were generated accordingly, but consider renaming to assert_c14n_matches_golden_with_comments or passing false by default for clarity.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/c14n_golden.rs` around lines 44 - 46, The helper
assert_c14n_matches_golden currently calls
assert_c14n_matches_golden_comments(xml, mode, true, golden, label) so it
defaults to with_comments=true; change this to the clearer behavior by either
renaming the wrapper to assert_c14n_matches_golden_with_comments or (preferred)
flip the default to false by calling assert_c14n_matches_golden_comments(xml,
mode, false, golden, label) and update any tests/golden expectations that rely
on the previous default; ensure you update all call sites of
assert_c14n_matches_golden (or rename usages if you choose the rename) and
adjust goldens if necessary so the tests remain consistent with the new default.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/c14n_golden.rs`:
- Around line 44-46: The helper assert_c14n_matches_golden currently calls
assert_c14n_matches_golden_comments(xml, mode, true, golden, label) so it
defaults to with_comments=true; change this to the clearer behavior by either
renaming the wrapper to assert_c14n_matches_golden_with_comments or (preferred)
flip the default to false by calling assert_c14n_matches_golden_comments(xml,
mode, false, golden, label) and update any tests/golden expectations that rely
on the previous default; ensure you update all call sites of
assert_c14n_matches_golden (or rename usages if you choose the rename) and
adjust goldens if necessary so the tests remain consistent with the new default.

In `@tests/fixtures_smoke.rs`:
- Around line 172-182: The test fixture_file_count_matches_expected currently
asserts exact equality of count returned by
count_files_recursive(fixtures_dir(), &mut count) to 62 which is brittle; change
the assertion to a lenient lower-bound check (e.g., assert!(count >= 62,
"expected at least 62 fixture files ...")) or add a clear comment next to the
test and any places that add fixtures reminding developers to update the
expected count; update the assertion call in fixture_file_count_matches_expected
(or add the comment above it) and keep the existing explanatory message.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 784957a4-8eb0-46fa-b157-649b20f10d4f

📥 Commits

Reviewing files that changed from the base of the PR and between 1e0535c and a31b9e9.

⛔ Files ignored due to path filters (21)

• tests/fixtures/keys/ca2cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/ca2key.pem is excluded by !**/*.pem
• tests/fixtures/keys/cacert.pem is excluded by !**/*.pem
• tests/fixtures/keys/cakey.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime256v1-cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime256v1-key.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime256v1-pubkey.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime384v1-cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime384v1-key.pem is excluded by !**/*.pem
• tests/fixtures/keys/ec/ec-prime384v1-pubkey.pem is excluded by !**/*.pem
• tests/fixtures/keys/hmackey.bin is excluded by !**/*.bin
• tests/fixtures/keys/rsa/rsa-2048-cert-revoked-crl.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-2048-cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-2048-key.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-2048-pubkey.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-4096-cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-4096-key.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-4096-pubkey.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-expired-cert.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-expired-key.pem is excluded by !**/*.pem
• tests/fixtures/keys/rsa/rsa-expired-pubkey.pem is excluded by !**/*.pem

📒 Files selected for processing (43)

• tests/c14n_golden.rs
• tests/fixtures/c14n/c14n11/full-doc-c14n10.xml
• tests/fixtures/c14n/c14n11/full-doc-c14n11.xml
• tests/fixtures/c14n/c14n11/xml-base-input.xml
• tests/fixtures/c14n/merlin-c14n-three/Readme.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-0.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-1.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-10.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-11.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-12.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-13.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-14.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-15.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-16.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-17.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-18.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-19.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-2.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-20.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-21.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-22.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-23.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-24.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-25.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-26.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-27.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-3.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-4.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-5.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-6.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-7.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-8.txt
• tests/fixtures/c14n/merlin-c14n-three/c14n-9.txt
• tests/fixtures/c14n/merlin-c14n-three/full-doc-c14n10.xml
• tests/fixtures/c14n/merlin-c14n-three/full-doc-c14n11.xml
• tests/fixtures/c14n/merlin-c14n-three/full-doc-exc-c14n.xml
• tests/fixtures/c14n/merlin-c14n-three/signature.xml
• tests/fixtures/c14n/merlin-exc-c14n-one/Readme.txt
• tests/fixtures/c14n/merlin-exc-c14n-one/exc-signature.tmpl
• tests/fixtures/c14n/merlin-exc-c14n-one/exc-signature.xml
• tests/fixtures/c14n/merlin-exc-c14n-one/full-doc-c14n10.xml
• tests/fixtures/c14n/merlin-exc-c14n-one/full-doc-exc-c14n.xml
• tests/fixtures_smoke.rs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/c14n_golden.rs`:
- Around line 66-69: The test slices result_str and golden_content by byte index
which can panic on multi-byte UTF-8 boundaries; replace the byte-slicing used in
the format call with char-safe previews by building short strings like let
preview_result = result_str.chars().take(500).collect::<String>(); and let
preview_golden = golden_content.chars().take(500).collect::<String>(); then use
preview_result and preview_golden in place of
&result_str[..result_str.len().min(500)] and
&golden_content[..golden_content.len().min(500)] in the failing message so
truncation never cuts a UTF-8 character (referencing result_str and
golden_content in the test).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e6259283-9285-4644-a21b-209927e7be16

📥 Commits

Reviewing files that changed from the base of the PR and between a31b9e9 and 5167ec9.

📒 Files selected for processing (1)

• tests/c14n_golden.rs

[Copilot]

Pull request overview

This PR adds donor test fixtures (keys, C14N reference vectors) and golden file tests for the C14N implementation. It provides a comprehensive test foundation for validating the canonicalization implementation against reference outputs from xmllint and Merlin's XML Security test suite.

Changes:

• Add test key fixtures (RSA 2048/4096, EC P-256/P-384, CA chain, HMAC) and C14N reference vectors (Merlin C14N three, exclusive C14N one, C14N 1.1) under tests/fixtures/
• Add 13 fixture smoke tests in tests/fixtures_smoke.rs validating PEM structure, file completeness, and structural integrity
• Add 11 C14N golden file tests in tests/c14n_golden.rs: 7 full-document byte-compare tests and 4 subtree SHA-1 digest tests against Merlin DigestValues

Reviewed changes

Copilot reviewed 63 out of 66 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/fixtures_smoke.rs	Smoke tests verifying fixture files are present, readable, and structurally valid
tests/c14n_golden.rs	Golden file tests comparing C14N output against xmllint references and subtree SHA-1 digests
tests/fixtures/keys/*	RSA, EC, CA chain, HMAC key fixtures from xmlsec1 test suite
tests/fixtures/c14n/merlin-c14n-three/*	Merlin C14N three test vectors (signature.xml, 28 golden outputs, 3 full-doc golden files)
tests/fixtures/c14n/merlin-exc-c14n-one/*	Merlin exclusive C14N one test vectors (exc-signature.xml/tmpl, 2 full-doc golden files)
tests/fixtures/c14n/c14n11/*	C14N 1.1 xml:base test vector (input XML, 2 full-doc golden files)

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

This PR adds xmlsec1 donor test fixtures (RSA 2048/4096, EC P-256/P-384, CA chain, HMAC keys) and C14N reference vectors, along with comprehensive smoke tests and golden file tests validating the C14N implementation against xmllint reference outputs and Merlin DigestValues.

Changes:

• Added 62 test fixture files (21 key files + 41 C14N files) under tests/fixtures/
• Added 13 fixture smoke tests (tests/fixtures_smoke.rs) and 11 C14N golden file tests (tests/c14n_golden.rs)
• Bumped actions/checkout from v4 to v6 in CI and release workflows

Reviewed changes

Copilot reviewed 63 out of 66 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
tests/fixtures_smoke.rs	Smoke tests verifying fixture files exist and have valid PEM structure
tests/c14n_golden.rs	Golden file tests: 7 full-document byte-compare + 4 subtree SHA-1 digest tests
tests/fixtures/keys/*	RSA, EC, CA, HMAC test key files
tests/fixtures/c14n/*	C14N golden output files and source XML test vectors
.github/workflows/ci.yml	Bumps actions/checkout from v4 to v6
.github/workflows/release.yml	Bumps actions/checkout from v4 to v6

---

You can also share your feedback on Copilot code review. Take the survey.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/fixtures_smoke.rs`:
- Around line 111-117: The test loop in tests/fixtures_smoke.rs currently only
checks path.exists() for each golden file (variables name and path in the for i
in 0..28 loop), which won't fail on unreadable files; change the assertion to
actually open or read the file (e.g., call std::fs::File::open(&path) or
std::fs::read_to_string(&path)) and assert that the open/read succeeds,
including the error in the assertion message so permission/corruption issues
surface during the test run.
- Line 104: Change the five test functions to return Result<(), Box<dyn
std::error::Error>> and replace each fs::read_to_string(...).expect("...") with
the ? operator to propagate I/O errors; specifically update
merlin_c14n_three_non_empty_goldens_are_xml,
merlin_exc_c14n_one_input_files_present, c14n11_xml_base_input_present and the
test defining sig_xml so that all read_to_string calls use ? and each test ends
with Ok(()). Ensure signatures and returns are updated accordingly and no other
expect() calls remain for these fixture reads.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dab705f2-a1f2-4c34-aff3-b95042ec7801

📥 Commits

Reviewing files that changed from the base of the PR and between 99b59df and 8062d54.

📒 Files selected for processing (1)

• tests/fixtures_smoke.rs