feat(xmldsig): add RSA signature verification

[polaz]

Summary

Implement roadmap task P1-019: RSA signature verification for XMLDSig using ring::signature.

Scope

• add PKCS#1 v1.5 verification for RSA-SHA1, RSA-SHA256, RSA-SHA384, RSA-SHA512
• accept SubjectPublicKeyInfo PEM/DER public keys from vendored fixtures
• add regression tests for valid and invalid signatures
• keep public API aligned with the existing XMLDSig parsing/reference pipeline

Acceptance Criteria

• RSA verify path validates canonicalized SignedInfo bytes against SignatureValue
• algorithms map correctly to ring verification algorithms
• malformed/unsupported key material returns a typed error
• tests cover success and signature mismatch cases

Estimate

1d 4h

• research and API fit: 2h
• implementation: 5h
• tests and verification: 3h

Refs arch/ROADMAP.md P1-019
Refs arch/xmldsig.md
Refs .refs/features/03-xmldsig-verify.md

[coderabbitai]

🔗 Related PRs

#9 - feat(xmldsig): add URI dereference for Reference elements [merged]
#14 - feat(xmldsig): enveloped signature transform and pipeline executor [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!