feat: implement XMLDSig full verify pipeline (P1-021)

[polaz]

Summary

Implement roadmap task P1-021: end-to-end XMLDSig signature verification pipeline.

Scope

• add full verification pipeline API for a Signature node:
  • parse Signature/SignedInfo
  • verify SignedInfo Reference digests (fail-fast)
  • canonicalize SignedInfo
  • decode SignatureValue (base64)
  • verify cryptographic signature using RSA/ECDSA public key
• add integration tests for valid donor vectors (RSA + ECDSA)
• add negative integration tests (tampered DigestValue / SignatureValue)
• update README status to reflect that end-to-end XMLDSig signature verification is now implemented (while VerifyContext remains in progress)

Acceptance Criteria

• pipeline returns structured result distinguishing digest-stage and signature-stage validity
• donor RSA and ECDSA full-pipeline tests pass
• tampered digest fails before signature stage
• tampered signature fails after digest stage
• cargo check/clippy/nextest/doc-tests pass
• README status section updated consistently

Estimate

4h

[coderabbitai]

🔗 Related PRs

#9 - feat(xmldsig): add URI dereference for Reference elements [merged]
#14 - feat(xmldsig): enveloped signature transform and pipeline executor [merged]
#22 - feat(xmldsig): add RSA signature verification [merged]
#27 - feat(xmldsig): add ecdsa signature verification [closed]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!