Merge pull request #79 from gvonness-apolitical/refactor/error-helpers

Add error helpers and update README feature table

Author: gvonness-apolitical

README.md

@@ -27,8 +27,8 @@ This library provides the foundational capabilities for working with Codex docum
 - **Document Builder** - Fluent API for creating documents programmatically
 - **Metadata** - Dublin Core metadata support
 - **Presentation Layers** - Paginated and continuous presentation types
-- **Digital Signatures** - ECDSA P-256 (ES256) and Ed25519 signing and verification
-- **Encryption** - AES-256-GCM content encryption
+- **Digital Signatures** - ECDSA P-256 (ES256), P-384 (ES384), Ed25519, RSA-PSS (PS256), and ML-DSA-65 signing and verification
+- **Encryption** - AES-256-GCM and ChaCha20-Poly1305 content encryption
 - **Asset Management** - Embed and manage images, fonts, and files
 - **Document Verification** - Verify content hashes and document integrity
 - **Provenance** - Merkle trees, block proofs, and timestamp support for content lineage
@@ -51,9 +51,16 @@ cdx-core = "0.3"
 |---------|---------|-------------|
 | `zstd` | Yes | Zstandard compression support |
 | `signatures` | Yes | ECDSA P-256 digital signatures (ES256) |
+| `signatures-es384` | No | P-384 ECDSA digital signatures (ES384) |
+| `signatures-rsa` | No | RSA-PSS digital signatures (PS256) |
 | `encryption` | No | AES-256-GCM content encryption |
+| `encryption-chacha` | No | ChaCha20-Poly1305 content encryption |
+| `key-wrapping` | No | ECDH-ES+A256KW key agreement |
+| `key-wrapping-rsa` | No | RSA-OAEP-256 key wrapping |
+| `key-wrapping-pbes2` | No | PBES2 password-based key wrapping |
 | `eddsa` | No | Ed25519 digital signatures |
 | `ml-dsa` | No | ML-DSA-65 post-quantum signatures |
+| `webauthn` | No | WebAuthn/FIDO2 signature verification |
 | `timestamps-rfc3161` | No | RFC 3161 timestamp acquisition |
 | `timestamps-ots` | No | OpenTimestamps (Bitcoin anchoring) |
 | `ocsp` | No | Certificate revocation checking (OCSP/CRL) |

cdx-core/src/error.rs

@@ -185,6 +185,34 @@ pub enum Error {
     },
 }
 
+/// Create an [`Error::InvalidManifest`] with a formatted reason.
+pub(crate) fn invalid_manifest(reason: impl Into<String>) -> Error {
+    Error::InvalidManifest {
+        reason: reason.into(),
+    }
+}
+
+/// Create an [`Error::EncryptionError`] with a formatted reason.
+pub(crate) fn encryption_error(reason: impl Into<String>) -> Error {
+    Error::EncryptionError {
+        reason: reason.into(),
+    }
+}
+
+/// Create an [`Error::Network`] error with a formatted message.
+pub(crate) fn network_error(message: impl Into<String>) -> Error {
+    Error::Network {
+        message: message.into(),
+    }
+}
+
+/// Create an [`Error::InvalidCertificate`] with a formatted reason.
+pub(crate) fn invalid_certificate(reason: impl Into<String>) -> Error {
+    Error::InvalidCertificate {
+        reason: reason.into(),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

cdx-core/src/security/eddsa.rs

@@ -2,6 +2,7 @@
 
 //! EdDSA (Ed25519) signature implementation.
 
+use crate::error::invalid_manifest;
 use crate::{DocumentId, Result};
 
 use super::signature::{Signature, SignatureAlgorithm, SignatureVerification, SignerInfo};
@@ -24,11 +25,8 @@ impl EddsaSigner {
     pub fn from_pem(pem: &str, signer_info: SignerInfo) -> Result<Self> {
         use ed25519_dalek::pkcs8::DecodePrivateKey;
 
-        let signing_key = ed25519_dalek::SigningKey::from_pkcs8_pem(pem).map_err(|e| {
-            crate::Error::InvalidManifest {
-                reason: format!("Failed to parse EdDSA private key PEM: {e}"),
-            }
-        })?;
+        let signing_key = ed25519_dalek::SigningKey::from_pkcs8_pem(pem)
+            .map_err(|e| invalid_manifest(format!("Failed to parse EdDSA private key PEM: {e}")))?;
 
         Ok(Self {
             signing_key,
@@ -47,16 +45,13 @@ impl EddsaSigner {
         use ed25519_dalek::pkcs8::spki::{der::pem::LineEnding, EncodePublicKey};
 
         let mut key_bytes = [0u8; 32];
-        getrandom::fill(&mut key_bytes).map_err(|e| crate::Error::InvalidManifest {
-            reason: format!("System RNG failed: {e}"),
-        })?;
+        getrandom::fill(&mut key_bytes)
+            .map_err(|e| invalid_manifest(format!("System RNG failed: {e}")))?;
         let signing_key = ed25519_dalek::SigningKey::from_bytes(&key_bytes);
         let verifying_key = signing_key.verifying_key();
         let public_key_pem = verifying_key
             .to_public_key_pem(LineEnding::LF)
-            .map_err(|e| crate::Error::InvalidManifest {
-                reason: format!("Failed to encode EdDSA public key: {e}"),
-            })?;
+            .map_err(|e| invalid_manifest(format!("Failed to encode EdDSA public key: {e}")))?;
 
         Ok((
             Self {
@@ -78,9 +73,7 @@ impl EddsaSigner {
         self.signing_key
             .verifying_key()
             .to_public_key_pem(LineEnding::LF)
-            .map_err(|e| crate::Error::InvalidManifest {
-                reason: format!("Failed to encode EdDSA public key: {e}"),
-            })
+            .map_err(|e| invalid_manifest(format!("Failed to encode EdDSA public key: {e}")))
     }
 }
 
@@ -141,11 +134,8 @@ impl EddsaVerifier {
     pub fn from_pem(pem: &str) -> Result<Self> {
         use ed25519_dalek::pkcs8::DecodePublicKey;
 
-        let verifying_key = ed25519_dalek::VerifyingKey::from_public_key_pem(pem).map_err(|e| {
-            crate::Error::InvalidManifest {
-                reason: format!("Failed to parse EdDSA public key PEM: {e}"),
-            }
-        })?;
+        let verifying_key = ed25519_dalek::VerifyingKey::from_public_key_pem(pem)
+            .map_err(|e| invalid_manifest(format!("Failed to parse EdDSA public key PEM: {e}")))?;
 
         Ok(Self { verifying_key })
     }
@@ -174,9 +164,7 @@ impl Verifier for EddsaVerifier {
         // Decode signature from base64
         let sig_bytes = base64::engine::general_purpose::STANDARD
             .decode(&signature.value)
-            .map_err(|e| crate::Error::InvalidManifest {
-                reason: format!("Failed to decode signature: {e}"),
-            })?;
+            .map_err(|e| invalid_manifest(format!("Failed to decode signature: {e}")))?;
 
         // Parse signature
         let sig_array: [u8; 64] =