feat(xml): implement XML-DSig signing in DpsSigner

[vitormattos]

Summary

Implements the full XML-DSig enveloped signature in DpsSigner, completing the Phase 2 signing deliverable.
Previously signXml() was a stub that returned unsigned XML; signing material was computed but immediately discarded.

Changes

src/Xml/DpsSigner.php

• Fixed sign(): keys returned by importPfx() are now passed to signXml() instead of being discarded via unset()
• Implemented signXml(string $xml, string $privateKeyPem, string $certificatePem):
  • Locates the element with @Id (infDPS) as the signed reference
  • Computes SHA-1 digest over its C14N form → DigestValue
  • Builds <Signature> in http://www.w3.org/2000/09/xmldsig# namespace with:
    • CanonicalizationMethod — Canonical XML 1.0
    • SignatureMethod — RSA-SHA1
    • Reference with enveloped-signature + C14N transforms
    • DigestMethod (SHA-1) + DigestValue
  • Canonicalises SignedInfo and RSA-SHA1 signs it via openssl_sign()
  • Appends SignatureValue (base64-encoded RSA output)
  • Appends KeyInfo > X509Data > X509Certificate (base64-encoded cert, no PEM headers)

tests/Unit/Xml/DpsSignerTest.php (new)

7 unit tests using an ephemeral RSA-2048 / self-signed PFX generated in setUp():

• testSignReturnsXmlContainingSignatureElement
• testSignReturnsXmlContainingDigestValue
• testSignReturnsXmlContainingSignatureValue
• testSignReturnsXmlContainingX509Certificate
• testSignThrowsPfxImportExceptionWhenFileNotFound
• testSignedXmlIsStillValidXml
• testSignatureElementIsAppendedToDpsRoot (XPath assertion: /DPS/ds:Signature length = 1)

Test count: 32 → 39 unit tests

Gates

• phpunit: 39/39 ✓
• cs:fix: 0 files changed ✓
• psalm: No errors found ✓