XML Security Library

LibXML2
LibXSLT
OpenSSL

XML Security Library

XML Security Library is a C library based on LibXML2. The library supports major XML security standards:

XML Security Library is released under the MIT Licence see the Copyright file in the distribution for details.

News

  • January 4, 2023
    The XML Security Library 1.3.3 release includes the following changes:

    • (xmlsec-core) Disabled KeyValue and DEREncodedKeyValue XML nodes by default. Use the '--enabled-key-data' option for the xmlsec command line utility or update the 'keyInfoCtx->enabledKeyData' parameter if you need to re-enable these nodes (also see question 3.5 in the FAQ).
    • (xmlsec-core) Removed '--enable-size-t' ('size_t' for MSVC builds) option and made 'xmlSecSize' to always be the same as 'size_t'.
    • (xmlsec-core) Removed previously deprecated functions, defines, etc.
    • (xmlsec-core) Fixed build for libxml2 v2.12.0.
    • (xmlsec-openssl) Removed support for OpenSSL 1.1.0 (end of life in Aug 2016). The minimum OpenSSL supported version is 1.1.1; the version 3.0.0 or greater is recommended.
    • (xmlsec-nss) Added runtime check for the enabled algorithms in NSS.
    • (xmlsec-mscrypto) Removed NT4 support.
    • Several other small fixes (see more details).

  • December 12, 2023
    The legacy XML Security Library 1.2.39 release includes the following changes:
    • Added options to enable/disable local files, HTTP, and FTP support. FTP is disabled by default.
    • Several other small fixes (more details).

  • October 31, 2023
    The XML Security Library 1.3.2 release includes the following changes:

    • (xmlsec-openssl) Fixed padding for GOST 2001 and 2012 signatures.
    • (xmlsec-nss) Added support for reading PEM certificates.
    • (xmlsec-nss) Added a check to ensure that the key certificate matches the key.
    • (xmlsec-nss) Added support for xmlsec command line tool '--verify-keys' option.
    • (xmlsec-gnutls) Added support for GOST R 34.11-94, GOST R 34.11-2012 256 bit, and GOST R 34.11-2012 512 bit digest algorithms.
    • (xmlsec-gnutls) Added support for GOST R 34.10-2001, GOST R 34.11-2012 256 bit, and GOST R 34.11-2012 512 bit signature algorithms.
    • (xmlsec-gnutls) Added support for xmlsec command line tool '--verify-keys' option.
    • (xmlsec-gnutls) Added check to ensure that the key certificat matches the key.
    • (xmlsec-mscng) Added support for xmlsec command line tool '--verify-keys' option.
    • (xmlsec-mscng) Replaced windows.h includes with wincrypt.h includes where possible.
    • (xmlsec-mscrypto) Replaced windows.h includes with wincrypt.h includes where possible.
    • (xmlsec command line tool) Added '--base64-line-size' option to control the base64 encoding line size.
    • (MSVC build) Added 'ftp' and 'http' options to control FTP and HTTP support. FTP support is disabled by default.
    • (MinGW build) The xmlsec-mscrypto is moved down in the default crypto library selection list as it is now in maintanance mode (use '--with-default-crypto' option to force the selection).
    • (MinGW build) Fixed the static libraries build with "--enable-static-linking" option.
    • Several other small fixes (see more details).

  • July 5, 2023
    The legacy XML Security Library 1.2.38 release includes the following changes:
    • Fixed static linking with MinGW.
    • (xmlsec-mscng) Fixed block ciphers key size.
    • Several other small fixes (more details).

  • June 6, 2023
    The XML Security Library 1.3.1 release includes the following changes:

    • Added "--with-libltdl" option for ./configure to allow custom libltdl installations and deprecated "--enable-crypto-dl" option.
    • Added support for cclang compiler on non-MacOSX platforms.
    • (xmlsec-openssl) Restored support for LibreSSL and bumped minimum required version to 3.5.0.
    • (xmlsec-nss) Restored minimum supported NSS version to 3.35.
    • Several other small fixes (more details).

  • April 12, 2023
    The XML Security Library 1.3.0 release includes the following changes:

    • core xmlsec and all xmlsec-crypto libraries:
      • (ABI breaking change) Added support for the KeyInfoReference Element.
      • (ABI breaking change) Switched xmlSecSize to use size_t by default. Use "--enable-size-t=no" configure option ("size_t=no" on Windows) to restore the old behaviour (note that support for xmlSecSize being different from size_t will be removed in the future).
      • (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.
      • (API breaking change) The KeyName element content is now trimmed before key search is performed.
      • (API breaking change) Disabled FTP support by default. Use "--enable-ftp" configure option to restore it. Also added "--enable-http" and "--enable-files" configure options to control support for loading files over HTTP or locally.
      • (API/ABI breaking change) Disabled MD5 digest method by default. Use "--enable-md5" configure options ("legacy-crypto" option on Windows) to re-enable MD5.
      • (ABI breaking change) Added "failureReason" file to xmlSecDSigCtx and xmlEncCtx to provide more granular operation failure reason.
      • (ABI breaking change) Removed deprecated functions.
      • Added support for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
      • Added ability to control transforms binary chunk size to improve performance (see '--transform-binary-chunk-size' command line option for XMLSec utility).
      • Fixed all potentially unsafe integer conversions and all the other warnings.
      • Added XML Signature 1.1 interop (2012) and XML Encryption 1.1 interop (2012) tests.
    • xmlsec-openssl library:
    • xmlsec-nss llegacyibrary:
    • xmlsec-gnutls library:
    • xmlsec-mscng library:
    • xmlsec-mscrypto library:
      • In maintenance mode starting from this release.
      • Disabled by default support for NT4. Use "nt4=yes" configure option on Windows to re-enable it.
    • xmlsec-gcrypt library:
    • xmlsec command line utility:
      • (API breaking change) The XMLSec command line utility is using 'strict' key search mode by default. To restore the old 'lax' key search mode, use the new '--lax-key-search' option.
      • (API breaking change) The XMLSec command line utility is no longer prints detailed errors by default. To restore the detailed errors, use the new '--verbose' option.
      • Added '--transform-binary-chunk-size' option to control transforms binary chunk size (increasing the chunk size should improve performance at the expense of memory usage.
      • Added slegacyupport for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
      • Added '--enabled-key-info-reference-uris' option to control processing of the the KeyInfoReference Element.
      • Added '--pbkdf2-key' option for loading PBKDF2 keys.
      • Added '--concatkdf-key' option for loading ConcatKDF keys.
      • Added '--hmac-min-out-len' option to control the min accepted HMAC Output length.
      • Added '--pubkey-openssl-engine' option to load public keys from OpenSSL engine.
      • Added '--crl-pem' and '--crl-der' options to load CRLs.
      • Added '--verify-keys' option to verify key's certificate before loading into Keys Manager (only supported for OpenSSL currently).
      • Enabled templatized output filenames to facilitate batch operations on multiple input files.

    Detailed information about supported algorithms can be found here: XMLDsig and XMLEnc interoperability reports.


  • November 30, 2022
    The XML Security Library 1.2.37 release includes the following changes:

  • October 31, 2022
    The XML Security Library 1.2.36 release includes the following changes:

  • October 25, 2022
    The XML Security Library 1.2.35 release includes the following changes:
    • Migration to OpenSSL 3.0 API (based on PR by @snargit). Note that OpenSSL engines are disabled by default when XMLSec library is compiled against OpenSSL 3.0. To re-enable OpenSSL engines, use "--enable-openssl3-engines" configure flag (there will be a lot of deprecation warnings).
    • The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of XMLSec Library.
    • Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled "-Werror" and "-pedantic" flags on CI builds.
    • Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
    • Moved all CI builds to GitHub actions.
    • Several other small fixes (more details).

  • May 3, 2022
    The XML Security Library 1.2.34 release includes the following changes:
    • Support for OpenSSL compiled with OPENSSL_NO_ERR.
    • Full support for LibreSSL 3.5.0 and above (@vishwin).
    • Several other small fixes (more details).

  • October 25, 2021
    The XML Security Library 1.2.33 release includes the following changes:
    • Added --privkey-openssl-engine option to enhance openssl engine support (Leonardo Secci).
    • Fixed decrypting session key for two recipients.
    • Several other small fixes (more details).


See News page for older announcements.