XMLSec 1.3.0

[lsh123]

The XMLSec 1.3.0 release includes a large number of changes including several API / ABI breaking changes (hence version bump).

Detailed information about supported algorithms can be found in the XMLDsig and the XMLEnc interoperability reports.

core xmlsec and all xmlsec-crypto libraries:

• (ABI breaking change) Added support for the KeyInfoReference Element.
• (ABI breaking change) Switched xmlSecSize to use size_t by default. Use "--enable-size-t=no" configure option ("size_t=no" on Windows) to restore the old behaviour (note that support for xmlSecSize being different from size_t will be removed in the future).
• (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.
• (API breaking change) The KeyName element content is now trimmed before key search is performed.
• (API breaking change) Disabled FTP support by default. Use "--enable-ftp" configure option to restore it. Also added "--enable-http" and "--enable-files" configure options to control support for loading files over HTTP or locally.
• (API/ABI breaking change) Disabled MD5 digest method by default. Use "--enable-md5" configure options ("legacy-crypto" option on Windows) to re-enable MD5.
• (ABI breaking change) Added "failureReason" file to xmlSecDSigCtx and xmlEncCtx to provide more granular operation failure reason.
• (ABI breaking change) Removed deprecated functions.
• Added support for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
• Added ability to control transforms binary chunk size to improve performance (see '--transform-binary-chunk-size' command line option for XMLSec utility).
• Fixed all potentially unsafe integer conversions and all the other warnings.
• Added XML Signature 1.1 interop (2012) and XML Encryption 1.1 interop (2012) tests.

xmlsec-openssl library:

• Added support for SHA3 digests.
• Added support for ECDSA-SHA3 signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for ConcatKDF key and PBKDF2 derivation algorithms.
• (ABI breaking change) Added support for ECDH-ES Key Agreement algorithm.
• (ABI breaking change) Added support for DH-ES Key Agreement algorithm with explicit KDF.
• Added support for MGF1 algorithm to RSA OAEP key transport.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.
• Removed previously deprecated support for OpenSSL 1.0.0 and LibreSSL before 2.7.0.

xmlsec-nss library:

• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA OAEP key transport including MGF1 algorithms.
• Added support for AES GCM ciphers.
• Added support for PBKDF2 derivation algorithm.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-gnutls library:

• (API/ABI breaking change) Removed dependency on xmlsec-gcrypt and libgcrypt libraries (including API functions) to enable support for different GnuTLS backends.
• Bumped minimal GnuTLS version to 3.6.13.
• Added support for SHA3 digests.
• Added support for ECDSA signatures.
• Added support for DSA-SHA256 signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA PKCS 1.5 key transport.
• Added support for AES GCM ciphers.
• Added support for PBKDF2 derivation algorithm.
• Added support for X509Digest element and ability to lookup keys using other X509Data elements.
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-mscng library:

• Added support for RSA PSS signatures (withtout parameters).
• Added support for MGF1 algorithm to RSA OAEP key transport.
• (ABI breaking change) Added support for ECDH-ES Key Agreement algorithm.
• Added support for ConcatKDF key and PBKDF2 derivation algorithms.
• Added support for X509Digest element for keys and certificates lookup from the system stores (only SHA1 is supported).
• Added support for DEREncodedKeyValue element.
• Automatically set key name from PKCS12 key name.

xmlsec-mscrypto library:

• In maintenance mode starting from this release.
• Disabled by default support for NT4. Use "nt4=yes" configure option on Windows to re-enable it.

xmlsec-gcrypt library:

• In maintenance mode starting from this release.
• Added support for SHA3 digests.
• Added support for ECDSA signatures.
• Added support for RSA PSS signatures (withtout parameters).
• Added support for RSA PKCS 1.5 key transport.
• Added support for RSA OAEP key transport including MGF1 algorithms.

xmlsec command line utility:

• (API breaking change) The XMLSec command line utility is using 'strict' key search mode by default. To restore the old 'lax' key search mode, use the new '--lax-key-search' option.
• (API breaking change) The XMLSec command line utility is no longer prints detailed errors by default. To restore the detailed errors, use the new '--verbose' option.
• Added '--transform-binary-chunk-size' option to control transforms binary chunk size (increasing the chunk size should improve performance at the expense of memory usage.
• Added support for loading keys through ossl-store interface (e.g. for using keys from an HSM). Also see '--privkey-openssl-store' and '--pubkey-openssl-store ' command line options for XMLSec utility.
• Added '--enabled-key-info-reference-uris' option to control processing of the the KeyInfoReference Element.
• Added '--pbkdf2-key' option for loading PBKDF2 keys.
• Added '--concatkdf-key' option for loading ConcatKDF keys.
• Added '--hmac-min-out-len' option to control the min accepted HMAC Output length.
• Added '--pubkey-openssl-engine' option to load public keys from OpenSSL engine.
• Added '--crl-pem' and '--crl-der' options to load CRLs.
• Added '--verify-keys' option to verify key's certificate before loading into Keys Manager (only supported for OpenSSL currently).
• Enabled templatized output filenames to facilitate batch operations on multiple input files.

---

This discussion was created from the release 1.3.0.

[grandinj]

Building under clang version 17, this version fails with

CC xmlsec.lo
warning: unknown warning option '-Wformat-overflow=2'; did you mean '-Wshift-overflow'? [-Wunknown-warning-option]
warning: unknown warning option '-Wformat-signedness' [-Wunknown-warning-option]
2 warnings generated.

[lsh123]

So these two options are disabled on Mac:

xmlsec/configure.ac

Line 2492 in 47aa1fa

if test "z$build_on_mac" = "zno" ; then

I guess I need to change it against compiler instead.

[lsh123]

I will track it here: #636

[lsh123]

Should be fixed on master now

[grandinj]

And if I override that by passing
-Wno-unknown-warning-option

then I get a further failure:

CC libxmlsec1_nss_la-x509vfy.lo
crypto.c:415:28: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
xmlSecNssGetInternalKeySlot()
^

[lsh123]

See #627 (it should be fixed on master)

[grandinj]

Passing --disable-werror to configure does not seem to help either

[lsh123]

Use "--disable-pedantic" flag for configure

[grandinj]

Thanks!

[kelemeng]

Hi
I'm trying to compile xmlsec 1.3.0 as an external dependency of LibreOffice under Ubuntu 20.04 which has a rather old nss version: 3.49.1
I'm getting this compilation error:

ciphers_gcm.c: In function 'xmlSecNssGcmCipherEncrypt':
ciphers_gcm.c:248:5: error: unknown type name 'CK_NSS_GCM_PARAMS'; did you mean 'CK_NSS_AEAD_PARAMS'?
248 | CK_NSS_GCM_PARAMS gcm_params;
| ^~~~~~~~~~~~~~~~~
| CK_NSS_AEAD_PARAMS

Is there a way to build it on an older OS as well?

[lsh123]

Looks like it was renamed:

mozilla/gecko-dev@7d42f27#diff-6b44e6819b1325013dc0b02e15e58e5c928838dcbe1e369dcf339024b8ce8557

I will bump min NSS version to 3.52 but you can manually change to the old constant or install later version of NSS.

[lsh123]

NSS version on the master is bumped to 3.52

[1pavlov]

Hey @lsh123 Could you publish the compiled version of the lib as .deb for Ubuntu?

[lsh123]

Sorry, but I don't plan to do binary distributions for linux's due to large number of variations.