3 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4 <title>XML Security Library: News</title>
6 <body><table witdh="100%" valign="top"><tr valign="top">
7 <td valign="top" align="left" width="210">
8 <img src="images/logo.gif" alt="XML Security Library" border="0"><p></p>
10 <li><a href="index.html">Home</a></li>
11 <li><a href="download.html">Download</a></li>
12 <li><a href="news.html">News</a></li>
13 <li><a href="documentation.html">Documentation</a></li>
15 <li><a href="faq.html">FAQ</a></li>
16 <li><a href="api/xmlsec-notes.html">Tutorial</a></li>
17 <li><a href="api/xmlsec-reference.html">API reference</a></li>
18 <li><a href="api/xmlsec-examples.html">Examples</a></li>
20 <li><a href="xmldsig.html">XML Digital Signature</a></li>
21 <ul><li><a href="http://www.aleksey.com/xmlsec/xmldsig-verifier.html">Online Verifier</a></li></ul>
22 <li><a href="xmlenc.html">XML Encryption</a></li>
23 <li><a href="c14n.html">XML Canonicalization</a></li>
24 <li><a href="bugs.html">Reporting Bugs</a></li>
25 <li><a href="http://www.aleksey.com/pipermail/xmlsec">Mailing list</a></li>
26 <li><a href="related.html">Related</a></li>
27 <li><a href="authors.html">Authors</a></li>
32 <td><a href="http://xmlsoft.org/"><img src="images/libxml2-logo.png" alt="LibXML2" border="0"></a></td>
36 <td><a href="http://xmlsoft.org/XSLT"><img src="images/libxslt-logo.png" alt="LibXSLT" border="0"></a></td>
40 <td><a href="http://www.openssl.org/"><img src="images/openssl-logo.png" alt="OpenSSL" border="0"></a></td>
42 <!--Links - start--><!--Links - end-->
45 <td valign="top"><table width="100%" valign="top"><tr><td valign="top" align="left" id="xmlsecContent">
47 <h1>XML Security Library News</h1>
50 <li>December 5 2009<br>
51 Changes in <a href="download.html">XML Security Library 1.2.14</a> release:
53 <li>XMLSec library is switched from built-in LTDL library to the system
54 LTDL library on Linux/Unix and native calls on Windows to fix
55 <a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3736">security
56 issue</a> in LTDL.</li>
57 <li>Fixed minor bugs (see <a href="http://git.gnome.org/cgit/xmlsec/log/">log</a>
58 for complete list).</li>
62 <li>September 12 2009<br>
63 Changes in <a href="download.html">XML Security Library 1.2.13</a> release:
66 <a href="http://xmlsoft.org/">LibXML2</a> version 2.7.4 is now required</li>
67 <li>Implemented support for <a href="http://www.w3.org/TR/xml-c14n11/">C14N version 1.1</a>
69 <li>Increase default minimum hmac size to 80 bits</li>
70 <li>Added support for --with-libxml-src and --with-libxslt-src ./configure options</li>
71 <li>Fixed XML dump output</li>
76 The new <a href="download.html">XML Security Library 1.2.12</a> release
77 includes the following changes (see ChangeLog for the complete list of changes):
79 <li>Fixed HMAC vulnerability with small values of HMAC length
80 (<a href="http://www.kb.cert.org/vuls/id/466161">CERT VU #466161</a>).</li>
81 <li>Added support for the GOST implemented by Russian Crypto Pro CSP
82 (patch from Dennis Prochko)</li>
83 <li>Added an option to return the replaced node (based on the patch from Frank Gross)</li>
84 <li>Added new function xmlSecNodeEncodeAndSetContent for encoding
85 special chars in the node content.</li>
86 <li>Added configurable Base64 line length.</li>
90 <li>November 6 2007<br>
91 The new <a href="download.html">XML Security Library 1.2.11</a> release
92 includes the following changes:
94 <li>Mingw port (Roumen Petrov).</li>
95 <li>Better support for non micorsoft CSP's (Wouter and Ed Shallow).</li>
99 <br><li>June 12 2006<br>
100 The new <a href="download.html">XML Security Library 1.2.10</a> release
101 includes the following changes:
103 <li>GOST algorithms support (Dmitry Belyavsky)</li>
104 <li>Ability to disable system trusted certs in xmlsec-mscrypto
105 (Dmitry Belyavsky)</li>
106 <li>New functions for adding X509IssuerName and X509SerialNumber
107 nodes to the template (Dmitry Belyavsky)
109 <li>Better packaging support for Fedora and Debian (Daniel Veillard, John Belmonte)</li>
110 <li>Cleanups from Coverity tool reports</li>
114 <br><li>July 12 2005<br>
115 The new <a href="download.html">XML Security Library 1.2.9</a> release
116 includes few bug fixes and adds support for the recently released
117 <a href="http://www.openssl.org">OpenSSL 0.9.8</a> including several
118 new algorithms for <a href="xmldsig.html">xmlsec-openssl</a>:
120 <li>SHA224/SHA256/SHA384/SHA512</li>
121 <li>HMAC-SHA224/SHA256/SHA384/SHA512</li>
122 <li>RSA-MD5/RIPEMD160/SHA224/SHA256/SHA384/SHA512</li>
125 <br><li>March 30 2005<br>
126 The new <a href="download.html">XML Security Library 1.2.8</a> release
127 merges OpenOffice.org changes to xmlsec-mscrypto and xmlsec-nss into
128 main xmlsec source tree.
130 <br><li>February 23 2005<br>
131 The new <a href="download.html">XML Security Library 1.2.7</a> release
132 includes several bug fixes and minor enchancements:
134 <li>(core) added xmlSecSimpleKeysStoreGetKeys() function;</li>
135 <li>(core) added functions to create <X509Data/> node children
136 in the signature template;</li>
137 <li>(core) fixed xmlSecGenerateID() function;</li>
138 <li>(core) fixed dynamic linking initialization/shutdown when custom memory
139 allocation functions are used;</li>
140 <li>(core) fixed encrypted text parsing and xmlParseInNodeContext() function;</li>
141 <li>(openssl) fixed parsing quoted values in the certificate subject;</li>
142 <li>(mscrypto) negative numbers support in xmlSecBnFromString()/xmlSecBnToString() functions.</li>
146 <br><li>August 25 2004<br>
147 The new <a href="download.html">XML Security Library 1.2.6</a>
148 fixes several minor bugs and adds support for loading keys and
149 certificates from memory.
152 <br><li>July 27 2004<br>
153 Created a <a href="related.html#books">list of books</a> about
154 cryptography and security that covers most of the topics needed
155 for using XML Security Library.
158 <br><li>April 15 2004<br>
159 The new <a href="download.html">XML Security Library 1.2.5</a>
160 includes a simple XKMS server implementation and fixes a nasty
161 bug with encrypting/decrypting nodes with an empty content.
164 <br><li>January 27 2004<br>
165 The new <a href="download.html">XML Security Library 1.2.4</a>
166 release fixes many configuration and installation problems
170 <br><li>January 6 2004<br>
171 The new <a href="download.html">XML Security Library 1.2.3</a>
172 release upgrades xmlsec-gnutls code to support latest gnutls
173 library version (1.0.4) and fixes several configuration and
174 installation problems.
177 <br><li>November 11 2003<br>
178 The new <a href="download.html">XML Security Library 1.2.2</a>
179 release includes several improvements in ./configure script
180 (Daniel, Roumen) and a bug fix for certificates serial number
181 processing in xmlsec-mscrypto.
184 <br><li>October 14 2003<br>
185 The new <a href="download.html">XML Security Library 1.2.1</a>
186 release includes a special "hack" for supporting ID attributes
187 with invalid values in Visa 3D; fixed processing of root element
188 node siblings (bug #124245); template functions for creating
189 <enc:KeyReference/> and <enc:DataReference/&gt
190 nodes (Wouter); new "XMLSEC_DOCDIR" environment variable
191 for ./configure script; updated README files for xmlsec-crypto
195 <br><li>September 30 2003<br>
196 The major change in the new <a href="download.html">XML Security Library 1.2.0</a>
197 release is the MS Crypto API support implemented by Wouter. Other changes
198 include loading public keys from certificates and improved namespaces
199 support for start node selection with "--node-xpath" command line option
200 for xmlsec command line utility; updated online XML DSig Verifier;
201 updated docs and man pages.
204 <br><li>September 17 2003<br>
205 The new <a href="download.html">XML Security Library 1.1.2</a> release
206 introduces dynamical crypto engines loading based on ltdl library (including
207 tutorial, API reference and documentation updates); adds an ability to build
208 multiple xmlsec-crypto libraries in one build on Windows; fixes minor problems
209 in test suite and multiple warnings when building on Sun Solaris.
212 <br><li>August 21 2003<br>
213 The new <a href="download.html">XML Security Library 1.1.1</a> release
214 adds <X509Data/> node templates support to xmlsec-nss (Tej);
215 includes new functions for reading keys and certificates from memory
216 for xmlsec-core and xmlsec-openssl (Joachim); fixes several problems
217 in xmlsec configuration files (Roumen) and a bug in URI attribute
221 <br><li>August 5 2003<br>
222 A great patch from Tej that dramaticaly improves xmlsec-nss functionality
223 deserves a minor version number update :). In addition to that, the new
224 <a href="download.html">XML Security Library 1.1.0</a>
225 release includes <X509Data/> node templates support
226 for xmlsec-openssl (Roumen); separate pkg-config files for xmlsec-crypto
227 libraries and minor documentation updates (including coding style
228 and some useful commands for xmlsec developers in a new "HACKING"
232 <br><li>July 15 2003<br>
233 There were several minor patches during last month and it's time to do
234 a new <a href="download.html">XML Security Library 1.0.4</a>
235 release to pick up them: x509 certificates names comparison function
236 now supports multiple entries woth the same object name (Roumen);
237 multiple build fixes; documentation mistypes fixes.<br>
238 Also I gave an XML Security presentation at
239 <a href="http://oreillynet.com/oscon2003/">OSCON 2003</a> last week.
240 You can download slides <a href="http://www.aleksey.com/xmlsec/extra/xmlsec_oscon_2003.ppt">here</a>.
243 <br><li>June 17 2003<br>
244 The <a href="download.html">XML Security Library 1.0.3</a>
245 release adds PKCS#8 support for xmlsec-openssl (Tej) and fixes several
246 configuration and portability problems.
248 <br><li>June 03 2003<br>
249 The <a href="download.html">XML Security Library 1.0.2</a>
250 release includes several fixes in xmlsec-nss configuration and
251 linking options (Tej), PKCS21 files reading improvements,
252 minor documentation and help file fixes. Also this release
253 includes some code for XKMS support. This is absolutely not usable
254 right now and not configured in by default. Please, don't
255 use or even compile it in.
257 <br><li>April 28 2003<br>
258 The <a href="download.html">XML Security Library 1.0.1</a>
259 release is a maintanance release. It fixes several compilation
260 problems found in 1.0.0 release on the following platforms:
261 OpenBSD/sparc64, Win32 Wacom C, Sun Workshop CC 6.0. Also from
262 now on Win32 MSVC port enables the threading support
263 by default (this is a part of the Igor's change to
264 LibXML2/LibXSLT/XMLSec libraries).If you don't
265 use one of these platforms then you'll see no difference.
267 <br><li>April 17 2003<br>
268 The <a href="download.html">XML Security Library 1.0.0</a>
269 release is the major upgrade from 0.0.X version.
270 The new version includes multiple crypto engines support
271 (with "out of the box" support for OpenSSL, GnuTLS and NSS);
272 simplified and cleaned internal structure and API;
273 several performance and memory usage improvements;
274 new or updated documentation (tutorial, API reference manual and
277 <br><li>April 10 2003<br>
278 The final release candidate <a href="download.html">XML Security
279 Library 1.0.0rc1</a> is available for download. This release includes
281 complete <a href="api/xmlsec-ref.html">API Reference Manual</a>,
282 new chapters in the <a href="api/xmlsec-notes.html">tutorial</a> and
283 several new <a href="api/xmlsec-examples.html">examples</a>.
284 Another big change is using major version number in library files
285 to prevent collisions between different library versions.<br>
286 If no major problems will be found then the 1.0.0 release should
287 happen in a week from now.
289 <br><li>April 8 2003<br>
290 The new <a href="download.html">XML Security Library 0.0.15</a>
291 release is a preparation for the upcomming 1.0.0 release and
292 provides an ability to have both versions installed together
294 Also this release includes updated expired certificates for
295 the regression test suite and a fix for minor bug in reading binary
298 <br><li>April 6 2003<br><table><tr>
300 <a href="http://conferences.oreilly.com/oscon/"><img border="0" src="http://conferences.oreillynet.com/images/os2003/banners/130x40.gif" alt="O'Reilly Open Source Convent3Dion"></a>
303 <td valign="top">It seems that I'll be giving a
304 <a href="http://conferences.oreillynet.com/cs/os2003/view/e_sess/3838">presentation</a>
305 at the <a href="http://conferences.oreilly.com/oscon/">O'Reilly Open Source Convention 2003</a>
306 about XML Security and XML Security Library. Stop by to say "Hello!".
311 <br><li>March 26 2003<br><a href="download.html">XML Security Library 0.1.1</a>
312 release is the first release candidate for the new stable
313 version of XML Security Library. A lot of internal changes
314 including enchanced processing controls, performance improvements
315 for XML transforms, <a href="api/index.html">new documentation</a>,
316 updated <a href="api/xmlsec-examples.html">examples</a>
317 and many many other small things.<br>
318 Please try this release and report bugs. Again, it's the first
319 release candidate and it's very important for me to get your
320 feedback about it. Also if you are missing some features
321 in the library it's the best time to ask!
323 <br><li>March 19 2003<br><a href="download.html">XML Security Library 0.0.14</a> release
324 includes several minor bugfixes in references URI
325 processing, binary transforms processing and xmlsec
326 command line utility.
328 <br><li>March 5 2003<br>
329 The <a href="download.html">XML Security Library 0.1.0</a> release
330 creates a framework for integrating XML Security Library
331 with almost any crypto engine and even combining multiple crypto
332 engines in one application. As an example, basic support for GnuTLS and NSS
333 libraries is provided (digests, hmac and block ciphers).<br>
334 This is a pre-alpha release <b>not recommended</b> for production
335 (please use the <a href="download.html">stable 0.0.X</a> releases
336 instead). The new 0.1.X API and ABI will defenetly change.
337 However, if you plan to use XML Security Library with a new crypto
338 engine and plan to write some code then you can start now.
339 The "backend" API is pretty stable and I do not expect major
342 <br><li>February 21 2003<br><a href="download.html">XML Security Library 0.0.13</a> release
343 fixes incorrect processing of signatures with more than 3 binary
344 transforms in a row, improved pkcs12 files support and minor
345 documentation update.
347 <br><li>January 26 2003<br>
348 Two major fixes in <a href="http://www.aleksey.com/pipermail/xmlsec/2003/000507.html">HMAC</a> and
349 <a href="http://www.aleksey.com/pipermail/xmlsec/2003/000516.html">DES/AES</a>
350 algorithms are the reason for the new <a href="download.html">XML Security Library 0.0.12</a> release.
351 Also there are few other minor features and bug fixes (see Changelog in the
352 distribution for more details).
354 <br><li>December 3 2002<br>
355 New <a href="download.html">XML Security Library 0.0.11</a> release
356 fixes a <a href="http://www.aleksey.com/pipermail/xmlsec/2002/000368.html">major
357 problem</a> in Reference URI attribute processing. This release
358 also includes several Win32 build process fixes from Igor.
360 <br><li>October 20 2002<br>
361 Almost two months from previous release and a lot of minor
362 enchancements are good reasons for the new
363 <a href="download.html">XML Security Library 0.0.10</a> release:<br>
364 - added a way to specify "current time" to verify certificates
365 expiration against it;<br>
366 - implemented XML results output format for the xmlsec command
368 - fixed XMLDSig examples and added a new one (thanks to Devin
370 - resolved static link issue and a bunch of other improvements
371 for Win32 platform builds (Igor Zlatkovic);<br>
372 - added dynamic linking option for xmlsec command line utility
373 to help Debian port (John Belmonte);<br>
376 <br><li>August 26 2002<br>
377 I've completelly screwed up. The release 0.0.8 was totally broken
378 (I've simply packaged files from wrong CVS :) )
379 and I am doing a new <a href="download.html">0.0.9 release</a>
380 to fix all the problems. Please upgrade to the new version
381 if you use any of previous XML Security Library releases.<br>
382 I am really sorry for my stupid mistakes and I promise to never
383 do releases on Friday :( <br>
384 And special thanks to Ferrell Moultrie for pointing this out.
386 <br><li>August 23 2002<br><a href="download.html">XML Security Library 0.0.8</a> is released:<br>
387 - New errors reporting system is created and all the code is updated;<br>
388 - Added XPointer transform support;<br>
389 - Major enveloped and XPath transforms performance improvements;<br>
390 - Updated XPath 2 Filter implementation to reflect latest W3C specifications;<br>
391 - <a href="xmlsec-man.html">Man page</a> for xmlsec utility is written;<br>
392 - Automatically generated <a href="documentation.html">API Reference
393 Manual</a> (more than 370 symbols) is created;<br>
394 - Minor Win32 bug fixes from Igor;<br>
395 - Debian port from John Belmonte.<br>
397 <br><li>July 11 2002<br>
398 XML Security Library <a href="documentation.html">documentation</a>
401 <br><li>July 10 2002<br>
402 A new <a href="download.html">XML Security Library 0.0.7</a> release
403 includes all small bug fixes for last month and a new LibXML2 library
404 with improved canonicalization.
406 <br><li>May 28 2002<br>
407 New LibXML 2.4.22 is <a href="http://xmlsoft.org/news.html">released</a>
408 and new <a href="download.html">XML Security Library 0.0.6</a> is
410 - Win32 port is added: the idea and most of the configuration scripts
411 code was taken from LibXML2 (written by Igor Zlatkovic). I modified
412 original files so all errors are mine, not Igor's.<br>
413 - Many different performance optimizations (especially for RSA/DSA
414 algorithms and enveloped signatures).<br>
415 - <a href="http://www.w3.org/TR/xmldsig-filter2/">XPath Filter 2</a>
416 and <a href="http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002AprJun/0001.html">Alternative
417 XPath Filter</a> (not compiled by default, use --enable-altxpath configuration
418 switch if you need this transform) support is added. <br>
419 - Custom network protocol handler support is added. It is similar
420 to custom protocol handlers in LibXML2 but applied to binary files.<br>
421 - Separated XML Security Library RPM into xmlsec and xmlsec-devel
422 (suggested by Devin Heitmueller).<br>
424 <br><li>May 14 2002<br>
425 I've checked in new code for plugging in custom input handlers
426 (similar to ones that exist in LibXML2). The downside is that
427 you have to use <a href="ftp://xmlsoft.org/cvs-snapshot.tar.gz">daily
428 LibXML2 snapshot</a> to compile daily XML Security Library snapshot.
430 <br><li>April 28 2002<br><a href="download.html">XMLSec 0.0.5</a> released: <br>
431 - Big external and internal cleanup. Now the API looks much more consistent
432 and I hope simple. I hope to declare API frozen in the next couple weeks.
433 Meantime, all comments and suggestions are welcome!<br>
434 - Added <a href="http://www.w3.org/TR/xmlenc-core/#sec-Alg-SymmetricKeyWrap">
435 symmetric key wrap</a> (aes, des) support.<br>
436 - Added RIPEMD-160 support.<br>
438 <br><li>April 19 2002<br>
439 Minor release <a href="download.html">XMLSec 0.0.4</a> with main
440 goal to fix broken RPM:<br>
441 - The RPM is recompiled using OpenSSL 0.9.6. The previous
442 version was compiled with OpenSSL 0.9.7 but I got few complains
443 that there are no RPMs for 0.9.7 yet. The downsides of using 0.9.6 are
444 some functionality limitations for XML Encryption (no AES support,
445 incorrect padding mode for DES, etc.). If you want to use
446 XML Encryption it is better to compile the library from sources
447 and use OpenSSL 0.9.7<br>
448 - The testDSig, testEnc and testKeys scripts merged into standalone
449 "xmlsec" application.<br>
450 - A couple minor bugs fixed.<br>
452 <br><li>April 17 2002<br>
453 Installed <a href="http://www.aleksey.com/pipermail/xmlsec">
454 xmlsec mailing list.</a><br>
456 <br><li>April 16 2002<br>
457 A lot of changes and time for new release <a href="download.html">XMLSec 0.0.3</a>:<br>
458 - The first release that includes <a href="xmlenc.html">XML Encryption support</a>!
459 The bad news is that most of new features require <a href="download.html">OpenSSL 0.9.7</a> which is
460 not officially released yet.<br>
461 - Options to enable/disable support for particular algorithms were
462 added to the <code>./configure</code> script.<br>
463 - All transforms header files were consolidated in transforms.h
466 <br><li>April 6 2002<br>
467 The <a href="download.html">RPM packages</a> are now available.<br><br>
470 Test suite updates and new minor release <a href="download.html">XML Security Library 0.0.2a.</a>
472 New <a href="http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002AprJun/0017.html">
473 interoperability tests</a>
474 were provided by Merlin Hughes. XML Security Library successfully passed
475 <b>all tests </b>after small test program tweaking and adding workaround
476 for <a href="http://groups.google.com/groups?hl=en&threadm=96uofi%2417gh%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2&prev=/groups%3Fq%3DX509_STORE_add_crl%26hl%3Den%26selm%3D96uofi%252417gh%25241%2540FreeBSD.csie.NCTU.edu.tw%26rnum%3D2">
477 OpenSSL CRL problem.</a>
478 These new tests are included into the distribution and previous Merlin's
479 test suites are removed. Because of these changes I decided to generate
480 a new package that also will include the <a href="http://www.aleksey.com/xmlsec/xmldsig-verifier.html">
481 Online XML Digital Signature Verifier</a>
485 The <a href="http://www%2Caleksey.com/xmlsec/xmldsig-verifier.html">Online XML Digital Signature Verifier</a>
486 is available! You can use this tool to verify your XML Digital Signatures
487 from online Web form or using a simple Perl script. The idea was stolen
488 from <a href="http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002AprJun/0006.html">
489 Manoj K. Srivastava.</a><br><br>
491 <li>March 31 2002<br>
492 Some major changes and a time for new release: <a href="download.html">
493 XML Security Library 0.0.2</a>
494 . Now XML Security Library supports <b>all</b> MUST/SHOULD/MAY <a href="xmldsig-interop.html">
496 from XMLDSig standard!<br>
497 - Added X509 certificates and certificate chains support<br>
498 - The detailed signature generation/verification results are made available
499 to the application<br>
500 - RetrievalMethod, Manifests and <a href="http://www.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt">
501 additional algorithms</a>
503 - The Transforms and KeyInfo code was significantly re-writen with a goal
504 to separate it from XMLDSig logic for better re-usability (in XML Encryption,
507 <li>March 18 2002<br>
508 - Fixed wrong way shift of the DSA digest result bug found by Philipp
509 Gühring. This bug is critical and I have to do a <a href="download/xmlsec-0.0.1a.tar.gz">
512 - Added "--with-pedantic" configuration option and fixed all but "unused
513 variable" warnings (bug reported by Daniel Veillard).<br><br>
515 <li>March 17 2002<br>
516 The <a href="download.html">XML Security Library 0.0.1</a>
517 is released and available for download! Please try it out and send
518 me your comments/suggestions. </li>
521 </td></tr></table></td>