XML Security Library


XML Digital Signature

XML Digital Signature provides integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.

XML Security Library supports all MUST/SHOULD/MAY features and algorithms described in the W3C standard and provides an API to sign prepared document templates, add signature(s) to a document "on-the-fly", or verify the signature(s) in a document.

XML Digital Signature Online Verifier is an example of a real application based on XML Security Library. With this tool you can verify any XML Signature and get a detailed report on what was signed and how.

XML Security Library XML Signature Interoperability Report


| Features and algorithms | Key Word | XMLSec with OpenSSL | XMLSec with GnuTLS | XMLSec with NSS | XMLSec with MSCrypto |
|---|---|---|---|---|---|
| Detached Signature | MUST | Y | Y | Y | Y |
| Enveloping Signature: same document reference with fragment (URI="#Object1") | MUST | Y | Y | Y | Y |
| Enveloped Signature: same document reference (URI="") with Enveloped Signature Transform | MUST | Y | Y | Y | Y |
| SignatureValue generation/validation | MUST | Y | Y | Y | Y |
| Manifest DigestValue generation/validation | MAY | Y | Y | Y | Y |
| Feature: laxly schema valid Signature element generation | MUST | Y | Y | Y | Y |
| XPointers '#xpointer(/)' | SHOULD | Y | Y | Y | Y |
| XPointers '#xpointer(id("ID"))' | SHOULD | Y | Y | Y | Y |
| XPointers: full support | MAY | Y | Y | Y | Y |
| XPath | SHOULD | Y | Y | Y | Y |
| the dsig XPath 'here()' function (can be used to implement enveloped signature) | SHOULD | Y | Y | Y | Y |
| XSLT (note, the child XSLT element of Transform has been deprecated.) | MAY | Y | Y | Y | Y |
| RetrievalMethod (e.g., X509Data) | SHOULD | Y | Y | Y | Y |
| SHA1 | MUST | Y | Y | Y | Y |
| Base64 | MUST | Y | Y | Y | Y |
| HMAC-SHA1 | MUST | Y | Y | Y | N |
| DSAwithSHA1 (DSS) | MUST | Y(1) | N | Y | Y |
| RSAwithSHA1 | SHOULD | Y | N | Y | Y |
| X509 support | SHOULD | Y | N | Y | Y |
| minimal (deprecated) | n/a | N | N | N | N |
| Canonical XML (20010315) | MUST | Y | Y | Y | Y |
| Canonical XML with comments | SHOULD | Y | Y | Y | Y |
| Exclusive Canonical XML | SHOULD | Y | Y | Y | Y |
| Exclusive Canonical XML with comments | SHOULD | Y | Y | Y | Y |
| Enveloped Signature | MUST | Y | Y | Y | Y |
| Additional algorithms ( * ) | | | | | |
| HMAC-MD5 | | Y | Y | Y | N |
| HMAC-RIPEMD160 | | Y | Y | N | N |
| XPointer transform | | Y | Y | Y | Y |

(1) Defining a DSA key with Seed and PgenCounter is not supported.
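The matrix above can serve as a pre-flight check on a signed document before it is handed to a particular xmlsec backend: collect every Algorithm URI in the Signature and look up which backends the report marks N. The following is an added example, not code from the XML Security Library; the URI-to-row mapping is a subset of the table copied from the report, the sample document is constructed, and nothing here validates the signature itself.

```python
import xml.etree.ElementTree as ET
DSIG = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
BACKENDS = ("OpenSSL", "GnuTLS", "NSS", "MSCrypto")
# Algorithm URI -> (row in the report above, support per backend in BACKENDS
# order). A subset of the matrix; "Y(1)" for DSA with OpenSSL counts as Y.
MATRIX = {
    DSIG + "sha1": ("SHA1", "YYYY"),
    DSIG + "hmac-sha1": ("HMAC-SHA1", "YYYN"),
    DSIG + "dsa-sha1": ("DSAwithSHA1", "YNYY"),
    DSIG + "rsa-sha1": ("RSAwithSHA1", "YNYY"),
    DSIG + "enveloped-signature": ("Enveloped Signature", "YYYY"),
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": ("Canonical XML", "YYYY"),
    MORE + "hmac-md5": ("HMAC-MD5", "YYYN"),
    MORE + "hmac-ripemd160": ("HMAC-RIPEMD160", "YYNN"),
}

# Constructed sample: an enveloped HMAC-SHA1 signature (digest and signature
# values omitted; only the algorithm URIs matter for this check).
SAMPLE = """<Envelope xmlns="urn:example">
  <Data>hello</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </Reference>
    </SignedInfo>
  </Signature>
</Envelope>"""

def backend_gaps(signed_xml):
    """Map each backend to the report rows it cannot handle for the Algorithm
    URIs found in signed_xml; URIs with no row in MATRIX land under "unknown"."""
    root = ET.fromstring(signed_xml)
    uris = sorted({el.get("Algorithm") for el in root.iter() if el.get("Algorithm")})
    gaps = {b: [] for b in BACKENDS + ("unknown",)}
    for uri in uris:
        if uri not in MATRIX:
            gaps["unknown"].append(uri)
            continue
        name, flags = MATRIX[uri]
        for backend, flag in zip(BACKENDS, flags):
            if flag != "Y":
                gaps[backend].append(name)
    return gaps
```

For the constructed sample the only gap is HMAC-SHA1 under MSCrypto, which matches the N in that row of the table.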

Test vectors (from IETF/W3C XML Signature WG: XML Signature Interoperability page):
merlin-xmldsig-twenty-three.tar.gz
merlin-xmldsig-sixteen.tar.gz (features, deprecated)
merlin-xmldsig-fifteen.tar.gz (algorithms, deprecated)



Aleksey Sanin