XML Security Library

XML Digital Signature Interoperability Report

XML Security library supports the following features as defined in XML Signature Syntax and Processing 1.1 (also see RFC 9231):

XMLSec Library core features

Processing rules

| Feature | Requirement | Status |
|---|---|---|
| Reference Generation | Required | Yes |
| Signature Generation | Required | Yes |
| Reference Validation | Required | Yes |
| Signature Validation | Required | Yes |

Syntax

| Feature | Requirement | Status |
|---|---|---|
| The ds:CryptoBinary Simple Type | Required | Yes |
| The Signature Element | Required | Yes |
| The SignatureValue Element | Required | Yes |
| The SignedInfo Element | Required | Yes |
| The CanonicalizationMethod Element | Required | Yes |
| The SignatureMethod Element | Required | Yes |
| The Reference Element | Required | Yes |
| The Reference Element: URI Attribute | Required | Yes |
| The Transforms Element | Optional | Yes |
| The DigestMethod Element | Required | Yes |
| The DigestValue Element | Required | Yes |
| The KeyInfo Element | Optional | Yes |
| The KeyName Element | Optional | Yes |
| The KeyValue Element | Optional | Yes (disabled by default; also see algorithms section) |
| The RetrievalMethod Element | Optional | Yes |
| The MgmtData Element | NOT RECOMMENDED and SHOULD NOT be used | Yes |
| XML Encryption EncryptedKey and DerivedKey Elements | Optional | Yes (see XML Encryption report) |
| The KeyInfoReference Element | Optional | Yes |
| The Object Element | Optional | Yes (only the Manifest element is supported) |
| The Manifest Element | Optional | Yes |
| The SignatureProperties Element | Optional | No (ignored) |

Transforms

| Feature | Requirement | Status |
|---|---|---|
| Canonical XML 1.0 (C14N) omit comments | Required | Yes |
| Canonical XML 1.0 (C14N) with comments | Recommended | Yes |
| Canonical XML 1.1 (C14N11) omit comments | Required | Yes |
| Canonical XML 1.1 (C14N11) with comments | Recommended | Yes |
| Exclusive Canonical XML 1.0 (EXC-C14N) omit comments | Required | Yes |
| Exclusive Canonical XML 1.0 (EXC-C14N) with comments | Recommended | Yes |
| Base64 Transform | Required | Yes |
| XPath Filtering | Recommended | Yes |
| XPath Filter 2.0 | Recommended | Yes |
| Enveloped Signature Transform | Required | Yes |
| XSLT Transform | Optional | Yes (1) |
| Decryption Transform | Optional | Yes |
| XPointer Transform | Optional | Yes |

XMLSec Cryptographic Libraries features

Message Digests

| Feature | Requirement | XMLSec with OpenSSL | XMLSec with NSS | XMLSec with GnuTLS | XMLSec with MSCng | XMLSec with MSCrypto | XMLSec with GCrypt |
|---|---|---|---|---|---|---|---|
| SHA-1 | Required (use is DISCOURAGED) | Yes | Yes | Yes | Yes | Yes | Yes |
| SHA2-224 | Optional | Yes | Yes | No | No | No | No |
| SHA2-256 | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| SHA2-384 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| SHA2-512 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| SHA3-224 | Optional | Yes | No | No | No | No | No |
| SHA3-256 | Optional | Yes | No | Yes | No | No | Yes |
| SHA3-384 | Optional | Yes | No | Yes | No | No | Yes |
| SHA3-512 | Optional | Yes | No | Yes | No | No | Yes |
| RIPEMD160 | Optional | Yes | No | No | No | No | Yes |
| GOST-R3411-94 | Optional | Yes (2) | No | Yes | No | Yes (3) | No |
| GOST-R3411-2012 (256 bit) | Optional | Yes (2) | No | Yes | No | Yes (3) | No |
| GOST-R3411-2012 (512 bit) | Optional | Yes (2) | No | Yes | No | Yes (3) | No |
| MD5 | DEPRECATED | Yes | Yes | Yes | Yes | Yes | Yes |

Message Authentication Codes

| Feature | Requirement | XMLSec with OpenSSL | XMLSec with NSS | XMLSec with GnuTLS | XMLSec with MSCng | XMLSec with MSCrypto | XMLSec with GCrypt |
|---|---|---|---|---|---|---|---|
| HMAC-SHA1 | Required (use is DISCOURAGED) | Yes | Yes | Yes | Yes | Yes | Yes |
| HMAC-SHA2-224 | Optional | Yes | Yes | No | No | Yes | No |
| HMAC-SHA2-256 | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| HMAC-SHA2-384 | Recommended | Yes | Yes | Yes | Yes | Yes | Yes |
| HMAC-SHA2-512 | Recommended | Yes | Yes | Yes | Yes | Yes | Yes |
| HMAC-RIPEMD160 | Optional | Yes | Yes | No | No | No | Yes |
| HMAC-MD5 | DEPRECATED | Yes | Yes | No | Yes | Yes | Yes |

Signatures

| Feature | Requirement | XMLSec with OpenSSL | XMLSec with NSS | XMLSec with GnuTLS | XMLSec with MSCng | XMLSec with MSCrypto | XMLSec with GCrypt |
|---|---|---|---|---|---|---|---|
| DSA-SHA1 | Required (use is DISCOURAGED for signature generation) | Yes | Yes | Yes | Yes | Yes | Yes |
| DSA-SHA256 | Optional | Yes | Yes | Yes | No | No | No |
| PKCS1 RSA-SHA1 | Recommended (use is DISCOURAGED for signature generation) | Yes | Yes | Yes | Yes | Yes | Yes |
| PKCS1 RSA-SHA2-224 | Optional | Yes | Yes | No | No | No | No |
| PKCS1 RSA-SHA2-256 | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| PKCS1 RSA-SHA2-384 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| PKCS1 RSA-SHA2-512 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| PKCS1 RSA-RIPEMD160 | Optional | Yes | No | No | No | No | Yes |
| PKCS1 RSA-MD5 | DEPRECATED | Yes | Yes | No | Yes | Yes | Yes |
| ECDSA-RIPEMD160 | Optional | Yes | No | No | No | No | No |
| ECDSA-SHA1 | Optional (use is DISCOURAGED) | Yes | Yes | Yes | Yes | No | Yes |
| ECDSA-SHA2-224 | Optional | Yes | Yes | No | No | No | No |
| ECDSA-SHA2-256 | Required | Yes | Yes | Yes | Yes | No | Yes |
| ECDSA-SHA2-384 | Optional | Yes | Yes | Yes | Yes | No | Yes |
| ECDSA-SHA2-512 | Optional | Yes | Yes | Yes | Yes | No | Yes |
| ECDSA-SHA3-224 | Optional | Yes | No | No | No | No | No |
| ECDSA-SHA3-256 | Optional | Yes | No | Yes | No | No | Yes |
| ECDSA-SHA3-384 | Optional | Yes | No | Yes | No | No | Yes |
| ECDSA-SHA3-512 | Optional | Yes | No | Yes | No | No | Yes |
| RSASSA-PSS-SHA1 without Parameters | Optional (use is DISCOURAGED) | Yes | Yes | No | Yes | No | Yes |
| RSASSA-PSS-SHA2-224 without Parameters | Optional | Yes | Yes | No | No | No | No |
| RSASSA-PSS-SHA2-256 without Parameters | Optional | Yes | Yes | Yes | Yes | No | Yes |
| RSASSA-PSS-SHA2-384 without Parameters | Optional | Yes | Yes | Yes | Yes | No | Yes |
| RSASSA-PSS-SHA2-512 without Parameters | Optional | Yes | Yes | Yes | Yes | No | Yes |
| RSASSA-PSS-SHA3-224 without Parameters | Optional | Yes | No | No | No | No | No |
| RSASSA-PSS-SHA3-256 without Parameters | Optional | Yes | No | No | No | No | Yes |
| RSASSA-PSS-SHA3-384 without Parameters | Optional | Yes | No | No | No | No | Yes |
| RSASSA-PSS-SHA3-512 without Parameters | Optional | Yes | No | No | No | No | Yes |
| GOST-R3410-2001 | Optional | Yes (2) | No | Yes | No | Yes (3) | No |
| GOST-R3410-2012 (256 bit) | Optional | Yes (2) | No | Yes | No | Yes (3) | No |
| GOST-R3411-2012 (512 bit) | Optional | Yes (2) | No | Yes | No | Yes (3) | No |

The KeyInfo Element

| Feature | Requirement | XMLSec with OpenSSL | XMLSec with NSS | XMLSec with GnuTLS | XMLSec with MSCng | XMLSec with MSCrypto | XMLSec with GCrypt |
|---|---|---|---|---|---|---|---|
| The DSAKeyValue Element | Optional | Yes (4) | Yes (4) | Yes (4) | Yes (4) | Yes (4) | Yes (4) |
| The RSAKeyValue Element | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| The ECKeyValue Element | Optional | Yes | Yes | Yes | Yes | No | Yes |
| The DHKeyValue Element | Optional | Yes | No | No | No | No | No |
| The X509Data Element | Optional | Yes | Yes | Yes | Yes | Yes | No |
| The X509Digest Element | Optional | Yes | Yes | Yes | Yes (5) | No | No |
| The PGPData Element | Optional | No | No | No | No | No | No |
| The SPKIData Element | Optional | No | No | No | No | No | No |
| The DEREncodedKeyValue Element | Optional | Yes (disabled by default) | Yes (disabled by default) | Yes (disabled by default) | Yes (disabled by default) | No | No |

  • (1) Requires LibXSLT library.
  • (2) GOST support for the xmlsec-openssl library requires installation of the GOST OpenSSL Engine.
  • (3) GOST support for the xmlsec-mscrypto library requires installation of a GOST CSP.
  • (4) Seed and PgenCounter are not supported in DSAKeyValue element.
  • (5) The xmlsec-mscng library only supports SHA1 digest algorithm for X509Digest element.