One month after the 1.5.0 release, the bugfix release 1.5.1 of Apache Santuario is available. Two bugs were fixed: one in XMLSignatureInput when using a BufferedInputStream, and another that caused Santuario to still require Apache Xalan (which was changed to optional in 1.5.0). Besides that, encryption and decryption should work faster now.
A new maintenance release (1.4.6) of Apache Santuario, the Apache XML Security project, is available. The release notes are a little bit confusing. It looks like five bugs were fixed. The new version will be available in the next JCrypTool release.
The German XML Security tutorials are now developed on GitHub. This does not affect the Eclipse XML Security Tools at all; the German tutorials will never be integrated there. The sources are only used to generate the tutorials available on my home page. I'm working on some content updates. As soon as this will be… Continue reading XML Security tutorials now on GitHub
The W3C recently published new working drafts of several XML Security related 1.1 versions: On May 13th, XML Signature Syntax and Processing, XML Encryption Syntax and Processing and XML Security Generic Hybrid Ciphers were updated. These are so-called Last Call Working Drafts, meaning the process is finally coming to an end and we… Continue reading Versions 1.1 of XML Security coming closer
Quite a lot of XML Security related drafts were updated during my two-month holiday: XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0 both got updated on March 4th 2010. However, both documents are still in working draft stage. Besides that, there is a new XML Encryption Syntax and Processing Version… Continue reading Different XML Security drafts updated
The W3C has published first drafts of two specifications for the upcoming version 2.0: XML Signature Syntax and Processing, and Canonical XML. The new XML Signature version promises more simplicity and more performance. Chapter 10 lists the differences from the current version. In short: New namespace dsig2, Canonical XML 2.0 and a completely changed transformation model which… Continue reading XML Signature and Canonical XML 2.0 drafts available
Version 1.4.3 of Apache XML Security (Santuario) is available. If you use this API, you should update to the new release as soon as possible. This release doesn't provide any new features, but includes a lot of bug fixes, including a correction for the relatively serious security vulnerability that was discovered recently.
There is a vulnerability with XML Signatures. The W3C recommendation includes support for HMAC truncation, as specified in RFC 2104. The thing is, this support is not complete: The RFC does not allow truncation to less than half of the length of the hash output or less than 80 bits (whichever comes first). The XML Signature… Continue reading HMAC truncation authentication bypass in XML Signature
The WebApps working group has published a first working draft of the Widgets 1.0: Digital Signatures recommendation. This is normally neither my working nor my research area. But this recommendation already makes use of XML Signature 1.1 and is a really cool and obvious usage scenario for XML Signatures. Since the widgets are based on… Continue reading XML Signatures for widgets
The W3C XML Security Working Group has released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to even some new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML… Continue reading A whole bunch of new XML Security working drafts