Apache XML Security 1.5.1 available

One month after the 1.5.0 release, the bugfix release 1.5.1 of Apache Santuario is available. Two bugs were fixed: one in XMLSignatureInput when using a BufferedInputStream, and another that caused Santuario to still require Apache Xalan (which was made optional in 1.5.0). Besides that, encryption and decryption should work faster now.

XML Security tutorials now on GitHub

The German XML Security tutorials are now developed on GitHub. This does not affect the Eclipse XML Security Tools at all; the German tutorials will never be integrated there. The sources are only used to generate the tutorials available on my home page. I'm working on some content updates. As soon as this will be…

Versions 1.1 of XML Security coming closer

The W3C recently published new working drafts of several XML Security-related 1.1 versions: On May 13th, XML Signature Syntax and Processing, XML Encryption Syntax and Processing and XML Security Generic Hybrid Ciphers were updated. These are so-called Last Call Working Drafts, meaning the process is finally coming to an end and we…

Different XML Security drafts updated

Quite a lot of XML Security-related drafts were updated during my two-month holiday: XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0 both got updated on March 4th 2010. However, both documents are still in working draft stage. Besides that, there is a new XML Encryption Syntax and Processing Version…

XML Signature and Canonical XML 2.0 drafts available

The W3C has published first drafts of two specifications for the upcoming version 2.0: XML Signature Syntax and Processing and Canonical XML. The new XML Signature version promises more simplicity and more performance. Chapter 10 lists the differences from the current version. In short: New namespace dsig2, Canonical XML 2.0 and a completely changed transformation model which…

Apache Santuario 1.4.3 available

Version 1.4.3 of Apache XML Security (Santuario) is available. If you use this API, you should update to the new release as soon as possible. This release doesn't provide any new features, but includes a lot of bug fixes, including a correction for the relatively serious security vulnerability that was discovered recently.

HMAC truncation authentication bypass in XML Signature

There is a vulnerability in XML Signatures. The W3C recommendation includes support for HMAC truncation, as specified in RFC 2104. The thing is, this support is not complete: The RFC does not allow truncation to less than half of the length of the hash output or less than 80 bits (whichever comes first). The XML Signature…

XML Signatures for widgets

The WebApps working group has published a first working draft of the Widgets 1.0: Digital Signatures recommendation. This is normally neither my working nor my research area. But this recommendation already makes use of XML Signature 1.1 and is a really cool and obvious usage scenario for XML Signatures. Since the widgets are based on…

A whole bunch of new XML Security working drafts

The W3C XML Security Working Group released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to even some new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML…