XML Security Library

LibXML2
LibXSLT
OpenSSL

XML Digital Signature Interoperability Report

XML Security library supports the following features as defined in XML Signature Syntax and Processing 1.1 (also see RFC 9231):

XMLSec Library core features

Requirements Status
Processing rules
Reference Generation Required Yes
Signature Generation Required Yes
Reference Validation Required Yes
Signature Validation Required Yes
Syntax
The ds:CryptoBinary Simple Type Required Yes
The Signature Element Required Yes
The SignatureValue Element Required Yes
The SignedInfo Element Required Yes
The CanonicalizationMethod Element Required Yes
The SignatureMethod Element Required Yes
The Reference Element Required Yes
The Reference Element: URI Attribute Required Yes
The Transforms Element Optional Yes
The DigestMethod Element Required Yes
The DigestValue Element Required Yes
The KeyInfo Element Optional Yes
The KeyName Element Optional Yes
The KeyValue Element Optional Yes (disabled by default; also see algorithms section)
The RetrievalMethod Element Optional Yes
The MgmtData Element NOT RECOMMENDED and SHOULD NOT be used Yes
XML Encryption EncryptedKey and DerivedKey Elements Optional Yes (see XML Encryption report)
The KeyInfoReference Element Optional Yes
The Object Element Optional Yes (only the Manifest element is supported)
The Manifest Element Optional Yes
The SignatureProperties Element Optional No (ignored)
Transforms
Canonical XML 1.0 (C14N) omit comments Required Yes
Canonical XML 1.0 (C14N) with comments Recommended Yes
Canonical XML 1.1 (C14N11) omit comments Required Yes
Canonical XML 1.1 (C14N11) with comments Recommended Yes
Exlusive Canonical XML 1.0 (EXC-C14N) omit comments Required Yes
Exlusive Canonical XML 1.0 (EXC-C14N) with comments Recommended Yes
Base64 Transform Required Yes
XPath Filtering Recommended Yes
XPath Filter 2.0 Recommended Yes
Enveloped Signature Transform Required Yes
XSLT Transform Optional Yes (2)
Decryption Transform Optional Yes
XPointer Transform Optional Yes

XMLSec Cryptographic Libraries features

Requirements XMLSec with OpenSSL XMLSec with NSS XMLSec with GnuTLS XMLSec with MSCng XMLSec with MSCrypto (1) XMLSec with GCrypt (1)
Message Digests
SHA-1 Required (use is DISCOURAGED) Yes Yes Yes Yes Yes Yes
SHA2-224 Optional Yes Yes Yes No No No
SHA2-256 Required Yes Yes Yes Yes Yes Yes
SHA2-384 Optional Yes Yes Yes Yes Yes Yes
SHA2-512 Optional Yes Yes Yes Yes Yes Yes
SHA3-224 Optional Yes No Yes No No No
SHA3-256 Optional Yes No Yes Yes (10) No Yes
SHA3-384 Optional Yes No Yes Yes (10) No Yes
SHA3-512 Optional Yes No Yes Yes (10) No Yes
RIPEMD160 DEPRECATED Yes (1) No No No No Yes (1)
GOST-R3411-94 Optional Yes (3) No Yes No Yes (4) No
GOST-R3411-2012 (256 bit) Optional Yes (3) No Yes No Yes (4) No
GOST-R3411-2012 (512 bit) Optional Yes (3) No Yes No Yes (4) No
MD5 DEPRECATED Yes (1) Yes (1) Yes (1) Yes (1) Yes (1) Yes (1)
Message Authentication Codes
HMAC-SHA1 Required (use is DISCOURAGED) Yes Yes Yes Yes Yes Yes
HMAC-SHA2-224 Optional Yes Yes Yes No Yes No
HMAC-SHA2-256 Required Yes Yes Yes Yes Yes Yes
HMAC-SHA2-384 Recommended Yes Yes Yes Yes Yes Yes
HMAC-SHA2-512 Recommended Yes Yes Yes Yes Yes Yes
HMAC-RIPEMD160 DEPRECATED Yes (1) Yes (1) No No Yes (1) Yes (1)
HMAC-MD5 DEPRECATED Yes (1) Yes (1) No Yes (1) Yes (1) Yes (1)
Signatures
DSA-SHA1 Required (use is DISCOURAGED for signature generation) Yes Yes Yes Yes Yes Yes
DSA-SHA256 Optional Yes Yes Yes Yes No No
PKCS1 RSA-SHA1 Recommended (use is DISCOURAGED for signature generation) Yes Yes Yes Yes Yes Yes
PKCS1 RSA-SHA2-224 Optional Yes Yes Yes No No No
PKCS1 RSA-SHA2-256 Required Yes Yes Yes Yes Yes Yes
PKCS1 RSA-SHA2-384 Optional Yes Yes Yes Yes Yes Yes
PKCS1 RSA-SHA2-512 Optional Yes Yes Yes Yes Yes Yes
PKCS1 RSA-RIPEMD160 DEPRECATED Yes (1) No No No No Yes (1)
PKCS1 RSA-MD5 DEPRECATED Yes (1) Yes (1) No Yes (1) Yes (1) Yes (1)
ECDSA-RIPEMD160 DEPRECATED Yes (1) No No No No No
ECDSA-SHA1 Optional (use is DISCOURAGED) Yes Yes Yes Yes No Yes
ECDSA-SHA2-224 Optional Yes Yes Yes No No No
ECDSA-SHA2-256 Required Yes Yes Yes Yes No Yes
ECDSA-SHA2-384 Optional Yes Yes Yes Yes No Yes
ECDSA-SHA2-512 Optional Yes Yes Yes Yes No Yes
ECDSA-SHA3-224 Optional Yes No Yes No No No
ECDSA-SHA3-256 Optional Yes No Yes Yes (10) No Yes
ECDSA-SHA3-384 Optional Yes No Yes Yes (10) No Yes
ECDSA-SHA3-512 Optional Yes No Yes Yes (10) No Yes
RSASSA-PSS-SHA1 without Parameters Optional (use is DISCOURAGED) Yes Yes No Yes No Yes
RSASSA-PSS-SHA2-224 without Parameters Optional Yes Yes No No No No
RSASSA-PSS-SHA2-256 without Parameters Optional Yes Yes Yes Yes No Yes
RSASSA-PSS-SHA2-384 without Parameters Optional Yes Yes Yes Yes No Yes
RSASSA-PSS-SHA2-512 without Parameters Optional Yes Yes Yes Yes No Yes
RSASSA-PSS-SHA3-224 without Parameters Optional Yes No No No No No
RSASSA-PSS-SHA3-256 without Parameters Optional Yes No No Yes (10) No Yes
RSASSA-PSS-SHA3-384 without Parameters Optional Yes No No Yes (10) No Yes
RSASSA-PSS-SHA3-512 without Parameters Optional Yes No No Yes (10) No Yes
GOST-R3410-2001 Optional Yes (3) No Yes No Yes (4) No
GOST-R3410-2012 (256 bit) Optional Yes (3) No Yes No Yes (4) No
GOST-R3411-2012 (512 bit) Optional Yes (3) No Yes No Yes (4) No
ML-DSA EXPERIMENTAL Yes (1) No Yes (1) (7) No No No
SLH-DSA-SHA2 (128, 192, 256; fast and slow variants) EXPERIMENTAL Yes (1) No No No No No
EdDSA (Ed25519, Ed25519ctx (8), Ed25519ph, Ed448, Ed448ph) Optional Yes Yes (9) Yes No No No
The KeyInfo Element
The DSAKeyValue Element Optional Yes (1) (5) Yes (1) (5) Yes (1) (5) Yes (1) (5) Yes (1) (5) Yes (1) (5)
The RSAKeyValue Element Optional Yes (1) Yes (1) Yes (1) Yes (1) Yes (1) Yes (1)
The ECKeyValue Element Optional Yes (1) Yes (1) Yes (1) Yes (1) No Yes
The X509Data Element Optional Yes Yes Yes Yes Yes No
The X509Digest Element Optional Yes Yes Yes Yes (6) No No
The PGPData Element Optional No No No No No No
The SPKIData Element Optional No No No No No No
The DEREncodedKeyValue Element Optional Yes (1) Yes (1) Yes (1) Yes (1) (11) No No
  • (1) The feature is disabled by default but can be re-enabled at build time.
  • (2) Requires LibXSLT library.
  • (3) GOST support for the xmlsec-openssl library requires installation of the GOST OpenSSL Engine.
  • (4) GOST support for the xmlsec-mscrypto library requires installation of a GOST CSP.
  • (5) The Seed and PgenCounter are not supported in DSAKeyValue element.
  • (6) The xmlsec-mscng library only supports SHA1 digest algorithm for X509Digest element.
  • (7) The ML-DSA or SLH-DSA ContextString is not supported.
  • (8) Ed25519ctx requires a non-empty context string (per RFC 8032).
  • (9) The xmlsec-nss library only supports Ed25519 (Ed448 is not supported). Additionally, NSS cannot import EdDSA private keys from PKCS#12 files; use unencrypted PKCS#8 DER format instead.
  • (10) SHA3 digest algorithms in xmlsec-mscng require Windows 11 22H2 or later.
  • (11) The xmlsec-mscng library supports XDH (X25519) key data (X448 is not supported); see the XML Encryption Interoperability Report for key agreement support details.