XML Security Library

XML Encryption Interoperability Report

The XML Security Library supports the following features as defined in XML Encryption Syntax and Processing Version 1.1 (also see RFC 9231):

XMLSec Library core features

| Requirements | Level | Status |
|---|---|---|
| Processing rules | | |
| Type parameter value: Element | Required | Yes |
| Type parameter value: Content | Required | Yes |
| Type parameter value: EXI | Optional | No |
| Encryption | Required | Yes |
| Decryption | Required | Yes |
| XML Encryption | Optional | Yes |
| Syntax | | |
| The EncryptedType Element | Required | Yes |
| The EncryptionMethod Element | Optional | Yes |
| The CipherData Element | Required | Yes |
| The CipherReference Element | Optional | Yes |
| The EncryptedData Element | Required | Yes |
| The EncryptedKey Element | Optional | Yes |
| The DerivedKey Element | Required | Yes (2) |
| The ds:RetrievalMethod Element | Optional | Yes |
| The ReferenceList Element | Optional | Yes |
| The EncryptionProperties Element | Optional | Yes |
| Transforms | | |
| XML Canonicalization | See XMLDsig Report | |

XMLSec Cryptographic Libraries features

| Requirements | Level | XMLSec with OpenSSL | XMLSec with NSS | XMLSec with GnuTLS | XMLSec with MSCng | XMLSec with MSCrypto (1) | XMLSec with GCrypt (1) |
|---|---|---|---|---|---|---|---|
| Block Encryption Algorithms | | | | | | | |
| Triple DES (DES3) | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-CBC-128 | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-CBC-192 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-CBC-256 | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-GCM-128 | Required | Yes | Yes | Yes | Yes | No | No |
| AES-GCM-192 | Optional | Yes | Yes | Yes | Yes | No | No |
| AES-GCM-256 | Optional | Yes | Yes | Yes | Yes | No | No |
| Camellia-CBC-128 | Optional | Yes | Yes | Yes | No | No | No |
| Camellia-CBC-192 | Optional | Yes | Yes | Yes | No | No | No |
| Camellia-CBC-256 | Optional | Yes | Yes | Yes | No | No | No |
| ChaCha20 | Optional | Yes | No | Yes | No | No | No |
| ChaCha20-Poly1305 | Optional | Yes | Yes | Yes | No | No | No |
| Stream Encryption Algorithms | Optional | Yes | Yes | Yes | Yes | No | No |
| Key Derivation | | | | | | | |
| ConcatKDF | Required | Yes (3) (4) | Yes | Yes (4) | Yes (4) (5) | No | No |
| PBKDF2 | Optional | Yes (3) (6) | Yes (6) | Yes (6) | Yes (5) (6) | No | No |
| HKDF | Optional | Yes (3) | Yes | Yes | Yes (5) | No | No |
| Key Transport | | | | | | | |
| RSA PKCS1 v1.5 | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| RSA-OAEP (MGF1 with SHA1) | Required | Yes | Yes | No | Yes | Yes | Yes |
| RSA-OAEP with MGF1-SHA1 | Optional | Yes | Yes | No | Yes (7) | No | Yes (7) |
| RSA-OAEP with MGF1-SHA224 | Optional | Yes | Yes | No | No | No | Yes (7) |
| RSA-OAEP with MGF1-SHA256 | Optional | Yes | Yes | No | Yes (7) | No | Yes (7) |
| RSA-OAEP with MGF1-SHA384 | Optional | Yes | Yes | No | Yes (7) | No | Yes (7) |
| RSA-OAEP with MGF1-SHA512 | Optional | Yes | Yes | No | Yes (7) | No | Yes (7) |
| Key Agreement | | | | | | | |
| Elliptic Curve Diffie-Hellman (ECDH) | Required | Yes (3) | Yes | Yes | Yes (5) | No | No |
| XDH Key Agreement (X25519, X448) | Optional | Yes (3) | Yes (9) | Yes | Yes (10) | No | No |
| Diffie-Hellman with legacy KDF | Optional | No | No | No | No | No | No |
| Diffie-Hellman with explicit KDF | Optional | Yes (3) (8) | No | No | Yes | No | No |
| Symmetric Key Wrap | | | | | | | |
| Triple DES Key Wrap | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-128 KeyWrap | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-192 KeyWrap | Optional | Yes | Yes | Yes | Yes | Yes | Yes |
| AES-256 KeyWrap | Required | Yes | Yes | Yes | Yes | Yes | Yes |
| Camellia-128 KeyWrap | Optional | Yes | Yes | Yes | No | No | No |
| Camellia-192 KeyWrap | Optional | Yes | Yes | Yes | No | No | No |
| Camellia-256 KeyWrap | Optional | Yes | Yes | Yes | No | No | No |
| Message Digest | | | | | | | |
| Message Digest Algorithms | See XMLDsig Report | | | | | | |

  • (1) The feature is disabled by default but can be re-enabled at build time.
  • (2) Some optional features in DerivedKey element are not supported.
  • (3) Requires OpenSSL 3.0.0 or newer.
  • (4) Only byte-aligned bit strings in ConcatKDFParams element are supported.
  • (5) The xmlsec-mscng library does not support some cryptographic algorithms on older versions of Windows.
  • (6) Only "specified" salt is supported for PBKDF2.
  • (7) RSA-OAEP digest algorithm and MGF1 algorithm must be the same.
  • (8) The xmlsec-openssl library only supports DHX (X9.42 format) keys for DH algorithm.
  • (9) The xmlsec-nss library only supports X25519; X448 (Curve448) is not yet implemented in NSS.
  • (10) The xmlsec-mscng library only supports X25519; X448 (Curve448) is not supported.