  • XSTJ-36: xmlsectool has been ported from the old OpenSAML 2 software stack to OpenSAML 3. This means that xmlsectool relies only on supported software.
  • XSTJ-25: xmlsectool now requires at least Java 7 to run.
  • XSTJ-52: Now that the Java runtime's XML processing API implementations are sufficiently reliable, xmlsectool no longer depends on, or bundles, "endorsed" versions of them. One benefit of this change is that some cases in which xmlsectool previously inserted redundant namespace prefix definitions have been addressed (see XSTJ-4).
  • XSTJ-11: the Java package name has been changed to correspond to the Maven artifact ID. The main class name has also changed to correspond to Shibboleth project conventions. These changes have no effect on command-line operation, but mean that environments in which the Java code is called directly must use the new entry point net.shibboleth.tool.xmlsectool.XMLSecTool.
  • XSTJ-45: xmlsectool no longer creates log files in its home directory by default. This means that write access to the installation directory is no longer required to run xmlsectool. If the previous behaviour is desired, use the --logConfig command line option to supply a custom logging configuration.
  • XSTJ-54: errors are now still logged if --quiet logging is selected. If the previous behaviour is desired, use the --logConfig command line option to supply a custom logging configuration.
  • XSTJ-55: the --signatureRequired command line option has been removed. Its effect was always present by default and there was no way to negate it, rendering it entirely redundant.
  • XSTJ-35: it is now possible to sign using an elliptic curve credential taken from a file.
  • XSTJ-34: in line with current recommendations for digital signatures, the default signing digest algorithm has been changed from SHA-1 to SHA-256. Use the --digest command line option if you are sure that you need to override this.
  • XSTJ-39: in line with current recommendations for digital signatures, the SHA-1 digest algorithm has been added to the default blacklist, which now consists of MD5 and SHA-1. This means that some signatures accepted by xmlsectool V1.2.0 will not be accepted by default by xmlsectool V2.0.0. If you are sure that you need to override this, you can do so by using the new --whitelistDigest option to remove a specific digest algorithm from the blacklist, as an alternative to the combination of --clearBlacklist and --blacklistDigest options already available from V1.2.0.
  • XSTJ-51: ECDSA signatures are now schema-valid. The empty KeyValue elements produced by previous versions of xmlsectool are no longer included in the output.
  • XSTJ-44: (post beta 1) ECDSA signatures may now be made and validated on a wider variety of platforms.

Release 1.2.0 (previous stable release)

Release date: 2013-04-17

For a complete list of issues addressed in this release, see https://issues.shibboleth.net/jira/issues/?filter=10273.

  • XSTJ-38: blacklist MD5 algorithm during signature verification
  • XSTJ-33: release process for XmlSecTool 1.2.0
  • XSTJ-31: add ECDSA elliptic curve signature support
  • XSTJ-28: provide blacklist ability for SHA-1 during signature verification
  • XSTJ-27: compatibility with Apache Santuario 1.5.x
  • XSTJ-24: should not use xmlsec IdResolver class
  • XSTJ-23: stabilise xmlsectool build, update dependencies
  • XSTJ-22: non-zero exit codes from shell script
  • XSTJ-20: pass JVMOPTS environment variable through xmlsectool.sh
  • XSTJ-19: pkcs11Config option fails to use indicated keystore provider
  • XSTJ-17: multiple errors in --help documentation
  • XSTJ-16: misleading error message on failed schema validation
  • XSTJ-15: XmlSecTool fails with String index out of range -1
  • XSTJ-14: allow specification of Digest and Signature algorithms when signing
  • XSTJ-5: ship RPM packaging files with xmlsectool

Release 1.1.5

Release date: 2011-07-25

  • XSTJ-13: failure to fetch via http if web server doesn't present a content-encoding header field
  • Security issue: additional validation of signatures to protect against signature wrapping attacks similar to CVE-2011-1411

Release 1.1.4

  • XSTJ-10: correct class and command name
  • XSTJ-9: add support for reading/writing base64, deflate, gzip encoded files
  • XSTJ-8: xmlsectool generates spurious xmlns:xml definitions in output
  • XSTJ-7: verify xmlsectool dependencies

Release 1.1.3

  • XSTJ-6: program fails with a NullPointerException when using a signing key from the filesystem without a password

Release 1.1.2

  • XSTJ-1: Update dependency libraries for version 1.1.2
  • XSTJ-2: non-zero status code not returned when a signature is invalid