...
- XSTJ-36: xmlsectool has been ported from the old OpenSAML 2 software stack to OpenSAML 3. This means that xmlsectool relies only on supported software.
- XSTJ-25: xmlsectool now requires at least Java 7 to run.
- XSTJ-52: Now that the Java runtime's XML processing API implementations are sufficiently reliable, xmlsectool no longer depends on, or bundles, "endorsed" versions of them. One benefit of this change is that some cases in which xmlsectool previously inserted redundant namespace prefix definitions have been addressed (see XSTJ-4).
- XSTJ-11: the Java package name has been changed to correspond to the Maven artifact ID. The main class name has also changed to correspond to Shibboleth project conventions. These changes have no effect on command-line operation, but mean that environments in which the Java code is called directly must use a new entry point of net.shibboleth.tool.xmlsectool.XMLSecTool.
- XSTJ-45: xmlsectool no longer creates log files in its home directory by default. This means that write access to the installation directory is no longer required to run xmlsectool. If the previous behaviour is desired, use the --logConfig command line option to supply a custom logging configuration.
- XSTJ-54: errors are now still logged if --quiet logging is selected. If the previous behaviour is desired, use the --logConfig command line option to supply a custom logging configuration.
- XSTJ-55: the --signatureRequired command line option has been removed. Its effect was always present by default and there was no way to negate it, rendering it entirely redundant.
- XSTJ-35: it is now possible to sign using an elliptic curve credential taken from a file.
- XSTJ-34: in line with current recommendations for digital signatures, the default signing digest algorithm has been changed from SHA-1 to SHA-256. Use the --digest command line option if you are sure that you need to override this.
- XSTJ-39: in line with current recommendations for digital signatures, the SHA-1 digest algorithm has been added to the default blacklist, which now consists of MD5 and SHA-1. This means that some signatures accepted by xmlsectool V1.2.0 will not be accepted by default by xmlsectool V2.0.0. If you are sure that you need to override this, you can do so by using the new --whitelistDigest option to remove a specific digest algorithm from the blacklist, as an alternative to the combination of --clearBlacklist and --blacklistDigest options already available from V1.2.0.
- XSTJ-51: ECDSA signatures are now schema-valid. The empty KeyValue elements produced by previous versions of xmlsectool are no longer included in the output.
- XSTJ-44: (post beta 1) ECDSA signatures may now be made and validated on a wider variety of platforms.
Release 1.2.0 (previous stable release)
Release date: 2013-04-17
For a complete list of issues addressed in this release, see https://issues.shibboleth.net/jira/issues/?filter=10273.
- XSTJ-38: blacklist MD5 algorithm during signature verification
- XSTJ-33: release process for XmlSecTool 1.2.0
- XSTJ-31: add ECDSA elliptic curve signature support
- XSTJ-28: provide blacklist ability for SHA-1 during signature verification
- XSTJ-27: compatibility with Apache Santuario 1.5.x
- XSTJ-24: should not use xmlsec IdResolver class
- XSTJ-23: stabilise xmlsectool build, update dependencies
- XSTJ-22: non-zero exit codes from shell script
- XSTJ-20: pass JVMOPTS environment variable through xmlsectool.sh
- XSTJ-19: pkcs11Config option fails to use indicated keystore provider
- XSTJ-17: multiple errors in --help documentation
- XSTJ-16: misleading error message on failed schema validation
- XSTJ-15: XmlSecTool fails with String index out of range -1
- XSTJ-14: allow specification of Digest and Signature algorithms when signing
- XSTJ-5: ship RPM packaging files with xmlsectool
Release 1.1.5
Release date: 2011-07-25
- XSTJ-13: failure to fetch via http if web server doesn't present a content-encoding header field
- Security issue: additional validation of signatures to protect against signature wrapping attacks similar to CVE-2011-1411
Release 1.1.4
- XSTJ-10: Correct class and command name
- XSTJ-9: Add support for reading/writing base64, deflate, gzip encoded files
- XSTJ-8: xmlsectool generates spurious xmlns:xml definitions in output
- XSTJ-7: verify xmlsectool dependencies
Release 1.1.3
- XSTJ-6: program fails with a NullPointerException when using a signing key from the filesystem without a password
Release 1.1.2
- XSTJ-1: Update dependency libraries for version 1.1.2
- XSTJ-2: non-zero status code not returned when a signature is invalid