Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


serverShibboleth JIRA

  • XSTJ-67: In this release of xmlsectool, the --key option has been split into --keyAlias and --keyFile depending on operation (--keyFile is used with --certificate while --keyAlias  is used with keystores and with PKCS#11 tokens). The --key option can still be used in both contexts but will result in a deprecation warning. The --key option will be removed in the next major release of xmlsectool (4.0.0).

  • XSTJ-68: Previous versions of xmlsectool set an explicit heap limit of 256MB to compensate for the very low defaults imposed by early versions of Java. xmlsectool no longer does this, as recent Java versions on modern hardware now allows the allocation of a much larger heap by default. This means that xmlsectool will be more likely to work on large documents. For documents which need still more heap, set a non-default heap size by invoking xmlsectool like this:

    Code Block
    JVMOPTS="-Xmx1.5G" ...xmlsectool --sign ...
  • XSTJ-69xmlsectool 3.0.0 includes defensive coding to limit the effect of some changes that have been made to the XML DSIG code within the JDK and the Santuario XML security dependency library. The intention is to ensure that xmlsectool produces the same output across versions of these dependencies, and to ensure that signed output does not include encoded CR characters (
 or similar) known to cause problems for some consumers. One result is that in most circumstances, xmlsectool 3.0.0 produces identical output to xmlsectool 2.0.0, although this is not guaranteed and in particular may not be the case for a future major version of xmlsectool.

  • XSTJ-73xmlsectool 3.0.0 is now based on the Shibboleth Project's Java 11 product platform. This means that it requires a minimum of Java 11 to run. For more details on supported Java versions and distributions, see System Requirements.

  • XSTJ-82Changes in the way Java handles the SunPKCS11 provider have necessarily resulted in changes to the way xmlsectool provides this functionality. The full details can be found in Using PKCS#11 Credentials; if you are upgrading from a previous version of xmlsectool then Upgrading from a previous version of xmlsectool gives detailed instructions.

  • XSTJ-85: for reasons of clarity and inclusivity, the following command-line options have been renamed:

    • --clearBlacklist becomes --allowAllDigests

    • --blacklistDigest becomes --disallowDigest

    • --whitelistDigest becomes --allowDigest

    • --listBlacklist becomes --listAlgorithms