XML Security Library: XML Digital Signature

XML Security library supports the following features as defined in XML Signature Syntax and Processing 1.1 (also see RFC 9231):

XMLSec Library core features

	Requirements	Status
Processing rules
Reference Generation	Required	Yes
Signature Generation	Required	Yes
Reference Validation	Required	Yes
Signature Validation	Required	Yes
Syntax
The ds:CryptoBinary Simple Type	Required	Yes
The Signature Element	Required	Yes
The SignatureValue Element	Required	Yes
The SignedInfo Element	Required	Yes
The CanonicalizationMethod Element	Required	Yes
The SignatureMethod Element	Required	Yes
The Reference Element	Required	Yes
The Reference Element: URI Attribute	Required	Yes
The Transforms Element	Optional	Yes
The DigestMethod Element	Required	Yes
The DigestValue Element	Required	Yes
The KeyInfo Element	Optional	Yes
The KeyName Element	Optional	Yes
The KeyValue Element	Optional	Yes (disabled by default; also see algorithms section)
The RetrievalMethod Element	Optional	Yes
The MgmtData Element	NOT RECOMMENDED and SHOULD NOT be used	Yes
XML Encryption EncryptedKey and DerivedKey Elements	Optional	Yes (see XML Encryption report)
The KeyInfoReference Element	Optional	Yes
The Object Element	Optional	Yes (only the Manifest element is supported)
The Manifest Element	Optional	Yes
The SignatureProperties Element	Optional	No (ignored)
Transforms
Canonical XML 1.0 (C14N) omit comments	Required	Yes
Canonical XML 1.0 (C14N) with comments	Recommended	Yes
Canonical XML 1.1 (C14N11) omit comments	Required	Yes
Canonical XML 1.1 (C14N11) with comments	Recommended	Yes
Exlusive Canonical XML 1.0 (EXC-C14N) omit comments	Required	Yes
Exlusive Canonical XML 1.0 (EXC-C14N) with comments	Recommended	Yes
Base64 Transform	Required	Yes
XPath Filtering	Recommended	Yes
XPath Filter 2.0	Recommended	Yes
Enveloped Signature Transform	Required	Yes
XSLT Transform	Optional	Yes ⁽¹⁾
Decryption Transform	Optional	Yes
XPointer Transform	Optional	Yes

XMLSec Cryptographic Libraries features

	Requirements	XMLSec with OpenSSL	XMLSec with NSS	XMLSec with GnuTLS	XMLSec with MSCng	XMLSec with MSCrypto	XMLSec with GCrypt
Message Digests
SHA-1	Required (use is DISCOURAGED)	Yes	Yes	Yes	Yes	Yes	Yes
SHA2-224	Optional	Yes	Yes	No	No	No	No
SHA2-256	Required	Yes	Yes	Yes	Yes	Yes	Yes
SHA2-384	Optional	Yes	Yes	Yes	Yes	Yes	Yes
SHA2-512	Optional	Yes	Yes	Yes	Yes	Yes	Yes
SHA3-224	Optional	Yes	No	No	No	No	No
SHA3-256	Optional	Yes	No	Yes	No	No	Yes
SHA3-384	Optional	Yes	No	Yes	No	No	Yes
SHA3-512	Optional	Yes	No	Yes	No	No	Yes
RIPEMD160	Optional	Yes	No	No	No	No	Yes
GOST-R3411-94	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
GOST-R3411-2012 (256 bit)	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
GOST-R3411-2012 (512 bit)	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
MD5	DEPRECATED	Yes	Yes	Yes	Yes	Yes	Yes
Message Authentication Codes
HMAC-SHA1	Required (use is DISCOURAGED)	Yes	Yes	Yes	Yes	Yes	Yes
HMAC-SHA2-224	Optional	Yes	Yes	No	No	Yes	No
HMAC-SHA2-256	Required	Yes	Yes	Yes	Yes	Yes	Yes
HMAC-SHA2-384	Recommended	Yes	Yes	Yes	Yes	Yes	Yes
HMAC-SHA2-512	Recommended	Yes	Yes	Yes	Yes	Yes	Yes
HMAC-RIPEMD160	Optional	Yes	Yes	No	No	No	Yes
HMAC-MD5	DEPRECATED	Yes	Yes	No	Yes	Yes	Yes
Signatures
DSA-SHA1	Required (use is DISCOURAGED for signature generation)	Yes	Yes	Yes	Yes	Yes	Yes
DSA-SHA256	Optional	Yes	Yes	Yes	No	No	No
PKCS1 RSA-SHA1	Recommended (use is DISCOURAGED for signature generation)	Yes	Yes	Yes	Yes	Yes	Yes
PKCS1 RSA-SHA2-224	Optional	Yes	Yes	No	No	No	No
PKCS1 RSA-SHA2-256	Required	Yes	Yes	Yes	Yes	Yes	Yes
PKCS1 RSA-SHA2-384	Optional	Yes	Yes	Yes	Yes	Yes	Yes
PKCS1 RSA-SHA2-512	Optional	Yes	Yes	Yes	Yes	Yes	Yes
PKCS1 RSA-RIPEMD160	Optional	Yes	No	No	No	No	Yes
PKCS1 RSA-MD5	DEPRECATED	Yes	Yes	No	Yes	Yes	Yes
ECDSA-RIPEMD160	Optional	Yes	No	No	No	No	No
ECDSA-SHA1	Optional (use is DISCOURAGED)	Yes	Yes	Yes	Yes	No	Yes
ECDSA-SHA2-224	Optional	Yes	Yes	No	No	No	No
ECDSA-SHA2-256	Required	Yes	Yes	Yes	Yes	No	Yes
ECDSA-SHA2-384	Optional	Yes	Yes	Yes	Yes	No	Yes
ECDSA-SHA2-512	Optional	Yes	Yes	Yes	Yes	No	Yes
ECDSA-SHA3-224	Optional	Yes	No	No	No	No	No
ECDSA-SHA3-256	Optional	Yes	No	Yes	No	No	Yes
ECDSA-SHA3-384	Optional	Yes	No	Yes	No	No	Yes
ECDSA-SHA3-512	Optional	Yes	No	Yes	No	No	Yes
RSASSA-PSS-SHA1 without Parameters	Optional (use is DISCOURAGED)	Yes	Yes	No	Yes	No	Yes
RSASSA-PSS-SHA2-224 without Parameters	Optional	Yes	Yes	No	No	No	No
RSASSA-PSS-SHA2-256 without Parameters	Optional	Yes	Yes	Yes	Yes	No	Yes
RSASSA-PSS-SHA2-384 without Parameters	Optional	Yes	Yes	Yes	Yes	No	Yes
RSASSA-PSS-SHA2-512 without Parameters	Optional	Yes	Yes	Yes	Yes	No	Yes
RSASSA-PSS-SHA3-224 without Parameters	Optional	Yes	No	No	No	No	No
RSASSA-PSS-SHA3-256 without Parameters	Optional	Yes	No	No	No	No	Yes
RSASSA-PSS-SHA3-384 without Parameters	Optional	Yes	No	No	No	No	Yes
RSASSA-PSS-SHA3-512 without Parameters	Optional	Yes	No	No	No	No	Yes
GOST-R3410-2001	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
GOST-R3410-2012 (256 bit)	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
GOST-R3411-2012 (512 bit)	Optional	Yes ⁽²⁾	No	Yes	No	Yes ⁽³⁾	No
The KeyInfo Element
The DSAKeyValue Element	Optional	Yes ⁽⁴⁾	Yes ⁽⁴⁾	Yes ⁽⁴⁾	Yes ⁽⁴⁾	Yes ⁽⁴⁾	Yes ⁽⁴⁾
The RSAKeyValue Element	Optional	Yes	Yes	Yes	Yes	Yes	Yes
The ECKeyValue Element	Optional	Yes	Yes	Yes	Yes	No	Yes
The DHKeyValue Element	Optional	Yes	No	No	No	No	No
The X509Data Element	Optional	Yes	Yes	Yes	Yes	Yes	No
The X509Digest Element	Optional	Yes	Yes	Yes	Yes ⁽⁵⁾	No	No
The PGPData Element	Optional	No	No	No	No	No	No
The SPKIData Element	Optional	No	No	No	No	No	No
The DEREncodedKeyValue Element	Optional	Yes (disabled by default)	Yes (disabled by default)	Yes (disabled by default)	Yes (disabled by default)	No	No

⁽¹⁾ Requires LibXSLT library.
⁽²⁾ GOST support for the xmlsec-openssl library requires installation of the GOST OpenSSL Engine.
⁽³⁾ GOST support for the xmlsec-mscrypto library requires installation of a GOST CSP.
⁽⁴⁾ Seed and PgenCounter are not supported in DSAKeyValue element.
⁽⁵⁾ The xmlsec-mscng library only supports SHA1 digest algorithm for X509Digest element.

XML Digital Signature Interoperability Report

XMLSec Library core features

XMLSec Cryptographic Libraries features

Test vectors