2.0.0 ===================================== This is a major upgrade of the library that includes both a small number of enumerated changes, and a large number of fairly minimal API changes across the entire library. For this release, and all future releases, please refer to the web site and/or issue tracker for a summary of changes. Below are older change logs maintained from earlier releases. Changes since 1.7.0 ===================================== * Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156 * Reduced entity expansion limits when parsing Changes since 1.6.1 ===================================== * [SANTUARIO-314] - AES-GCM support * [SANTUARIO-315] - XML Encryption 1.1 OAEP enhancements Changes since 1.6.0 ===================================== * [SANTUARIO-268] - TXFMXPathFilter->evaluateExpr crashes on Windows * [SANTUARIO-270] - DSIGObject::load method crashes for ds:Object without Id attribute * [SANTUARIO-271] - Bug when signing files with big RSA keys * [SANTUARIO-272] - Memory bug inside XENCCipherImpl::deSerialise * [SANTUARIO-274] - Function cleanURIEscapes always throws XSECException, when any escape sequence occurs * [SANTUARIO-275] - Function isHexDigit doesn't recognize invalid escape sequences. * [SANTUARIO-276] - Percent-encoded multibyte (UTF-8) sequences unrecognized * [SANTUARIO-280] - RSA-OAEP handler only allows SHA-1 digests Changes since 1.5.1 ===================================== * Fix for bug#43964, wrong namespace in encryption DigestMethod (SC) * Fix for bug#48676, RetrievalMethod handler (SC) * Fix for bug#45867, support for >1 CRL per KeyInfo (SC) * Fix for bug#49148, buffer initialization issue (SC) * Fix for bug#49255, vector index bug (SC) * Fix for bug#49257, stylesheet append bug (SC) * Fix for bug#49260, header guard in XPath transform header (SC) * Fix for bug#49264, string release crash (SC) * Fix for bug#44983, improper c14n of XSLT (SC) * Fix for bug#49289, setters for Reference Type/Id (SC) * Fix for bug#49371, skip comments in X509Certificate elements (SC) * Fix for bug#49459, more header guards (SC) * Fix for bug#49660, NSS verification of RSA broken (SC) * Expose algorithm URI on Signature and Reference objects (SC) * White/blacklisting of otherwise registered algorithms (SC) * Add selected XML Signature 1.1 KeyInfo extensions (SC) * Add elliptic curve keys and signatures via ECDSA (SC) * Support debugging of Reference/SignedInfo data (SC) * Clean up tests for SHA2 algorithms in OpenSSL (SC) * Updated autoconf script, added NSS support, removed pre-automake material (SC) * Add methods for Reference removal to DSIGSignature/DSIGSignedInfo classes (SC) Changes between 1.5 and 1.5.1 ===================================== * Fix for bug#47353 in c14n of default namespaces (SC) * Fix Sparc compilation bug (SC) * Fix for CVE-2009-0217 (SC) Changes between version 1.4 and 1.5 ===================================== * Make SHA-1 the implicit default DigestMethod for RSA-OAEP key transport, allowing for interop until broken impls are fixed (SC) * Fix memory leak in OpenSSL RSA/DSA key cloning (SC) * Expose KeyInfo extensions via DOM (SC) * Fix c14n to omit standard xmlns:xml declarations (SC) * Add partial support for Inclusive C14N 1.1 with regard to xml:id but not xml:base (SC) * Finish port to Xerces 3.0 (SC) * 64-bit API changes (SC) * Add VC9 build files (SC) Changes between version 1.3.1 and 1.4 ===================================== * Fix exclusive c14n namespace bug (rev. 526939) (BL) * Add const specifiers and methods to various classes (SC) * Add better extraction of openssl build settings using pkg-config (SC) * Fix XSECnew macro to stop catching arbitrary errors and report crypto exceptions instead of turning them into allocation errors (SC) * Add various missing files to dist target (SC) Changes between version 1.3 and 1.3.1 ===================================== * Refactor NIX build to use automake and libtool * Initial support for API changes in Xerces 3.0 * Fix bug in autconf that would stop proper detection of Xerces ability to set Id attributes * Fix bug 40085 - incorrect OIDs on non SHA1 based RSA signatures. * Update support for non SHA1 based RSA signatures * Remove redundant code from SignedInfo that was preventing the library from loading signatures it did not have an algorithm hard wired for * Fix bug in envelope transform when input nodeset is a document fragment rather than the entire document and the canonicalisation uses a namespace that was not defined directly in the fragment * Fix bug in DSIGXPathFilterExpr where m_loaded was not initialised potentially causing an exception when an XPath expression was loaded reported by Ralf "Sabo" Saborowski. Changes between version 1.2.1 and 1.3 ===================================== * Performance improvements in canonicalisation * Implemented algorithm handlers for the digital signature classes, to provide algorithm extensibility * Update signature classes to pass in requested algorithms as URIs rather than enums. Enum based methods are now deprecated. * Fix memory leaks in OpenSSL wrapping code * Provide ability for calling application to define whether references are interlocking. * Provide some stability if the Apache keystore is corrupted under Windows. * Initial import of beta NSS crypto support * Complete implementation of XKMS message set * Methods to allow loading of encrypted data without doing decrypt and to process a decrypt/encrypt operation without replacing the original nodes * Provide MS VC++ 2005 project files * Fix bug when encrypting small input docs * Implement checks for broken OpenSSL support under Solaris 10 * Add --with-xalan, --with-openssl, --with-xerces and --enable-warnerror flags in configure * Configure now detects if Xalan is installed rather than having XALANCROOT being a pointer to the compile directory - Reorder hashing in DSIGReference.cpp as per suggestion by Peter Gubis - Update microsoft project files to reflect new version as per Scott Cantor - Replace setAttribute with setAttributeNS calls - Add methods to OpenSSL classes to extract OpenSSL objects - Fix handling of libcrypto on Solaris platform - Fix bug in Canoncicalisation courtesy of Scott Cantor Changes between version 1.2 and 1.2.1 ===================================== * Fixed library versions in Windows builds (were being generated as 1.1) * Added "No Xalan" builds for xklient under Windows VC6.0 * Added "No Xalan" builds for all projects in VC 7.0 Changes between version 1.1 and 1.2 =================================== * Started a changelog :> * Remove MFC dependency and clean up memory debugging * Remove dynamic_casts and RTTI requirement * Implemented XKMS Message generation and processing * Implemented command line XKMS tool for generating and dumping XKMS messages * Support for DESTDIR as provided by ville.skytta@iki.fi in Bugzilla 28520 * Update to Apache licence 2.0. * Add support for SHA224/256/384/512 (requires OpenSSL 0.9.8 Beta) * Patch for Mac OS X compile - provided by Scott Cantor - cantor.2@osu.edu - See Bugzilla #34920 * Updates to compile against Xalan 1.9 * Backport to compile with Xerces 2.1 * Fix bug with NULL pointer when validating or signing empty reference lists - fix as suggested by Jesse Pelton on 23 March 2005 on security-dev@xml * Provided support for nominating namespace based Id attributes * Change to allow apps to calculate and obtain signed info hash - from Eckehard.Hermann@softwareag.com - see email of 2 March 2005 on security-dev@xml * Patch for long RSA keys provided by Michael Braunoeder - michael@mib.priv.at to security-dev@xml on 16 Nov 2005 * Memory leak in OpenSSLCryptoBase64 reported by Jesse Pelton fixed. * Move to internal Base64 decoder in a number of methods to handle non-wrapping data * Resize buffer in OpenSSLCryptoKeyRSA for larger RSA keys - as submitted by Vadim Ismailov 3 December 2005 * Remove redundant m_keyType class variable from OpenSSLCryptoKeyRSA as reported by Jesse Pelton (jsp@pkc.com) on security-dev@xml * Don't throw an exception when an RSA decrypt fails during sig validation - this is a failed validate, not an error * Shutdown OpenSSL properly - as suggested by Jesse Pelton in e-mail to security-dev@xml on 9 March 2005 * Changed scope of WinCapiCryptoKey::importKey() from private to public. It returns key now, instead of void. * Fix problem in Windows CAPI where XSEC doesn't work if user doesn't have admin rights. * Bug fix in Windows CAPI code for some W2K machines - reported by Andrzej Matejko 4/5/2004 * Fix build on non WINCAPI systems, as reported by Milan Tomic on 22/4/2004 * New constructor added to WinCapiX509 * Fixed Bug in encode() XSCryptCryptoBase64. * Fix bug in XPathFilter transform when checking if an attribute is in the input node set. * Fix bug in in UTF transcoder for counting of transcoded characters (count characters not bytes) reported by Milan Tomic * Move function definitions in the Windows BinInput stream class to static to avoid conflicts with Xerces. As suggested by Jesse Pelton on 2 Feb 2005 in security-dev@xml * Added complete KeyInfo handling for XENCEncryptedType * Fix to stop re-use of derived key encrypting key when decrypting multiple elements in a document * Fix to ignore encryption exceptions during a private key decrypt * Add code to detect ASN.1 encoded DSA signatures and validate accordingly