XML Security Library

LibXML2
LibXSLT
OpenSSL

XML Encryption Interoperability Report

XML Security library supports the following features as defined in XML Encryption Syntax and Processing Version 1.1 (also see RFC 9231):

XMLSec Library core features

Requirements Status
Processing rules
Type parameter value: Element Required Yes
Type parameter value: Content Required Yes
Type parameter value: EXI Optional No
Encryption Required Yes
Decryption Required Yes
XML Encryption Optional Yes
Syntax
The EncryptedType Element Required Yes
The EncryptionMethodElement Optional Yes
The CipherData Element Required Yes
The CipherReference Element Optional Yes
The EncryptedData Element Required Yes
The EncryptedKey Element Optional Yes
The DerivedKey Element Required Yes (2)
The ds:RetrievalMethod Element Optional Yes
The ReferenceList Element Optional Yes
The EncryptionProperties Element Optional Yes
Transforms
XML Canonicalization See XMLDsig Report

XMLSec Cryptographic Libraries features

Requirements XMLSec with OpenSSL XMLSec with NSS XMLSec with GnuTLS XMLSec with MSCng XMLSec with MSCrypto (1) XMLSec with GCrypt (1)
Block Encryption Algorithms
Triple DES (DES3) Required Yes Yes Yes Yes Yes Yes
AES-CBC-128 Required Yes Yes Yes Yes Yes Yes
AES-CBC-192 Optional Yes Yes Yes Yes Yes Yes
AES-CBC-256 Required Yes Yes Yes Yes Yes Yes
AES-GCM-128 Required Yes Yes Yes Yes Yes No
AES-GCM-192 Optional Yes Yes Yes Yes Yes No
AES-GCM-256 Optional Yes Yes Yes Yes Yes No
Stream Encryption Algorithms Optional No No No No No No
Key Derivation
ConcatKDF Required Yes (3) (4) No No Yes (4) (5) No No
PBKDF2 Optional Yes (3) (6) Yes (6) Yes (6) Yes (5) (6) No No
Key Transport
RSA PKCS1 v1.5 Optional Yes Yes Yes Yes Yes Yes
RSA-OAEP (MGF1 with SHA1) Required Yes Yes No Yes Yes Yes
RSA-OAEP with MGF1-SHA1 Optional Yes Yes No Yes (7) No Yes (7)
RSA-OAEP with MGF1-SHA224 Optional Yes Yes No No No Yes (7)
RSA-OAEP with MGF1-SHA256 Optional Yes Yes No Yes (7) No Yes (7)
RSA-OAEP with MGF1-SHA384 Optional Yes Yes No Yes (7) No Yes (7)
RSA-OAEP with MGF1-SHA512 Optional Yes Yes No Yes (7) No Yes (7)
Key Agreement
Elliptic Curve Diffie-Hellman (ECDH) Required Yes (3) No No Yes (5) No No
Diffie-Hellman with legacy KDF Optional No No No No No No
Diffie-Hellman with explicit KDF Optional Yes (3) (8) No No No No No
Symmetric Key Wrap
Triple DES Key Wrap Required Yes Yes Yes Yes Yes Yes
AES-128 KeyWrap Required Yes Yes Yes Yes Yes Yes
AES-192 KeyWrap Optional Yes Yes Yes Yes Yes Yes
AES-256 KeyWrap Required Yes Yes Yes Yes Yes Yes
Message Digest
Message Digest Algorithms See XMLDsig Report
  • (1) The feature is disabled by default but can be re-enabled at build time.
  • (2) Some optional features in DerivedKey element are not supported (more details).
  • (3) Requires OpenSSL 3.0.0 or greater.
  • (4) Only byte-aligned bit strings in ConcatKDFParams element are supported (more details).
  • (5) The xmlsec-mscng library does not support some cryptographic algortihms on Windows 8, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP.
  • (6) Only "specified" salt is supported for PBKDF2.
  • (7) RSA-OAEP digest algorithm and MGF1 algorithm must be the same.
  • (8) The xmlsec-openssl library only supports DHX (X9.42 format) keys for DH algorithm.