XSECT 2.14

IAIK XML Security Toolkit (XSECT) implements the upcoming APIs for the Java™ platform

XML Digital Signatures APIs for the Java™ platform
XML Digtial Encryption APIs for the Java™ platform

as specified by the Java™ Specification Request JSR#105 and JSR#106 respectively.

Main Features

XSECT enables Java™ developers to easily integrate the processing of XML Signatures according to the joint IETF/W3C recommendation XML-Signature Syntax and Processing (XMLDSig)  (12 February 2002) and XML Encryption according to the W3C recommendation XML Encryption Syntax and Processing (XMLEnc)  (10 December 2002) into their applications.

The IAIK XML Security Toolkit (XSECT) is the successor of the IAIK XML Signature Library (IXSIL).

XSECT implements the XML Digital Signature APIs for the Java™ platform and XML DigitalEncryption APIs for the Java™ platform as defined in the Java™ Specification Request 105  and >Java™ Specification Request 106, respectively.

Pricing and Licensing

For current prices of the XSECT, please see our price list and license conditions.

See Prices


To order the product enter

See Webshop


 URI  specified by  employed JCA/JCE Algorithm
http://www.w3.org/2000/09/xmldsig#sha1 XML-Signature Syntax and Processing MessageDigest.SHA1
http://www.w3.org/2001/04/xmlenc#sha256 XML Encryption Syntax and Processing MessageDigest.SHA256
http://www.w3.org/2001/04/xmlenc#sha512 XML Encryption Syntax and Processing MessageDigest.SHA512
http://www.w3.org/2001/04/xmlenc#ripemd160 XML Encryption Syntax and Processing MessageDigest.RIPEMD160
http://www.w3.org/2001/04/xmldsig-more#md5 RFC4051 section 2.1.1 MessageDigest.MD5
http://www.w3.org/2001/04/xmldsig-more#sha224 RFC4051 section 2.1.2 MessageDigest.SHA224
http://www.w3.org/2001/04/xmldsig-more#sha384 RFC4051 section 2.1.3 MessageDigest.SHA384
http://www.w3.org/2007/05/xmldsig-more#sha3-224 RFC6931 section 2.1.5 MessageDigest.SHA3-224
http://www.w3.org/2007/05/xmldsig-more#sha3-256 RFC6931 section 2.1.5 MessageDigest.SHA3-256
http://www.w3.org/2007/05/xmldsig-more#sha3-384 RFC6931 section 2.1.5 MessageDigest.SHA3-384
http://www.w3.org/2007/05/xmldsig-more#sha3-512 RFC6931 section 2.1.5 MessageDigest.SHA3-512
 URI  specified by  employed JCA/JCE Algorithm
http://www.w3.org/2000/09/xmldsig#dsa-sha1 XML-Signature Syntax and Processing Signature.DSA
http://www.w3.org/2000/09/xmldsig#rsa-sha1 XML-Signature Syntax and Processing Signature.SHA1withRSA
http://www.w3.org/2000/09/xmldsig#hmac-sha1 XML-Signature Syntax and Processing Mac.HMAC/SHA
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 RFC4051 section 2.3.2 Signature.SHA256withRSA
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 RFC4051 section 2.3.3 Signature.SHA384withRSA
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 RFC4051 section 2.3.4 Signature.SHA512withRSA
http://www.w3.org/2001/04/xmldsig-more#rsa-md5 RFC4051 section 2.3.1 Signature.MD5withRSA
http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160 RFC4051 section 2.3.5 Signature.RIPEMD160withRSA
http://www.w3.org/2001/04/xmldsig-more#hmac-sha224 RFC4051 section 2.2.2 Mac.HmacSHA224
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 RFC4051 section 2.2.2 Mac.HmacSHA256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 RFC4051 section 2.2.2 Mac.HmacSHA384
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 RFC4051 section 2.2.2 Mac.HmacSHA512
http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160 RFC4051 section 2.2.3 Mac.HmacRipeMd160
http://www.w3.org/2001/04/xmldsig-more#hmac-md5 RFC4051 section 2.2.1 Mac.HmacMD5
http://www.w3.org/2007/05/xmldsig-more#rsa-pss RFC6931 section 2.3.9 Signature.RSASSA-PSS
http://www.w3.org/2007/05/xmldsig-more#md2-rsa-MGF1 RFC6931 section 2.3.10 Signature.MD2withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#md5-rsa-MGF1 RFC6931 section 2.3.10 Signature.MD5withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA1withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA224withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA256withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA384withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA512withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#ripemd128-rsa-MGF1 RFC6931 section 2.3.10 Signature.RIPEMD128withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1 RFC6931 section 2.3.10 Signature.RIPEMD160withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#whirlpool-rsa-MGF1 RFC6931 section 2.3.10 Signature.WHIRLPOOLwithRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA3-224withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA3-256withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA3-384withRSAandMGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1 RFC6931 section 2.3.10 Signature.SHA3-512withRSAandMGF1  SignatureMethod requiring the IAIK ECC library (ECCelerate)
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 RFC4051 section 2.3.6 Signature.ECDSA
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224 RFC4051 section 2.3.6 Signature.SHA224withECDSA
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 RFC4051 section 2.3.6 Signature.SHA256withECDSA
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384 RFC4051 section 2.3.6 Signature.SHA384withECDSA
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 RFC4051 section 2.3.6 Signature.SHA512withECDSA
http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160  INTERNET-DRAFT
which will likely obsolete RCF4051
 URI  specified by  employed JCA/JCE Algorithm
http://www.w3.org/2001/04/xmlenc#tripledes-cbc XML Encryption Syntax and Processing Cipher.DESede/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmlenc#aes128-cbc XML Encryption Syntax and Processing Cipher.AES/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmlenc#aes192-cbc XML Encryption Syntax and Processing Cipher.AES/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmlenc#aes256-cbc XML Encryption Syntax and Processing Cipher.AES/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmlenc#rsa-1_5 XML Encryption Syntax and Processing Cipher.RSA
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p XML Encryption Syntax and Processing Cipher.RSA/ECB/OAEP
http://www.w3.org/2001/04/xmlenc#kw-tripledes XML Encryption Syntax and Processing Cipher.DESede/CBC/NoPadding
http://www.w3.org/2001/04/xmlenc#kw-aes128 XML Encryption Syntax and Processing Cipher.AES/ECB/NoPadding
http://www.w3.org/2001/04/xmlenc#kw-aes192 XML Encryption Syntax and Processing Cipher.AES/ECB/NoPadding
http://www.w3.org/2001/04/xmlenc#kw-aes256 XML Encryption Syntax and Processing Cipher.AES/ECB/NoPadding
http://www.w3.org/2001/04/xmldsig-more#arcfour RFC4051 section 2.6.1 Cipher.ARCFOUR/ECB/NoPadding
http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc RFC4051 section 2.6.2 Cipher.Camellia/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmldsig-more#camellia192-cbc RFC4051 section 2.6.2 Cipher.Camellia/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmldsig-more#camellia256-cbc RFC4051 section 2.6.2 Cipher.Camellia/CBC/ISO10126Padding
http://www.w3.org/2001/04/xmldsig-more#kw-camellia128-cbc RFC4051 section 2.6.3 Cipher.Camellia/ECB/NoPadding
http://www.w3.org/2001/04/xmldsig-more#kw-camellia192-cbc RFC4051 section 2.6.3 Cipher.Camellia/ECB/NoPadding
http://www.w3.org/2001/04/xmldsig-more#kw-camellia256-cbc RFC4051 section 2.6.3 Cipher.Camellia/ECB/NoPadding
 URI  specified by  employed JCA/JCE Algorithm
http://www.w3.org/2000/09/xmldsig#base64 XML-Signature Syntax and Processing
http://www.w3.org/2000/09/xmldsig#enveloped-signature XML-Signature Syntax and Processing
http://www.w3.org/TR/1999/REC-xpath-19991116 XML-Signature Syntax and Processing
http://www.w3.org/TR/1999/REC-xslt-19991116 XML-Signature Syntax and Processing
http://www.w3.org/2002/06/xmldsig-filter2 XML-Signature XPath Filter 2.0

(can also be used as Transform)

 URI  specified by  employed JCA/JCE Algorithm
http://www.w3.org/TR/2001/REC-xml-c14n-20010315 XML-Signature Syntax and Processing
XML-Signature Syntax and Processing
http://www.w3.org/2001/10/xml-exc-c14n# Exclusive XML Canonicalization
http://www.w3.org/2001/10/xml-exc-c14n#WithComments Exclusive XML Canonicalization
http://www.w3.org/2006/12/xml-c14n11 (Experimental) XML-Signature Syntax and Processing section 6.5.2
http://www.w3.org/2006/12/xml-c14n11#WithComments (Experimental) XML-Signature Syntax and Processing section 6.5.2

XSECT supports all required and many optional algorithms of XML-Signature Syntax and Processing (XMLDSig) and XML Encryption Syntax and Processing (XMLEnc). In addition it supports many of the algorithms specified in RFC4051 and RSA-PSS (with and without parameters) from RFC6931. For a complete list of supported algorithms see features.

XSECT supports all Java™ versions since JDK 1.2.1 and has been successfully tested with JDK 1.2.1, JDK 1.3.1, JDK 1.4.2, JDK 1.5.0, JDK 1.6.0, JDK 1.7.0, JDK 1.8.0.

On July 12th 2007 Bradly Hill from iSEC Partners (http://isecpartners.com/ ) published a command injection attack in the context of XML Signature and Encryption:


Brad Hill made a draft of his paper available to SIC/IAIK end of February 2007 (thanks to Brad), so that SIC/IAIK was able to develop countermeasures against this attack and release a patch version of its XML Security Toolkit XSECT end of March 2007. Immediately after this release IAIK informed all customers concerned. Now – after Brad Hill has officially published his paper – we can make our customer notification available to the public audience:

We have been informed about a critical attack regarding XLST processing. We examined the Xalan stylesheet processor in its default configuration and found that applications based on this library may be vulnerable to this attack, which may allow execution of arbitrary code. Versions 1.10 and higher of our XSECT library contain countermeasures to block this kind of attack in the context of XML Signature and Encryption. Please note that the problem is NOT located in the XSECT library. Any application that uses Xalan for stylesheet transformations may be affected. Besides the upgrade of XSECT, we highly recommend a review of any Xalan-based application.

On request, customers of the older IXSIL library can also get a maintenance release that contains similar countermeasures.

It is advisable to fix vulnerable applications as soon as possible. Inside stylesheet transformations, Apache Xalan supports certain non-standard extensions of the stylesheet language. The support for these extensions is enabled by default. Applications that use stylesheets from unknown sources may be vulnerable to this attack. An attacker who can trick an application to process a chosen stylesheet can execute arbitrary code with the rights of the application containing Xalan. Applications that create or verify XML signatures with stylesheet transformations in their references, e.g. to transform XML data into HTML text, can be susceptible. An attacker may send an XML signature to a service that automatically verifies the signature. During verification it may execute any included stylesheets. This stylesheet, however, can include arbitrary code that Apache Xalan will execute. Newer versions of Apache Xalan allow disabling these extension features as a countermeasure. XSECT version 1.10 disables these extensions in newer versions of Xalan and includes additional countermeasures for older versions of Xalan.

The following demo is to show the use of the ECDSA in XMLDSIG and was created in reply to a newsgroup posting.

The following demo is to show the use of the URIDereferencer, and how to work without a URI inside and was created in reply to a newsgroup posting.

You will have to download the evaluation versions of IAIK’s JCE and XSECT and copy the following jar files into the same directory as the demo jar file.

  • xalan-2_5_1.jar
  • xercesImpl-2_5_0.jar
  • xml-apis.jar
  • iaik_jce.jar
  • iaik_xsect.jar

Then run java -jar XSECT-Demo-NG20060713.jar , to get debug output you can also create a debug.flag file in the same directory by typing ‘echo “”
> debug.flag’ on your command line and then run the demo again.

Online Javadoc for XSECT.

XSECT 2.14 – 23. December 2019
Class or Package Bug / Change / New Feature Description and Examples

Added SHA3 digest and SHA3 based RSA PSS signature algorithms according to RFC 6931 (Additional XML Security Uniform Resource Identifiers).

XSECT 2.13 – 2. October 2017
Class or Package Bug / Change / New Feature Description and Examples

Provides a special version of iaik_xsect.jar allowing to use unlimited strength cryptography also if only the default jurisdiction policy files are installed (to may be used in countries with no restrictions of key sizes)


Corresponding IAIK XAdES library: 2.13

XSECT 2.12 – 14. June 2017
Class or Package Bug / Change / New Feature Description and Examples

jar files are signed with old (for supporting old DSA JCE code signing CA) and new (for supporting new RSA JCE code signing CA) IAIK-JCE provider certificates. The new certificate provides a stronger protection (SHA256withRSA) than the old one (SHA1withDSA). The new JCE code signing CA is effective for Java versions 8u121, 7u131, 6u141 upwards. To support other (former) Java versions the jar files must be signed with the old provider certificate, too.

iaik.xml.crypto.dom.DOMCryptoContext NF

Added new property “iaik.xml.crypto.utils.DOMUtils.parse.XercesSecurityManager” for passing a XERCES Security Manager to be used by the parser.

iaik.xml.crypto.dsig.keyinfo.EccelerateDSAKeyValueImpl B

Marshaling and unmarshaling of ECDSAKeyVAlue failed if domain parameters were explicit encoded.

iaik.xml.crypto.dsig.keyinfo.KeyValueImpl B

Fixed error on setting public key via constructor when old IAIK EC library is used.


Added support for IAIK Eccelerate >= 4.0
Note: Earlier versions of XSECT only support IAIK Eccelerate version <= 3.02


Corresponding IAIK XAdES library: 2.12

XSECT 2.10 – 19. May 2016
Class or Package Bug / Change / New Feature Description and Examples

XSECT version to be used with IAIK XAdES ETSI_EN_319_132v1.1.0 library

For older versions please see the version history included in the XSECT distribution.

Any questions?

Don‘t hestitate to ask us about our products.

Contact us