Welcome to Apache Santuario™

The Project

The Apache Santuario™ project is aimed at providing implementation of the primary security standards for XML:

• XML-Signature Syntax and Processing
• XML Encryption Syntax and Processing.

Two libraries are currently available.

• Apache XML Security for Java: This library includes the standard JSR-105 (Java XML Digital Signature) API,  a mature DOM-based implementation of both XML Signature and XML Encryption, as well as a more recent StAX-based (streaming) XML Signature and XML Encryption implementation.
• Apache XML Security for C++: This library includes a mature Digital Signature and Encryption implementation using a proprietary C++ API on top of the Xerces-C XML Parser's DOM API. It includes a pluggable cryptographic layer, but support for alternatives to OpenSSL are less complete and less mature.

News

November 2021

Version 2.3.0 of the Apache XML Security for Java library has been released. This is a major new release of the library. Some of the significant changes include:

• A rewrite for the StAX output processor chain to make it
  deterministic - https://issues.apache.org/jira/browse/SANTUARIO-555
• Secure Validation is now enabled by default -
  https://issues.apache.org/jira/browse/SANTUARIO-574
• Local + HTTP ResourceResolvers are disabled by default -
  https://issues.apache.org/jira/browse/SANTUARIO-573

Test.

November 2021

Version 2.0.4 of the Apache XML Security for C++ library has been released. This release fixes a regression in 2.0.3 allowing the code to build on pre-1.1 OpenSSL versions.

October 2021

Version 2.0.3 of the Apache XML Security for C++ library has been released. This release adds support for OpenSSL 3.0.0, though using a number of now-deprecated function calls.

September 2021

Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released. Please see the release notes for more information.

These releases contain a fix for a new CVE:

• CVE-2021-40690 - Bypass of the secureValidation property

Please refer to the security advisories page for further information.

November 2018

Version 2.0.2 of the Apache XML Security for C++ library has been released.

This patch corrects a bug that can cause crashes in upstream applications. It is similar to, but not the same as, the one that was patched in V2.0.1, and resulted from further review of the code by the project that contributes all of the current manpower to the project. Appreciation is extended to the Shibboleth Project team for this review.

Older News

See here for old news.