Clever/saml2

package.json version of xml-encryption doesn't support Shibboleth 4.x default encryption method

ahwitz opened this issue · 1 comments

xml-encryption@0.11.0, the current included version, doesn't support http://www.w3.org/2009/xmlenc11#aes128-gcm, which, per an announcement from DFN-AAI, the German identity federation:

The new major version Shibboleth IdP 4.x uses the secure encryption algorithm AES-GCM for SAML assertions per default. The old IdP version 3.x still relies on AES-CBC which is no longer considered secure.

The most up-to-date version includes this algorithm.

#198 gets a step closer, but xml-encryption@1.0.0 does not include that algorithm.

mcab commented

auth0/node-xml-encryption#67

xml-encryption@1.1.0 adds this functionality. As of version 2.0.6, we now enforce xml-encryption with any minor or patch version greater than 1.2.1.
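Added example, not part of the issue thread and not code from saml2 or xml-encryption: how an `EncryptedData` element using the `xmlenc11#aes128-gcm` method from this issue is decrypted with Node's built-in `crypto`, following the XML Encryption 1.1 layout (96-bit IV, then ciphertext, then 128-bit tag inside `CipherValue`). The function names and the sample element are constructed for illustration, and the content key is passed in directly, whereas a real SAML assertion delivers it wrapped in an `EncryptedKey`.

```javascript
const crypto = require('crypto');

// xmlenc11 GCM identifiers mapped to Node cipher names.
const GCM_ALGS = {
  'http://www.w3.org/2009/xmlenc11#aes128-gcm': 'aes-128-gcm',
  'http://www.w3.org/2009/xmlenc11#aes256-gcm': 'aes-256-gcm',
};
const IV_LEN = 12;  // 96-bit IV, stored first in CipherValue
const TAG_LEN = 16; // 128-bit authentication tag, stored last

// Regex extraction is enough for the constructed sample; use an XML parser on real input.
function readEncryptedData(xml) {
  const alg = /<(?:\w+:)?EncryptionMethod\b[^>]*\bAlgorithm="([^"]+)"/.exec(xml);
  const val = /<(?:\w+:)?CipherValue>([^<]+)</.exec(xml);
  return { algorithm: alg && alg[1], cipherValue: val && val[1].trim() };
}

function decryptGcm(xml, key) {
  const { algorithm, cipherValue } = readEncryptedData(xml);
  const cipherName = GCM_ALGS[algorithm];
  if (!cipherName) throw new Error('unsupported EncryptionMethod: ' + algorithm);
  const raw = Buffer.from(cipherValue || '', 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('CipherValue too short');
  const d = crypto.createDecipheriv(cipherName, key, raw.subarray(0, IV_LEN),
    { authTagLength: TAG_LEN });
  d.setAuthTag(raw.subarray(raw.length - TAG_LEN));
  const body = raw.subarray(IV_LEN, raw.length - TAG_LEN);
  // final() throws if the tag does not verify, so tampered data never reaches the caller.
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Constructed sample: builds an EncryptedData element the way an AES-GCM sender would.
function buildSample(key, plaintext, algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm') {
  const iv = crypto.randomBytes(IV_LEN);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv, { authTagLength: TAG_LEN });
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const value = Buffer.concat([iv, body, c.getAuthTag()]).toString('base64');
  return '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">' +
    `<xenc:EncryptionMethod Algorithm="${algorithm}"/>` +
    `<xenc:CipherData><xenc:CipherValue>${value}</xenc:CipherValue></xenc:CipherData>` +
    '</xenc:EncryptedData>';
}
```

An element whose `EncryptionMethod` is not in the GCM table is rejected before any decryption is attempted, which is the same class of failure this issue reports for library versions that lack the algorithm.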