[xmlsec] Visa 3D and xmlsec
Aleksey Sanin
aleksey@aleksey.com
Sun, 05 Oct 2003 01:28:26 -0700
As we have already discussed several times, the Visa 3D protocol
does not follow the XML/XPointer/XMLDSig specifications when it
declares the "id" attribute as CDATA instead of ID and uses invalid
ID values (like "12345" or "aaa+bbb") for these attributes.

However, the Visa 3D protocol is an important use case, thus I have
decided to implement a *special hack* for those who have to work
with it. This change is available in CVS and will be included
in the next xmlsec release. Explanations are placed in the FAQ
(see below).

For example, after implementing this hack you would be able to verify
Visa 3D documents with the xmlsec command line utility using the
following command line:

    xmlsec1 verify --enable-visa3d-hack --id-attr PARes --trusted some.cert some.xml

Again, this is a hack, use it at your own risk!

Aleksey
From the FAQ:
--------------------------
3.3. I am trying to sign/validate a document but xmlXPtrEval function
can't evaluate "xpointer(id('XXXXXXX'))" expression. What's wrong?

First of all, read section 3.2 about ID attributes. If you have tried
to declare the required ID attribute in the DTD as it is described and
you still have problems then I would guess that you are playing with
the Visa 3D protocol. This protocol tries to reference an "id"
attribute defined as CDATA instead of ID in the DTD and it is
impossible in XML as described in section 3.2. Even worse, the value
of this Visa 3D "id" attribute may start with a number or contain "+"
or "/" characters, which is impossible for an ID attribute
<http://www.w3.org/TR/REC-xml#sec-attribute-types>. Based on this, I
have to say that the Visa 3D protocol does not use the XML or XMLDSig
specifications. And if you can then you should probably let the Visa
guys know about this problem (though it was already done several
times).

The only good solution for this problem is changing the Visa 3D
protocol. However, it might take time. As a short term solution you
can use a special "Visa 3D specific" hack in xmlsec. Please note that
nobody (including me) knows what else might be broken in your
application if you decide to use this hack. You are on your own here
because this hack makes your application work with non-XML and
non-XMLDSig but some "Visa 3D" files.

In order to process "Visa 3D" documents, you need to do two things:

  * Register ID attributes manually (|xmlAddID| function or
    |--id-attr| option for the xmlsec command line utility).
  * Enable the Visa 3D hack in the XML DSig context
    (|dsigCtx->flags |= XMLSEC_DSIG_FLAGS_USE_VISA3D_HACK| or
    |--enable-visa3d-hack| option for the xmlsec command line utility).

This is a *hack*. *You are warned!*
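
A pre-check for the ID problem described in the FAQ text above, as an added example that is not part of the original post or of xmlsec: it lists the "id" values on the elements you would name with --id-attr and flags those that cannot be XML IDs (not a Name, or repeated in the document). The function name audit_ids and the sample document are constructed for illustration; only the element name PARes and the values "12345" and "aaa+bbb" come from the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Name production from the XML 1.0 Recommendation (NameStartChar / NameChar).
_START = (":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          "\u037F-\u1FFF\u200C\u200D\u2070-\u218F\u2C00-\u2FEF"
          "\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_REST = _START + r"\-.0-9\u00B7\u0300-\u036F\u203F\u2040"
XML_NAME = re.compile("[%s][%s]*" % (_START, _REST))

# Constructed sample, not a real Visa 3D message.
SAMPLE = """<Envelope>
  <PARes id="12345"><Data>a</Data></PARes>
  <PARes id="aaa+bbb"><Data>b</Data></PARes>
  <PARes id="ok_1"><Data>c</Data></PARes>
  <PARes id="ok_1"><Data>d</Data></PARes>
</Envelope>"""


def audit_ids(xml_text, node_name, attr_name="id"):
    """Return [(value, [problems])] for attr_name on every node_name element.

    An attribute of type ID must match the Name production and its value
    must not occur more than once as an ID in the document.
    """
    root = ET.fromstring(xml_text)
    values = [el.get(attr_name) for el in root.iter()
              # ElementTree spells namespaced tags as "{uri}local".
              if el.tag.rsplit("}", 1)[-1] == node_name
              and el.get(attr_name) is not None]
    seen = Counter(values)
    report = []
    for value in values:
        problems = []
        if not XML_NAME.fullmatch(value):
            problems.append("not an XML Name")
        if seen[value] > 1:
            problems.append("duplicate")
        report.append((value, problems))
    return report


if __name__ == "__main__":
    for value, problems in audit_ids(SAMPLE, "PARes"):
        print(repr(value), "OK" if not problems else ", ".join(problems))
```

Values reported as "not an XML Name" are the ones that cannot be declared as ID in a DTD, which is the situation the hack exists for.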