[xmlsec] XPATH and Visa 3D-secure specification

Aleksey Sanin aleksey at aleksey.com
Thu Sep 25 09:43:18 PDT 2003

> It sucks but I don't see any option other than hacking LibXML2. Of
> course, this is the worst idea one can ever imagine but that's all I have.

I had some time to think about that while I was driving to work and
probably there is a better option. If someone is interested in
investigating/implementing it then don't forget that contributions are
welcome :)

So, why do we have this problem? There are a few reasons:
    0) Visa protocol does not declare id attribute as ID in DTD/schemas.
    1) Visa sends out id attributes in the random string form (I guess
    some junior programmer just wrote code to produce id's using rand()
    and base64() functions :) ).
    2) If id attribute is declared as ID in DTD/schema then LibXML2
    checks for validity of this attribute.
    3) LibXML2 Xpointer (Xpath) functions do not like when id attribute
    starts with a digit (libxml2 thinks that this is a number) or has '+'
    inside (libxml2 thinks that someone is trying to add something to
    something).
    4) xmlsec uses xpointer (xpath) to resolve "#ID" URIs.

It does not sound like we can change 0) or 1). And we don't like the
option of changing 2) or 3). Thus let's explore if we can change 4).

LibXML2 keeps a list of ID attributes internally (xmlGetID/xmlAddID).
Thus one who wants to resolve ID attributes "by hand" can do it. The only
thing is that you have to
    - Change xmlsec code to understand that "#ID" is not "#xpointer(...)"
    or "#xmlns(...)" (and probably, not something like "#something(...)"
    in general) and if it is the case, call xmlGetID() instead of XPointer
    functions.
    - Do register the functions IDs in LibXML2 manually (xmlAddID).

This is a hack. For example, I would not expect this to ever work with
the xmlsec command line tool (remember that you need to call xmlAddID
manually because of item 2) above). I don't like it at all. But Visa3D is
an important use case. Thus I think that it's acceptable to have this hack
in xmlsec. As I wrote before, if anyone is interested, feel free to submit
a patch. Search for "xpointer" in the "src/transform.c" file. There is only
one function that needs to be changed in xmlsec. If you do it then please
put a comment there with explanations why it was decided to use xmlGetID
directly instead of using xpointers.

With best regards,
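
The dispatch decision described in the message, sketched as an added example that is not part of the original post and is not xmlsec code: tell a "#scheme(...)" reference from a bare "#ID", and flag IDs that are not name-shaped. The function names, the ASCII-only name check and the sample URIs are assumptions made for illustration; the libxml2 calls appear only in comments.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { REF_OTHER, REF_XPOINTER_SCHEME, REF_BARE_ID } ref_kind;

/* ASCII subset of the XML NCName rule (a simplification): letter or '_'
 * first, then letters, digits, '.', '-', '_'. */
static int is_ncname(const char *s, size_t n)
{
    if (n == 0 || !(isalpha((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* "#name(...)" is left to XPointer; any other non-empty fragment is
 * treated as a literal ID value and never parsed as an expression. */
static ref_kind classify_reference(const char *uri)
{
    if (uri == NULL || uri[0] != '#' || uri[1] == '\0')
        return REF_OTHER;
    const char *frag = uri + 1;
    size_t len = strlen(frag);
    const char *paren = strchr(frag, '(');
    if (paren != NULL && frag[len - 1] == ')' &&
        is_ncname(frag, (size_t)(paren - frag)))
        return REF_XPOINTER_SCHEME;
    return REF_BARE_ID; /* here the caller would use xmlGetID(doc, frag) */
}

/* 1 when the bare ID starts with a digit or carries characters such as
 * '+', i.e. it only resolves if registered by hand with xmlAddID(). */
static int id_needs_direct_lookup(const char *uri)
{
    if (classify_reference(uri) != REF_BARE_ID)
        return 0;
    return !is_ncname(uri + 1, strlen(uri + 1));
}

int main(void)
{
    /* Constructed sample URIs, not taken from any real 3-D Secure message. */
    const char *s[] = { "#xpointer(id('a1'))", "#order-1", "#4f+Zq/8=" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-20s kind=%d direct=%d\n", s[i],
               classify_reference(s[i]), id_needs_direct_lookup(s[i]));
    return 0;
}
```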

