[xmlsec] Visa 3D and xmlsec

Aleksey Sanin aleksey at aleksey.com
Sun Oct 5 01:28:26 PDT 2003

As we already have discussed several times, Visa 3D protocol
does not follow XML/XPointer/XMLDSig specifications when it
declares "id" attribute as CDATA instead of ID and uses invalid
ID values (like "12345" or "aaa+bbb") for these attributes.

However, the Visa 3D protocol is an important use case, thus I have
decided to implement a *special hack* for those who have to work
with it. This change is available in CVS and will be included
in the next xmlsec release. Explanations are placed in the FAQ
(see below).

For example, after implementing this hack you will be able to verify
Visa 3D documents with the xmlsec command line utility using the following
command line:

    xmlsec1 verify --enable-visa3d-hack --id-attr PARes --trusted some.cert some.xml

Again, this is a hack, use it at your own risk!


 From the FAQ:

        3.3. I am trying to sign/validate a document but xmlXPtrEval
        can't evaluate "xpointer(id('XXXXXXX'))" expression. What's wrong?

First of all, read section 3.2 about ID attributes. If you have tried to
declare the required ID attribute in the DTD as described there and you still
have problems, then I would guess that you are playing with the Visa 3D
protocol. This protocol tries to reference an "id" attribute defined as CDATA
instead of ID in the DTD; this is impossible in XML, as described in section
3.2. Even worse, the value of this Visa 3D "id" attribute may start with a
number or contain "+" or "/", which is impossible for an ID attribute
<http://www.w3.org/TR/REC-xml#sec-attribute-types>. Based on this, I have to
say that the Visa 3D protocol does not use the XML or XMLDSig specifications.
And if you can, then you should probably let the Visa guys know about this
problem (though it was already done several times).

The only good solution for this problem is changing the Visa 3D protocol. It
might take time. As a short-term solution you can use a special "Visa 3D
specific" hack in xmlsec. Please note that nobody (including me) knows what
else might be broken in your application if you decide to use this hack. You
are on your own here because this hack makes your application work with
non-XML and non-XMLDSig but some "Visa 3D" files.

In order to process "Visa 3D" documents, you need to do two things:

    * Register ID attributes manually (xmlAddID function or --id-attr
      option for the xmlsec command line utility).
    * Enable the Visa 3D hack in the XML DSig context
      (dsigCtx->flags |= XMLSEC_DSIG_FLAGS_USE_VISA3D_HACK, or the
      --enable-visa3d-hack option for the xmlsec command line utility).

This is a *hack*. *You are warned!*
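
A pre-flight check for the problem the FAQ entry above describes, as an added example that is not part of the original post or of xmlsec: it reports "id" values that cannot be XML ID values, which tells you whether a document can be referenced the standard way or only with the hack. It assumes the XML 1.0 (Fifth Edition) Name production without ":" and also flags duplicate values, since IDs must be unique; the function names and the sample document (apart from the PARes element name) are constructed.

```python
import re
import xml.etree.ElementTree as ET

# NameStartChar from XML 1.0 (Fifth Edition), with ":" left out (assumption:
# namespace-aware documents, where an ID value must be an NCName).
_START = ("A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          "\u037F-\u1FFF\u200C\u200D\u2070-\u218F\u2C00-\u2FEF"
          "\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
# NameChar adds "-", ".", digits and a few combining/extender characters.
_REST = _START + "\\-.0-9\u00B7\u0300-\u036F\u203F\u2040"
_NCNAME = re.compile(f"[{_START}][{_REST}]*")


def is_valid_id(value):
    """True if `value` could legally be the value of an attribute of type ID."""
    return _NCNAME.fullmatch(value) is not None


def check_ids(xml_text, attr="id"):
    """Return [(tag, value, reason)] for `attr` values that break the ID rules."""
    seen, findings = set(), []
    for el in ET.fromstring(xml_text).iter():
        value = el.get(attr)
        if value is None:
            continue
        if not is_valid_id(value):
            findings.append((el.tag, value, "not a valid Name"))
        elif value in seen:
            findings.append((el.tag, value, "duplicate"))
        seen.add(value)
    return findings


# Constructed sample: element names other than PARes are made up, and the
# id values are the invalid examples quoted in the message.
SAMPLE = """<Envelope>
  <Message id="12345">
    <PARes id="aaa+bbb"><TX/></PARes>
    <Extension id="ok_1"/>
    <Extension id="ok_1"/>
  </Message>
</Envelope>"""

if __name__ == "__main__":
    for tag, value, reason in check_ids(SAMPLE):
        print(f"{tag}: id={value!r} -> {reason}")
```

An empty result means the document's "id" values are usable as real IDs once declared or registered; any finding means a standards-conforming XPointer id() lookup cannot be relied on for that element.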
