XML Security Library

LibXML2
LibXSLT
OpenSSL

Frequently Asked Questions

0. Where can I read more about XML Signature and XML Encryption?

First of all, read the original specifications: XML Digital Signature and XML Encrytpion. Also there several books available that can help you to get started.

1. License(s).

1.1. Licensing Terms for XMLSec library.

XML Security Library is released under the MIT License, see the file Copyright in the distribution for the precise wording.

1.2. Can I use xmlsec with proprietary application or library? Can I use xmlsec with a GNU GPL application or library?

Probably, you will need to ask a lawyer. But IANAL answer can be found in the following table:

XML Security Library module Dependencies Dependencies Licenses Using with proprietary code Using with MIT/BSD code Using with GPL code
xmlsec-core LibXML2, LibXSLT MIT License Yes Yes Yes
xmlsec-openssl OpenSSL OpenSSL licenses Yes Yes It's complicated, see OpenSSL FAQ for more details
xmlsec-nss NSS MPLv2 Yes Yes Yes
xmlsec-gnutls GnuTLS LGPLv2.1+ It's complicated, talk to a lawyer Yes Yes
xmlsec-mscrypto and xmlsec-mscng Windows OS Microsoft licensing, part of Windows OS. It's complicated, talk to a lawyer It's complicated, talk to a lawyer It's complicated, talk to a lawyer
xmlsec-gcrypt LibGCrypt LGPLv2.1+ It's complicated, talk to a lawyer Yes Yes

If you have questions about XML Security Library licensing then feel free to send these questions to the mailing list.

2. Building XMLSec.

2.1. Where can I get xmlsec?

See XML Security Library download page.

2.2. How to compile xmlsec?

On Unix just follow the "standard":

gunzip -c xmlsec-<version>.tar.gz | tar xvf -
cd xmlsec-<version>
mkdir build
cd build
../configure --help
../configure [configure options]
make
make check
make install

On Windows the process is more complicated. Please check readme file in the xmlsec-<version>/win32 folder.

2.3. What other libraries are needed to compile/install xmlsec?

See Download page for detailed list.

2.4. Why does make check fail for some tests?

The most likely reason is that some features might require additional configuration (e.g. installing and configuring GOST plugins for OpenSSL and MSCrypto). Otherwise, please submit a bug report and I'll try to fix it.

2.5. I got the xmlsec source code from GitHub and there is no configure script. Where can I get it?

The configure (and several other files) are generated. Use the autogen.sh script to regenerate these files:

mkdir build
cd build
../autogen.sh [configure options]
make
...

2.6. I do not need all these features supported by xmlsec. Can I disable some of them?

Yes, you can. Please run configure --help for the list of possible configuration options.

2.7. I am compiling XMLSec library on Windows and it does not compile or crashes right after the launch. Can you help me?

There are several possible reasons why you might have problems on Windows:

  • Incorrect MS C runtime libraries. Windows basically has multiple C runtimes. First, there is one called libc.lib and it can only be linked to statically. The other is called msvcrt.dll and can only be linked to dynamically. The first one occurs in its single-threaded and multithreaded variants. Then for each of the libraries above, there are both debug and release version (we are at six runtimes!). Next, different versions of Microsoft Visual C/C++ have different runtimes which aren't compatible with each other (e.g. MSVC 6.0 runtime is not compatible with .NET 2003 runtime). The rule is simple: exactly the same runtime must be used throughout the application and all the librareies used by the application (e.g. XMLSec, LibXML2, LibXSLT, ...).
  • Mismatched compilation parameters. The XMLSec library and the application should use the same defines. For example, when linking statically, the #define XMLSEC_STATIC or /DXMLSEC_STATIC=1 should be used (and same applies to LIBXML_STATIC and LIBXSLT_STATIC defines). These defines are critical on Windows (e.g. to ensure __declspec(dllimport) is done correctly) but have no effect on Unix.

3. Using XMLSec.

3.1. xmlSecDSigCtxValidate() function returned 0. Does this mean that the signature is valid?

No! The xmlSecDSigCtxValidate() function returns 0 when there are no processing errors during signature validation (i.e. the document has correct syntax, all keys were found, etc.). The signature is valid if and only if the xmlSecDSigCtxValidate() function returns 0 and the status member of the xmlSecDSigCtx structure is equal to xmlSecDSigStatusSucceeded.

3.2. I am trying to sign use a part of XML document using an "Id" attribute but it does not work. Do you support "Id" attributes at all?

Yes, the Id attributes are supported by both XMLSec and LibXML2 libraries. However, you have to tell LibXML2/XMLSec what is the name of the ID attribute. XML specification does not require ID attribute to have name "ID", "Id" or "id". It can be anything you want! There are several ways to declare an ID attribute:

  • Use DTD. For example, the following DTD declares Id attribute in Data node to be an XML ID attribute:
    <!DOCTYPE test [
    <!ATTLIST Data Id ID #IMPLIED>
    ]>
    The DTD might be directly included in the XML file or located in a standalone file. In the second case, you might load the DTD in xmlsec command line utility with the --dtd-file option.
  • Use xml:id. The xml:id spec allows to declare an ID attribute in the schema or DTD.
  • Use --id-attr for xmlsec command line utility. The --id-attr command line option allows to quickly declare an ID attribute for xmlsec command line utility.
  • Use xmlAddID function. If you are writing an application, you can declare an ID attribute using the xmlAddID LibXML2 function.

3.3. I am trying to sign an XML document and I have a warning about "empty nodes set". Should I worry about this?

Most likely yes. When it's not an error from specification point of view, I can hardly imagine a real world case that requires signing an empty nodes set (i.e. signing an empty string). Most likely, you have this error because you are trying to use an ID attribute and you did not declare the ID attribute (see section 3.2 about ID attributes).

3.4. I am trying to sign/validate a document but xmlXPtrEval function can't evaluate "xpointer(id('XXXXXXX'))" expression. What's wrong?

First of all, read section 3.2 about ID attributes. If you have tried to declare the required ID attribute and you still have problems then it is likely working with the Visa 3D protocol. This protocol tries to reference to an "id" attribute defined as CDATA instead of ID in the DTD (it is impossible in XML as described in section 3.2). Even worse, the value of the Visa 3D "id" attribute may start from number or contain "+" or "/" and this breakes the XML specification again. The right solution for this problem is to change Visa 3D protocol. As a practical soluton, try (on your own risk) the "Visa 3D hack" in xmlsec:

  • First, register ID attributes manually (using either xmlAddID function or --id-attr option for xmlsec command line utility).
  • Second, enable the "Visa 3D hack" in XML DSig context (using either dsigCtx->flags |= XMLSEC_DSIG_FLAGS_USE_VISA3D_HACK or --enable-visa3d-hack option for xmlsec command line utility).

This is a hack. You are warned!

UPDATE: It appears that newer version (Novemeber, 2005) of the Visa3D DTD has this problem fixed and now "id" attribute is declared as ID correctly.

3.5. The XMLSec library or XMLSec command line tool fails because the key cannot be found. What's wrong?

There might be multiple reasons for the "key cannot be found error":

  • KeyValue or DEREncodedKeyValue nodes are disabled by default. The KeyValue and DEREncodedKeyValue nodes allow definition of the key value directly in an XML file. This creates a security risk because there is no mechanism to verify the key origin (and for example, this enables to create "fake" signatures). Thus, the KeyValue and DEREncodedKeyValue nodes are disabled by default. Yet, in some use cases the use of these nodes in XML file can be appropriate. If you verify that these nodes do not present security concerns for your applicaton, then you can re-enable KeyValue and DEREncodedKeyValue nodes using the --enabled-key-data option for the xmlsec command line utility, or by setting the keyInfoCtx->enabledKeyData parameter in your application. THIS IS NOT SECURE AND NOT RECOMMENDED.
  • Key is not referenced in KeyInfo node (or this node is not included). If a key is not referenced in the XML file then it creates a potential security risk because the key is no longer coupled with signature (the KeyInfo node is signed during the XML signature process and it's integrity is validated during XML signature verification). Yet, in some use cases not using the KeyInfo node to specifiy the key can be appropriate. If you verify that this does not present a security concerns for your applicaton, then you can enable "lax" key search mode by using --lax-key-search option for the xmlsec command line utility, or by setting keyInfoCtx->flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH; flag in your application. THIS IS NOT SECURE AND NOT RECOMMENDED.
  • Certificate cannot be verified. See the next question 3.6 in this FAQ.

3.6. The XMLSec library or XMLSec command line tool fails because the certificate cannot be verified. What's wrong?

There might be several reasons why XMLSec library cannot verify a certificate:

  • First, check that both trusted (root) and untrusted certificates from the certificate chain are provided to the XMLSec library or command line tool (e.g. in the XML file, or loaded into the keys manager, or available in the crypto library ceritificates store, or provided in the command line, or ...).
  • Check if any of the certificates in the certificate verification chain expired. The XML Digital Signature specification does not have a standard way to include the signature timestamp. If you decide to add timestamp to your signature, then consider signing the timestamp along with other data. If you verify that changing signature verification time from "now" to some other value does not present a security concerns for your applicaton, then you can use --verification-time <time> option (where <time> is the local system time in the YYYY-MM-DD HH:MM:SS format), or by setting keyInfoCtx->certsVerificationTime parameter in your application.
  • Older certificates that use MD5 or SHA1 hashes might be rejected by newer cryptographic libraries because these algorithms are no longer considered secure. If you verify that this does not present a security concerns for your applicaton, then you can re-enable these algorithms (and also skip some other strict certificate verification checks) by using the --X509-skip-strict-checks option for the xmlsec command line utility, or by setting keyInfoCtx->flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS; flag in your application. THIS IS NOT SECURE AND NOT RECOMMENDED.
  • Lastly, you can use the --insecure option for the xmlsec command line utility, or by set keyInfoCtx->flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS; flag in your application to completely disable the certificates verification. Disabling certificate verification creates a security risk because there is no mechanism to verify the key origin (and for example, this enables to create "fake" signatures). THIS IS NOT SECURE AND NOT RECOMMENDED.

3.7. I really like the XMLSec library but it is based on OpenSSL and I have to use another crypto library in my application. Can you write code to support my crypto library?

The XMLSec library has a very modular structure and there should be no problem with using another crypto library. For example, XMLSec already supports NSS, GnuTLS, GCrypt and multple Microsoft Crypto APIs. If your favorite cryptographic library is not supported by XMLSec then you can either write intergration yourself or contact me to discuss possible options.

3.8. I really like the XMLSec library but it does not have cipher or transform that I need. Can you write code for me?

The XMLSec library has a very modular structure and it is easy to add any cipher or other transform. You can either write intergration yourself or contact me to discuss possible options.