Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The library makes use of the Apache Xerces-C XML Parser and Xalan-C XSLT processor. The latter is used for processing XPath and XSLT transforms. The use of Xalan-C is optional, but without it, XPath and XSLT transformations cannot be performed.


The state of the Xalan-C project is unclear at this time, and these features should be viewed with caution.

In addition, the library currently uses OpenSSL to provide cryptographic functionality. The cryptographic interface is implemented via a thin wrapper layer, and development versions of implementations for the Windows Cryptographic API and NSS have also been implemented, but are poorly supported, may be removed in the future, and are not in practice recommended for use.


The XML Signature and Encryption specifications are complex and difficult (some would say virtually impossible) to implement securely. Moreover, this library is extremely generic in nature and was designed to support a wide array of use cases with different characteristics and threat models, and out of the box it does not (and cannot) provide the safeguards needed to ensure that any given use case is implemented safely. Applications or libraries using this library have to be carefully designed with their own needs in mind and generally would need to include a large amount of additional code to limit the kinds of signature or encryption syntaxes permitted.

This library in particular is not modular in nature to the extent that specific features can easily be turned on and off, and so the potential for vulnerabilities is very large and very hard to avoid, especially for developers not extremely well versed in the specifications. Notably, the support for XPath and XSLT, while extensive when Xalan is included, is an extremely large source of risk and should be avoided in virtually all cases.

Thus, we strongly urge that developers consider whether they are prepared to take on such a responsibility and in most cases should seek better options that may already exist to address their needs rather than attempting (and likely failing) to produce a secure solution on their own.

Furthermore, this library has very limited support in the form of active maintainers and should be viewed as a poor option for new applications in general.


Version 2.0.4 of the Apache XML Security for C++ has been released, correcting support for OpenSSL earlier than 1.1.