Do you mind posting the full XML document?

Aleksey

On 3/14/12 6:45 AM, Claude Lecommandeur wrote:
>
> Hi,
>
> I am trying to write a small SAML2 IDP and have a strange problem when
> creating encrypted saml2:Assertion.
> I create a saml2p:Response which contains an assertion:
>
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2012-03-13T12:02:56Z"
> Version="2.0">
> ...
> </saml2:Assertion>
>
> I encrypted it with an AES key, and embedded it inside
> saml2:EncryptedAssertion and xenc:EncryptedData and everything goes
> well. The problem arises when I try to decrypt it with xmlsec1 --decrypt.
> I get this:
>
> ------------------------------------
> xmlsec1 --decrypt --trusted-pem kissrv64.crt --privkey kissrv64.key resp
> Entity: line 80: parser error : chunk is not well balanced
> </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
> ^
> func=xmlSecReplaceNodeBufferAndReturn:file=xmltree.c:line=573:obj=unknown:subj=xmlParseInNodeContext:error=5:libxml2
> library function failed:Failed to parse content
> func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=648:obj=unknown:subj=xmlSecReplaceNodeBuffer:error=1:xmlsec
> library function failed:node=EncryptedData
> Error: failed to decrypt file
> Error: failed to decrypt file "resp"
> -----------------------------------
>
> This is strange since my assertion is well balanced. If I remove the
> closing tag of the assertion, making it invalid XML, the decrypting
> works but produces an invalid result: no saml2:Assertion inside.
>
> I then tried to insert a prefix to the assertion:
>
> <saml2:Assertion <saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> IssueInstant="2012-03-13T12:02:56Z"
> Version="2.0">
> ...
> </saml2:Assertion>
>
> Yes, perfect nonsense, but decrypting works and seems correct, but
> when feeding it to a Shibboleth SP, it chokes with "Decryption did not
> result in a single element."
>
>
> I am lost, if anyone has advice ready for this case, I'll take it.
>
> Claude.
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
