[xmlsec] Encrypting with pub key in cert

Ashley Hindmarsh ashley.hindmarsh at bbc.co.uk
Tue Feb 12 01:19:42 PST 2013

I'm trying to generate encrypted XML from a pre-signed SAML token using 

Platform is RHEL5 (running as a VM).

I'm using this document (along with xmlsec docs) as a reference
This describes the use-case (hybrid encryption) very nicely.

/usr/bin/xmlsec1 encrypt \
  --pubkey-cert-pem t/psdrsamlcert.pem  \
  --print-debug \
  --session-key aes-256  \
  --xml-data t/DecryptedToken.xml \
  --output psdr-encrypted-xpath.xml \
  --node-xpath / t/session-key-template.xml

psdrsamlcert.pem is generated using basic openssl defaults + an RSA key 
pair (self-signed).

session-key-template.xml reads as follows:

<?xml version="1.0" encoding="UTF-8"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" 
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

The error I get is:
library function failed:

I tried adding --X509-skip-strict-checks, but that makes no difference.

It seems that using self-signed certs may be a problem, but that 
appeared to apply only to xmlsec verification functions.

Is it the case that the same functions are required to extract the X509 

If so, is there a work-around which avoids this?
I don't *need* to have X509Data in the token response, just some 
reference to the issuer.
I tried using 'KeyName' in place of X509Data but again, it makes no 

Thanks for reading,
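A hand-rolled version of the hybrid scheme the xmlsec1 command above asks for, added here as an example and not taken from the post or from the xmlsec project: openssl pulls the RSA public key straight out of a self-signed certificate (no chain validation is involved in that step), encrypts the token with a fresh AES-256 session key, wraps that key with the certificate's public key, and lays the wrapped key out in the EncryptedKey shape of the template, using KeyName as the issuer reference. The certificate, private key and token are constructed throw-away inputs and the helper function names are my own.

```shell
#!/bin/sh
# Hybrid encryption done by hand with openssl, mirroring what
# "xmlsec1 encrypt --session-key aes-256 --pubkey-cert-pem" does:
#   1. read the RSA public key out of the (self-signed) certificate,
#   2. generate a random 256-bit AES session key and IV,
#   3. encrypt the XML payload with the session key (AES-256-CBC),
#   4. wrap the session key with the certificate's public key (RSA-OAEP).
# Only the key inside the cert is used here; nothing validates the cert chain.
set -eu
WORK=$(mktemp -d)

# Constructed inputs: a throw-away self-signed cert and a sample token.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-issuer" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
printf '<Assertion ID="_1">constructed sample token</Assertion>\n' > "$WORK/token.xml"

# Step 1: the public key is taken straight from the certificate.
extract_pubkey() {  # $1 = cert.pem, $2 = output pubkey.pem
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Steps 2-4: produce cipher.bin (payload) and wrapped.key (the EncryptedKey).
hybrid_encrypt() {  # $1 = cert.pem, $2 = plaintext file, $3 = work dir
  extract_pubkey "$1" "$3/pub.pem"
  openssl rand -hex 32 > "$3/session.key"   # 64 hex chars = 256-bit key
  openssl rand -hex 16 > "$3/iv"
  openssl enc -aes-256-cbc -K "$(cat "$3/session.key")" -iv "$(cat "$3/iv")" \
    -in "$2" -out "$3/cipher.bin"
  openssl pkeyutl -encrypt -pubin -inkey "$3/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$3/session.key" -out "$3/wrapped.key"
}

# Reverse: unwrap the session key with the private key, then decrypt.
hybrid_decrypt() {  # $1 = private key, $2 = work dir, $3 = output file
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2/wrapped.key" -out "$2/session.unwrapped"
  openssl enc -d -aes-256-cbc -K "$(cat "$2/session.unwrapped")" \
    -iv "$(cat "$2/iv")" -in "$2/cipher.bin" -out "$3"
}

# The EncryptedKey element the template leaves for xmlsec to fill in,
# with KeyName as the issuer reference instead of X509Data.
emit_encrypted_key() {  # $1 = work dir, $2 = key name; prints the element
  printf '<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">\n'
  printf ' <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>\n'
  printf ' <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>%s</KeyName></KeyInfo>\n' "$2"
  printf ' <CipherData><CipherValue>%s</CipherValue></CipherData>\n</EncryptedKey>\n' \
    "$(openssl base64 -A -in "$1/wrapped.key")"
}

hybrid_encrypt "$WORK/cert.pem" "$WORK/token.xml" "$WORK"
hybrid_decrypt "$WORK/key.pem" "$WORK" "$WORK/out.xml"
emit_encrypted_key "$WORK" "example-issuer"
```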

