author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2011-11-29 12:36:47 +0100 |
---|---|---|
committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2011-11-29 12:36:47 +0100 |
commit | 29800377a38349c04e3744aa736fc9e70c2bf16a (patch) | |
tree | ab00fde9b27760febeeeda86ff6b348a58803d90 | |
parent | 92ebef91f584d3afd72ded1747c09981b4476c14 (diff) | |
parent | b785881e531116da7250190e632bd205212a9bdf (diff) | |
Merge branch 'multi-certificates'
26 files changed, 583 insertions, 84 deletions
diff --git a/lasso/errors.c b/lasso/errors.c
index af772c14..2a38f3dd 100644
--- a/lasso/errors.c
+++ b/lasso/errors.c
@@ -359,6 +359,8 @@ lasso_strerror(int error_code)
 return "The known password does not match the UsernameToken";
 case LASSO_WSSEC_ERROR_MISSING_SECURITY_TOKEN:
 return "The request miss a WS-Security token.";
+ case LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA:
+ return "The EncryptedData node is invalid, look at the logs.";
 case LASSO_XML_ERROR_ATTR_NOT_FOUND:
 return "Unable to get attribute of element.";
 case LASSO_XML_ERROR_ATTR_VALUE_NOT_FOUND:
diff --git a/lasso/errors.h b/lasso/errors.h
index 8cc114fb..10d91818 100644
--- a/lasso/errors.h
+++ b/lasso/errors.h
@@ -1076,3 +1076,10 @@ LASSO_EXPORT const char* lasso_strerror(int error_code);
 * The current assertion query does not contain an attribute query.
 */
 #define LASSO_ASSERTION_QUERY_ERROR_NOT_AN_ATTRIBUTE_QUERY 1902
+
+/**
+ * LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA
+ *
+ * The EncryptedData node is invalid, look at the logs.
+ */
+#define LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA -2001
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 9e914002..31cb94bc 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
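Review bot: `#define LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA -2001` is negative while its neighbour `LASSO_ASSERTION_QUERY_ERROR_NOT_AN_ATTRIBUTE_QUERY 1902` and every other code in view is positive; if the sign carries meaning in this header, the new doc comment should say so, otherwise a reader will take it for a typo of 2001. The strerror text "look at the logs" also makes the code depend on the producer logging the xmlsec failure before returning it, which is worth one sentence in the same comment, e.g. `Details of the failure are logged by the decryption routine that returns this code.`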
@@ -384,12 +384,13 @@ lasso_login_build_assertion(LassoLogin *login,
 /* Encrypt NameID */
 provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
 ss = LASSO_SAML_SUBJECT_STATEMENT_ABSTRACT(as);
- if (provider && provider->private_data->encryption_mode & LASSO_ENCRYPTION_MODE_NAMEID
- && lasso_provider_get_encryption_public_key(provider) != NULL) {
+ if (provider
+ && (lasso_provider_get_encryption_mode(provider) & LASSO_ENCRYPTION_MODE_NAMEID)) {
 encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(lasso_node_encrypt(
- LASSO_NODE(ss->Subject->NameIdentifier),
- lasso_provider_get_encryption_public_key(provider),
- provider->private_data->encryption_sym_key_type, provider->ProviderID));
+ LASSO_NODE(ss->Subject->NameIdentifier),
+ lasso_provider_get_encryption_public_key(provider),
+ lasso_provider_get_encryption_sym_key_type(provider),
+ provider->ProviderID));
 if (encrypted_element != NULL) {
 lasso_assign_new_gobject(ss->Subject->EncryptedNameIdentifier, encrypted_element);
 lasso_release_gobject(ss->Subject->NameIdentifier);
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index 8df653de..c90819a3 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
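Review bot: The rewritten condition drops the `lasso_provider_get_encryption_public_key(provider) != NULL` test, so when the provider's encryption mode asks for NameID encryption but no encryption key is configured, `lasso_node_encrypt` is called with a NULL key and, if it returns NULL as the following `if (encrypted_element != NULL)` suggests it can, the NameIdentifier is quietly left in clear in the assertion, the opposite of what the peer's metadata requested. Failing the build, or at least logging it, is safer than falling through: add `else { message(G_LOG_LEVEL_WARNING, "NameID encryption requested by %s but failed", provider->ProviderID); }` after the existing `if`, and return `LASSO_DS_ERROR_ENCRYPTION_FAILED` if this function reports errors by return value. The same silent fallthrough existed before the change, but the new condition now routes the no-key case straight into it. lasso_login_build_assertion starts and ends outside the hunk.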
@@ -548,16 +548,16 @@ xmlSecKey*
 lasso_provider_get_encryption_public_key(const LassoProvider *provider)
 {
 g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
- GList *public_keys;
+ GList *keys;
- if (provider->private_data->encryption_public_keys) {
- return provider->private_data->encryption_public_keys->data;
+ keys = provider->private_data->encryption_public_keys;
+ /* encrypt using the first given key, multiple encryption key in the metadata is generally
+ * useless. roll-over of the encryption key is done mainly at the receiving side, by trying
+ * to decipher using the two private keys, the old and the new. */
+ if (keys && keys->data) {
+ return (xmlSecKey*)keys->data;
 }
- public_keys = lasso_provider_get_public_keys(provider);
- if (! public_keys) {
- return NULL;
- }
- return (xmlSecKey*)public_keys->data;
+ return NULL;
 }
 static void
@@ -859,9 +859,7 @@ dispose(GObject *object)
 provider->private_data->encryption_public_key_str = NULL;
 }
- if (provider->private_data->encryption_public_keys) {
- lasso_release_list_of_sec_key(provider->private_data->encryption_public_keys);
- }
+ lasso_release_list_of_sec_key(provider->private_data->encryption_public_keys);
 lasso_release(provider->private_data->affiliation_id);
 provider->private_data->affiliation_id = NULL;
@@ -1289,8 +1287,8 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
 list_of_sec_key);
 break;
 case LASSO_PUBLIC_KEY_ENCRYPTION:
- lasso_transfer_full(provider->private_data->encryption_public_keys,
- keys, list_of_sec_key);
+ lasso_transfer_full(provider->private_data->encryption_public_keys, keys,
+ list_of_sec_key);
 break;
 default:
 lasso_release_list_of_sec_key(keys);
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
index 882a50b0..9d3b7365 100644
--- a/lasso/id-ff/server.c
+++ b/lasso/id-ff/server.c
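Review bot: `lasso_provider_get_encryption_public_key` no longer falls back to `lasso_provider_get_public_keys` when no encryption key was loaded, so a provider whose metadata carries only signing certificates now gets NULL here where it used to get the signing key; whether that is a regression depends on `lasso_provider_load_public_key(..., LASSO_PUBLIC_KEY_ENCRYPTION)` in the third hunk already collecting KeyDescriptor entries that have no `use` attribute, which this page does not show. The function's doc comment, above the hunk, should state the new contract, e.g. `Returns the first encryption key declared by the provider, or NULL when none was loaded; signing keys are not used as a fallback.` The in-line comment explains the design choice well but says nothing about what a caller is expected to do with NULL, and the only caller in this commit (lasso/id-ff/login.c) silently skips encryption.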
@@ -182,10 +182,7 @@ lasso_server_set_encryption_private_key_with_password(LassoServer *server,
 if (! key || ! (xmlSecKeyGetType(key) & xmlSecKeyDataTypePrivate)) {
 return LASSO_SERVER_ERROR_SET_ENCRYPTION_PRIVATE_KEY_FAILED;
 }
- lasso_release_sec_key(server->private_data->encryption_private_key);
- server->private_data->encryption_private_key = key;
- } else {
- lasso_release_sec_key(server->private_data->encryption_private_key);
+ lasso_list_add_new_sec_key(server->private_data->encryption_private_keys, key);
 }
 return 0;
@@ -289,8 +286,8 @@ init_from_xml(LassoNode *node, xmlNode *xmlnode)
 rc = parent_class->init_from_xml(node, xmlnode);
 if (server->private_key) {
- server->private_data->encryption_private_key =
- lasso_xmlsec_load_private_key(server->private_key, server->private_key_password);
+ lasso_server_set_encryption_private_key_with_password(server, server->private_key,
+ server->private_key_password);
 }
 if (rc) return rc;
@@ -481,7 +478,7 @@ dispose(GObject *object)
 }
 server->private_data->dispose_has_run = TRUE;
- lasso_release_sec_key(server->private_data->encryption_private_key);
+ lasso_release_list_of_sec_key(server->private_data->encryption_private_keys);
 lasso_release_list_of_gobjects(server->private_data->svc_metadatas);
@@ -523,7 +520,7 @@ instance_init(LassoServer *server)
 {
 server->private_data = g_new0(LassoServerPrivate, 1);
 server->private_data->dispose_has_run = FALSE;
- server->private_data->encryption_private_key = NULL;
+ server->private_data->encryption_private_keys = NULL;
 server->private_data->svc_metadatas = NULL;
 server->providers = g_hash_table_new_full(
@@ -610,7 +607,7 @@ lasso_server_new(const gchar *metadata,
 if (lasso_provider_load_metadata(LASSO_PROVIDER(server), metadata) == FALSE) {
 message(G_LOG_LEVEL_CRITICAL, "Failed to load metadata from %s.", metadata);
- lasso_node_destroy(LASSO_NODE(server));
+ lasso_release_gobject(server);
 return NULL;
 }
 }
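Review bot: `lasso_server_set_encryption_private_key_with_password` now appends to `encryption_private_keys` and the removed `else` branch no longer clears anything, so a caller that used to pass a NULL path to unset the key gets a silent no-op, and repeated calls accumulate keys instead of replacing them; the call `init_from_xml` now makes in the second hunk will therefore add a second copy of the same key to a server that already holds it, and its return value is ignored there, so a key that fails to load from a dump is silently absent. If appending is the intended contract, say so in the function's doc comment, e.g. `Adds the key to the list of keys tried for decryption; keys set earlier are kept, and a NULL path is a no-op.`, and consider releasing the list in the NULL case to keep the old unset behaviour. The function begins outside the hunk.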
@@ -619,11 +616,11 @@ lasso_server_new(const gchar *metadata,
 if (private_key) {
 lasso_assign_string(server->private_key, private_key);
 lasso_assign_string(server->private_key_password, private_key_password);
- server->private_data->encryption_private_key = lasso_xmlsec_load_private_key(private_key,
- private_key_password);
- if (! server->private_data->encryption_private_key) {
+ if (lasso_server_set_encryption_private_key_with_password(server, private_key,
+ private_key_password) != 0) {
 message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
 lasso_release_gobject(server);
+ return NULL;
 }
 }
 lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
@@ -657,7 +654,7 @@ lasso_server_new_from_buffers(const char *metadata, const char *private_key_cont
 if (lasso_provider_load_metadata_from_buffer(LASSO_PROVIDER(server), metadata) == FALSE) {
 message(G_LOG_LEVEL_CRITICAL, "Failed to load metadata from preloaded buffer");
- lasso_node_destroy(LASSO_NODE(server));
+ lasso_release_gobject(server);
 return NULL;
 }
 }
@@ -665,12 +662,12 @@ lasso_server_new_from_buffers(const char *metadata, const char *private_key_cont
 if (private_key_content) {
 lasso_assign_string(server->private_key, private_key_content);
 lasso_assign_string(server->private_key_password, private_key_password);
- server->private_data->encryption_private_key =
- lasso_xmlsec_load_private_key_from_buffer(private_key_content,
- strlen(private_key_content), private_key_password);
- if (! server->private_data->encryption_private_key) {
+
+ if (lasso_server_set_encryption_private_key_with_password(server, private_key_content,
+ private_key_password) != 0) {
 message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
 lasso_release_gobject(server);
+ return NULL;
 }
 }
 lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
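Review bot: `lasso_server_new_from_buffers` now hands `private_key_content`, which is PEM text rather than a path, to `lasso_server_set_encryption_private_key_with_password`, where the removed code used `lasso_xmlsec_load_private_key_from_buffer`; this is only correct if the loader behind the setter accepts in-memory key material as well as a file name, which nothing on this page shows. A comment at the call site stating that the setter handles both forms, or a test that builds a server from buffers only, would pin that down. The extra blank `+` line before the `if` in that hunk is not present in the sibling hunk of `lasso_server_new` and can go.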
@@ -731,14 +728,14 @@ lasso_server_get_private_key(LassoServer *server)
 }
 /**
- * lasso_server_get_encryption_private_key:
+ * lasso_server_get_encryption_private_keys:
 * @server: a #LassoServer object
 *
- * Return:(transfer none): a xmlSecKey object, it is owned by the #LassoServer object, so do not
+ * Return:(transfer none)(element-type xmlSecKeyPtr): a GList of xmlSecKey object, it is owned by the #LassoServer object, so do not
 * free it.
 */
-xmlSecKey*
-lasso_server_get_encryption_private_key(LassoServer *server)
+GList*
+lasso_server_get_encryption_private_keys(LassoServer *server)
 {
 if (! LASSO_IS_SERVER(server))
 return NULL;
@@ -746,7 +743,7 @@ lasso_server_get_encryption_private_key(LassoServer *server)
 if (! server->private_data)
 return NULL;
- return server->private_data->encryption_private_key;
+ return server->private_data->encryption_private_keys;
 }
 /**
diff --git a/lasso/id-ff/serverprivate.h b/lasso/id-ff/serverprivate.h
index 8375fc2e..c800edc2 100644
--- a/lasso/id-ff/serverprivate.h
+++ b/lasso/id-ff/serverprivate.h
@@ -32,7 +32,7 @@ extern "C" {
 struct _LassoServerPrivate {
 gboolean dispose_has_run;
- xmlSecKey *encryption_private_key;
+ GList *encryption_private_keys;
 GList *svc_metadatas;
 };
@@ -40,7 +40,7 @@ gchar* lasso_server_get_first_providerID(LassoServer *server);
 gchar* lasso_server_get_first_providerID_by_role(const LassoServer *server, LassoProviderRole role);
 gchar* lasso_server_get_providerID_from_hash(LassoServer *server, gchar *b64_hash);
 xmlSecKey* lasso_server_get_private_key(LassoServer *server);
-xmlSecKey* lasso_server_get_encryption_private_key(LassoServer *server);
+GList* lasso_server_get_encryption_private_keys(LassoServer *server);
 #ifdef __cplusplus
 }
diff --git a/lasso/id-wsf-2.0/saml2_login.c b/lasso/id-wsf-2.0/saml2_login.c
index fc0f074b..6f86ff8e 100644
--- a/lasso/id-wsf-2.0/saml2_login.c
+++ b/lasso/id-wsf-2.0/saml2_login.c
@@ -91,7 +91,7 @@ lasso_server_create_assertion_as_idwsf2_security_token(LassoServer *server,
 lasso_release_gobject(assertion);
 goto cleanup;
 }
- lasso_assign_gobject(assertion->Subject->EncryptedID, encrypted_id);
+ lasso_assign_new_gobject(assertion->Subject->EncryptedID, encrypted_id);
 } else {
 lasso_assign_new_gobject(assertion->Subject->NameID, name_id);
 }
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 3955b62c..acc9125a 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1160,16 +1160,16 @@ _lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provi
 static gint
 _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
 {
- xmlSecKey *encryption_private_key;
- GList *it;
+ GList *encryption_private_keys = NULL;
+ GList *it = NULL;
 gboolean at_least_one_decryption_failture = FALSE;
 gboolean at_least_one_malformed_element = FALSE;
 if (! samlp2_response->EncryptedAssertion)
 return 0; /* nothing to do */
- encryption_private_key = lasso_server_get_encryption_private_key(login->parent.server);
- if (! encryption_private_key) {
+ encryption_private_keys = lasso_server_get_encryption_private_keys(login->parent.server);
+ if (! encryption_private_keys) {
 message(G_LOG_LEVEL_WARNING, "Missing private encryption key, cannot decrypt assertions.");
 return LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY;
 }
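Review bot: `lasso_assign_new_gobject(assertion->Subject->EncryptedID, encrypted_id);` transfers ownership of `encrypted_id` to the assertion, where `lasso_assign_gobject` used to take a reference of its own; this is a leak fix only if `encrypted_id` is not also released at the `cleanup:` label the error path just above jumps to, which lies outside the hunk — if it is, the change turns a leak into a double unref. A one-line comment at the assignment, `/* ownership of encrypted_id moves to the assertion */`, would stop the next reader from re-adding a release. lasso_server_create_assertion_as_idwsf2_security_token starts and ends outside the hunk.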
@@ -1185,9 +1185,19 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
 continue;
 }
 encrypted_assertion = (LassoSaml2EncryptedElement*)it->data;
- rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
-
- if (rc1) {
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys)
+ {
+ rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
+ if (rc1 == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED) {
+ message(G_LOG_LEVEL_WARNING, "Could not decrypt the EncryptedKey");
+ at_least_one_decryption_failture |= TRUE;
+ continue;
+ } else if (rc1) {
 message(G_LOG_LEVEL_WARNING, "Could not decrypt an assertion: %s", lasso_strerror(rc1));
 at_least_one_decryption_failture |= TRUE;
 continue;
@@ -1429,6 +1439,7 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
 lasso_check_good_rc(lasso_saml20_profile_build_response_msg(profile, NULL, http_method, url));
 cleanup:
+ lasso_release_string(url);
 return rc;
 }
@@ -1486,7 +1497,7 @@ lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
 return LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND;
 lasso_assign_string(profile->remote_providerID, remote_providerID);
- lasso_assign_gobject(profile->request, lasso_samlp2_authn_request_new());
+ lasso_assign_new_gobject(profile->request, lasso_samlp2_authn_request_new());
 lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy,
 lasso_samlp2_name_id_policy_new());
 lasso_assign_new_gobject(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer,
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 7921e04a..97b5ac69 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
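Review bot: The inner `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)` reuses `it`, the iterator of the surrounding loop over the EncryptedAssertion list (`encrypted_assertion = (LassoSaml2EncryptedElement*)it->data;` three lines above); if the macro declares its own `GList *it` in a nested block this is shadowing that -Wshadow will flag, and if it assigns to the existing variable the outer loop is broken after the first element. Use a distinct name, `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, key_it, encryption_private_keys)`. Separately, `if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED)` is meant to single out an EncryptedKey failure, but the lasso/xml/tools.c hunk in this same commit now sets `rc = LASSO_DS_ERROR_ENCRYPTION_FAILED` on exactly that path, so unless `lasso_saml2_encrypted_element_decrypt` remaps the code this branch is unreachable and the generic "Could not decrypt an assertion" message is logged instead; one of the two sides needs to change. _lasso_saml20_login_decrypt_assertion starts and ends outside the hunk.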
@@ -506,10 +506,23 @@ lasso_saml20_profile_set_session_from_dump_decrypt(
 assertion->Subject->EncryptedID->original_data);
 lasso_release_gobject(assertion->Subject->EncryptedID);
 } else { /* decrypt */
- int rc = 0;
- rc = lasso_saml2_encrypted_element_decrypt(assertion->Subject->EncryptedID,
- lasso_server_get_encryption_private_key(profile->server),
- (LassoNode**) &assertion->Subject->NameID);
+ int rc;
+ GList *encryption_private_keys =
+ lasso_server_get_encryption_private_keys(profile->server);
+
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys);
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(
+ assertion->Subject->EncryptedID,
+ encryption_private_key,
+ (LassoNode**)&assertion->Subject->NameID);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+
 if (rc == 0) {
 lasso_release_gobject(assertion->Subject->EncryptedID);
 } else {
@@ -560,7 +573,6 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 LassoSaml2NameID **name_id, LassoSaml2EncryptedElement **encrypted_id)
 {
- xmlSecKey *encryption_private_key = NULL;
 int rc = 0;
 lasso_bad_param(PROFILE, profile);
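Review bot: `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys);` carries a trailing semicolon, unlike the same construct in lasso/saml-2.0/login.c and lasso/saml-2.0/saml2_helper.c in this commit; because the macro opens a block, the `;` is an empty statement and the `{ ... }` that follows is a free block, so it compiles but reads as a complete statement followed by an unrelated scope. Drop the `;` here and in the second use in `lasso_saml20_profile_process_name_identifier_decryption` (next hunk). When every key fails, the `rc` that survives the loop is the last key's error, which hides the first key's reason when the two differ; a `message(G_LOG_LEVEL_DEBUG, ...)` per failed key would make rollover problems diagnosable. lasso_saml20_profile_set_session_from_dump_decrypt starts and ends outside the hunk.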
@@ -568,15 +580,20 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 lasso_null_param(encrypted_id);
 if (*name_id == NULL && *encrypted_id != NULL) {
- encryption_private_key = profile->server->private_data->encryption_private_key;
 if (! LASSO_IS_SAML2_ENCRYPTED_ELEMENT(*encrypted_id)) {
 return LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER;
 }
- if (encrypted_id != NULL && encryption_private_key == NULL) {
- return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ lasso_server_get_encryption_private_keys(profile->server));
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
+ &profile->nameIdentifier);
+ if (rc == 0)
+ break;
 }
- rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
- &profile->nameIdentifier);
+ lasso_foreach_full_end();
+
 if (rc) goto cleanup;
 if (! LASSO_IS_SAML2_NAME_ID(profile->nameIdentifier)) {
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index 747ca2e5..66293c3f 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -287,7 +287,6 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 } else {
 name = g_strdup_printf("%s %s", xmlnode->name, binding_s);
 }
- lasso_release_xml_string(binding);
 /* Response endpoint ? */
 response_value = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_RESPONSE_LOCATION);
@@ -301,6 +300,7 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 _lasso_provider_add_metadata_value_for_role(provider, role, name, (char*)value);
 cleanup:
+ lasso_release_xml_string(binding);
 lasso_release_xml_string(value);
 lasso_release_xml_string(response_value);
 lasso_release_string(name);
diff --git a/lasso/saml-2.0/saml2_helper.c b/lasso/saml-2.0/saml2_helper.c
index 3d835962..4151a7b4 100644
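Review bot: The list argument here is the call `lasso_server_get_encryption_private_keys(profile->server)` written straight into `lasso_foreach_full_begin`, while the other three call sites in this commit store the result in a local first; if the macro evaluates its list parameter more than once (for instance in the `for` condition) the getter runs on every iteration, and a local `GList *encryption_private_keys = lasso_server_get_encryption_private_keys(profile->server);` would remove the doubt and match the siblings. The trailing `;` after the macro call is the same stylistic slip as in the previous hunk of this file. lasso_saml20_profile_process_name_identifier_decryption starts and ends outside the hunk.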
--- a/lasso/saml-2.0/saml2_helper.c
+++ b/lasso/saml-2.0/saml2_helper.c
@@ -776,8 +776,22 @@ int
 lasso_saml2_encrypted_element_server_decrypt(LassoSaml2EncryptedElement* encrypted_element, LassoServer *server, LassoNode** decrypted_node)
 {
 lasso_bad_param(SERVER, server);
+ int rc = 0;
+ GList *encryption_private_keys;
- return lasso_saml2_encrypted_element_decrypt(encrypted_element, lasso_server_get_encryption_private_key(server), decrypted_node);
+ encryption_private_keys = lasso_server_get_encryption_private_keys(server);
+ if (! encryption_private_keys) {
+ return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ }
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(encrypted_element,
+ encryption_private_key, decrypted_node);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ return rc;
 }
 /**
diff --git a/lasso/saml-2.0/server.c b/lasso/saml-2.0/server.c
index f2dc8879..cac2d89b 100644
--- a/lasso/saml-2.0/server.c
+++ b/lasso/saml-2.0/server.c
@@ -139,7 +139,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 provider = lasso_provider_new_from_xmlnode(role, entity);
 if (provider) {
- char *name = g_strdup(provider->ProviderID);
+ char *name = provider->ProviderID;
 if (g_list_find_custom(blacklisted_entity_ids, name, (GCompareFunc) g_strcmp0)) {
@@ -153,7 +153,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 l->next->data = g_strdup(name);
 *loaded_end = l->next;
 }
- g_hash_table_insert(server->providers, name, provider);
+ g_hash_table_insert(server->providers, g_strdup(name), provider);
 return 0;
 } else {
 return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 0eeb8d2f..b4afba91 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
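Review bot: In lasso/saml-2.0/server.c, `char *name = provider->ProviderID;` now aliases a string owned by `provider`, where the removed code held its own copy; the blacklist branch that follows `g_list_find_custom(...)` lies outside the hunk, so make sure it does not release `provider` and then use `name` (for a log message or the loaded list), which would be a use-after-free. A comment at the declaration, `/* borrowed from provider, valid only while provider lives */`, would make the new lifetime explicit. In the saml2_helper.c hunk an empty key list yields `LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY`, while `_lasso_saml20_login_decrypt_assertion` returns `LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY` for the same condition; one code for "no decryption key configured" would simplify callers' handling.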
@@ -1574,7 +1574,7 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 xmlChar *algorithm = NULL;
 xmlSecKeyDataId key_type;
 GList *i = NULL;
- int rc = LASSO_DS_ERROR_DECRYPTION_FAILED;
+ int rc = LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA;
 if (encryption_private_key == NULL || !xmlSecKeyIsValid(encryption_private_key)) {
 message(G_LOG_LEVEL_WARNING, "Invalid decryption key");
@@ -1582,6 +1582,8 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 goto cleanup;
 }
+ xmlSetGenericErrorFunc(NULL, lasso_xml_generic_error_func);
+
 /* Need to duplicate it because xmlSecEncCtxDestroy(encCtx); will destroy it */
 encryption_private_key = xmlSecKeyDuplicate(encryption_private_key);
@@ -1655,8 +1657,8 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 if (key_buffer != NULL) {
 sym_key = xmlSecKeyReadBuffer(key_type, key_buffer);
 }
+ rc = LASSO_DS_ERROR_ENCRYPTION_FAILED;
 if (sym_key == NULL) {
- message(G_LOG_LEVEL_WARNING, "EncryptedKey decryption failed");
 goto cleanup;
 }
@@ -1673,6 +1675,7 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 /* decrypt the EncryptedData */
 if ((xmlSecEncCtxDecrypt(encCtx, encrypted_data_node) < 0) || (encCtx->result == NULL)) {
+ rc = LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA;
 message(G_LOG_LEVEL_WARNING, "EncryptedData decryption failed");
 goto cleanup;
 }
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index 465a6992..9ce3f245 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -916,6 +916,7 @@ _lasso_node_free_custom_element(struct _CustomElement *custom_element)
 lasso_release_string(custom_element->private_key);
 lasso_release_string(custom_element->private_key_password);
 lasso_release_string(custom_element->certificate);
+ lasso_release_sec_key(custom_element->encryption_public_key);
 }
 lasso_release(custom_element);
 }
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index e0158055..69991d4b 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
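Review bot: `xmlSetGenericErrorFunc(NULL, lasso_xml_generic_error_func);` installs a process-wide libxml2 error handler as a side effect of every decryption and never restores it, overriding whatever handler the embedding application had set; a global like this belongs in library initialisation, or should be saved and restored around the xmlSec calls, and in any case deserves a comment saying why it is done here. With `rc` now initialised to `LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA`, the "Invalid decryption key" exit in the first hunk reports a malformed EncryptedData for what is a key problem, unless the line between the two hunks assigns `rc`; setting `rc = LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY;` next to that message would keep the two failure classes apart. The removed "EncryptedKey decryption failed" log line was the only place that failure was recorded, and the new error code's strerror text tells users to look at the logs, so a replacement message at the `sym_key == NULL` exit is needed. lasso_node_decrypt_xmlnode starts and ends outside the hunks.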
@@ -1840,6 +1840,13 @@ START_TEST(test10_test_alldumps)
 lasso_release_string(node_dump);
 lasso_release_gobject(node2);
 lasso_release_gobject(node);
+ /* test serialization / deserialization of KeyInfoConfirmationDataType */
+ node = LASSO_NODE(lasso_saml2_key_info_confirmation_data_type_new());
+ node_dump = lasso_node_dump(node);
+ fail_unless((node2 = lasso_node_new_from_dump(node_dump)) != NULL, "restoring dump failed after lasso_saml2_key_info_confirmation_data_type_new");
+ lasso_release_string(node_dump);
+ lasso_release_gobject(node2);
+ lasso_release_gobject(node);
 #endif
 /* test deserialization of saml2:EncryptedAssertion" */
 const char *encrypted_element_xml[] = {
@@ -1873,10 +1880,6 @@ START_TEST(test10_test_alldumps)
 lasso_release_doc(xmldoc);
 ++iter;
 }
- /* test serialization / deserialization of KeyInfoConfirmationDataType */
- node = LASSO_NODE(lasso_saml2_key_info_confirmation_data_type_new());
- printf("%s\n", lasso_node_debug(node, 10));
- lasso_release_gobject(node);
 }
 END_TEST
@@ -1976,6 +1979,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
 check_equals(g_list_length(loaded_entity_ids), 283);
 check_equals(g_hash_table_size(server->providers), 393);
 #endif
+ lasso_release_list_of_strings(loaded_entity_ids);
 lasso_release_gobject(server);
 }
diff --git a/tests/data/idp6-saml2/certificate.pem b/tests/data/idp6-saml2/certificate.pem
new file mode 100644
index 00000000..9bdaf99d
--- /dev/null
+++ b/tests/data/idp6-saml2/certificate.pem
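Review bot: The KeyInfoConfirmationDataType round-trip moved from the end of the test into the block that closes with the `#endif` just below it, so it now runs only when that conditional is enabled (the matching `#if` is outside the hunk), whereas the removed version ran unconditionally; if the condition is a build option, the check disappears on the other configuration. Placing the new `fail_unless` round-trip after the `#endif` keeps the improvement over the old `printf` without the new dependency. The commit also adds sp11-multikey-saml2 fixtures, but no test exercising the multi-key decryption path appears in this chunk — it may live in a file outside this view, otherwise the rollover behaviour is untested.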
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 +dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 +MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF +UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq +h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m +6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u +uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH +ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi ++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA +AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G +A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB +AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ +BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa +pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew +fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP +NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR +LlTxKnCrWAXftSm1rNtewTsF +-----END CERTIFICATE----- diff --git a/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem b/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem new file mode 100644 index 00000000..9bdaf99d --- /dev/null +++ b/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 +dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 +MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF +UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq +h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m +6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u +uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH +ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi ++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA +AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G +A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB +AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ +BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa +pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew +fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP +NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR +LlTxKnCrWAXftSm1rNtewTsF +-----END CERTIFICATE----- diff --git a/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem b/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem new file mode 100644 index 00000000..cb830e75 --- /dev/null +++ b/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem 
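Review bot: The blob id in this file's header (`index 00000000..9bdaf99d`) is the same as for tests/data/idp6-saml2/certificate.pem added just before it, so the SP's post-rollover certificate is the IdP's own certificate; a rollover test in which the new SP key equals the IdP key cannot catch the IdP encrypting to its own key or picking the wrong KeyDescriptor, so a distinct key pair for the after-rollover state would make the fixture more discriminating. Reading the validity fields of the two certificates, both had already expired at the commit date (this one on 2011-10-26, the before-rollover one on 2011-02-18), which matters only if the metadata loader checks certificate validity.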
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV +BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV +MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1 +ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp +F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV +HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg +LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO +pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH +S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB +/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3 +8bNF5SUdZmcRJzk3LKXZ9nkA +-----END CERTIFICATE----- diff --git a/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml b/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml new file mode 100644 index 00000000..3fe5f754 --- /dev/null +++ b/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml 
@@ -0,0 +1,88 @@ +<?xml version="1.0"?> +<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + entityID="http://sp11/metadata"> + <SPSSODescriptor + AuthnRequestsSigned="true" + protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate> +MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV +BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV +MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1 +ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp +F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV +HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg +LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO +pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH +S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB +/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3 +8bNF5SUdZmcRJzk3LKXZ9nkA +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + +<KeyDescriptor> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 +dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 +MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF +UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq +h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m +6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u 
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH +ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi ++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA +AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G +A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB +AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ +BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa +pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew +fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP +NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR +LlTxKnCrWAXftSm1rNtewTsF</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + + <ArtifactResolutionService isDefault="true" index="0" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/artifact" /> + <SingleLogoutService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/singleLogoutSOAP" /> + <SingleLogoutService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + Location="http://sp11/singleLogout" + ResponseLocation="http://sp11/singleLogoutReturn" /> + <ManageNameIDService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/manageNameIdSOAP" /> + <ManageNameIDService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + Location="http://sp11/manageNameId" + ResponseLocation="http://sp11/manageNameIdReturn" /> + <AssertionConsumerService isDefault="true" index="0" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" + Location="http://sp11/singleSignOnArtifact" /> + <AssertionConsumerService index="1" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + Location="http://sp11/singleSignOnPost" /> + <AssertionConsumerService index="2" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" + 
Location="http://sp11/singleSignOnSOAP" /> + <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> + </SPSSODescriptor> + <Organization> + <OrganizationName xml:lang="en">Example SAML 2.0 metadatas</OrganizationName> + </Organization> +</EntityDescriptor> diff --git a/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml b/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml new file mode 100644 index 00000000..bfb91a5d --- /dev/null +++ b/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml 
@@ -0,0 +1,88 @@ +<?xml version="1.0"?> +<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + entityID="http://sp11/metadata"> + <SPSSODescriptor + AuthnRequestsSigned="true" + protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <KeyDescriptor> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate> +MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV +BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV +MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1 +ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp +F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV +HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg +LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO +pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH +S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB +/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3 +8bNF5SUdZmcRJzk3LKXZ9nkA +</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + +<KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 +dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 +MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF +UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq +h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m +6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u 
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH +ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi ++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA +AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 +ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G +A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB +AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ +BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa +pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew +fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP +NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR +LlTxKnCrWAXftSm1rNtewTsF</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </KeyDescriptor> + + <ArtifactResolutionService isDefault="true" index="0" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/artifact" /> + <SingleLogoutService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/singleLogoutSOAP" /> + <SingleLogoutService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + Location="http://sp11/singleLogout" + ResponseLocation="http://sp11/singleLogoutReturn" /> + <ManageNameIDService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + Location="http://sp11/manageNameIdSOAP" /> + <ManageNameIDService + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + Location="http://sp11/manageNameId" + ResponseLocation="http://sp11/manageNameIdReturn" /> + <AssertionConsumerService isDefault="true" index="0" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" + Location="http://sp11/singleSignOnArtifact" /> + <AssertionConsumerService index="1" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + Location="http://sp11/singleSignOnPost" /> + <AssertionConsumerService index="2" + Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" + 
Location="http://sp11/singleSignOnSOAP" /> + <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> + </SPSSODescriptor> + <Organization> + <OrganizationName xml:lang="en">Example SAML 2.0 metadatas</OrganizationName> + </Organization> +</EntityDescriptor> diff --git a/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem b/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem new file mode 100644 index 00000000..626e1fcc --- /dev/null +++ b/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem 
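Review bot: Both certificates in this fixture were already past their notAfter date when the commit was made: the DER validity fields decode to 2011-01-19 → 2011-02-18 for the first KeyDescriptor and 2006-10-27 → 2011-10-26 for the `use="signing"` one (worth re-checking with an X.509 parser). test06 nevertheless encrypts to the first certificate and the SP accepts the result, so this file also pins the fact that the encryption path does not enforce the certificate validity period; a comment would stop the next person from regenerating the certificates without knowing a test depends on them, e.g. `<!-- Test-only fixture: both certificates are expired; test06 in tests/login_tests_saml2.c relies on the encryption path not rejecting them -->`. Note also that only the first KeyDescriptor (no `use` attribute) is eligible for encryption since the second is `use="signing"`, so the before-rollover encryption key is the 1024-bit one whose modulus matches private-key-before-rollover.pem — a short comment naming which private key pairs with which descriptor would make the rollover scenario readable without decoding the base64.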
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzTofHpWAdhH3BR/+1lVVNGRVY2qH3H4+8cDaofg5gy6oazgB +/qVTZixm+euZF1wVa/T5SR0CBeFF4JYBmC0HWl39b2bqoNGV0ILLKyjDrE88pHP+ +k5PBFeb98zRAY95fPDOPfgFc4g64W76fvri8qfXx3665UATOTXnvqnFOnilA/Ml9 +00ust5Dy/IKyGgVT4xgm2nVQD6HYmg7Rjyga/LBtTEeKgc3k++fM5t8AzhdoNCiG +Z/Ez1RztanjEoBzWdSrmHAGsemMUxFLPpQJ8yglIYiL7fEkyQ0KMvRcTDk0pVzmN +EqTNKQ3mPwpMz+TWM8+wMc9FjNtZaGc213omWQIDAQABAoIBAEPj5keHzWdBqiXX +38WnlPgv+M9afndCjDANTEYoh14OIUjWzlIe/ufd6HLkrVA89hkwgQbewbyQOT2C +YiSlQLl0PlKMCTIKIzVHD07HvXNTAwykEqNfTZChSYEa1/Ixre+MXvugF8nwdKxk +8xN0qXTQF6OXeVYvQNAAdng743YON4ubqKlEezIwnfG/jcoZrGkiTpx+k1JXJsZN +4dHKFP12RRhUTGjaOkBo41w8GNKQLFpy1vqAOYMyi1SJcrwpAu3H0iQug9SylQaM +bFjt8j/m13gu3zXIJbi8xbyg3nqpxl9dxcZG/cDA9z2tLu/h3G3nPq7CXvkZxmjl +ePvOCwECgYEA9zbwYMtd8tT3PHtrCtjwkfxV0dvMmfNw/rRT4ShWtKLmgX+K9nz/ +T4qpbehz4z7OvsLjQ6Bt6wjMNMw9SEBeEMyDVTpmzSD2PowARegmeLX4CsilqHHl +/AMYUtywEQ2f65/CWPiMIt8mLnEyJ/dsyVLpuzGUNNt34Yaqpu2qXnUCgYEA1IUy +PObmTh3I8ZyESyGhbu2TYs0A8Zy6eTIAv0ijOIpmUykzjE5pR9sB3nYEd4GTHPEv +hF6SWfNIDDr83TqThJYzkFyXMCxiVLH55U42wlsvwp4jTnOI3K/7Y7U/lEmBlgcl +JbIIv1t9okg3+Kuu4i7iB6JR89cSO/Wfcdu/c9UCgYAHE5eF7cxeqyH4pT/HK7aX +NzXtr/EHZySQ5fCQvWrd+NvIUTJVI/ba/AklkEXg92dLpqCCyxDabYIK8N3AN7d5 +m6EWy3kt3geueqt3VNHlGrBi/qNfUwNWV3BWzuJrWox9XjFeAp9gUCrzoWHiKv7+ +NFVkemLXsICaABTaemsqEQKBgQDJJ4n1u1gieG7Kwqs1sg9rP9RRoFlUWFTogjvS +0p4r1lQkQstX8qAUM2gBeROhSjRFIMUpNZqxKWT4rpzJibg3tzP3YKx6HIi2Qf+W +3AFY1ZbPT397sj/JI4l/Rv93DFxr9TdkBq/g8GhqQpE3/sj5rgaj0zBe7SOFPWg+ +DRGaQQKBgEEcSF5KmpIHnhi3WlfGiEtx3kcD63orKME0YYA5BM6wnmRT4QiSw+qj +i7ljrKGSbmdMFC3ArM42/k2lXYpVLsYWmyaRYSgbdowxLM1XxDJMFIPR2uG6N+vi +HzWkRxi2SXKU42vfs5eA0itHvQP2DfUx8VuvtwVbOxDGgntYia70 +-----END RSA PRIVATE KEY----- diff --git a/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem b/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem new file mode 100644 index 00000000..ac7a9b59 --- /dev/null +++ b/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2H +p+elCwcCogL1ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41 +vG5auA4ve1XpF11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQAB +AoGAKqJ3zhmzZwcwxvRoN1bKUblIh0GJDUZ20tKHf+f2PONuKgggbS5OBA+JZKGj +7VXLBbutD1tSGYSxXtKCv4dy97xDWlsWmc9AhWss0i7bYMQ+bps0buCtLclrBbOA +5N9/NU1j2E+V7CStQ8C7P3DbEjYuwm9lB+A85HFaONXhT5ECQQDzAKw8j/+6M5Ib +asuO+Vj7WIelVaXJ2pjLrf78pQInYt1elO/bqqi4AMJu953OIY7dlDKlu1BPd+9J +5/lrw6q7AkEA0LxtXRfiJrcZdQf8X6Uq51hceQSbnkWB+d4CREMtAK2tpbsb/kJc +INvG2ncVb0MUbv/6jrlHZf7/oua6PpbaHQJBANpHT2+zVd33dxXjr2gFeTWFh4sv +TRXtovTKndJpkm64surD1FU4jgeCvySYjorbwA4vkfMnN/O6Yxq7ImP3xgMCQQDP +TYOTxAd/CbNHrnGvj7qnXfMg4TmoG0H1pM49ezWzicl+YfBwOPmETKEWENSB1m3x +u1nc6xeErZa280yeonTlAkAHzm/BUqAY8I1IMQMcNn4db9CJK3pRHRHjPxYMClWK +TPsLK5iak13+EZ6r9Lej/i1J4cujVh7ijA7J9zH+01Ve +-----END RSA PRIVATE KEY----- diff --git a/tests/integration/valgrind-wrapper.sh b/tests/integration/valgrind-wrapper.sh index 5c3275b7..b66208b8 100755 --- a/tests/integration/valgrind-wrapper.sh +++ b/tests/integration/valgrind-wrapper.sh @@ -5,6 +5,6 @@ if [ $1 == 'python' ]; then else NAME=$1 fi -env G_DEBUG=gc-friendly MALLOC_CHECK_=2 G_SLICE=always-malloc valgrind --show-reachable=yes --suppressions=../valgrind/lasso.supp --suppressions=../valgrind/glib.supp --suppressions=../valgrind/openssl.supp --suppressions=/usr/lib/valgrind/python.supp --leak-check=full --log-file="${NAME}_${DATE}_pid-$$.log" --track-origins=yes "$@" +env G_DEBUG=gc-friendly MALLOC_CHECK_=2 G_SLICE=always-malloc valgrind --show-reachable=yes --suppressions=../valgrind/lasso.supp --suppressions=../valgrind/glib.supp --suppressions=../valgrind/openssl.supp --suppressions=/usr/lib/valgrind/python.supp --log-file="${NAME}_${DATE}_pid-$$.log" --track-origins=yes --num-callers=50 "$@" diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c index 27c0f820..448e1fa6 100644 --- a/tests/login_tests_saml2.c 
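Review bot: The rewritten valgrind line drops `--leak-check=full` while adding `--num-callers=50`, so leak reports from this wrapper fall back to valgrind's default summary mode and the per-leak stacks that the suppressions added in tests/valgrind/lasso.supp are written against are no longer printed. If the removal is deliberate it deserves a comment above the line, otherwise keep both flags: `... --leak-check=full --log-file="${NAME}_${DATE}_pid-$$.log" --track-origins=yes --num-callers=50 "$@"`. The surrounding `[ $1 == 'python' ]` is pre-existing, but `==` inside `[` is a bashism and an empty `$1` makes it a syntax error; `[ "$1" = 'python' ]` is the portable form.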
+++ b/tests/login_tests_saml2.c 
@@ -799,6 +799,107 @@ START_TEST(test05_sso_idp_with_key_rollover)
 }
 END_TEST
 
+#define make_context(ctx, server_prefix, server_suffix, provider_role, \
+ provider_prefix, provider_suffix) \
+ ctx = lasso_server_new( \
+ TESTSDATADIR server_prefix "/metadata" server_suffix ".xml", \
+ TESTSDATADIR server_prefix "/private-key" server_suffix ".pem", \
+ NULL, /* Secret key to unlock private key */ \
+ TESTSDATADIR server_prefix "/certificate" server_suffix ".pem"); \
+ check_not_null(ctx); \
+ check_good_rc(lasso_server_add_provider( \
+ ctx, \
+ provider_role, \
+ TESTSDATADIR provider_prefix "/metadata" provider_suffix ".xml", \
+ NULL, \
+ NULL)); \
+ providers = g_hash_table_get_values(ctx->providers); \
+ check_not_null(providers); \
+ lasso_provider_set_encryption_mode(LASSO_PROVIDER(providers->data), \
+ LASSO_ENCRYPTION_MODE_ASSERTION | LASSO_ENCRYPTION_MODE_NAMEID); \
+ g_list_free(providers);
+
+void
+sso_sp_with_key_rollover(LassoServer *idp_context, LassoServer *sp_context)
+{
+ LassoLogin *idp_login_context;
+ LassoLogin *sp_login_context;
+
+ check_not_null(idp_login_context = lasso_login_new(idp_context));
+ check_not_null(sp_login_context = lasso_login_new(sp_context))
+
+ /* Create response */
+ check_good_rc(lasso_login_init_idp_initiated_authn_request(idp_login_context,
+ "http://sp11/metadata"));
+
+ lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->ProtocolBinding,
+ LASSO_SAML2_METADATA_BINDING_POST);
+ lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->NameIDPolicy->Format,
+ LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT);
+ LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->NameIDPolicy->AllowCreate = 1;
+
+ check_good_rc(lasso_login_process_authn_request_msg(idp_login_context, NULL));
+ check_good_rc(lasso_login_validate_request_msg(idp_login_context,
+ 1, /* authentication_result */
+ 0 /* is_consent_obtained */
+ ));
+
+ check_good_rc(lasso_login_build_assertion(idp_login_context,
+ LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
+ "FIXME: authenticationInstant",
+ "FIXME: reauthenticateOnOrAfter",
+ "FIXME: notBefore",
+ "FIXME: notOnOrAfter"));
+ check_good_rc(lasso_login_build_authn_response_msg(idp_login_context));
+ check_not_null(idp_login_context->parent.msg_body);
+ check_not_null(idp_login_context->parent.msg_url);
+
+ /* Process response */
+ check_good_rc(lasso_login_process_authn_response_msg(sp_login_context,
+ idp_login_context->parent.msg_body));
+ check_good_rc(lasso_login_accept_sso(sp_login_context));
+
+ /* Cleanup */
+ lasso_release_gobject(idp_login_context);
+ lasso_release_gobject(sp_login_context);
+}
+
+START_TEST(test06_sso_sp_with_key_rollover)
+{
+ LassoServer *idp_context_before_rollover = NULL;
+ LassoServer *idp_context_after_rollover = NULL;
+ LassoServer *sp_context_before_rollover = NULL;
+ LassoServer *sp_context_after_rollover = NULL;
+ GList *providers;
+
+ /* Create an IdP context for IdP initiated SSO with provider metadata 1 */
+ make_context(idp_context_before_rollover, "idp6-saml2", "", LASSO_PROVIDER_ROLE_SP,
+ "sp11-multikey-saml2", "-before-rollover")
+ make_context(idp_context_after_rollover, "idp6-saml2", "", LASSO_PROVIDER_ROLE_SP,
+ "sp11-multikey-saml2", "-after-rollover")
+ make_context(sp_context_before_rollover, "sp11-multikey-saml2", "-before-rollover",
+ LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", "")
+ lasso_server_set_encryption_private_key(sp_context_before_rollover,
+ TESTSDATADIR "sp11-multikey-saml2/private-key-after-rollover.pem");
+ make_context(sp_context_after_rollover, "sp11-multikey-saml2", "-after-rollover",
+ LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", "")
+ lasso_server_set_encryption_private_key(sp_context_after_rollover,
+ TESTSDATADIR "sp11-multikey-saml2/private-key-before-rollover.pem");
+
+ /* Tests...
*/ + sso_sp_with_key_rollover(idp_context_before_rollover, sp_context_before_rollover); + sso_sp_with_key_rollover(idp_context_after_rollover, sp_context_before_rollover); + sso_sp_with_key_rollover(idp_context_before_rollover, sp_context_after_rollover); + sso_sp_with_key_rollover(idp_context_after_rollover, sp_context_after_rollover); + + /* Cleanup */ + lasso_release_gobject(idp_context_before_rollover); + lasso_release_gobject(idp_context_after_rollover); + lasso_release_gobject(sp_context_before_rollover); + lasso_release_gobject(sp_context_after_rollover); +} +END_TEST + Suite* login_saml2_suite() { @@ -808,16 +909,19 @@ login_saml2_suite() TCase *tc_spLoginMemory = tcase_create("Login initiated by service provider without key loading"); TCase *tc_spSloSoap = tcase_create("Login initiated by service provider without key loading and with SLO SOAP"); TCase *tc_idpKeyRollover = tcase_create("Login initiated by idp, idp use two differents signing keys (simulate key roll-over)"); + TCase *tc_spKeyRollover = tcase_create("Login initiated by idp, sp use two differents encrypting keys (simulate key roll-over)"); suite_add_tcase(s, tc_generate); suite_add_tcase(s, tc_spLogin); suite_add_tcase(s, tc_spLoginMemory); suite_add_tcase(s, tc_spSloSoap); suite_add_tcase(s, tc_idpKeyRollover); + suite_add_tcase(s, tc_spKeyRollover); tcase_add_test(tc_generate, test01_saml2_generateServersContextDumps); tcase_add_test(tc_spLogin, test02_saml2_serviceProviderLogin); tcase_add_test(tc_spLoginMemory, test03_saml2_serviceProviderLogin); tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap); tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover); + tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover); return s; } diff --git a/tests/non_regression_tests.c b/tests/non_regression_tests.c index b266e9dd..03c11a35 100644 --- a/tests/non_regression_tests.c +++ b/tests/non_regression_tests.c 
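Review bot: test06 only shows that an SP holding both private keys (every context gets the second one through `lasso_server_set_encryption_private_key`) decrypts assertions encrypted to either certificate; there is no negative pairing in which a context built with `make_context` alone receives a response encrypted to the certificate it has no key for, so a regression that skips decryption or accepts an undecryptable EncryptedAssertion/EncryptedID would still pass — add one such context and assert that `lasso_login_process_authn_response_msg` or `lasso_login_accept_sso` returns non-zero instead of going through `check_good_rc`. `check_not_null(sp_login_context = lasso_login_new(sp_context))` is missing its semicolon and compiles only because of whatever `check_not_null` expands to; `sso_sp_with_key_rollover` is also an external symbol with no prototype and should be `static`. `make_context` assigns a `providers` variable it expects to find in the caller's scope and sets the encryption mode only on the first provider; wrapping it in `do { GList *providers = …; … } while (0)` and terminating its uses with `;` would make both facts explicit. The assertion is built with the literal strings `"FIXME: notBefore"` / `"FIXME: notOnOrAfter"` and the SP still accepts it — if those values reach the Conditions element this test also documents that the validity window is not checked on the SP side, which deserves either a real timestamp pair or a comment saying so.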
@@ -88,6 +88,7 @@ END_TEST
 START_TEST(indexed_endpoints_20101008)
 {
 LassoProvider *provider = NULL;
+ char *str;
 char *meta01 = "<md:EntityDescriptor entityID=\"google.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\
 <SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n\
 <AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"wrong\" index=\"1\" />\n\
@@ -115,27 +116,51 @@ START_TEST(indexed_endpoints_20101008) provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta01, NULL, NULL); check_not_null(provider); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "ok"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "wrong"); + str = lasso_provider_get_assertion_consumer_service_url(provider, NULL); + check_str_equals(str, "ok"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "0"); + check_str_equals(str, "ok"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "1"); + check_str_equals(str, "wrong"); + g_free(str); lasso_release_gobject(provider); provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta02, NULL, NULL); check_not_null(provider); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + str = lasso_provider_get_assertion_consumer_service_url(provider, NULL); + check_str_equals(str, "ok"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "0"); + check_str_equals(str, "wrong"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "1"); + check_str_equals(str, "ok"); + g_free(str); lasso_release_gobject(provider); provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta03, NULL, NULL); check_not_null(provider); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); - 
check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + str = lasso_provider_get_assertion_consumer_service_url(provider, NULL); + check_str_equals(str, "ok"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "0"); + check_str_equals(str, "wrong"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "1"); + check_str_equals(str, "ok"); + g_free(str); lasso_release_gobject(provider); provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta04, NULL, NULL); check_not_null(provider); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); - check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + str = lasso_provider_get_assertion_consumer_service_url(provider, NULL); + check_str_equals(str, "ok"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "0"); + check_str_equals(str, "wrong"); + g_free(str); + str = lasso_provider_get_assertion_consumer_service_url(provider, "1"); + check_str_equals(str, "ok"); + g_free(str); lasso_release_gobject(provider); } END_TEST diff --git a/tests/valgrind/lasso.supp b/tests/valgrind/lasso.supp index b4d22161..4e9a80e2 100644 --- a/tests/valgrind/lasso.supp +++ b/tests/valgrind/lasso.supp @@ -165,3 +165,42 @@ fun:g_hash_table_new fun:g_quark_from_static_string } +{ + g_type_init + Memcheck:Leak + fun:malloc + ... + fun:g_type_init +} +{ + g_type_init + Memcheck:Leak + fun:calloc + ... + fun:g_type_init +} +{ + g_type_init + Memcheck:Leak + fun:realloc + ... + fun:g_type_init +} +{ + register type + Memcheck:Leak + fun:malloc + ... + fun:g_type_register_static + ... + fun:lasso_*get_type +} +{ + register type + Memcheck:Leak + fun:realloc + ... + fun:g_type_register_static + ... + fun:lasso_*get_type +} |
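Review bot: The fix for the leaked return value is right, but the same three-line fetch/compare/`g_free` sequence is now pasted twelve times across the four providers in this hunk (the matching `char *str;` declaration is in the previous hunk); a small helper macro keeps the ownership rule in one place so the next endpoint test cannot forget the `g_free`. With the helper the body of each provider block collapses to three one-line checks, as sketched below. Note that when `check_str_equals` aborts the test, `str` is still not released — harmless for a unit test, but it will show up as a leak under the valgrind wrapper if the assertion ever fails.
```c
/* Fetch one AssertionConsumerService URL, compare it and release it (caller owns the returned string). */
#define check_acs_url(provider, index, expected) \
	do { \
		char *acs_url_ = lasso_provider_get_assertion_consumer_service_url((provider), (index)); \
		check_str_equals(acs_url_, (expected)); \
		g_free(acs_url_); \
	} while (0)

/* … unchanged: provider construction from meta01 … */
	check_acs_url(provider, NULL, "ok");
	check_acs_url(provider, "0", "ok");
	check_acs_url(provider, "1", "wrong");
/* … unchanged: same three checks for meta02, meta03 and meta04 … */
```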