Re: [xmlsec] hybrid encrypted data for multiple recipients doesn't find keys in Keymanager after first during decryption

Bundschuh, Goetz Goetz.Bundschuh at
Wed Oct 26 05:00:17 PDT 2005

I dumped the keys, they are all present.
I validated this first by dumping the Keymanager's contents and secondly by editing the <EncryptedKey> list in the encrypted document and copying and pasting an <EncryptedKey> from a lower position in the list to the first one. If the recipient key is not the first <EncryptedKey> in the list of encrypted keys, it's not found and no decryption occurs. If it's copied to first position -- voila, decryption works.
The problem doesn't seem to be that xmlsec doesn't find the keys, but that it stops looking after the first <EncryptedKey> entry. I tracked this problem down in the xmlsec source code to the "xmlSecKeyDataEncryptedKeyXmlRead" routine in the "keyinfo.c" file. In line 1414 the variable keyInfoCtx->maxEncryptedKeyLevel is checked against keyInfoCtx->curEncryptedKeyLevel. If curEncryptedKeyLevel is larger or the same, the routine throws an error. maxEncryptedKeyLevel is defined as 1 in line 303.
As far as I understand the source, it seems to me that all <EncryptedKey> nodes after the first are never processed because of maxEncryptedKeyLevel.
This matches the error output I get from xmlsec, see below:

y:subj=unknown:error=61:maximum encrypted key level:cur=1;max=1;last error=-2146893819 (0x80090005);last error msg=Invalid Data

cKeyDataXmlRead:error=1:xmlsec library function failed:node=EncryptedKey;last error=-2146893819 (0x80090005);last error msg=Invalid Data

yInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo;last error=-2146893819 (0x80090005);last error msg=Invalid Data

unknown:error=45:key is not found: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

cCtxDecryptToBuffer:error=1:xmlsec library function failed: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

Could the problem be solved by simply increasing maxEncryptedKeyLevel, or is there another 'official' way to solve this problem, like parsing the document beforehand with my own routine, checking the keys and removing all but the one I want to use?


-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at] 
Sent: Friday, 21 October 2005 17:06
To: Bundschuh, Goetz
Cc: xmlsec at
Subject: Re: [xmlsec] hybrid encrypted data for multiple recipients doesn't find keys in Keymanager after first during decryption

> I'm using xmlsec 1.2.8 under WinXPSP2, using mscrypto.
I recall that someone else also had problems with key names in xmlsec-mscrypto. I believe that in this case, key name is either
0) key name assigned by you when you added key to the keys manager
1) cert id (key/cert is in MS store)
2) full subject dn (key/cert is in MS store)

The key name you use

<KeyName>de, TU Darmstadt, FB20, Christian Valentin-6E</KeyName>

does not look like 1) or 2) thus you have to put key into keys manager yourself. Try to dump keys manager and check that the key is there.
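
The pre-processing workaround asked about in the message above, as an added example that is not part of the original thread and is not xmlsec code: a Python routine that removes every <EncryptedKey> except the one whose <KeyName> matches the recipient, so the matching entry is the first one the library reads. It assumes each <EncryptedKey> names its recipient in a <KeyName>; the function name, key names and sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"enc": ENC, "ds": DS}
ET.register_namespace("xenc", ENC)  # keep readable prefixes when serializing
ET.register_namespace("ds", DS)

# Constructed sample: one EncryptedData addressed to three recipients.
# Key names and CipherValue contents are dummies, not real key material.
SAMPLE = (
    f'<EncryptedData xmlns="{ENC}" xmlns:ds="{DS}"><ds:KeyInfo>'
    + "".join(
        f"<EncryptedKey><ds:KeyInfo><ds:KeyName>{name}</ds:KeyName></ds:KeyInfo>"
        "<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedKey>"
        for name in ("recipient-a", "recipient-b", "recipient-c"))
    + "</ds:KeyInfo><CipherData><CipherValue>BBBB</CipherValue></CipherData>"
    "</EncryptedData>"
)


def keep_only_recipient(xml_text, key_name):
    """Drop every EncryptedKey whose KeyName differs from key_name.

    Returns (new_xml, removed_count). Raises LookupError when no entry matches,
    so a document that cannot be decrypted is never passed on silently.
    """
    root = ET.fromstring(xml_text)
    kept = removed = 0
    for enc_data in root.iter(f"{{{ENC}}}EncryptedData"):
        key_info = enc_data.find("ds:KeyInfo", NS)
        if key_info is None:
            continue
        # findall returns a list, so removing children while looping is safe.
        for enc_key in key_info.findall("enc:EncryptedKey", NS):
            name = enc_key.findtext("ds:KeyInfo/ds:KeyName", "", NS)
            if name.strip() == key_name:
                kept += 1
            else:
                key_info.remove(enc_key)
                removed += 1
    if kept == 0:
        raise LookupError(f"no EncryptedKey with KeyName {key_name!r}")
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    xml_out, dropped = keep_only_recipient(SAMPLE, "recipient-c")
    print(f"removed {dropped} EncryptedKey entries")
    print(xml_out)
```

Run it on a copy of the document: removing elements invalidates any XML signature that covers the <EncryptedData>.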

