I dumped the keys; they are all present.
I validated this first by dumping the Keymanager's contents and secondly by
editing the <EncryptedKey> list in the encrypted document and copy-and-pasting an
<EncryptedKey> from a lower position in the list to the first one. If the
recipient key is not the first <EncryptedKey> in the list of encrypted keys,
it's not found and no decryption occurs. If it's copied to the first position --
voilà, decryption works.
The problem doesn't seem to be that xmlsec doesn't find the keys, but that it
stops looking after the first <EncryptedKey> entry. I tracked this problem down
in the xmlsec source code to the "xmlSecKeyDataEncryptedKeyXmlRead" routine in
the "keyinfo.c" file. In line 1414 the variable
keyInfoCtx->maxEncryptedKeyLevel is checked against
keyInfoCtx->curEncryptedKeyLevel. If curEncryptedKeyLevel is larger or the
same, the routine throws an error. maxEncryptedKeyLevel is defined as 1 in line
303.
As far as I understand the source, it seems to me that all <EncryptedKey> nodes
after the first are never processed because of maxEncryptedKeyLevel.
This matches the error output I get from xmlsec, see below:

func=xmlSecKeyDataEncryptedKeyXmlRead:file=..\src\keyinfo.c:line=1415:obj=enc-key:subj=unknown:error=61:maximum encrypted key level:cur=1;max=1;last error=-2146893819 (0x80090005);last error msg=Invalid Data

func=xmlSecKeyInfoNodeRead:file=..\src\keyinfo.c:line=114:obj=enc-key:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=EncryptedKey;last error=-2146893819 (0x80090005);last error msg=Invalid Data

func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1343:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo;last error=-2146893819 (0x80090005);last error msg=Invalid Data

func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key is not found: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

func=xmlSecEncCtxDecrypt:file=..\src\xmlenc.c:line=582:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed: ;last error=-2146893819 (0x80090005);last error msg=Invalid Data

Could the problem be solved by simply increasing maxEncryptedKeyLevel, or is 
there another 'official' way to solve this problem, like parsing the document 
beforehand with my own routine, checking the keys and removing all but the one 
I want to use?

Götz
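
The pre-processing workaround raised in the question above (pick out the recipient's <EncryptedKey> before the document reaches the decryptor), written out as an added example; this is not code from the thread or from the xmlsec project. It uses only the Python standard library, the XML Encryption and XML Signature namespaces are the standard ones, and the sample document, recipient names and CipherValue contents are constructed dummies.

```python
"""Pre-select the <EncryptedKey> for one recipient in an XML Encryption
document before handing it to a decryptor that only inspects the first entry.

Added example for this thread, not code from the xmlsec project. Uses only the
Python standard library; SAMPLE is a constructed document with dummy
CipherValue contents and made-up recipient names.
"""
import xml.etree.ElementTree as ET

# Standard XML Encryption and XML Signature namespaces.
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": XENC, "ds": DS}
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# Constructed sample: one session key wrapped for three recipients, each
# <EncryptedKey> identified by a <KeyName>, as in the thread.
SAMPLE = f"""<?xml version="1.0"?>
<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Type="{XENC}Element">
  <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>recipient-a</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>QUFBQQ==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>recipient-b</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>QkJCQg==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
      <ds:KeyInfo><ds:KeyName>recipient-c</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Q0NDQw==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>WlpaWg==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
"""


def _encrypted_keys(key_info):
    """Pair each <EncryptedKey> child of key_info with its <KeyName> text."""
    out = []
    for ek in key_info.findall("xenc:EncryptedKey", NS):
        kn = ek.find("ds:KeyInfo/ds:KeyName", NS)
        name = kn.text.strip() if kn is not None and kn.text else None
        out.append((ek, name))
    return out


def list_encrypted_key_names(xml_text):
    """Return the <KeyName> of every top-level <EncryptedKey>, in document order."""
    root = ET.fromstring(xml_text)
    key_info = root.find("ds:KeyInfo", NS)
    if key_info is None:
        return []
    return [name for _, name in _encrypted_keys(key_info)]


def select_recipient_key(xml_text, key_name, keep_others=False):
    """Return the document with the recipient's <EncryptedKey> moved to the
    front of <KeyInfo>; with keep_others=False the other entries are dropped.

    Raises KeyError when no entry names the recipient, so a wrong KeyName
    fails here with a clear message instead of as a generic 'key is not
    found' inside the decryptor.
    """
    root = ET.fromstring(xml_text)
    key_info = root.find("ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("EncryptedData carries no KeyInfo")
    entries = _encrypted_keys(key_info)
    mine = [ek for ek, name in entries if name == key_name]
    if not mine:
        raise KeyError(f"no EncryptedKey names recipient {key_name!r}")
    others = [ek for ek, name in entries if name != key_name]
    # Detach every entry, then re-attach in the order the decryptor should see.
    for ek, _ in entries:
        key_info.remove(ek)
    chosen = mine + (others if keep_others else [])
    for pos, ek in enumerate(chosen):
        key_info.insert(pos, ek)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(list_encrypted_key_names(SAMPLE))
    print(select_recipient_key(SAMPLE, "recipient-c"))
```

Feed the returned string to the decryptor instead of the original file. The transformation changes nothing cryptographic, only which wrapped key the decryptor sees first; but if the <EncryptedData> element is covered by an XML Signature, reordering or dropping <EncryptedKey> children invalidates that signature, so verify the signature on the untouched document and run this on a copy.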

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: Friday, 21 October 2005 17:06
To: Bundschuh, Goetz
Cc: [email protected]
Subject: Re: [xmlsec] hybrid encrypted data for multiple recipients doesn't
find keys in Keymanager after first during decryption

> I'm using xmlsec 1.2.8 under WinXPSP2, using mscrypto.
I recall that someone else also had problems with key names in xmlsec-mscrypto.
I believe that in this case the key name is either
0) the key name assigned by you when you added the key to the keys manager
1) the cert id (key/cert is in MS store)
2) the full subject DN (key/cert is in MS store)

The key name you use

<KeyName>de, TU Darmstadt, FB20, Christian Valentin-6E</KeyName>

does not look like 1) or 2), thus you have to put the key into the keys manager
yourself. Try to dump the keys manager and check that the key is there.

Aleksey



_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec