Support for ECDH key agreement encryption

[jtalir]

Hello,
i tried to search mailing list for these keywords but didn't find anything. Does it mean this encryption method is not supported?
Regards,
Jaromir

[lsh123]

ECDH support for xmlsec-openssl and xmlsec-mscng will be included in the next release (April 2023) and is already available in the github master. Feel free to try it out (master should be pretty stable) and let me know if you run into any problems!

[jtalir]

I'll be happy to test. Do you have a hint about encoding template? My guess would be following, but not sure about specification of two EC keys that are used and algorithms that are supposed to be supported:

<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey Recipient="http://id.example.com/sp1"
                       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <ds:KeyInfo>
        <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
          <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF"
                                      xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
            <xenc11:ConcatKDFParams AlgorithmID="0000" PartyUInfo="0000" PartyVInfo="0000">
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
                               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            </xenc11:ConcatKDFParams>
          </xenc11:KeyDerivationMethod>
          <xenc:OriginatorKeyInfo>
            <ds:KeyValue>
              <ds11:ECKeyValue xmlns:ds11="http://www.w3.org/2009/xmldsig11#">
                <ds11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
                <ds11:PublicKey></ds11:PublicKey>
              </ds11:ECKeyValue>
            </ds:KeyValue>
          </xenc:OriginatorKeyInfo>
           <xenc:RecipientKeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Certificate>
	      </ds:X509Certificate>
            </ds:X509Data>
          </xenc:RecipientKeyInfo>
        </xenc:AgreementMethod>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue/>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue/>
  </xenc:CipherData>
</xenc:EncryptedData>

[lsh123]

I have a couple ECDH tests from XMLEnc 1.1 interop, for example this one. I plan to add more test for various permutations of algorithms soon too, but in general I would recommend ECDH plus ConcatKDF with SHA256 as this is the most portable combination (see implementation requirements). For example, I cannot make XMLEnc interop tests for ECDH + PBKDF work (and given that I am testing against several crypto libraries, I suspect a bug in the Oracle's PBKDF implementation).

For keys selection, my high level take is that the simplest thing to do is to use key names on both signing and verification sides. I will try to add dsig11:X509Digest support before the next release as well and this would enable using X509Data instead of key names too.

[jtalir]

I used suggested template and code from master and encryption seems to work. I generated two EC key pairs, one for originator and one for recipient. To generate encrypted message I used public key of recipient and private key of originator. This worked well. However then I tried to decrypt with private key of recipient and it failed. Surpsingly, if I used private key of originator, I could decrypt this message. I'm probably doing something wrong.

$ cat template.xml 
<?xml version="1.0"?>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
          <xenc11:KeyDerivationMethod xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
            <xenc11:ConcatKDFParams AlgorithmID="" PartyUInfo="00123456" PartyVInfo="">
              <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            </xenc11:ConcatKDFParams>
          </xenc11:KeyDerivationMethod>
          <xenc:OriginatorKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>EC-P256</dsig:KeyName>
            <dsig:KeyValue/>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>ecdsa-secp256r1</dsig:KeyName>
          </xenc:RecipientKeyInfo>
        </xenc:AgreementMethod>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue/>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </dsig:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue/>
  </xenc:CipherData>
</xenc:EncryptedData>
$ cat source.xml 
<?xml version='1.0' encoding='UTF-8'?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root>
$ openssl req -x509 -keyform PEM -outform PEM -subj "/CN=Originator" -out orig-cert.pem -newkey ec -pkeyopt ec_paramgen_curve:P-256 -sha256 -keyout orig-key.pem -nodes
-----
$ openssl req -x509 -keyform PEM -outform PEM -subj "/CN=Recepient" -out rec-cert.pem -newkey ec -pkeyopt ec_paramgen_curve:P-256 -sha256 -keyout rec-key.pem -nodes
-----
$ ./xmlsec1 encrypt --pubkey-cert-pem rec-cert.pem --privkey-pem orig-key.pem --session-key aes-256 --xml-data source.xml --node-xpath "/*[local-name()='root']/*[local-name()='encrypted']" template.xml | tee encrypted.xml 
<?xml version="1.0" encoding="UTF-8"?>
<root>
  <element>text</element>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
          <xenc11:KeyDerivationMethod xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
            <xenc11:ConcatKDFParams AlgorithmID="" PartyUInfo="00123456" PartyVInfo="">
              <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            </xenc11:ConcatKDFParams>
          </xenc11:KeyDerivationMethod>
          <xenc:OriginatorKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>EC-P256</dsig:KeyName>
            <dsig:KeyValue>
<ECKeyValue xmlns="http://www.w3.org/2009/xmldsig11#">
<NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
<PublicKey>
BFOJYDOreBRnybUR4lWUP4onMy5qmDMQbj4WEc+e6bCmlNuS0IlaJT3I+WWbbBSu
pgwdal97bXAPDI8A6f62VWc=
</PublicKey>
</ECKeyValue>
</dsig:KeyValue>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>ecdsa-secp256r1</dsig:KeyName>
          </xenc:RecipientKeyInfo>
        </xenc:AgreementMethod>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>M1J9UOQ+QJNjSCefDY+d5hMW2kloJSKejoOwjeOBSzNk2KpUlf0iWw==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </dsig:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>1mj4dkCyNkVTyyqq1CxK3Z9hXrcFvL4/uAbU/Ca2Z+TzkZLqk5UHi+IWRNPJEHa+
fOsdBcjBOzkg1LGZuyW5</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>
</root>
$ ./xmlsec1 decrypt --privkey-pem rec-key.pem encrypted.xml
func=xmlSecKWAesDecode:file=kw_aes_des.c:line=894:obj=unknown:subj=unknown:error=12:invalid data:bad magic block
func=xmlSecTransformKWAesExecute:file=kw_aes_des.c:line=656:obj=kw-aes128:subj=xmlSecKWAesDecode:error=1:xmlsec library function failed: 
func=xmlSecOpenSSLKWAesExecute:file=kw_aes.c:line=237:obj=kw-aes128:subj=xmlSecTransformKWAesExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1934:obj=kw-aes128:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:final=1
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1958:obj=kw-aes128:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:final=1;outSize=40
func=xmlSecTransformCtxBinaryExecute:file=transforms.c:line=949:obj=unknown:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:dataSize=56
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=624:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec library function failed: 
func=xmlSecKeysMngrGetKey:file=keys.c:line=1256:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:encMethod=aes128-gcm
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=610:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: 
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=536:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed: 
Error: failed to decrypt file
Error: failed to decrypt file "encrypted.xml"
$ ./xmlsec1 decrypt --privkey-pem orig-key.pem encrypted.xml
<?xml version="1.0" encoding="UTF-8"?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root> 

[lsh123]

You need to specify the key names when you encrypt and decrypt or it might find the wrong key. Something like this should work (btw there are tests in tests/testEnc.sh that show how to do it as well):

./xmlsec1 encrypt --pubkey-cert-pem:ecdsa-secp256r1 rec-cert.pem --privkey-pem:EC-P256 orig-key.pem --session-key aes-256 --xml-data source.xml --node-xpath "/*[local-name()='root']/*[local-name()='encrypted']" template.xml

Note: I think I got key names correct but if not, then try to swap names in the command line :)

[jtalir]

I can confirm, that this helped and I could decrypt with recipient key.

[lsh123]

Great, thanks for letting me know!

[lsh123]

BTW, after PR #548 lands, you should be able to use X509Digest or any other X509Data elements to select keys (including private keys). I think it will make it much easier to do key agreements.

[jtalir]

Unfortunately, I'm failing to repeat the same when private key for decryption is in softhsm2. This was actually my primary motivation to switch from RSA to EC, since I was getting "unsupported padding" error on RSA-OAEP decryption with xmlsec.
Here, it throws this error (of course it may be some lower level stuff):

$ ./xmlsec1 decrypt --privkey-openssl-engine "pkcs11;pkcs11:token=test;object=test;pin-value=secret1" encrypted.xml 
func=xmlSecOpenSSLKeyDataEcSetValue:file=evp.c:line=2283:obj=ec:subj=EVP_PKEY_CTX_set_group_name:error=4:crypto library function failed:openssl error: error:00000000:lib(0)::reason(0)
func=xmlSecOpenSSLKeyDataEcRead:file=evp.c:line=2378:obj=ec:subj=xmlSecOpenSSLKeyDataEcSetValue():error=1:xmlsec library function failed: 
func=xmlSecKeyDataEcXmlRead:file=keysdata.c:line=1048:obj=ec:subj=xmlSecKeyDataEcRead:error=1:xmlsec library function failed: 
func=xmlSecKeyDataValueXmlRead:file=keyinfo.c:line=886:obj=key-value:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=ECKeyValue
func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=122:obj=key-value:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=KeyValue
func=xmlSecKeysMngrGetKey:file=keys.c:line=1237:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=OriginatorKeyInfo
func=xmlSecTransformEcdhReadKey:file=transforms.c:line=2921:obj=OriginatorKeyInfo:subj=unknown:error=45:key is not found:details=key not found
func=xmlSecTransformEcdhParamsRead:file=transforms.c:line=3041:obj=AgreementMethod:subj=xmlSecTransformEcdhReadKey(OriginatorKeyInfo):error=1:xmlsec library function failed: 
func=xmlSecOpenSSLEcdhNodeRead:file=key_agrmnt.c:line=176:obj=unknown:subj=xmlSecTransformEcdhParamsRead:error=1:xmlsec library function failed: 
func=xmlSecTransformNodeRead:file=transforms.c:line=1351:obj=ecdh-es:subj=readNode:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=602:obj=AgreementMethod:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed: 
func=xmlSecEncCtxAgreementMethodGenerate:file=xmlenc.c:line=1398:obj=AgreementMethod:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed: 
func=xmlSecKeysMngrGetKey:file=keys.c:line=1256:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:encMethod=kw-aes128
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=610:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: 
func=xmlSecKeysMngrGetKey:file=keys.c:line=1256:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecEncCtxEncDataNodeRead:file=xmlenc.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:encMethod=aes128-gcm
func=xmlSecEncCtxDecryptToBuffer:file=xmlenc.c:line=610:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: 
func=xmlSecEncCtxDecrypt:file=xmlenc.c:line=536:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed: 
Error: failed to decrypt file
Error: failed to decrypt file "encrypted.xml"

[jtalir]

Small issue is that orig key is usually ephemeral, so you cannot put it anywhere in advance. It must be taken from encrypted file.

[lsh123]

yeah, I tried that too:

$ SOFTHSM2_CONF=./softhsm.conf ../../xmlsec/build-openssl/apps/xmlsec1 decrypt --pubkey-cert-pem:key1 cert1.pem  --privkey-openssl-engine:key2 "pkcs11;pkcs11:token=test;object=key1;pin-value=secret1"  encrypted-ecdh.xml

func=xmlSecKWAesDecode:file=../../src/kw_aes_des.c:line=894:obj=unknown:subj=unknown:error=12:invalid data:bad magic block
...

This error means that ECDH derived a different key somehow and then key wrap fails because key is wrong. Honestly, I have no idea why it happens because both "pub + priv keys in HSM" and "pub + priv keys not in HSM" work just fine. Only "priv key in HSM + pub key is not in HSM" is broken --> sounds like OpenSSL / HSM bug to me.

[lsh123]

Scratch that! I made it work with DEREncodedKeyValue !!!

cat encrypted-ecdh2.xml 

...
          <xenc:OriginatorKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:KeyName>key1</dsig:KeyName>
		<dsig11:DEREncodedKeyValue xmlns:dsig11="http://www.w3.org/2009/xmldsig11#"/>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>key2</dsig:KeyName>
          </xenc:RecipientKeyInfo>
...


xmlsec1 encrypt  --session-key aes-256  --xml-data source.xml --node-xpath "/*[local-name()='root']/*[local-name()='encrypted']" --privkey-pem:key1 privkey1.pem --pubkey-cert-pem:key2 cert2.pem ./template-ecdh2.xml  > encrypted-ecdh2.xml


SOFTHSM2_CONF=./softhsm.conf xmlsec1 decrypt  --privkey-openssl-engine:key2 "pkcs11;pkcs11:token=test;object=key2;pin-value=secret1" encrypted-ecdh2.xml

<?xml version="1.0" encoding="UTF-8"?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root>

[jtalir]

So let's hope for success also with RSA OAEP .

[lsh123]

I would not hold my breath. I re-compiled everything, fixed the libp11 as we discussed above and made sure the new code is used with a printf. Well, it still failed past that code. So either it is even more broken or rsa oaep in libp11 was removed (and the commit message just wrong). Either way, let see if they reply in OpenSC/libp11#485

Meantime, I will write up a complete solution at the top level shortly so next person can find it easily.

[lsh123]

I think the issue is that the EC key is specified in XML document by value and loading it into HSM fails because HSM doesn't support direct keys loading. In general, I would not recommend using KeyValue for any real production use cases anyway. I see a few possible options (in the order of "easy to try" to "harder to try"):

1. Write keys into XML document using DEREncodedKeyValue or X509Certificate. I am not sure if it will work though but it should be easy to try (there are plenty of examples in xmlsec tests/ folder).

2. Load keys into HSM from xmlsec command line and specify keyname (I am not sure it will work out-of-the-box but I also think it will be a simple fix to enable it -- I will gladly accept patches :) ). Then you will be able to refer to the key using KeyName.

3. Pre-load keys into HSM independently, use custom code to fetch keys from HSM and load into xmlsec-openssl keys manager. Then refer to the keys with KeyName.

4. If softhsm2 has any key search capabilities, then it might be possible to enhance xmlsec-openssl KeysManager implementation to lookup keys by names (or certificate digest, or...) directly in HSM as well. Then everything will work "magically" out of the box.

[lsh123]

BTW it might also mean that softhsm2 simply doesn't support that specific curve :) I would double check with prime256v1 keys since it's the most commonly supported curve

[simo5]

@lsh123 if xmlsec1 will move to use the store API from OpenSSL 3+ to load keys, and you can pass a URI to it, then that would be the preferred method to deal with HSMs, as you can pass a pkcs11: URI which allows to uniquely identify keys preloaded into an HSM.

In terms of loading keys, it makes no sense whatsoever to use an HSM that way.
If it is public keys, you do not need to use an HSM, there is no advantage.
If these are private keys, you do not have them outside of an HSM (use pkcs11 URI to identify them).
If these really are private keys, it makes no sense to use an HSM, the cat is out of the bag :-)

With OpenSSL < 3.0 you need to use the openssl-pkcs11 engine (or similar) and the engine API to be able to use URIs and HSMs.

With OpenSSL >= 3 using the store API will allow to transparently use providers (like https://github.com/latchset/pkcs11-provider), assuming only EVP APIs are then used for key operations, and not the legacy APIs.

HTH.

[lsh123]

yes you need to import the peer public key

This is where I think it fails now for you. The ECKeyValue data and APIs xmlsec is using to create EVP key from it are low level

[simo5]

I think you mean @jtalir I never tried this myself :)

[lsh123]

Right sorry --> I meant to ask @jtalir

[lsh123]

PR #566 adds support for loading keys through ossl-store. If someone has an HSM to play with then I would appreciate a quick test that it works as expected.

[simo5]

@lsh123 you can test with OpenSSL 3.0.7+, https://github.com/latchset/pkcs11-provider and a software token (see the project tests for example).
HTH

[lsh123]

The following is a complete solution (requires xmlsec 1.3.0 or greater):

Preparation

Install prerequisites

$ sudo apt install libsofthsm2 softhsm2 openssl openssl libengine-pkcs11-openssl opensc libxmlsec1 xmlsec1 libxmlsec1-openssl

If you are compiling xmlsec library from sources, make sure to specify --enable-openssl3-engines parameter for configure script.

Configure softhsm

$ cat softhsm.conf 
directories.tokendir = ./keystore

Create a pair of EC keys

$ openssl  req -nodes -new -x509 -subj '/CN=test1' -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout privkey1.pem -out cert1.pem
$ openssl  req -nodes -new -x509 -subj '/CN=test2' -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout privkey2.pem -out cert2.pem
$ openssl pkey -in privkey1.pem -pubout -out pubkey1.pem

Create xml file to encrypt

$ cat source.xml 
<?xml version='1.0' encoding='UTF-8'?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root>

Option 1: use key names in the XML file

Prepare template and encrypt the file using keys from files

$ cat template-ecdh.xml 
...
          <xenc:OriginatorKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>key1</dsig:KeyName>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>key2</dsig:KeyName>
          </xenc:RecipientKeyInfo>
...

$ xmlsec1 encrypt  --session-key aes-256  --xml-data source.xml --node-xpath "/*[local-name()='root']/*[local-name()='encrypted']" --privkey-pem:key1 privkey1.pem --pubkey-cert-pem:key2 cert2.pem ./template-ecdh.xml  > encrypted-ecdh.xml

Reset softhsm and load private / public keys into softhsm2

$ rm -rf ./keystore
$ mkdir ./keystore
$ SOFTHSM2_CONF=./softhsm.conf softhsm2-util --slot 0 --label test --init-token --pin secret1 --so-pin secret2
$ SOFTHSM2_CONF=./softhsm.conf pkcs11-tool --usage-derive --module /usr/lib/softhsm/libsofthsm2.so --login --write-object privkey2.pem -y privkey --label key2 --pin secret1
$ SOFTHSM2_CONF=./softhsm.conf pkcs11-tool --usage-derive --module /usr/lib/softhsm/libsofthsm2.so --login --write-object pubkey1.pem -y pubkey --label pubkey1 --pin secret1

Decrypt the file using public/private keys in softhsm2

$ SOFTHSM2_CONF=./softhsm.conf xmlsec1 decrypt --pubkey-openssl-engine:key1 "pkcs11;pkcs11:token=test;object=pubkey1;pin-value=secret1"  --privkey-openssl-engine:key2 "pkcs11;pkcs11:token=test;object=key2;pin-value=secret1" encrypted-ecdh.xml

<?xml version="1.0" encoding="UTF-8"?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root>

Option 2: use DEREncodedKeyValue for the originator public key

Prepare template and encrypt the file using keys from files

$ cat template-ecdh2.xml 
...
          <xenc:OriginatorKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:KeyName>key1</dsig:KeyName>
		<dsig11:DEREncodedKeyValue xmlns:dsig11="http://www.w3.org/2009/xmldsig11#"/>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:KeyName>key2</dsig:KeyName>
          </xenc:RecipientKeyInfo>
...

$ xmlsec1 encrypt  --session-key aes-256  --xml-data source.xml --node-xpath "/*[local-name()='root']/*[local-name()='encrypted']" --privkey-pem:key1 privkey1.pem --pubkey-cert-pem:key2 cert2.pem ./template-ecdh2.xml  > encrypted-ecdh2.xml

Reset softhsm and load private / public keys into softhsm2

$ rm -rf ./keystore
$ mkdir ./keystore
$ SOFTHSM2_CONF=./softhsm.conf softhsm2-util --slot 0 --label test --init-token --pin secret1 --so-pin secret2
$ SOFTHSM2_CONF=./softhsm.conf pkcs11-tool --usage-derive --module /usr/lib/softhsm/libsofthsm2.so --login --write-object privkey2.pem -y privkey --label key2 --pin secret1

Decrypt the file using public key in the XML file and private key in softhsm2

$ SOFTHSM2_CONF=./softhsm.conf xmlsec1 decrypt --privkey-openssl-engine:key2 "pkcs11;pkcs11:token=test;object=key2;pin-value=secret1" encrypted-ecdh2.xml
<?xml version="1.0" encoding="UTF-8"?>
<root>
  <element>text</element>
  <encrypted>private text</encrypted>
</root>