diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 9d0e752b4..e27eea621 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -890,10 +890,9 @@ hx509_cms_decrypt_encrypted(hx509_lock lock,
 			    heim_octet_string *content)
 {
     heim_octet_string cont;
-    const struct _hx509_password *pw;
     CMSEncryptedData ed;
     AlgorithmIdentifier *ai;
-    int ret, i;
+    int ret;
 
     memset(content, 0, sizeof(*content));
     memset(&cont, 0, sizeof(cont));
@@ -917,17 +916,10 @@ hx509_cms_decrypt_encrypted(hx509_lock lock,
 	goto out;
     }
 
-    pw = _hx509_lock_get_passwords(lock);
-
-    ret = HX509_CRYPTO_INTERNAL_ERROR;
-    for (i = 0; i < pw->len; i++) {
-	ret = _hx509_pbe_decrypt(pw->val[i],
-				 ai,
-				 ed.encryptedContentInfo.encryptedContent,
-				 &cont);
-	if (ret == 0)
-	    break;
-    }
+    ret = _hx509_pbe_decrypt(lock,
+			     ai,
+			     ed.encryptedContentInfo.encryptedContent,
+			     &cont);
     if (ret)
 	goto out;
 
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 91dfa1aec..2d737222c 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -88,8 +88,6 @@ ShroudedKeyBag_parser(struct collector *c, const void *data, size_t length,
     PKCS8EncryptedPrivateKeyInfo pk;
     PKCS8PrivateKeyInfo ki;
     heim_octet_string content;
-    const struct _hx509_password *pw;
-    int i;
     int ret;
     
     printf("pkcs8ShroudedKeyBag\n");
@@ -107,17 +105,10 @@ ShroudedKeyBag_parser(struct collector *c, const void *data, size_t length,
 	return ret;
     }
 
-    pw = _hx509_lock_get_passwords(c->lock);
-
-    ret = HX509_CRYPTO_INTERNAL_ERROR;
-    for (i = 0; i < pw->len; i++) {
-	ret = _hx509_pbe_decrypt(pw->val[i],
-				 &pk.encryptionAlgorithm,
-				 &pk.encryptedData,
-				 &content);
-	if (ret == 0)
-	    break;
-    }
+    ret = _hx509_pbe_decrypt(c->lock,
+			     &pk.encryptionAlgorithm,
+			     &pk.encryptedData,
+			     &content);
     free_PKCS8EncryptedPrivateKeyInfo(&pk);
     if (ret) {
 	printf("decrypt encryped failed %d\n", ret);