On bouncycastle I ran into an issue where sometimes messages encrypted with two or more passphrases would fail to decrypt.
As I used GnuPG to verify that the message is apparently broken, it took me a while to come to the conclusion that the error did not happen during encryption, but instead during the decryption phase.
Consider this message:
-----BEGIN PGP MESSAGE----- Version: BCPG v1.68 jC4ECQMCtL4bq5btiMJgL6wPT4kDozGheHZa1fmAUpp3CIBeLXw4B3IUZ05QSPRF jC4ECQMC5nZ8aoh9uYpgtDeGdkTLP+obVSiMvs99ibpcFm60vJY7feYNTiSk2StJ 0kgB9vDAT0vUdXz1sPTEv2YIK2zeNyoA7pD9BDd68VgFVj61vSQ6Ovf6Uidv2v0M 5cfawfKpjRn0Ku3JEzDv3TuYioRWzuzxptc= =9QAC -----END PGP MESSAGE-----
It was encrypted using password "password1" and "password2" (in that order).
Decrypting it with "password1" succeeds as expected and reveals the secret message.
Decryption with "password2" however fails.
The message was encrypted using AES-256 (algorithm 0x09), but gpg --decrypt --show-session-key reveals the following apparent session key:
Apparently GnuPG does not try the correct SKESK (the second one in this case) and fails after decryption of the SEIP with the first SKESK session key failed.