
I have a private key in p12 which has empty passphrase set. Now when I'm trying to import this private key using SecPKCS12Import on OS X or iOS, I've got an error (equivalent on Windows works).

- (NSError *)setClientIdentityCertificateFromPKCS12Data:(NSData *)PKCS12Data withPassword:(NSString *)password
{
    OSStatus securityError = errSecSuccess;

    const void *keys[] =   { kSecImportExportPassphrase };
    const void *values[] = { (__bridge CFStringRef)password };
    CFDictionaryRef optionsDictionary = NULL;

    // With a nil password the dictionary is created with zero entries.
    optionsDictionary = CFDictionaryCreate(
                                           NULL, keys,
                                           values, (password ? 1 : 0),
                                           NULL, NULL);
    CFArrayRef items = NULL;

    securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data,
                                    optionsDictionary,
                                    &items);

    CFRelease(optionsDictionary);
    if (items) CFRelease(items);   // the identity would be taken from `items` before releasing it

    if (securityError != errSecSuccess) {
        return [NSError errorWithDomain:NSOSStatusErrorDomain code:securityError userInfo:nil];
    }
    return nil;
}

I've tried different combinations when password is empty:

  • optionsDictionary = NULL
  • optionsDictionary with no values
  • optionsDictionary with @"" value for key kSecImportExportPassphrase

It always ends with securityError not equal to errSecSuccess. Respectively:

  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25264 "MAC verification failed during PKCS12 import (wrong password?)"

Now I'm OK that it doesn't work. I understand that a p12 without a password is a security threat, but if this is the reason why it doesn't work I need some documentation which states that. I've tried to Google that without luck so far.

I've also tried to import this file to OS X Keychain application with same result (invalid password), so this must be problem with SecPKCS12Import.

Or maybe there is a way to overcome this problem?


2 Answers

I believe this is a defect with the Cocoa SDK, see rdar://22909471.

Unfortunately, this radar has been closed as a dupe of an existing radar. I would file an additional bug report with Apple to elevate this issue. I can think of two alternatives:

  1. Add a password to your p12 blob.

  2. Convert the certificate to DER encoding. This answer may help.


This seems to be fixed by now, I've tested it on iOS 10. I can use an empty string as the password for my p12. However, it seems like the kSecImportExportPassphrase is still required.

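Putting the two answers together: the options dictionary must always carry kSecImportExportPassphrase, and for a .p12 exported with an empty passphrase the value is the empty string, not a missing key. The helper below is an added example written for this page, not code from the question or either answer; the function name CopyIdentityFromPKCS12 is chosen here. It maps the two OSStatus codes quoted in the question to the SecBase.h constants errSecPassphraseRequired (-25260) and errSecPkcs12VerifyFailure (-25264), so a caller can tell "key missing" apart from "passphrase does not match the MAC". Accepting an empty passphrase still leaves the key material unprotected at rest, so the first answer's suggestion to add a password to the blob remains the better fix.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Import a PKCS#12 blob and return the first identity it contains (caller owns it).
// `password` may be nil or empty; the passphrase key is always supplied, because
// SecPKCS12Import rejects an options dictionary that lacks it (errSecPassphraseRequired).
static SecIdentityRef CopyIdentityFromPKCS12(NSData *pkcs12Data,
                                             NSString *password,
                                             NSError **outError)
{
    // nil becomes @"", which is what an unprotected (empty-passphrase) .p12 was exported with.
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : password ?: @"" };

    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (status != errSecSuccess) {
        NSString *reason;
        switch (status) {
            case errSecPassphraseRequired:   // -25260: options had no kSecImportExportPassphrase entry
                reason = @"Passphrase is required for import/export.";
                break;
            case errSecPkcs12VerifyFailure:  // -25264: MAC check failed, passphrase does not match the file
                reason = @"MAC verification failed during PKCS12 import (wrong password?)";
                break;
            default:
                reason = [NSString stringWithFormat:@"SecPKCS12Import failed with OSStatus %d", (int)status];
                break;
        }
        if (outError) {
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                            code:status
                                        userInfo:@{ NSLocalizedDescriptionKey : reason }];
        }
        return NULL;
    }

    // Each element of `items` is a dictionary; the identity sits under kSecImportItemIdentity.
    SecIdentityRef identity = NULL;
    if (CFArrayGetCount(items) > 0) {
        CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
        identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity);
        if (identity) CFRetain(identity);   // keep it alive past the release of `items`
    }
    CFRelease(items);

    if (!identity && outError) {
        *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                        code:errSecItemNotFound
                                    userInfo:@{ NSLocalizedDescriptionKey : @"PKCS12 blob contains no identity" }];
    }
    return identity;
}

// Usage: pass a .p12 path and, optionally, its passphrase; omit it for an empty-passphrase file.
int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <file.p12> [password]\n", argv[0]);
            return 2;
        }
        NSData *blob = [NSData dataWithContentsOfFile:@(argv[1])];
        NSString *password = (argc > 2) ? @(argv[2]) : nil;
        NSError *error = nil;
        SecIdentityRef identity = CopyIdentityFromPKCS12(blob, password, &error);
        if (!identity) {
            fprintf(stderr, "import failed: %s\n", error.localizedDescription.UTF8String);
            return 1;
        }
        printf("imported identity from %s\n", argv[1]);
        CFRelease(identity);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security`. On a system affected by the behaviour the question describes, the same call with an empty string still returns -25264 for an empty-passphrase file; the error mapping makes that visible rather than collapsing it into a generic failure.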