API: SecPKCS12Import; error code: -25264; error message: MAC verification failed during PKCS12 import (wrong password?)

I couldn't upload the sample p12 cert. Let me know if there is a way to do so. Thanks.

I need to clarify your goals here. You wrote:

Pre-requisite is to generate a PKCS#12 file using openssl 3.x or above.

I presume that you have the additional constraint of without enabling legacy mode.

using SecPKCS12Import on macOS (tried on [macOS 13], [macOS 14], [macOS 15]).

Is macOS 13 your minimum deployment target? If so, there’s no way to achieve your goal. macOS 15 introduced support for a bunch of new algorithms that should allow you to import modern OpenSSL PKCS#12 files. See this thread for details [1].

So, you have a choice. If you need to support systems prior to macOS 15 then you’ll need to find some other way to import your digital identity. You could either change your import format — for an example of that, see Importing a PEM-based RSA Private Key and its Certificate — or write or acquire your own PKCS#12 code.

OTOH, if you’re happy with only supported macOS 15 and later, we can look at why your OpenSSL stuff isn’t working.

I couldn't upload the sample p12 cert. Let me know if there is a way to do so. Thanks.

For small stuff like that I generally recommend that folks attach a text file containing a hex dump. Or you can upload it elsewhere and post a link. If you do the latter, see tip 14 in Quinn’s Top Ten DevForums Tips.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] It’s about iOS 18, but the comments there also apply to macOS 18 and other aligned releases.

macOS 15 introduced support for a bunch of new algorithms that should allow you to import modern OpenSSL PKCS#12 files. See this thread for details [1].

I'm unable to import the p12 cert with latest algos using security CLI on macOS 15.

$sw_vers                                                                   
ProductName:		macOS
ProductVersion:		15.4
BuildVersion:		24E5238a
 
$security import ~/Downloads/modern_certificate.p12 -k ~/Library/Keychains/login.keychain -P "export"
security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)
 
$security import ~/Downloads/legacy_certificate.p12 -k ~/Library/Keychains/login.keychain -P "export"
1 identity imported.

Here,

"modern_certificate.p12" consists of the latest algos and,

"legacy_certificate.p12" was regenerated from "modern_certificate.p12" with legacy algos.

PFA, the hexdump for both the p12 certificates.

Thanks for those examples.

Unfortunately they seem to have been munged by the DevForums platform )-: [1] Can you try copying out the text yourself to see if it accurately reflects what you posted?

If not, that confirms that your post has been affected by this bug, and my next suggestion is that you upload the data somewhere and then post a URL to it.

I apologise for the runaround here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This is a bug that’s been with us for a while, alas (r. 136655649).

No worries. I have uploaded the files under this link and made it accessible. Kindly verify the same.

https://www.icloud.com/iclouddrive/038xlfc8yNEepedQDfHLRlklg#DevForum%23779466

Thanks for that.

I spent some time today testing DevForums’s text attachment feature to work out why your previous attachments got corrupted. I now have a better understanding of the failure and know how to avoid it in the future [1]. I’ve also updated our bug about this.

However, this means that I’ve run out of time to look at your actual PKCS#12 issue )-: I’ll take a pass at that tomorrow.

I appreciate your patience here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you’re gonna post a hex dump, generate it using xxd -p rather than simply xxd.

I’ll take a pass at that tomorrow.

Bah! Friday and Monday were a complete bust, but I dug into this today.

AFAICT this is all working.

Here’s the checksums of the files in question, so you can confirm that I’m working with the right stuff:

% shasum -a 256 *.p12
4a2018a79c052341ff28b7b366bdc85605710d8a4503edcbb499cce386360b1d  legacy_certificate.p12
8c0edbdc7921bf1badc2e8dd3197083b3c07a3b55e7aac9b10cc7ee7e67b3359  modern_certificate.p12

To test this on macOS I used Keychain Access to import each digital identity into a ‘scratch’ keychain. That worked as expected, testing on macOS 15.4.

I then decided to write some code. Testing that code on iOS is easier [1], so I created a new test app and added this code to it:

func test(_ name: String) {
    let pkcs12URL = Bundle.main.url(forResource: name, withExtension: "p12")!
    let pkcs12Data = try! Data(contentsOf: pkcs12URL)
    let sha = SHA256.hash(data: pkcs12Data)
    let shaDesc = (Data(sha) as NSData).debugDescription
    print("will import")
    print("  name: \(name)")
    print("  sha: \(shaDesc)")
    print("  os: \(ProcessInfo.processInfo.operatingSystemVersionString)")

    var importedCF: CFArray? = nil
    let err = SecPKCS12Import(pkcs12Data as NSData, [
        kSecImportExportPassphrase: "export"
    ] as NSDictionary, &importedCF)
    guard
        err == errSecSuccess,
        let importedNS = importedCF as NSArray?,
        let imported = importedNS as? [[String:Any]],
        let firstImport = imported.first,
        let identityAny = firstImport[kSecImportItemIdentity as String],
        CFGetTypeID(identityAny as CFTypeRef) == SecIdentityGetTypeID()
    else {
        fatalError()
    }

    let identity = identityAny as! SecIdentity
    print("will import, identity: \(identity)")
}

I then added two buttons, each of which calls the code with one of the .p12 file names. Here’s what I saw when I ran the app in the iOS 18.4 simulator:

will import
  name: legacy_certificate
  sha: <4a2018a7 9c052341 ff28b7b3 66bdc856 05710d8a 4503edcb b499cce3 86360b1d>
  os: Version 18.4 (Build 22E238)
will import, identity: <SecIdentityRef: 0x600000224980>
will import
  name: modern_certificate
  sha: <8c0edbdc 7921bf1b adc2e8dd 3197083b 3c07a3b5 5e7aac9b 10cc7ee7 e67b3359>
  os: Version 18.4 (Build 22E238)
will import, identity: <SecIdentityRef: 0x600000224940>

The checksums align, confirming that I’m working with the right files. And each identity was imported as expected.

I’m not sure why this is failing in your setup, but it’s working for me.

Please repeat my test and see what you get at your end.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because you don’t have to worry about accidentally importing into the file-based keychain.

Thanks for the response.

I had similar observations today while trying the following:

1. When I drag and drop the p12 cert in question into login keychain and provide the password, I was able to import the cert.
2. I've written a similar sample code for macOS and tried importing the p12 cert in question. I was able to import the cert there as well.

I believe the issue comes when using the CLI command. Please verify this on your end as well.

Additional question: Will the macOS < 15 systems support the new algos in future?

I believe the issue comes when using the CLI command.

You mean the security tool? Yeah, I wouldn’t be surprised if that failed. As it dates from the dawn of Mac OS X it tends to use CDSA code paths, which means it misses out on a lot of the new stuff.

In a situation like this, where you can import your .p12 via Keychain Access but not via security tool, I recommend that you file a bug against the tool.

Please post your bug number, just for the record.

Additional question: Will the macOS &lt; 15 systems support the new algos in future?

I can’t reliably predict the future but that seems… unlikely. Historically, once macOS N ships the updates to macOS N-1 are focused on fixes for significant security problems. If you need this support on older systems I recommend that you write or acquire your own PKCS#12 parsing library.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for all the input.

Conclusion:

• From macOS 15, SecPKCS12Import API supports import for pfx certificates with modern algos (especially SHA256 for MAC in this case)

• For macOS <15, the only ways to achieve this, is to convert the pfx cert to a legacy format (sample code linked in first message) or implement your own pkcs#12 parsing algo.

Follow-up Question:

Are there any native API's (under Security.framework) that can achieve the pfx cert conversion to legacy format as done in the sample code I have shared? If so, I would highly appreciate if you can share references or sample code to achieve the same.

I recommend that you file a bug against the tool.

Please post your bug number, just for the record.

Bug filed. Ref: FB17330275

Are there any native API's … that can achieve the pfx cert conversion to legacy format as done in the sample code I have shared?

No.

Even if there were, I don’t think it’d help you because step 1 in that process is to import the PKCS#12, and doing that would fail on system prior to macOS 15 for example the same reason that SecPKCS12Import fails on such systems.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"