SecPKCS12Import when p12 requires an empty passphrase

I have a private key in a p12 which has an empty passphrase set. Now when I'm trying to import this private key using SecPKCS12Import on OS X or iOS, I get an error (the equivalent on Windows works).

- (NSError *)setClientIdentityCertificateFromPKCS12Data: (NSData *)PKCS12Data withPassword: (NSString *)password
{
    OSStatus securityError = errSecSuccess;

    const void *keys[] =   { kSecImportExportPassphrase };
    const void *values[] = { (__bridge CFStringRef)password };
    CFDictionaryRef optionsDictionary = NULL;

    // With a nil password the dictionary is created with zero entries,
    // i.e. without any kSecImportExportPassphrase key at all.
    optionsDictionary = CFDictionaryCreate(
                                           NULL, keys,
                                           values, (password?1:0),
                                           NULL, NULL);
    CFArrayRef items = NULL;

    securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data,
                                    optionsDictionary,
                                    &items);
    CFRelease(optionsDictionary);

    if (securityError != errSecSuccess) {
        if (items) CFRelease(items);
        // Surface the OSStatus to the caller as an NSError.
        return [NSError errorWithDomain:NSOSStatusErrorDomain
                                   code:securityError
                               userInfo:nil];
    }

    // ... on success the identity is in items[0][kSecImportItemIdentity] ...
    if (items) CFRelease(items);
    return nil;
}

I've tried different combinations when password is empty:

  • optionsDictionary = NULL
  • optionsDictionary with no values
  • optionsDictionary with @"" value for key kSecImportExportPassphrase

It always ends with securityError not equal to errSecSuccess. Respectively:

  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25264 "MAC verification failed during PKCS12 import (wrong password?)"

Now I'm OK with it not working. I understand that a p12 without a password is a security threat, but if this is the reason why it doesn't work I need some documentation which states that. I've tried to Google that without luck so far.

I've also tried to import this file into the OS X Keychain application with the same result (invalid password), so this must be a problem with SecPKCS12Import.

Or maybe there is a way to overcome this problem?

Marek R asked Sep 08 '16 13:09

2 Answers

I believe this is a defect with the Cocoa SDK, see rdar://22909471.

Unfortunately, this radar has been closed as a dupe of an existing radar. I would file an additional bug report with Apple to elevate this issue. I can think of two alternatives:

  1. Add a password to your p12 blob.

  2. Convert the certificate to DER encoding. This answer may help.

JAL answered Sep 23 '22 10:09

This seems to be fixed by now; I've tested it on iOS 10. I can use an empty string as the password for my p12. However, it seems like the kSecImportExportPassphrase is still required.

Simon answered Sep 26 '22 10:09
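As an added example (not code from the question or from either answer) of the approach Simon describes: always supply the kSecImportExportPassphrase key, substituting @"" when no password is given, then pull the identity out of the result array. CopyIdentityFromPKCS12 is a hypothetical helper name, and the example assumes an iOS 10+ SDK where an empty-string passphrase is accepted for a passphrase-less p12, as that answer reports.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Import a PKCS#12 blob and return its first identity (caller owns the
// returned reference), or NULL on failure with the OSStatus in *outStatus.
// The passphrase key is always present: a nil password becomes @"" rather
// than an absent key, since a missing key is reported as -25260
// ("Passphrase is required for import/export") regardless of the file.
static SecIdentityRef CopyIdentityFromPKCS12(NSData *pkcs12Data,
                                             NSString *password,
                                             OSStatus *outStatus)
{
    NSString *passphrase = password ?: @"";   // empty string, never a missing key
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;

    OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (outStatus) *outStatus = status;

    if (status != errSecSuccess) {
        // -25264 here means the MAC check failed: the passphrase (empty or
        // not) does not match what the p12 was exported with.
        if (items) CFRelease(items);
        return NULL;
    }

    SecIdentityRef identity = NULL;
    if (items && CFArrayGetCount(items) > 0) {
        CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
        identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
        if (identity) CFRetain(identity);   // keep it alive past the items array
    }
    if (items) CFRelease(items);
    return identity;
}

// Usage: data is the p12 contents; nil password means "try an empty passphrase".
//   OSStatus st;
//   SecIdentityRef id = CopyIdentityFromPKCS12(data, nil, &st);
//   if (id) { /* hand it to NSURLCredential etc. */ CFRelease(id); }
```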