Import private key by SecPKCS12Import when passphrase is empty

I have a private key in p12 which has empty passphrase set. Now when I'm trying to import this private key using SecPKCS12Import on OS X or iOS, I've got an error (equivalent on windows works).

#import <Foundation/Foundation.h>
#import <Security/Security.h>

- (NSError *)setClientIdentityCertificateFromPKCS12Data: (NSData *)PKCS12Data
                                           withPassword: (NSString *)password
{
     // Only pass kSecImportExportPassphrase when a password was actually supplied
     const void *keys[] = { kSecImportExportPassphrase };
     const void *values[] = { (__bridge CFStringRef)password };
     CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, (password ? 1 : 0), NULL, NULL);
     CFArrayRef items = NULL;
     OSStatus securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data, optionsDictionary, &items);
     if (optionsDictionary) CFRelease(optionsDictionary);
     if (items) CFRelease(items);   // use of the imported identity was not shown in the original post
     // Map the OSStatus (e.g. -25260, -25264) onto an NSError for the caller
     return (securityError == errSecSuccess) ? nil : [NSError errorWithDomain:NSOSStatusErrorDomain code:securityError userInfo:nil];
}

I've tried different combinations when password is empty:

  • optionsDictionary = NULL
  • optionsDictionary with no values
  • optionsDictionary with @"" value for key kSecImportExportPassphrase

It always ends with securityError not equal to errSecSuccess. Respectively:

  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25260 "Passphrase is required for import/export."
  • securityError=-25264 "MAC verification failed during PKCS12 import (wrong password?)"


Now I'm OK that it doesn't work. I understand that p12 without a password is a security threat, but if this is the reason why it doesn't work I need some documentation which states that. I've tried to google that without luck so far.

I've also tried to import this file to OS X Keychain application with the same result (invalid password), so this must be a problem with SecPKCS12Import.

Or maybe there is a way to overcome this problem?

Replies

SecPKCS12Import does not currently support importing PKCS#12 blobs with an empty password (r. 12503102). I don’t know of any good workaround for this, other than the obvious one: give the PKCS#12 blob a password.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
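The "obvious workaround" above (give the PKCS#12 blob a passphrase) as an added shell example that is not part of the thread; it assumes the openssl command-line tool is available. It re-wraps an empty-passphrase .p12 into one protected by a real passphrase, which SecPKCS12Import can then import, and includes a check that the result only opens with that passphrase.

```shell
#!/bin/sh
# Added example: re-wrap an empty-passphrase PKCS#12 bundle with a real passphrase.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

# add_pkcs12_password IN.p12 OUT.p12 NEWPASS
#   Unpacks the empty-passphrase bundle (key + certs) to a PEM in a private
#   temp dir, re-exports it protected by NEWPASS, then removes the PEM,
#   which holds the private key unencrypted.
add_pkcs12_password() {
    in_p12=$1; out_p12=$2; newpass=$3
    [ -n "$newpass" ] || { echo "new passphrase must not be empty" >&2; return 2; }
    tmpdir=$(mktemp -d)                 # mode 0700, so the unencrypted PEM is not world-readable
    trap 'rm -rf "$tmpdir"' EXIT
    # -passin pass: supplies the empty import password; -nodes writes the key unencrypted
    openssl pkcs12 -in "$in_p12" -passin pass: -nodes -out "$tmpdir/bundle.pem"
    openssl pkcs12 -export -in "$tmpdir/bundle.pem" -passout "pass:$newpass" -out "$out_p12"
    rm -rf "$tmpdir"
}

# pkcs12_opens_with FILE PASS: returns 0 if PASS unlocks FILE (MAC verifies), non-zero otherwise
pkcs12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys >/dev/null 2>&1
}
```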

Is this fact somewhere documented? I was unable to find anything in documentation about that.

I need something I can show to my cooperatives.

Is this fact somewhere documented?

I believe it’s documented by this DevForums post.

Seriously though, there’s no formal documentation for this limitation. Feel free to file a bug against the docs for not covering this case.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"