API: SecPKCS12Import; error code: -25264; error message: MAC verification failed during PKCS12 import (wrong password?)

Problem Statement:

  • Pre-requisite is to generate a PKCS#12 file using openssl 3.x or above.

  • Note: I have created a sample cert, but am unable to upload it to this thread. Let me know if there is a different way I can upload.

  • When trying to import a p12 certificate (generated using openssl 3.x) using SecPKCS12Import on macOS (tried on Ventura, Sonoma, Sequoia).

  • It is failing with the error code: -25264 and error message: MAC verification failed during PKCS12 import (wrong password?).

  • I have tried importing in multiple ways through,

    • Security Framework API (SecPKCS12Import)
    • CLI (security import <cert_name> -k ~/Library/Keychains/login.keychain -P "<password>")
    • Drag and drop in to the Keychain Application
  • All of them fail to import the p12 cert.

RCA:

  • The issue seems to be due to the difference in the MAC algorithm.
  • The MAC algorithm used in the modern certs (by OpenSSL 3) is SHA-256, which is not supported by Apple's Security Framework. The keychain seems to be expecting the MAC algorithm to be SHA-1.

Workaround:

  • The current workaround is to convert the modern p12 cert to a legacy format (using openssl legacy provider which uses openssl 1.1.x consisting of insecure algorithms) which the SecPKCS12Import API understands.
  • I have created a sample code using references from another similar thread (https://developer.apple.com/forums/thread/723242) from 2023.
  • The steps to compile and execute the sample are mentioned in the same file.
  • PFA the sample code by the name “pkcs12_modern_to_legacy_converter.cpp”.
  • Also PFA a sample certificate which will help reproduce the issue by the name “modern_certificate.p12” whose password is “export”.

Questions:

  1. Is there a fix for this issue? If yes, pls guide me through it; else, is it expected to be fixed in future releases?
  2. Is there a different way to import the p12 cert which is resistant to the issue?
  3. This issue also poses a security concern about using outdated cryptographic algorithms. Kindly share your thoughts.

// Author: L V K Subhash Rayudu Battina
// Date: 2025-04-03
// Description: Converts a modern pkcs12 cert to a legacy format and writes it to a file
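// Pre-requisites: Ensure your system's openssl version is 3.0 or above
// Steps to compile: g++ -o pkcs12_converter pkcs12_modern_to_legacy_converter.cpp -lcrypto -L/opt/homebrew/opt/openssl@3/lib -I/opt/homebrew/opt/openssl@3/include
// Steps to execute: ./pkcs12_converter <input_p12_path> <output_p12_path> <passphrase>

#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iostream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <vector>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
#include <openssl/x509.h>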

// Static global variables for OpenSSL providers
static OSSL_PROVIDER* legacyProvider = nullptr;
static OSSL_PROVIDER* defaultProvider = nullptr;

// Cleanup function to unload OpenSSL providers
static void cleanupOpenSSL() {
    if (legacyProvider) OSSL_PROVIDER_unload(legacyProvider);
    if (defaultProvider) OSSL_PROVIDER_unload(defaultProvider);
}

// Function to initialize OpenSSL and load providers
void initializeOpenSSL() {
    std::cout << "[INFO] Initializing OpenSSL..." << std::endl;

    // Check OpenSSL version compatibility
    if (OpenSSL_version_num() < 0x30000000L) {
        throw std::runtime_error("OpenSSL 3.0 or later is required to load the legacy provider");
    }

    // Load the legacy provider
    std::cout << "[INFO] Loading legacy provider..." << std::endl;
    legacyProvider = OSSL_PROVIDER_load(NULL, "legacy");
    if (!legacyProvider) {
        std::cerr << "[ERROR] Failed to load legacy provider. Ensure OpenSSL is configured correctly." << std::endl;
        throw std::runtime_error("Failed to load legacy provider");
    }

    // Load the default provider
    std::cout << "[INFO] Loading default provider..." << std::endl;
    defaultProvider = OSSL_PROVIDER_load(NULL, "default");
    if (!defaultProvider) {
        std::cerr << "[ERROR] Failed to load default provider. Ensure OpenSSL is configured correctly." << std::endl;
        throw std::runtime_error("Failed to load default provider");
    }

    // Unload providers at program exit to prevent resource leaks
    atexit(cleanupOpenSSL);

    std::cout << "[INFO] OpenSSL initialized with legacy and default providers loaded." << std::endl;
}

// Function to read a file into a vector of bytes
std::vector<unsigned char> readFile(const std::string& filePath) {
    std::cout << "[INFO] Reading file: " << filePath << std::endl;
    std::ifstream file(filePath, std::ios::binary);
    if (!file) {
        throw std::runtime_error("Failed to open file: " + filePath);
    }
    std::vector<unsigned char> data((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
    std::cout << "[INFO] Successfully read " << data.size() << " bytes from file: " << filePath << std::endl;
    return data;
}

// Function to write a vector of bytes to a file
void writeFile(const std::string& filePath, const std::vector<unsigned char>& data) {
    std::cout << "[INFO] Writing to file: " << filePath << std::endl;
    std::ofstream file(filePath, std::ios::binary);
    if (!file) {
        throw std::runtime_error("Failed to write to file: " + filePath);
    }
    file.write(reinterpret_cast<const char*>(data.data()), data.size());
    std::cout << "[INFO] Successfully wrote " << data.size() << " bytes to file: " << filePath << std::endl;
}

// Function to validate a PKCS#12 file
void validatePKCS12(const std::vector<unsigned char>& pkcs12Data, const std::string& passphrase) {
    // Do not echo the passphrase itself into the log output
    std::cout << "[INFO] Validating PKCS#12 file with the supplied passphrase..." << std::endl;
    BIO* bio = BIO_new_mem_buf(pkcs12Data.data(), pkcs12Data.size());
    if (!bio) {
        throw std::runtime_error("Failed to create BIO for PKCS#12 data");
    }

    PKCS12* pkcs12 = d2i_PKCS12_bio(bio, nullptr);
    BIO_free(bio);
    if (!pkcs12) {
        throw std::runtime_error("Failed to parse PKCS#12 data");
    }

    EVP_PKEY* privateKey = nullptr;
    X509* certificate = nullptr;
    STACK_OF(X509)* caChain = nullptr;

    if (!PKCS12_parse(pkcs12, passphrase.c_str(), &privateKey, &certificate, &caChain)) {
        PKCS12_free(pkcs12);
        throw std::runtime_error("Failed to validate PKCS#12 with the provided passphrase");
    }

    std::cout << "[INFO] PKCS#12 file validated successfully." << std::endl;

    PKCS12_free(pkcs12);
    EVP_PKEY_free(privateKey);
    X509_free(certificate);
    sk_X509_pop_free(caChain, X509_free);
}

// Function to create a new PKCS#12 file with specific encryption algorithms
std::vector<unsigned char> createPKCS12fromPKCS12(const std::vector<unsigned char>& inputData, const std::string& passphrase) {
    std::cout << "[INFO] Creating new PKCS#12 file from input data..." << std::endl;

    // Parse the original PKCS#12 file
    std::cout << "[INFO] Parsing original PKCS#12 file..." << std::endl;
    BIO* bp = BIO_new_mem_buf(inputData.data(), (int)inputData.size());
    if (!bp) {
        throw std::runtime_error("Failed to create BIO for input data");
    }

    PKCS12* originalPKCS12 = NULL;
    d2i_PKCS12_bio(bp, &originalPKCS12);
    BIO_free(bp);
    if (!originalPKCS12) {
        throw std::runtime_error("Failed to parse PKCS#12 data");
    }

    EVP_PKEY* privateKey = nullptr;
    X509* x509 = nullptr;
    STACK_OF(X509)* caChain = NULL;

    if (!PKCS12_parse(originalPKCS12, passphrase.c_str(), &privateKey, &x509, &caChain)) {
        PKCS12_free(originalPKCS12);
        throw std::runtime_error("Failed to parse PKCS#12 with the original passphrase");
    }
    PKCS12_free(originalPKCS12);

    std::cout << "[INFO] Successfully parsed original PKCS#12 file." << std::endl;

    // Create a new PKCS#12 structure with the legacy PBE algorithms
    // (3DES for the key, 40-bit RC2 for the certificates); mac_iter = -1
    // omits the default MAC so that a SHA-1 MAC can be set explicitly below.
    std::cout << "[INFO] Creating new PKCS#12 structure..." << std::endl;
    PKCS12* newPKCS12 = PKCS12_create_ex(
        passphrase.c_str(), "SampleCert", privateKey, x509,
        caChain, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
        NID_pbe_WithSHA1And40BitRC2_CBC,
        PKCS12_DEFAULT_ITER, -1, 0, nullptr, nullptr
    );
    if (!newPKCS12) {
        EVP_PKEY_free(privateKey);
        X509_free(x509);
        sk_X509_pop_free(caChain, X509_free);
        std::cerr << "[ERROR] Failed to create P12." << std::endl;
        throw std::runtime_error("Failed to create new PKCS#12 structure");
    }

    // Use SHA-1 as the MAC algorithm; stop here if the MAC cannot be set
    // instead of serializing a file without one
    if (PKCS12_set_mac(newPKCS12, passphrase.c_str(), static_cast<int>(passphrase.size()),
                       nullptr, 0, 1, EVP_sha1()) != 1) {
        PKCS12_free(newPKCS12);
        EVP_PKEY_free(privateKey);
        X509_free(x509);
        sk_X509_pop_free(caChain, X509_free);
        std::cerr << "[ERROR] Failed to add P12 MAC." << std::endl;
        throw std::runtime_error("Failed to set SHA-1 MAC on new PKCS#12 structure");
    }

    // Serialize the new PKCS#12 structure to memory
    std::cout << "[INFO] Serializing new PKCS#12 structure..." << std::endl;
    BIO* outputBio = BIO_new(BIO_s_mem());
    if (!i2d_PKCS12_bio(outputBio, newPKCS12)) {
        PKCS12_free(newPKCS12);
        BIO_free(outputBio);
        EVP_PKEY_free(privateKey);
        X509_free(x509);
        sk_X509_pop_free(caChain, X509_free);
        throw std::runtime_error("Failed to serialize new PKCS#12 structure");
    }
    PKCS12_free(newPKCS12);

    char* outputData = nullptr;
    long outputLength = BIO_get_mem_data(outputBio, &outputData);
    std::vector<unsigned char> result(outputData, outputData + outputLength);
    BIO_free(outputBio);

    std::cout << "[INFO] Successfully created new PKCS#12 file." << std::endl;

    // Free resources
    EVP_PKEY_free(privateKey);
    X509_free(x509);
    sk_X509_pop_free(caChain, X509_free);

    return result;
}

int GeneratePKCS12(char* passPhrase, char* friendlyName, EVP_PKEY* privateKey,
    X509* cert, STACK_OF(X509)* caCerts, char** outPKCS12, int* outPKCS12Len)
{
    // Load the legacy provider
    OSSL_PROVIDER* legacy = OSSL_PROVIDER_load(nullptr, "legacy");
    OSSL_PROVIDER* defaultProvider = OSSL_PROVIDER_load(nullptr, "default");

    if (legacy != nullptr) {
        PKCS12* p12OutCert = PKCS12_create_ex(
            passPhrase, friendlyName, privateKey, cert,
            caCerts, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
            NID_pbe_WithSHA1And40BitRC2_CBC,
            PKCS12_DEFAULT_ITER, -1, 0, nullptr, nullptr
        );

        if (p12OutCert) {
            const char* pswd = passPhrase;
            if (PKCS12_set_mac(p12OutCert, pswd, strlen(pswd), nullptr, 0, 1, EVP_sha1()) == 1) {
                int nP12Len = 0;
                BIO* outBioP12 = BIO_new(BIO_s_mem());
                i2d_PKCS12_bio(outBioP12, p12OutCert);
                nP12Len = BIO_pending(outBioP12);

                *outPKCS12 = static_cast<char*>(calloc(1, nP12Len + 1));
                if (*outPKCS12) {
                    BIO_read(outBioP12, *outPKCS12, nP12Len);
                    *outPKCS12Len = nP12Len;
                } else {
                    std::cerr << "[ERROR] Memory allocation failed for outPKCS12." << std::endl;
                }

                BIO_free(outBioP12);
            } else {
                std::cerr << "[ERROR] Failed to add P12 MAC." << std::endl;
            }

            PKCS12_free(p12OutCert);
        } else {
            std::cerr << "[ERROR] Failed to create P12." << std::endl;
        }

        OSSL_PROVIDER_unload(legacy);
        OSSL_PROVIDER_unload(defaultProvider);
    } else {
        char buf[256];
        unsigned long err = ERR_get_error();
        ERR_error_string_n(err, buf, sizeof(buf));
        std::cerr << "[ERROR] Failed to load provider - " << buf << std::endl;
    }

    return 0;
}

int main(int argc, char* argv[]) {
    if (argc != 4) {
        std::cerr << "[ERROR] Usage: " << argv[0] << " <input_p12_path> <output_p12_path> <passphrase>" << std::endl;
        return 1;
    }

    const std::string inputFilePath = argv[1];
    const std::string outputFilePath = argv[2];
    const std::string passphrase = argv[3];

    try {
        std::cout << "[INFO] Starting PKCS#12 processing..." << std::endl;

        initializeOpenSSL();

        // Read the input PKCS#12 file
        std::vector<unsigned char> inputData = readFile(inputFilePath);

        // Validate the original PKCS#12 file
        validatePKCS12(inputData, passphrase);

        // Create a new PKCS#12 file with the new passphrase
        std::vector<unsigned char> outputData = createPKCS12fromPKCS12(inputData, passphrase);

        // Validate the modified PKCS#12 file
        validatePKCS12(outputData, passphrase);

        // Write the modified PKCS#12 file to disk
        writeFile(outputFilePath, outputData);

        std::cout << "[INFO] Successfully created new PKCS#12 file: " << outputFilePath << std::endl;
    } catch (const std::exception& ex) {
        std::cerr << "[ERROR] " << ex.what() << std::endl;
        return 1;
    }

    return 0;
}
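
The RCA in the post above turns on which digest the file's MacData names. As an added example (not part of the original post or its attachment), this standard-library-only DER reader reports that digest for a PKCS#12 blob, so a file can be checked before an import is attempted. The sample byte arrays are constructed, not real key stores, and all function names here are illustrative.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct Tlv {
    size_t start, len;  // offset of the first content byte, content length
    size_t end() const { return start + len; }
};

// Read one definite-length DER element at `pos`, confined to [pos, limit).
static Tlv readTlv(const Bytes& d, size_t pos, size_t limit, uint8_t wantTag) {
    if (limit > d.size() || pos > limit || limit - pos < 2) throw std::runtime_error("truncated element");
    if (d[pos] != wantTag) throw std::runtime_error("unexpected tag");
    size_t i = pos + 1;
    size_t len = d[i++];
    if (len & 0x80) {  // long form: low 7 bits = number of length bytes
        size_t n = len & 0x7F;
        if (n == 0 || n > 4 || n > limit - i) throw std::runtime_error("bad length");
        len = 0;
        while (n--) len = (len << 8) | d[i++];
    }
    if (len > limit - i) throw std::runtime_error("element overruns its container");
    return Tlv{i, len};
}

// Decode the content bytes of an OBJECT IDENTIFIER into dotted notation.
static std::string oidToString(const Bytes& d, const Tlv& t) {
    std::string out;
    uint64_t v = 0;
    for (size_t i = t.start; i < t.end(); ++i) {
        v = (v << 7) | (d[i] & 0x7F);
        if (d[i] & 0x80) continue;  // more base-128 digits follow
        if (out.empty()) {          // first sub-identifier packs two arcs
            uint64_t a = v < 40 ? 0 : (v < 80 ? 1 : 2);
            out = std::to_string(a) + "." + std::to_string(v - 40 * a);
        } else {
            out += "." + std::to_string(v);
        }
        v = 0;
    }
    return out;
}

// Dotted OID of PFX.macData.mac.digestAlgorithm, or "" when MacData is absent.
std::string macDigestOid(const Bytes& pfx) {
    Tlv outer = readTlv(pfx, 0, pfx.size(), 0x30);                  // PFX SEQUENCE
    Tlv version = readTlv(pfx, outer.start, outer.end(), 0x02);     // INTEGER 3
    Tlv authSafe = readTlv(pfx, version.end(), outer.end(), 0x30);  // ContentInfo
    if (authSafe.end() == outer.end()) return "";                   // MacData is OPTIONAL
    Tlv macData = readTlv(pfx, authSafe.end(), outer.end(), 0x30);
    Tlv digestInfo = readTlv(pfx, macData.start, macData.end(), 0x30);
    Tlv algId = readTlv(pfx, digestInfo.start, digestInfo.end(), 0x30);
    return oidToString(pfx, readTlv(pfx, algId.start, algId.end(), 0x06));
}

// Human-readable result; malformed input is reported, not propagated.
std::string describeMac(const Bytes& pfx) {
    try {
        const std::string oid = macDigestOid(pfx);
        if (oid.empty()) return "none";
        if (oid == "1.3.14.3.2.26") return "SHA-1";
        if (oid == "2.16.840.1.101.3.4.2.1") return "SHA-256";
        return "unknown (" + oid + ")";
    } catch (const std::runtime_error& e) {
        return std::string("error: ") + e.what();
    }
}

// Constructed sample (not a real key store): version 3, an empty authSafe,
// then the supplied MacData bytes.
static Bytes samplePfx(const Bytes& macData) {
    Bytes body = {0x02, 0x01, 0x03,                                      // version
                  0x30, 0x11, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,  // ContentInfo, id-data
                  0x0d, 0x01, 0x07, 0x01, 0xa0, 0x04, 0x04, 0x02, 0x30, 0x00};
    body.insert(body.end(), macData.begin(), macData.end());
    Bytes pfx = {0x30, static_cast<uint8_t>(body.size())};
    pfx.insert(pfx.end(), body.begin(), body.end());
    return pfx;
}

// Constructed MacData values: AlgorithmIdentifier, 4-byte dummy digest, salt, iterations.
static const Bytes kMacSha256 = {0x30, 0x21, 0x30, 0x15, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x04, 0x01, 0x02, 0x03, 0x04, 0x02, 0x02, 0x08, 0x00};
static const Bytes kMacSha1 = {0x30, 0x1d, 0x30, 0x11, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02,
    0x1a, 0x05, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x04, 0x01, 0x02, 0x03, 0x04, 0x02, 0x02, 0x08, 0x00};

int main(int argc, char* argv[]) {
    if (argc == 2) {  // inspect a file given on the command line
        std::ifstream in(argv[1], std::ios::binary);
        Bytes data((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
        std::cout << argv[1] << ": MAC digest " << describeMac(data) << "\n";
    } else {
        std::cout << "constructed SHA-256 sample: " << describeMac(samplePfx(kMacSha256)) << "\n"
                  << "constructed SHA-1 sample:   " << describeMac(samplePfx(kMacSha1)) << "\n";
    }
    return 0;
}
```
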
Answered by DTS Engineer in 833152022

I need to clarify your goals here. You wrote:

Written by lvksubhash in 779466021
Pre-requisite is to generate a PKCS#12 file using openssl 3.x or above.

I presume that you have the additional constraint of without enabling legacy mode.

Written by lvksubhash in 779466021
using SecPKCS12Import on macOS (tried on [macOS 13], [macOS 14], [macOS 15]).

Is macOS 13 your minimum deployment target? If so, there’s no way to achieve your goal. macOS 15 introduced support for a bunch of new algorithms that should allow you to import modern OpenSSL PKCS#12 files. See this thread for details [1].

So, you have a choice. If you need to support systems prior to macOS 15 then you’ll need to find some other way to import your digital identity. You could either change your import format — for an example of that, see Importing a PEM-based RSA Private Key and its Certificate — or write or acquire your own PKCS#12 code.

OTOH, if you’re happy with only supporting macOS 15 and later, we can look at why your OpenSSL stuff isn’t working.


Written by lvksubhash in 833120022
I couldn't upload the sample p12 cert. Let me know if there is a way to do so. Thanks.

For small stuff like that I generally recommend that folks attach a text file containing a hex dump. Or you can upload it elsewhere and post a link. If you do the latter, see tip 14 in Quinn’s Top Ten DevForums Tips.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] It’s about iOS 18, but the comments there also apply to macOS 18 and other aligned releases.

I couldn't upload the sample p12 cert. Let me know if there is a way to do so. Thanks.

Written by DTS Engineer in 833152022
macOS 15 introduced support for a bunch of new algorithms that should allow you to import modern OpenSSL PKCS#12 files. See this thread for details [1].

I'm unable to import the p12 cert with latest algos using security CLI on macOS 15.

$sw_vers
ProductName: macOS
ProductVersion: 15.4
BuildVersion: 24E5238a
$security import ~/Downloads/modern_certificate.p12 -k ~/Library/Keychains/login.keychain -P "export"
security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)
$security import ~/Downloads/legacy_certificate.p12 -k ~/Library/Keychains/login.keychain -P "export"
1 identity imported.

Here,

"modern_certificate.p12" consists of the latest algos and,

"legacy_certificate.p12" was regenerated from "modern_certificate.p12" with legacy algos.

PFA, the hexdump for both the p12 certificates.

00000730: 54d7 77da df82 e52f 3eff c5a7 767d 3a03  T.w..../>...v}:.
00000740: 5720 e932 9886 2523 6925 489f 8457 2093  W .2..%#i%H..W .
00000750: 7cdb d0d0 b95f 6db9 4d4f bc05 b43b 1d82  |...._m.MO...;..
00000760: adf3 edae 2d38 e41a 25fb 8e0e cb43 be70  ....-8..%....C.p
00000770: 4adc 869d c227 8331 7756 9b24 ff0e cc88  J....'.1wV.$....
00000780: cc81 774e c284 10c1 5311 9330 32fc 59dd  ..**....S..02.Y.
00000790: fde7 d6f5 1677 cc63 d833 0851 a353 3126  .....w.c.3.Q.S1&
000007a0: 44b9 065c 7194 77d7 f368 5ad6 2601 1925  D..\q.w..hZ.&..%
000007b0: 804e bc07 68b5 94ed 86f6 9967 0ac1 ca7e  .N..h......g...~
000007c0: e054 2c6a d310 b556 12fc abd5 0cd4 34b8  .T,j...V......4.
000007d0: 22e8 868d bda8 940e 0938 49b8 7eba 9f30  "........8I.~..0
000007e0: 8bbe 95e2 09a4 388c 834c f9a7 e8d6 a856  ......8..L.....V
000007f0: b9ac d49f 31ea ad3f 43d0 dbe8 7d33 bb43  ....1..?C...}3.C
00000800: 48d0 d9f5 c7aa d9e2 68af 13cf 4a7e 1076  H.......h...J~.v
00000810: a509 8e04 22c2 a226 e49b 807b c6e7 a5b1  ...."..&...{....
00000820: f7dd 7fc9 1d65 1c4b 844e c7db 4384 e83a  .....e.K.N..C..:
00000830: 2b77 ac5a 2445 d0c4 b050 8fbd 56cf f15d  +w.Z$E...P..V..]
00000840: 9c63 e4f5 f690 7c0d b5e7 6de5 30ce 1950  .c....|...m.0..P
00000850: d64a 6a57 1ba8 e73d 3914 1456 5088 3da2  .JjW...=9..VP.=.
00000860: e1c7 eef9 c379 5478 7d87 3f8a 9cf7 dc18  .....yTx}.?.....
00000870: 6f26 05a3 4590 baec 24aa 5244 2f3c 138b  o&..E...$.RD/<..
00000880: 5f38 7ded dfdb ed8c b088 261e fdc4 e7d9  _8}.......&.....
00000890: 5108 76d9 a3aa 3236 190e 2683 c5f3 da03  Q.v...26..&.....
000008a0: 5fb6 baae d386 d145 02cf b91b 2c95 37ce  _......E....,.7.
000008b0: 77e8 37b7 73ef 0ffc 7cc8 f367 da56 1745  w.7.s...|..g.V.E
000008c0: e8db 4cbd b43d 5d6e 3e42 8391 3ad9 caf1  ..L..=]n>B..:...
000008d0: e937 fff9 42a1 35f3 5c40 7374 b4e3 0fbd  .7..B.5.\@st....
000008e0: 278d f4e0 9d90 a170 7ef3 e531 4a30 2306  '......p~..1J0#.
000008f0: 092a 8648 86f7 0d01 0914 3116 1e14 0053  .*.H......1....S
00000900: 0061 006d 0070 006c 0065 0043 0065 0072  .a.m.p.l.e.C.e.r
00000910: 0074 3023 0609 2a86 4886 f70d 0109 1531  .t0#..*.H......1
00000920: 1604 1453 6dcd 9e7e 477d 1762 9661 39f1  ...Sm..~G}.b.a9.
00000930: 6809 897b 493a b730 2d30 2130 0906 052b  h..{I:.0-0!0...+
00000940: 0e03 021a 0500 0414 2771 5484 4c96 5988  ........'qT.L.Y.
00000950: 3b18 71e0 368b b291 03a2 8c20 0408 bc2c  ;.q.6...... ...,
00000960: f56d b98a f627                           .m...'

Thanks for those examples.

Unfortunately they seem to have been munged by the DevForums platform )-: [1] Can you try copying out the text yourself to see if it accurately reflects what you posted?

If not, that confirms that your post has been affected by this bug, and my next suggestion is that you upload the data somewhere and then post a URL to it.

I apologise for the runaround here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This is a bug that’s been with us for a while, alas (r. 136655649).

No worries. I have uploaded the files under this link and made it accessible. Kindly verify the same.

https://www.icloud.com/iclouddrive/038xlfc8yNEepedQDfHLRlklg#DevForum%23779466

Thanks for that.

I spent some time today testing DevForums’s text attachment feature to work out why your previous attachments got corrupted. I now have a better understanding of the failure and know how to avoid it in the future [1]. I’ve also updated our bug about this.

However, this means that I’ve run out of time to look at your actual PKCS#12 issue )-: I’ll take a pass at that tomorrow.

I appreciate your patience here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you’re gonna post a hex dump, generate it using xxd -p rather than simply xxd.

Written by DTS Engineer in 834420022
I’ll take a pass at that tomorrow.

Bah! Friday and Monday were a complete bust, but I dug into this today.

AFAICT this is all working.

Here’s the checksums of the files in question, so you can confirm that I’m working with the right stuff:

% shasum -a 256 *.p12
4a2018a79c052341ff28b7b366bdc85605710d8a4503edcbb499cce386360b1d legacy_certificate.p12
8c0edbdc7921bf1badc2e8dd3197083b3c07a3b55e7aac9b10cc7ee7e67b3359 modern_certificate.p12

To test this on macOS I used Keychain Access to import each digital identity into a ‘scratch’ keychain. That worked as expected, testing on macOS 15.4.

I then decided to write some code. Testing that code on iOS is easier [1], so I created a new test app and added this code to it:

import CryptoKit
import Foundation
import Security

func test(_ name: String) {
    let pkcs12URL = Bundle.main.url(forResource: name, withExtension: "p12")!
    let pkcs12Data = try! Data(contentsOf: pkcs12URL)
    // Log the file's SHA-256 so it can be compared against the shasum output.
    let sha = SHA256.hash(data: pkcs12Data)
    let shaDesc = (Data(sha) as NSData).debugDescription
    print("will import")
    print(" name: \(name)")
    print(" sha: \(shaDesc)")
    print(" os: \(ProcessInfo.processInfo.operatingSystemVersionString)")
    var importedCF: CFArray? = nil
    let err = SecPKCS12Import(pkcs12Data as NSData, [
        kSecImportExportPassphrase: "export"
    ] as NSDictionary, &importedCF)
    // Require success and a SecIdentity in the first imported item.
    guard
        err == errSecSuccess,
        let importedNS = importedCF as NSArray?,
        let imported = importedNS as? [[String:Any]],
        let firstImport = imported.first,
        let identityAny = firstImport[kSecImportItemIdentity as String],
        CFGetTypeID(identityAny as CFTypeRef) == SecIdentityGetTypeID()
    else {
        fatalError()
    }
    let identity = identityAny as! SecIdentity
    print("will import, identity: \(identity)")
}

I then added two buttons, each of which calls the code with one of the .p12 file names. Here’s what I saw when I ran the app in the iOS 18.4 simulator:

will import
name: legacy_certificate
sha: <4a2018a7 9c052341 ff28b7b3 66bdc856 05710d8a 4503edcb b499cce3 86360b1d>
os: Version 18.4 (Build 22E238)
will import, identity: <SecIdentityRef: 0x600000224980>
will import
name: modern_certificate
sha: <8c0edbdc 7921bf1b adc2e8dd 3197083b 3c07a3b5 5e7aac9b 10cc7ee7 e67b3359>
os: Version 18.4 (Build 22E238)
will import, identity: <SecIdentityRef: 0x600000224940>

The checksums align, confirming that I’m working with the right files. And each identity was imported as expected.

I’m not sure why this is failing in your setup, but it’s working for me.

Please repeat my test and see what you get at your end.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Because you don’t have to worry about accidentally importing into the file-based keychain.

Thanks for the response.

I had similar observations today while trying the following:

  1. When I drag and drop the p12 cert in question into login keychain and provide the password, I was able to import the cert.
  2. I've written a similar sample code for macOS and tried importing the p12 cert in question. I was able to import the cert there as well.

I believe the issue comes when using the CLI command. Please verify this on your end as well.

Additional question: Will the macOS < 15 systems support the new algos in future?

Written by lvksubhash in 835238022
I believe the issue comes when using the CLI command.

You mean the security tool? Yeah, I wouldn’t be surprised if that failed. As it dates from the dawn of Mac OS X it tends to use CDSA code paths, which means it misses out on a lot of the new stuff.

In a situation like this, where you can import your .p12 via Keychain Access but not via security tool, I recommend that you file a bug against the tool.

Please post your bug number, just for the record.

Written by lvksubhash in 835238022
Additional question: Will the macOS < 15 systems support the new algos in future?

I can’t reliably predict the future but that seems… unlikely. Historically, once macOS N ships the updates to macOS N-1 are focused on fixes for significant security problems. If you need this support on older systems I recommend that you write or acquire your own PKCS#12 parsing library.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
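The MAC digest a .p12 declares, which the original post identifies as the difference between the modern and legacy files, sits in the unencrypted MacData header (RFC 7292) and can be read without the password. The sketch below is an added example, not code from anyone in this thread; it assumes definite-length DER input, the function names are hypothetical, and the sample PFX bytes are constructed skeletons rather than real identities.

```python
# DER-encoded OID content bytes -> digest name
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "SHA-1",
               bytes.fromhex("608648016503040201"): "SHA-256"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pkcs12_mac_info(der):
    """Return (digest, salt_len, iterations), or None when the PFX has no MacData."""
    tag, pfx, _ = read_tlv(der, 0)
    fields = children(pfx) if tag == 0x30 else []
    if len(fields) < 2 or fields[0] != (0x02, b"\x03"):
        raise ValueError("not a PKCS#12 v3 PFX")
    if len(fields) < 3:
        return None
    mac = children(fields[2][1])  # DigestInfo, macSalt, optional iterations
    oid = children(children(mac[0][1])[0][1])[0][1]  # AlgorithmIdentifier OID
    iterations = int.from_bytes(mac[2][1], "big") if len(mac) > 2 else 1
    return DIGEST_OIDS.get(oid, "OID " + oid.hex()), len(mac[1][1]), iterations

def constructed_sample(oid, digest_len):
    """Constructed PFX skeleton (empty authSafe, zeroed MAC and salt)."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    alg = seq(b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00")
    mac = seq(seq(alg + b"\x04" + bytes([digest_len]) + bytes(digest_len))
              + b"\x04\x08" + bytes(8) + b"\x02\x02\x08\x00")
    auth = seq(bytes.fromhex("06092a864886f70d010701a0020400"))
    return seq(b"\x02\x01\x03" + auth + mac)
```

To inspect a real file, pass its bytes to `pkcs12_mac_info`, for example `pkcs12_mac_info(open(path, "rb").read())`; a digest reported as a raw OID is one the lookup table does not list.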
