macOS 14.8 Keychain Import Fails for PKCS#12 Files Generated with OpenSSL 3.4.0

We recently upgraded OpenSSL from version 1.1.1 to 3.4.0. After this upgrade, we observed that PKCS#12 files generated using OpenSSL 3.4.0 fail to import into the macOS Keychain with the following error:

Failed to import PKCS#12 data: -25264 (MAC verification failed during PKCS12 import (wrong password?))

This issue is reproducible on macOS 14.8.2. The same PKCS#12 files import successfully on other macOS versions, including 15.x and 26.x.

Additionally, PKCS#12 files that fail to import on macOS 14.8 work correctly when copied and imported on other macOS versions without any errors.

PKCS#12 Creation

The PKCS#12 data is created using the following OpenSSL API:

const char* platformPKCS12SecureKey =
    _platformSecureKey.has_value() ? _platformSecureKey.value().c_str() : NULL;

/* PKCS12_create(pass, name, pkey, cert, ca, nid_key, nid_cert, iter, mac_iter, keytype).
 * Passing 0 for the last five arguments selects the library defaults, and those
 * defaults differ between OpenSSL 1.1.1 and 3.x (see the PKCS12_create man page). */
PKCS12* p12 = PKCS12_create(
    platformPKCS12SecureKey,   /* password used for bag encryption and the MAC; may be NULL */
    NULL,                      /* friendly name */
    keys,                      /* EVP_PKEY* private key */
    _cert,                     /* X509* end-entity certificate */
    NULL,                      /* STACK_OF(X509)* CA chain */
    0, 0, 0, 0, 0              /* nid_key, nid_cert, iter, mac_iter, keytype: defaults */
);

if (!p12)
{
    throw std::runtime_error("Failed to create PKCS#12 container");
}

PKCS#12 Import

The generated PKCS#12 data is imported into the macOS Keychain using the following code:

NSString *certPassKey = [NSString stringWithUTF8String:getCertPassKey()];
// kSecImportExportPassphrase must be the same password that was given to
// PKCS12_create; it is used both to decrypt the bags and to verify the MAC.
NSDictionary *options = @{
    (__bridge id)kSecImportExportPassphrase: certPassKey,
    (__bridge id)kSecAttrAccessible:
        (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    (__bridge id)kSecAttrIsExtractable: @YES,
    (__bridge id)kSecAttrIsPermanent: @YES,
    (__bridge id)kSecAttrAccessGroup: APP_GROUP
};

CFArrayRef items = NULL;
OSStatus status = SecPKCS12Import(
    (__bridge CFDataRef)pkcs12Data,
    (__bridge CFDictionaryRef)options,
    &items
);
// -25264 is errSecPkcs12VerifyFailure: the MAC over the PKCS#12 content did not verify.
if (status != errSecSuccess) {
    NSLog(@"Failed to import PKCS#12 data: %d", (int)status);
}
if (items) {
    CFRelease(items);
}
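The five zero arguments in the post's PKCS12_create call take the library defaults, and those defaults changed with the upgrade: OpenSSL 1.1.1 produced a SHA-1 MAC with pbeWithSHA1And40BitRC2-CBC (certificates) and pbeWithSHA1And3-KeyTripleDES-CBC (keys), while OpenSSL 3.x produces an HMAC-SHA256 MAC with PBES2/PBKDF2 and AES-256-CBC. The post does not establish which of these the macOS 14.8 importer objects to, so the script below is an added example (not code from the original post or from Apple or OpenSSL) that shows how to check which MAC digest and PBE algorithms a given .p12 actually uses, and how to build a file that pins the 1.1.1-era algorithms explicitly so the two can be compared against the same importer. It assumes the `openssl` command is on PATH; the password, subject name and file names are constructed values for the demo. The MAC digest is read from the DER with `openssl asn1parse` rather than from `openssl pkcs12 -info`, because the `-info` text for the MAC differs between 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires the `openssl` CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-pass"   # constructed demo password

# Constructed throw-away key and self-signed certificate for the demo.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pkcs12-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# PKCS#12 file using whatever the installed OpenSSL picks by default
# (3.x: PBES2/PBKDF2 with AES-256-CBC and an HMAC-SHA256 MAC).
p12_default() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -passout "pass:$PASS" -out "$WORK/default.p12"
    printf '%s\n' "$WORK/default.p12"
}

# PKCS#12 file that pins the OpenSSL 1.1.1-era algorithms explicitly:
# SHA-1 MAC and pbeWithSHA1And3-KeyTripleDES-CBC for both key and certificate.
# (1.1.1's RC2-40 default for certificates needs the legacy provider on 3.x,
# so 3DES, which is in the default provider, is used for both here.)
p12_legacy_algos() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$WORK/legacy.p12"
    printf '%s\n' "$WORK/legacy.p12"
}

# Digest named in the file's MacData (last OBJECT in the top-level PFX),
# e.g. "sha1" or "sha256". The AuthenticatedSafe is an opaque OCTET STRING at
# this level, so no OID from inside the encrypted bags can match.
p12_mac_digest() {
    openssl asn1parse -inform DER -in "$1" \
        | grep -o 'OBJECT *:sha[0-9]*' | tail -n 1 | sed 's/.*://'
}

# PBE algorithm(s) protecting the key bag and the certificate bag, taken from
# the "Shrouded Keybag:" and "PKCS7 Encrypted data:" lines of `pkcs12 -info`,
# which both 1.1.1 and 3.x print in the same shape.
p12_pbe_algos() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" 2>&1 \
        | grep -E '^(Shrouded Keybag|PKCS7 Encrypted data):' \
        | sed 's/^[^:]*: //; s/, Iteration.*//' | sort -u
}

make_test_identity
DEFAULT=$(p12_default)
LEGACY=$(p12_legacy_algos)
echo "default.p12: MAC=$(p12_mac_digest "$DEFAULT") PBE=$(p12_pbe_algos "$DEFAULT" | tr '\n' ';')"
echo "legacy.p12:  MAC=$(p12_mac_digest "$LEGACY") PBE=$(p12_pbe_algos "$LEGACY" | tr '\n' ';')"
```

Run the same two checks against the .p12 that fails on macOS 14.8 and against one that imports there; if the two differ only in MAC digest or PBE algorithm, that narrows the failure to the importer's algorithm support rather than the password handling. The same choice can be made in library code by passing explicit `nid_key`/`nid_cert` values to PKCS12_create instead of 0.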
