PKCS#12 Invalid Password

0 投票
最新提问 用户: (240 分)

I am using this OpenSSL code on the iPhone to generate a PKCS#12 file given some data of a certificate/private key. I am able to verify that this PKCS#12 is parseable on OpenSSL, since it doesn't print out an error when I check for it in the code. However, when I transfer it to my server, it says: Error: PKCS#12 MAC could not be verified. Invalid password? Does anyone know why this is? I am using the same password, which is 'password'

 - (NSData *)generateP12AsNSData:(NSData *)keyData certificate:(NSData *)certificateData {
    //put the certificateData into a X509 certificate
    const unsigned char *certificateDataBytes = (const unsigned char*)[certificateData bytes];
    X509 *certificateX509 = d2i_X509(NULL, &certificateDataBytes, [certificateData length]);

    EVP_PKEY *privateKey;
    PKCS12 *p12;
    //cast the key data as an unsigned char so that we can convert it to the OpenSSL key format
    const unsigned char *bits = (unsigned char *) [keyData bytes];
    int length = (int)[keyData length];
    privateKey = EVP_PKEY_new();

    //convert the unsigned char to OpenSSL Key format
    RSA *rsa = NULL;
    d2i_RSAPrivateKey(&rsa, &bits, &length);
    EVP_PKEY_assign_RSA(privateKey, rsa);

    //create the PKCS#12
    p12 = PKCS12_create("password", "ExtraDeviceP12", privateKey, certificateX509, NULL, 0,0,0,0,0);

    //make sure the p12 exists
    if(!p12) {
        fprintf(stderr, "Error creating PKCS#12 ");
        return nil;

    //error checking to make sure we generated the CSR correctly
    STACK_OF(X509) *ca = NULL;
    EVP_PKEY *parseKey;
    X509 *parseCert;
    if (!PKCS12_parse(p12, "password", &parseKey, &parseCert, &ca)) {
        printf("error parsing PKCS#12 file");
        return nil;

    //convert the PKCS#12 to binary data
    //create a new memory BIO. A BIO is used for basic I/O abstraction.
    BIO *bio;
    bio = BIO_new(BIO_s_mem());
    //i2d_PKCS12_bio is used to export a PKCS12 object
    i2d_PKCS12_bio(bio, p12);
    BUF_MEM *buffer;
    BIO_get_mem_ptr(bio, &buffer);

    //int bioLen = BIO_pending(&buffer);

    char *buff = (char*)malloc(buffer->length);
    memcpy(buff, buffer->data, buffer->length - 1);
    buff[buffer->length - 1] = 0;
    NSData *data = [NSData dataWithBytes:buff length:buffer->length];

    NSString *string = [data base64EncodedStringWithOptions:0];
    NSLog(@"Base64 PKCS#12: %@", string);


    return data;

EDIT: Here is the code on my server side written in Javascript. In this case req.body is the NSData sent from the iPhone. I get the invalid password error.

  var p12b64 = req.body.toString('base64');    
  var p12Der = forge.util.decode64(pk12b64);
  var p12Asn1 = forge.asn1.fromDer(p12Der);
  var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, 'password');
发表于 用户: (240 分)
Will just changing the NSData line fix the problem? Can't I encode the binary data as base64?
发表于 用户: (240 分)
It comes when I run openssl pkcs12 -in p12.p12 -nocerts -out privateKey.pem in the Shell. It asks for a password and it causes that error when putting the password. p12.p12 is a file that has the data in it. I used a different function to create it, and that works since I have tested with a different format.
发表于 用户: (240 分)
I edited the original post. What am I mishandling in the "code above" and how can it be fixed?
发表于 用户: (240 分)
That fixed it thanks. If you want, you can post an answer and I can mark it as correct.


0 投票
最新回答 用户: (2.5k 分)

Try the following. It shows you where some key return values should be checked, and it avoids extra copies of the data:

BIO *bio = BIO_new(BIO_s_mem());
ASSERT(bio != NULL);

int ret = i2d_PKCS12_bio(bio, p12);
ASSERT(ret == 1);

BUF_MEM *buffer;
BIO_get_mem_ptr(bio, &buffer);
ASSERT(buffer != NULL);

NSData *data = [NSData dataWithBytes:buffer->data length:buffer->length];

You can find the docs for i2d_PKCS12_bio at i2d_PKCS12_bio man pages.

If you want, you can Base64 encode the binary data from i2d_PKCS12_bio. See Non-printable character after generating random n-byte Base64 string for using a BIO chain and ensuring the Base64 string is NULL terminated.

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。