
PKCS12 Identity [mac verify failure] on legacy format #274

Open
641i130 opened this issue Jun 28, 2023 · 3 comments

641i130 commented Jun 28, 2023

mac verify failure

I'm struggling to get legacy PKCS12 pfx files to work on a server emulator I'm working on (check my repos for more details if you're interested).

I'm restricted to use a certain PFX file due to a client requirement.

Error:

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Normal(ErrorStack([Error { code: 621174887, library: "DSO support routines", function: "dlfcn_load", reason: "could not load the shared library", file: "crypto/dso/dso_dlfcn.c", line: 118, data: "filename(libproviders.so): libproviders.so: cannot open shared object file: No such file or directory" }, Error { code: 621215847, library: "DSO support routines", function: "DSO_load", reason: "could not load the shared library", file: "crypto/dso/dso_lib.c", line: 162 }, Error { code: 235360366, library: "configuration file routines", function: "module_load_dso", reason: "error loading dso", file: "crypto/conf/conf_mod.c", line: 224, data: "module=providers, path=providers" }, Error { code: 235364465, library: "configuration file routines", function: "module_run", reason: "unknown module name", file: "crypto/conf/conf_mod.c", line: 165, data: "module=providers" }, Error { code: 587718764, library: "PKCS12 routines", function: "PKCS12_verify_mac", reason: "mac absent", file: "crypto/pkcs12/p12_mutl.c", line: 157 }, Error { code: 587686001, library: "PKCS12 routines", function: "PKCS12_parse", reason: "mac verify failure", file: "crypto/pkcs12/p12_kiss.c", line: 70 }]))', src/main.rs:20:61
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Code:

use native_tls::{Identity, TlsAcceptor, TlsStream};
use std::fs::File;
use std::io::Read;
use std::io::{prelude::*, BufReader};
use std::net::{TcpListener, TcpStream};
use std::sync::Arc;
use std::thread;

fn handle_connection(mut stream: TlsStream<TcpStream>) {
    let buf_reader = BufReader::new(&mut stream);
    let http_request: Vec<_> = buf_reader.lines().map(|result| result.unwrap()).take_while(|line| !line.is_empty()).collect();

    println!("Request: {:#?}", http_request);
}

fn main() {
    let mut file = File::open("root.pfx").unwrap();
    let mut identity = vec![];
    file.read_to_end(&mut identity).unwrap();
    let identity = Identity::from_pkcs12(&identity, "").unwrap();

    let listener = TcpListener::bind("0.0.0.0:8443").unwrap();
    let acceptor = TlsAcceptor::new(identity).unwrap();
    let acceptor = Arc::new(acceptor);

    for stream in listener.incoming() {
        match stream {
            Ok(stream) => {
                let acceptor = acceptor.clone();
                thread::spawn(move || {
                    let stream = acceptor.accept(stream).unwrap();
                    handle_connection(stream);
                });
            }
            Err(_e) => { /* connection failed */ }
        }
    }
}

Cargo.toml

[package]
name = "pfx-example"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
actix-files = "0.6.2"
actix-web = { features = ["rustls"] }
env_logger = "0.10.0"
log = "0.4.17"
native-tls = "0.2.11"
rustls = "0.20.2"
rustls-pemfile = "1"

Here are the commands I use to generate the certificates:

# Generate certificate
openssl req -newkey rsa:2048 -nodes -keyout root.key -x509 -days 3650 -out root.crt -subj "/CN=Root Cert"
# Put into legacy PFX format for client
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey root.key -in root.crt -out root.pfx

Any help, tips, or anything would be greatly appreciated. I'm hitting my head on the wall at this point. I've tried many different crates, and this one seemed to be the lowest level.

Please note the password I use when exporting to .pfx format is "" (nothing).

@sfackler (Owner) commented

That looks like an issue with your OpenSSL installation - libproviders.so is part of OpenSSL 3.x and should be present on your system.


641i130 commented Jun 28, 2023

pacman -Qi openssl
Name            : openssl
Version         : 3.1.1-1
Description     : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture    : x86_64
URL             : https://www.openssl.org
Licenses        : Apache
Groups          : None
Provides        : libcrypto.so=3-64  libssl.so=3-64
Depends On      : glibc
Optional Deps   : ca-certificates [installed]
                  perl [installed]
Required By     : bind  capnproto  coreutils  cryptsetup  curl  dotnet-runtime  dotnet-runtime-6.0
                  efitools  elinks  git  gst-plugins-bad  guile1.8  i2pd  john  kmod  ldns  lib32-openssl
                  libarchive  libevent  libgit2  libimobiledevice  libsasl  libshout  libssh  libssh2
                  libtpms  libvncserver  libwebsockets  libzip  lynx  minizip-ng  mixxx  mtxclient  neon
                  nginx  nmap  nodejs  ntp  openssh  openvpn  opusfile  ostree  pkcs11-helper  polyphone
                  ppp  python  qpdf  rsync  ruby  s-nail  socat  spice-gtk  sqlcipher  srt  sudo  swtpm
                  systemd  telegram-desktop  tensorflow  testdisk  tpm2-tss  vpnc  w3m  wpa_supplicant
                  x11vnc  xmlsec
Optional For    : csound
Conflicts With  : None
Replaces        : openssl-perl  openssl-doc
Installed Size  : 11.44 MiB
Packager        : Pierre Schmitz <[email protected]>
Build Date      : Tue 30 May 2023 11:44:23 AM CDT
Install Date    : Tue 27 Jun 2023 11:28:14 PM CDT
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

I guess I need to install openssl manually. I'll try that and update this with results.

Update:
After installing openssl manually (https://www.openssl.org/source/openssl-3.1.1.tar.gz), no change has been made. The file libproviders.so still isn't found.

Another Update:
Trying this on an Ubuntu system, I get this error (the libproviders issue seems to be resolved).

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Normal(ErrorStack([Error { code: 587718764, library: "PKCS12 routines", function: "PKCS12_verify_mac", reason: "mac absent", file: "../crypto/pkcs12/p12_mutl.c", line: 157 }, Error { code: 587686001, library: "PKCS12 routines", function: "PKCS12_parse", reason: "mac verify failure", file: "../crypto/pkcs12/p12_kiss.c", line: 70 }]))', src/main.rs:20:61
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

@641i130 641i130 changed the title PKCS12 Identity [error loading dso] PKCS12 Identity [mac verify failure] on legacy format Jun 28, 2023

641i130 commented Sep 23, 2023

Ignore the above, I reinstalled my system and get the following error:

called `Result::unwrap()` on an `Err` value: Normal(ErrorStack([Error { code: 293601388, library: "PKCS12 routines", function: "PKCS12_verify_mac", reason: "mac absent", file: "crypto/pkcs12/p12_mutl.c", line: 187 }, Error { code: 293601393, library: "PKCS12 routines", function: "PKCS12_parse", reason: "mac verify failure", file: "crypto/pkcs12/p12_kiss.c", line: 71 }]))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

This is likely due to the PFX format being odd.
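The error stacks in this thread name PKCS12_verify_mac with reason "mac absent", and the export command in the opening post passes -nomac, which tells openssl pkcs12 to leave the MacData element out of the file; the example below is added here (it is not code from the issue or from native-tls) and checks a PKCS#12 file for exactly that condition at the DER level, so a MAC-less bundle can be reported clearly before it reaches Identity::from_pkcs12. The sample_pfx bytes are constructed skeletons with no real key or certificate, and the outer-structure layout assumed is the one RFC 7292 defines.

```rust
// Added example, not code from the issue or from native-tls: a minimal DER walk over the outer
// PKCS#12 structure, PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }.
/// Parses one DER tag/length header at `pos`: returns (tag, content start, content end).
fn der_header(der: &[u8], pos: usize) -> Result<(u8, usize, usize), &'static str> {
    let tag = *der.get(pos).ok_or("truncated tag")?;
    let first = *der.get(pos + 1).ok_or("truncated length")?;
    let (len, hdr) = if first & 0x80 == 0 {
        (first as usize, 2) // short form: a single length byte
    } else {
        let n = (first & 0x7f) as usize; // long form: n big-endian length bytes follow
        if n == 0 || n > 4 { return Err("unsupported length encoding"); }
        let bytes = der.get(pos + 2..pos + 2 + n).ok_or("truncated length")?;
        (bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + n)
    };
    let end = (pos + hdr).checked_add(len).filter(|e| *e <= der.len()).ok_or("length overruns buffer")?;
    Ok((tag, pos + hdr, end))
}

/// Ok(true) if a MacData element is present, Ok(false) if the PFX was built without one (-nomac).
pub fn pkcs12_has_mac(der: &[u8]) -> Result<bool, &'static str> {
    let (tag, pos, end) = der_header(der, 0)?;
    if tag != 0x30 || end != der.len() { return Err("not a single DER SEQUENCE"); }
    let (tag, start, pos) = der_header(der, pos)?; // version INTEGER, always 3
    if tag != 0x02 || der[start..pos] != [3u8] { return Err("unexpected PFX version"); }
    let (tag, _, pos) = der_header(der, pos)?; // authSafe ContentInfo
    if tag != 0x30 { return Err("authSafe is not a SEQUENCE"); }
    if pos == end { return Ok(false); } // nothing after authSafe: no MAC to verify
    let (tag, _, next) = der_header(der, pos)?; // macData MacData OPTIONAL
    if tag != 0x30 || next != end { return Err("trailing data is not a MacData SEQUENCE"); }
    Ok(true)
}

// Short-form DER tag/length/value encoder, enough for the constructed samples below.
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    assert!(content.len() < 0x80, "sample helper only encodes short-form lengths");
    [vec![tag, content.len() as u8], content.to_vec()].concat()
}
/// Constructed PFX skeleton (no real key or certificate): id-data authSafe, optional zeroed SHA-1 MacData.
pub fn sample_pfx(with_mac: bool) -> Vec<u8> {
    let id_data = tlv(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01]);
    let auth_safe = tlv(0x30, &[id_data, tlv(0xa0, &tlv(0x04, &[]))].concat());
    let mut body = [tlv(0x02, &[3]), auth_safe].concat();
    if with_mac {
        let sha1 = tlv(0x30, &[tlv(0x06, &[0x2b, 0x0e, 0x03, 0x02, 0x1a]), tlv(0x05, &[])].concat());
        let digest_info = tlv(0x30, &[sha1, tlv(0x04, &[0u8; 20])].concat());
        body.extend(tlv(0x30, &[digest_info, tlv(0x04, &[0u8; 8])].concat()));
    }
    tlv(0x30, &body)
}
```

For a real file, pass the bytes of root.pfx (std::fs::read) to pkcs12_has_mac; Ok(false) identifies the no-MAC variant that produced the error stacks above.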
