Reqwest::Identity::from_pkcs12_der() fails in Mac #144057

@sagarmadala

Background:
I have generated TLS certificates with NIST ECC secp521r1 and openssl.
Example:
openssl ecparam -name secp521r1 -genkey
Env: Mac OS

The following Rust code fails with the error below:

Error: reqwest::Error { kind: Builder, source: Error { code: -25264, message: "MAC verification failed during PKCS12 import (wrong password?)" } }

use openssl::pkcs12::Pkcs12;
use openssl::pkey::PKey;
use openssl::x509::X509;
use reqwest::Identity;
use std::fs;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load private key and certificate
    let key_pem = fs::read("client.key")?;
    let cert_pem = fs::read("client.crt")?;
    let key = PKey::private_key_from_pem(&key_pem)?;
    let cert = X509::from_pem(&cert_pem)?;

    // Bundle key and certificate into a password-protected PKCS#12 archive
    let password = "mypass";
    let pkcs12 = Pkcs12::builder()
        .name("tls-identity")
        .pkey(&key)
        .cert(&cert)
        .build2(password)
        .unwrap();
    let pkcs12_der = pkcs12.to_der().unwrap();
    println!("pkcs12_der is created");

    // Import the archive through reqwest; this call returns the error above on macOS
    let _identity = Identity::from_pkcs12_der(&pkcs12_der, password)?;
    Ok(())
}

Cargo.toml:

[package]
name = "request_client"
version = "0.1.0"
edition = "2024"

[dependencies]
openssl = "0.10.73"
reqwest = { version = "0.11", features = ["native-tls"] }
tokio = { version = "1", features = ["full"] }

Issue
The same code works fine on Linux but fails on macOS.

I have verified the binary is linked to the correct OpenSSL.
Additional details:

otool -L target/debug/request_client| grep ssl
	/opt/homebrew/opt/openssl@3/lib/libssl.3.dylib (compatibility version 3.0.0, current version 3.0.0)
	/opt/homebrew/opt/openssl@3/lib/libcrypto.3.dylib (compatibility version 3.0.0, current version 3.0.0)

➜  rust git:(master) ✗ cargo --version
cargo 1.88.0 (873a06493 2025-05-10)
➜  rust git:(master) ✗ rustc --version
rustc 1.88.0 (6b00bc388 2025-06-23)

➜  rust git:(master) ✗ openssl --version
OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)

Strange that it is failing only on macOS.
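
A diagnostic for the "MAC verification failed" error above, as an added example that is not part of the original issue or of reqwest: it reads the MacData digest OID from a PKCS#12 DER blob, so the MAC algorithm written by the OpenSSL build can be compared with what the importing TLS backend accepts. The function names and the `SAMPLE` bytes are constructed for illustration; only the std library is used.

```rust
// Added example: report which MAC digest a PKCS#12 (PFX) DER blob declares.
// PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
// MacData ::= SEQUENCE { mac DigestInfo { AlgorithmIdentifier { OID, .. }, digest }, salt, iterations }

/// Read one DER TLV at the start of `buf`; returns (tag, value, remainder).
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest) // short form: the byte is the length
    } else {
        let n = (first & 0x7f) as usize;
        // n == 0 is BER indefinite length (not DER); cap the length field at 4 bytes.
        if n == 0 || n > 4 || rest.len() < n { return None; }
        (rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; } // truncated input
    Some((tag, &rest[..len], &rest[len..]))
}

/// MAC digest name, or None if the blob is malformed or carries no macData.
pub fn pkcs12_mac_digest(der: &[u8]) -> Option<&'static str> {
    let (tag, pfx, _) = tlv(der)?; // outer PFX SEQUENCE
    if tag != 0x30 { return None; }
    let (_, _, rest) = tlv(pfx)?; // version
    let (_, _, rest) = tlv(rest)?; // authSafe (skipped, not decrypted)
    let (tag, mac_data, _) = tlv(rest)?; // macData
    if tag != 0x30 { return None; }
    let (_, digest_info, _) = tlv(mac_data)?;
    let (_, alg_id, _) = tlv(digest_info)?;
    let (tag, oid, _) = tlv(alg_id)?;
    if tag != 0x06 { return None; }
    Some(match oid {
        [0x2b, 0x0e, 0x03, 0x02, 0x1a] => "sha1", // 1.3.14.3.2.26
        [0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01] => "sha256", // 2.16.840.1.101.3.4.2.1
        _ => "other",
    })
}

// Constructed sample: skeleton PFX with an empty authSafe and a SHA-256 MacData.
const SAMPLE: [u8; 35] = [0x30, 0x21, 2, 1, 3, 0x30, 0, 0x30, 0x1a, 0x30, 0x12, 0x30, 0x0d, 6, 9,
    0x60, 0x86, 0x48, 1, 0x65, 3, 4, 2, 1, 5, 0, 4, 1, 0, 4, 1, 0, 2, 1, 1];

fn main() {
    // Pass the path of an exported .p12/.pfx file; without one the constructed sample is used.
    let der = std::env::args().nth(1).map(|p| std::fs::read(p).expect("read PKCS#12 file"));
    println!("MAC digest: {:?}", pkcs12_mac_digest(der.as_deref().unwrap_or(&SAMPLE)));
}
```

Writing `pkcs12_der` to a file on both the Linux and the macOS machine and running this on each shows whether the two builds emit the same MAC digest.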
