PKCS12 app fix

Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.

In the case of an error in the verify path do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac(),
If only the password was wrong it does not raise an error.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 709a9767582c34d463e44780a02139a181e51596..09ed684472ce951e582461052c53a6dba40d309b 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -910,8 +910,9 @@ int pkcs12_main(int argc, char **argv)
                 goto end;
             }
             OPENSSL_free(utmp);
-            if (!PKCS12_verify_mac(p12, badpass, -1)) {
-                BIO_puts(bio_err, "Mac verify error: invalid password?\n");
+            if (strcmp(mpass, badpass) == 0 || !PKCS12_verify_mac(p12, badpass, -1)) {
+                if (ERR_peek_error() == 0)
+                    BIO_puts(bio_err, "Mac verify error: invalid password?\n");
                 ERR_print_errors(bio_err);
                 goto end;
             } else {