author: Richard Levitte <levitte@openssl.org> 2023-06-13 20:06:04 +0200
committer: Pauli <pauli@openssl.org> 2023-06-26 08:01:36 +1000
commit: 56925daf6e476cb2ffef9b87ae9b53c5d2af9665 (patch)
tree: 69fb1c323a459b8e69e9a4e4800efa6f6157b022 /crypto
parent: 50af7294e514a2aba19c5248a4ed612ba3ba4c1b (diff)
OSSL_STORE and PKCS#12: Check if there is a MAC to verify before prompting
When a DER object with unknown contents comes all the way to ossl_store_handle_load_result(), and it attempts to decode them as different objects, the PKCS#12 decoding attempt would (almost) always prompt for a passphrase, even if there isn't a MAC to verify it against in the PKCS#12 object.

This change checks if there is a MAC to verify against before attempting to prompt for a passphrase, leading to less surprising behavior.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21197)
(cherry picked from commit 7a520619c997146639f42ce8595162ac34c2ad41)
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/store/store_result.c | 4 +-
1 file changed, 3 insertions, 1 deletion
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index ca436b361f..8cc14fc848 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -553,8 +553,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
ok = 0; /* Assume decryption or parse error */
- if (PKCS12_verify_mac(p12, "", 0)
+ if (!PKCS12_mac_present(p12)
|| PKCS12_verify_mac(p12, NULL, 0)) {
+ pass = NULL;
+ } else if (PKCS12_verify_mac(p12, "", 0)) {
pass = "";
} else {
static char prompt_info[] = "PKCS12 import pass phrase";
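Review bot: the new first branch assigns `pass = NULL` both when `!PKCS12_mac_present(p12)` and when `PKCS12_verify_mac(p12, NULL, 0)` succeeds, so later code in try_pkcs12() cannot tell a PKCS#12 object whose integrity was never checked from one whose MAC verified with a NULL passphrase; a one-line comment on the no-MAC case stating that no integrity verification takes place there would make the intent explicit, and the `ok = 0; /* Assume decryption or parse error */` comment directly above could note that the absence of a MAC is now also handled, rather than treated as an error.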