Open-source Languages & Tools for z/OS


 Question regarding using PKCS12 certificates with curl?

Mitch Johnson posted 01-05-2021 17:41
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive the message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows, for example, I am able to successfully import the PKCS12 certificate with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
ROCKETEER Sergey Rezepin

Hi Mitch,

Could you check the tag of PKCS12 certificate file?

ls -T /u/johnson/curl/fred.12

If the file is 'untagged' or has a mixed tag (m ISO8859-1), tag it as ISO8859-1:

chtag -tc 819 /u/johnson/curl/fred.12

And then, try the cURL command again.

If that does not help, could you also tell me the version and build of cURL and OpenSSL installed on your system?
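
The tag check from the reply above as a small shell helper; this is an added example, not part of the thread or of Rocket's tooling. The function names and the assumed `ls -T` line layout (type, code set, T= flag, path) are assumptions, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether a certificate file
# needs the chtag step, based on one line of z/OS `ls -T` output.
# Assumed line layout: <type> <codeset> T=<on|off> <path>
#   type: t = text, b = binary, m = mixed, - = untagged
# Constructed sample lines:
#   t ISO8859-1   T=on  FRED.P12
#   - untagged    T=off /u/johnson/curl/fred.12

# tag_action LINE -> prints one of: ok, retag, review
tag_action() {
    # First two fields are the tag type and code set; the rest is ignored.
    read -r type codeset rest <<EOF
$1
EOF
    case "$type:$codeset" in
        t:ISO8859-1) echo ok ;;      # already tagged as the reply asks
        -:*|m:*)     echo retag ;;   # untagged or mixed: apply chtag -tc 819
        *)           echo review ;;  # any other tag: the reply gives no advice
    esac
}

# check_p12_tag FILE -> reports what to do; only reads the tag, changes nothing.
check_p12_tag() {
    file=$1
    line=$(ls -T "$file") || return 2   # z/OS UNIX ls; -T prints the file tag
    case "$(tag_action "$line")" in
        ok)     echo "$file: tagged ISO8859-1, no change needed" ;;
        retag)  echo "$file: run: chtag -tc 819 $file" ;;
        review) echo "$file: tag not covered by the advice above: $line"
                return 1 ;;
    esac
}

# Run against a file only when one is given on the command line (z/OS only).
if [ "$#" -gt 0 ]; then
    check_p12_tag "$1"
fi
```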

Mitch Johnson
Thank you for your response. I think you are on the right track. I followed your suggestions to tag the PKCS12 file

ls -T FRED.P12
t ISO8859-1 T=on FRED.P12

and repeated invoking the curl command:

BPXBATCH SH export CURL=&CURL; $CURL/bin/curl -X GET --cacert /u/johnson/CERTAUTH.PEM +
--cert /u/johnson/FRED.P12:secret --cert-type P12 https://wg31.washington.ibm.com:9445/cscvinc/employee/000100

and received the same results:

curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

The results from a curl -V command are shown here:
curl 7.66.0 (i370-ibm-openedition) libcurl/7.66.0 OpenSSL/1.0.2l zlib/1.2.11 libssh2/1.8.0 nghttp2/1.18.1
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
ROCKETEER Sergey Rezepin

Thanks for reporting the problem.

It is also reproduced with a previous version of cURL, but it's fixed in the cURL delivered with Miniconda (though it looks like a tagged file is still needed).

We recently moved to a new delivery and installation model. Now all the ported tools should be installed via the Conda package manager. Please take a look at this post on our forum:

Introducing z/OS conda for download and deployment of z/OS open source products
How to install z/OS Miniconda - the first step in using Open Source on z

You can install Miniconda and then install cURL from the public Conda channel.

Mitch Johnson
Thanks for the information.