Ticket https://pagure.io/freeipa/issue/5378 attempted to improve error reporting when loading PKCS#12 files.
It treated pk12util returncode 18 as invalid password, like 17. Looking at the NSS source it defines these:
    #define PK12UERR_DECODEVERIFY 17
    #define PK12UERR_DECODEVALIBAGS 18
So 18 really means that the PKCS#12 file can't be decoded at all, not that it doesn't have a bad password. This is causing key imports to fail because they are not in PKCS#12 format so throw an 18.
This is an inconsistency in pk12util:
    $ pk12util -d /etc/pki/nssdb/ -i /tmp/test.p12
    Enter password for PKCS12 file:
    pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
    pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
    $ echo $?
    18
File https://bugzilla.redhat.com/show_bug.cgi?id=1679789 against nss.
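Added example, not FreeIPA's code and not part of the ticket: one way a caller could separate "wrong password" from "not a PKCS#12 file" when pk12util exits with 18 in both cases, as the session above shows. It assumes the `SEC_ERROR_BAD_PASSWORD` name in stderr is a usable signal; the function names and the second sample string are hypothetical and constructed.

```python
import re

# Return codes quoted in the ticket from the NSS source.
PK12UERR_DECODEVERIFY = 17
PK12UERR_DECODEVALIBAGS = 18

# NSS error names as they appear in pk12util's stderr lines.
_NSS_ERROR = re.compile(r"\b(SEC_ERROR_[A-Z0-9_]+)\b")

# stderr from the session quoted in the ticket (wrong password, exit code 18).
WRONG_PASSWORD_STDERR = (
    "pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: "
    "The security password entered is incorrect.\n"
    "pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: "
    "security library: invalid arguments.\n"
)
# Constructed sample, not captured from a real run: exit code 18 with no
# bad-password line, standing in for an input that is not PKCS#12.
NOT_PKCS12_STDERR = (
    "pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: "
    "security library: invalid arguments.\n"
)


def nss_errors(stderr):
    """Return the NSS error names found in pk12util stderr, in order."""
    return _NSS_ERROR.findall(stderr)


def classify_pk12util(returncode, stderr):
    """Map a result to 'ok', 'bad_password', 'invalid_pkcs12' or 'error'."""
    if returncode == 0:
        return "ok"
    if returncode == PK12UERR_DECODEVERIFY:
        return "bad_password"
    if returncode == PK12UERR_DECODEVALIBAGS:
        # Assumption: 18 is ambiguous, so consult stderr. A bad-password
        # error name means the file decoded far enough to check the password.
        if "SEC_ERROR_BAD_PASSWORD" in nss_errors(stderr):
            return "bad_password"
        return "invalid_pkcs12"
    return "error"


if __name__ == "__main__":
    print(classify_pk12util(18, WRONG_PASSWORD_STDERR))
    print(classify_pk12util(18, NOT_PKCS12_STDERR))
```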