Mbed TLS v3.6.1
Public Key abstraction layer. More...
#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
#include "mbedtls/md.h"
#include "mbedtls/rsa.h"
#include "mbedtls/ecp.h"
#include "mbedtls/ecdsa.h"
#include "psa/crypto.h"
Data Structures | |
struct | mbedtls_pk_rsassa_pss_options |
Options for RSASSA-PSS signature verification. See mbedtls_rsa_rsassa_pss_verify_ext() More... | |
struct | mbedtls_pk_debug_item |
Item to send to the debug module. More... | |
struct | mbedtls_pk_context |
Public key container. More... | |
Macros | |
#define | MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80 |
#define | MBEDTLS_ERR_PK_TYPE_MISMATCH -0x3F00 |
#define | MBEDTLS_ERR_PK_BAD_INPUT_DATA -0x3E80 |
#define | MBEDTLS_ERR_PK_FILE_IO_ERROR -0x3E00 |
#define | MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80 |
#define | MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -0x3D00 |
#define | MBEDTLS_ERR_PK_UNKNOWN_PK_ALG -0x3C80 |
#define | MBEDTLS_ERR_PK_PASSWORD_REQUIRED -0x3C00 |
#define | MBEDTLS_ERR_PK_PASSWORD_MISMATCH -0x3B80 |
#define | MBEDTLS_ERR_PK_INVALID_PUBKEY -0x3B00 |
#define | MBEDTLS_ERR_PK_INVALID_ALG -0x3A80 |
#define | MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00 |
#define | MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980 |
#define | MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900 |
#define | MBEDTLS_ERR_PK_BUFFER_TOO_SMALL -0x3880 |
#define | MBEDTLS_PK_SIGNATURE_MAX_SIZE 0 |
Maximum size of a signature made by mbedtls_pk_sign(). | |
#define | MBEDTLS_PK_DEBUG_MAX_ITEMS 3 |
#define | MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) |
Typedefs | |
typedef struct mbedtls_pk_rsassa_pss_options | mbedtls_pk_rsassa_pss_options |
Options for RSASSA-PSS signature verification. See mbedtls_rsa_rsassa_pss_verify_ext() | |
typedef struct mbedtls_pk_debug_item | mbedtls_pk_debug_item |
Item to send to the debug module. | |
typedef struct mbedtls_pk_info_t | mbedtls_pk_info_t |
Public key information and operations. | |
typedef struct mbedtls_pk_context | mbedtls_pk_context |
Public key container. | |
typedef void | mbedtls_pk_restart_ctx |
typedef int(* | mbedtls_pk_rsa_alt_decrypt_func) (void *ctx, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
Types for RSA-alt abstraction. | |
typedef int(* | mbedtls_pk_rsa_alt_sign_func) (void *ctx, int(*f_rng) (void *, unsigned char *, size_t), void *p_rng, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef size_t(* | mbedtls_pk_rsa_alt_key_len_func) (void *ctx) |
Enumerations | |
enum | mbedtls_pk_type_t { MBEDTLS_PK_NONE =0 , MBEDTLS_PK_RSA , MBEDTLS_PK_ECKEY , MBEDTLS_PK_ECKEY_DH , MBEDTLS_PK_ECDSA , MBEDTLS_PK_RSA_ALT , MBEDTLS_PK_RSASSA_PSS , MBEDTLS_PK_OPAQUE } |
Public key types. More... | |
enum | mbedtls_pk_debug_type { MBEDTLS_PK_DEBUG_NONE = 0 , MBEDTLS_PK_DEBUG_MPI , MBEDTLS_PK_DEBUG_ECP , MBEDTLS_PK_DEBUG_PSA_EC } |
Types for interfacing with the debug module. More... | |
Functions | |
const mbedtls_pk_info_t * | mbedtls_pk_info_from_type (mbedtls_pk_type_t pk_type) |
Return information associated with the given PK type. | |
void | mbedtls_pk_init (mbedtls_pk_context *ctx) |
Initialize a mbedtls_pk_context (as NONE). | |
void | mbedtls_pk_free (mbedtls_pk_context *ctx) |
Free the components of a mbedtls_pk_context. | |
int | mbedtls_pk_setup (mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info) |
Initialize a PK context with the information given and allocates the type-specific PK subcontext. | |
int | mbedtls_pk_setup_rsa_alt (mbedtls_pk_context *ctx, void *key, mbedtls_pk_rsa_alt_decrypt_func decrypt_func, mbedtls_pk_rsa_alt_sign_func sign_func, mbedtls_pk_rsa_alt_key_len_func key_len_func) |
Initialize an RSA-alt context. | |
size_t | mbedtls_pk_get_bitlen (const mbedtls_pk_context *ctx) |
Get the size in bits of the underlying key. | |
static size_t | mbedtls_pk_get_len (const mbedtls_pk_context *ctx) |
Get the length in bytes of the underlying key. | |
int | mbedtls_pk_can_do (const mbedtls_pk_context *ctx, mbedtls_pk_type_t type) |
Tell if a context can do the operation given by type. | |
int | mbedtls_pk_get_psa_attributes (const mbedtls_pk_context *pk, psa_key_usage_t usage, psa_key_attributes_t *attributes) |
Determine valid PSA attributes that can be used to import a key into PSA. | |
int | mbedtls_pk_import_into_psa (const mbedtls_pk_context *pk, const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key_id) |
Import a key into the PSA key store. | |
int | mbedtls_pk_copy_from_psa (mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk) |
Create a PK context starting from a key stored in PSA. This key: | |
int | mbedtls_pk_copy_public_from_psa (mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk) |
Create a PK context for the public key of a PSA key. | |
int | mbedtls_pk_verify (mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len) |
Verify signature (including padding if relevant). | |
int | mbedtls_pk_verify_restartable (mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len, mbedtls_pk_restart_ctx *rs_ctx) |
Restartable version of mbedtls_pk_verify() | |
int | mbedtls_pk_verify_ext (mbedtls_pk_type_t type, const void *options, mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len) |
Verify signature, with options. (Includes verification of the padding depending on type.) | |
int | mbedtls_pk_sign (mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Make signature, including padding if relevant. | |
int | mbedtls_pk_sign_ext (mbedtls_pk_type_t pk_type, mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Make signature given a signature type. | |
int | mbedtls_pk_sign_restartable (mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_pk_restart_ctx *rs_ctx) |
Restartable version of mbedtls_pk_sign() | |
int | mbedtls_pk_decrypt (mbedtls_pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Decrypt message (including padding if relevant). | |
int | mbedtls_pk_encrypt (mbedtls_pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Encrypt message (including padding if relevant). | |
int | mbedtls_pk_check_pair (const mbedtls_pk_context *pub, const mbedtls_pk_context *prv, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Check if a public-private pair of keys matches. | |
int | mbedtls_pk_debug (const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items) |
Export debug information. | |
const char * | mbedtls_pk_get_name (const mbedtls_pk_context *ctx) |
Access the type name. | |
mbedtls_pk_type_t | mbedtls_pk_get_type (const mbedtls_pk_context *ctx) |
Get the key type. | |
static mbedtls_rsa_context * | mbedtls_pk_rsa (const mbedtls_pk_context pk) |
static mbedtls_ecp_keypair * | mbedtls_pk_ec (const mbedtls_pk_context pk) |
int | mbedtls_pk_parse_key (mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Parse a private key in PEM or DER format. | |
int | mbedtls_pk_parse_public_key (mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen) |
Parse a public key in PEM or DER format. | |
int | mbedtls_pk_parse_keyfile (mbedtls_pk_context *ctx, const char *path, const char *password, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Load and parse a private key. | |
int | mbedtls_pk_parse_public_keyfile (mbedtls_pk_context *ctx, const char *path) |
Load and parse a public key. | |
int | mbedtls_pk_write_key_der (const mbedtls_pk_context *ctx, unsigned char *buf, size_t size) |
Write a private key to a PKCS#1 or SEC1 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer. | |
int | mbedtls_pk_write_pubkey_der (const mbedtls_pk_context *ctx, unsigned char *buf, size_t size) |
Write a public key to a SubjectPublicKeyInfo DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer. | |
int | mbedtls_pk_write_pubkey_pem (const mbedtls_pk_context *ctx, unsigned char *buf, size_t size) |
Write a public key to a PEM string. | |
int | mbedtls_pk_write_key_pem (const mbedtls_pk_context *ctx, unsigned char *buf, size_t size) |
Write a private key to a PKCS#1 or SEC1 PEM string. | |
int | mbedtls_pk_parse_subpubkey (unsigned char **p, const unsigned char *end, mbedtls_pk_context *pk) |
Parse a SubjectPublicKeyInfo DER structure. | |
int | mbedtls_pk_write_pubkey (unsigned char **p, unsigned char *start, const mbedtls_pk_context *key) |
Write a subjectPublicKey to ASN.1 data Note: function works backwards in data buffer. | |
Public Key abstraction layer.
Definition in file pk.h.
#define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80 |
#define MBEDTLS_ERR_PK_BAD_INPUT_DATA -0x3E80 |
#define MBEDTLS_ERR_PK_BUFFER_TOO_SMALL -0x3880 |
#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980 |
#define MBEDTLS_ERR_PK_FILE_IO_ERROR -0x3E00 |
#define MBEDTLS_ERR_PK_INVALID_ALG -0x3A80 |
#define MBEDTLS_ERR_PK_INVALID_PUBKEY -0x3B00 |
#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -0x3D00 |
#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80 |
#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH -0x3B80 |
#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED -0x3C00 |
#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900 |
#define MBEDTLS_ERR_PK_TYPE_MISMATCH -0x3F00 |
#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00 |
#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG -0x3C80 |
#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3 |
#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) |
#define MBEDTLS_PK_SIGNATURE_MAX_SIZE 0 |
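Maximum size of a signature made by mbedtls_pk_sign(). The 0 shown in the definition above is only the starting value: pk.h redefines the macro upward for each signature mechanism enabled in the build, so the effective value depends on the build configuration and should be taken from the header as compiled, not from this listing.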
typedef struct mbedtls_pk_context mbedtls_pk_context |
Public key container.
typedef struct mbedtls_pk_debug_item mbedtls_pk_debug_item |
Item to send to the debug module.
typedef struct mbedtls_pk_info_t mbedtls_pk_info_t |
Public key information and operations.
typedef void mbedtls_pk_restart_ctx |
typedef int(* mbedtls_pk_rsa_alt_decrypt_func) (void *ctx, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* mbedtls_pk_rsa_alt_sign_func) (void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef struct mbedtls_pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options |
Options for RSASSA-PSS signature verification. See mbedtls_rsa_rsassa_pss_verify_ext()
enum mbedtls_pk_type_t |
int mbedtls_pk_can_do | ( | const mbedtls_pk_context * | ctx, |
mbedtls_pk_type_t | type | ||
) |
Tell if a context can do the operation given by type.
ctx | The context to query. It must have been initialized. |
type | The desired type. |
int mbedtls_pk_check_pair | ( | const mbedtls_pk_context * | pub, |
const mbedtls_pk_context * | prv, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Check if a public-private pair of keys matches.
pub | Context holding a public key. |
prv | Context holding a private (and public) key. |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
Returns 0 on success (keys were checked and match each other).
int mbedtls_pk_copy_from_psa | ( | mbedtls_svc_key_id_t | key_id, |
mbedtls_pk_context * | pk | ||
) |
Create a PK context starting from a key stored in PSA. This key:
The resulting PK object will be a transparent type: MBEDTLS_PK_RSA for RSA keys or MBEDTLS_PK_ECKEY for EC keys.
Once this function returns, the PK object will be completely independent from the original PSA key that it was generated from. Calling mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting PK context will perform the corresponding algorithm for that PK context type.
key_id | The key identifier of the key stored in PSA. |
pk | The PK context that will be filled. It must be initialized, but not set up. |
int mbedtls_pk_copy_public_from_psa | ( | mbedtls_svc_key_id_t | key_id, |
mbedtls_pk_context * | pk | ||
) |
Create a PK context for the public key of a PSA key.
The key must be an RSA or ECC key. It can be either a public key or a key pair, and only the public key is copied.
The resulting PK object will be a transparent type: MBEDTLS_PK_RSA for RSA keys or MBEDTLS_PK_ECKEY for EC keys.
Once this function returns, the PK object will be completely independent from the original PSA key that it was generated from. Calling mbedtls_pk_verify() or mbedtls_pk_encrypt() on the resulting PK context will perform the corresponding algorithm for that PK context type.
For an RSA key, the output PK context will allow both encrypt and verify regardless of the original key's policy. The original key's policy determines the output key's padding mode: PKCS1 v2.1 is set if the PSA key policy is OAEP or PSS, otherwise PKCS1 v1.5 is set.
key_id | The key identifier of the key stored in PSA. |
pk | The PK context that will be filled. It must be initialized, but not set up. |
int mbedtls_pk_debug | ( | const mbedtls_pk_context * | ctx, |
mbedtls_pk_debug_item * | items | ||
) |
Export debug information.
ctx | The PK context to use. It must have been initialized. |
items | Place to write debug items |
int mbedtls_pk_decrypt | ( | mbedtls_pk_context * | ctx, |
const unsigned char * | input, | ||
size_t | ilen, | ||
unsigned char * | output, | ||
size_t * | olen, | ||
size_t | osize, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Decrypt message (including padding if relevant).
ctx | The PK context to use. It must have been set up with a private key. |
input | Input to decrypt |
ilen | Input size |
output | Decrypted output |
olen | Decrypted message length |
osize | Size of the output buffer |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
static mbedtls_ecp_keypair * mbedtls_pk_ec | ( | const mbedtls_pk_context | pk | ) | [inline, static]
Quick access to an EC context inside a PK context.
Definition at line 1060 of file pk.h.
References MBEDTLS_PK_ECDSA, MBEDTLS_PK_ECKEY, MBEDTLS_PK_ECKEY_DH, mbedtls_pk_get_type(), and MBEDTLS_PRIVATE.
int mbedtls_pk_encrypt | ( | mbedtls_pk_context * | ctx, |
const unsigned char * | input, | ||
size_t | ilen, | ||
unsigned char * | output, | ||
size_t * | olen, | ||
size_t | osize, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Encrypt message (including padding if relevant).
ctx | The PK context to use. It must have been set up. |
input | Message to encrypt |
ilen | Message size |
output | Encrypted output |
olen | Encrypted output length |
osize | Size of the output buffer |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
Note: f_rng is used for padding generation.
void mbedtls_pk_free | ( | mbedtls_pk_context * | ctx | ) |
Free the components of a mbedtls_pk_context.
ctx | The context to clear. It must have been initialized. If this is NULL , this function does nothing. |
size_t mbedtls_pk_get_bitlen | ( | const mbedtls_pk_context * | ctx | ) |
Get the size in bits of the underlying key.
ctx | The context to query. It must have been initialized. |
Referenced by mbedtls_pk_get_len().
static size_t mbedtls_pk_get_len | ( | const mbedtls_pk_context * | ctx | ) | [inline, static]
Get the length in bytes of the underlying key.
ctx | The context to query. It must have been initialized. |
Definition at line 439 of file pk.h.
References mbedtls_pk_get_bitlen().
const char * mbedtls_pk_get_name | ( | const mbedtls_pk_context * | ctx | ) |
Access the type name.
ctx | The PK context to use. It must have been initialized. |
int mbedtls_pk_get_psa_attributes | ( | const mbedtls_pk_context * | pk, |
psa_key_usage_t | usage, | ||
psa_key_attributes_t * | attributes | ||
) |
Determine valid PSA attributes that can be used to import a key into PSA.
The attributes determined by this function are suitable for calling mbedtls_pk_import_into_psa() to create a PSA key with the same key material.
The typical flow of operations involving this function is
[in] | pk | The PK context to use. It must have been set up. It can either contain a key pair or just a public key. |
usage | A single PSA_KEY_USAGE_xxx flag among the following:
| |
[out] | attributes | On success, valid attributes to import the key into PSA.
|
Returns 0 on success, MBEDTLS_ERR_PK_TYPE_MISMATCH if pk does not contain a key of the type identified in attributes, or another error code on other failures.
mbedtls_pk_type_t mbedtls_pk_get_type | ( | const mbedtls_pk_context * | ctx | ) |
Get the key type.
ctx | The PK context to use. It must have been initialized. |
Referenced by mbedtls_pk_ec(), and mbedtls_pk_rsa().
int mbedtls_pk_import_into_psa | ( | const mbedtls_pk_context * | pk, |
const psa_key_attributes_t * | attributes, | ||
mbedtls_svc_key_id_t * | key_id | ||
) |
Import a key into the PSA key store.
This function is equivalent to calling psa_import_key() with the key material from pk
.
The typical way to use this function is:
psa_set_key_type(&attributes, PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( psa_get_key_type(&attributes)));
[in] | pk | The PK context to use. It must have been set up. It can either contain a key pair or just a public key. |
[in] | attributes | The attributes to use for the new key. They must be compatible with pk . In particular, the key type must match the content of pk . If pk contains a key pair, the key type in attributes can be either the key pair type or the corresponding public key type (to import only the public part). |
[out] | key_id | On success, the identifier of the newly created key. On error, this is MBEDTLS_SVC_KEY_ID_INIT. |
Returns 0 on success, MBEDTLS_ERR_PK_TYPE_MISMATCH if pk does not contain a key of the type identified in attributes, or another error code on other failures.
const mbedtls_pk_info_t * mbedtls_pk_info_from_type | ( | mbedtls_pk_type_t | pk_type | ) |
Return information associated with the given PK type.
pk_type | PK type to search for. |
void mbedtls_pk_init | ( | mbedtls_pk_context * | ctx | ) |
Initialize a mbedtls_pk_context (as NONE).
ctx | The context to initialize. This must not be NULL . |
int mbedtls_pk_parse_key | ( | mbedtls_pk_context * | ctx, |
const unsigned char * | key, | ||
size_t | keylen, | ||
const unsigned char * | pwd, | ||
size_t | pwdlen, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Parse a private key in PEM or DER format.
ctx | The PK context to fill. It must have been initialized but not set up. |
key | Input buffer to parse. The buffer must contain the input exactly, with no extra trailing material. For PEM, the buffer must contain a null-terminated string. |
keylen | Size of key in bytes. For PEM data, this includes the terminating null byte, so keylen must be equal to strlen(key) + 1 . |
pwd | Optional password for decryption. Pass NULL if expecting a non-encrypted key. Pass a string of pwdlen bytes if expecting an encrypted key; a non-encrypted key will also be accepted. The empty password is not supported. |
pwdlen | Size of the password in bytes. Ignored if pwd is NULL . |
f_rng | RNG function, must not be NULL . Used for blinding. |
p_rng | RNG parameter |
int mbedtls_pk_parse_keyfile | ( | mbedtls_pk_context * | ctx, |
const char * | path, | ||
const char * | password, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Load and parse a private key.
ctx | The PK context to fill. It must have been initialized but not set up. |
path | filename to read the private key from |
password | Optional password to decrypt the file. Pass NULL if expecting a non-encrypted key. Pass a null-terminated string if expecting an encrypted key; a non-encrypted key will also be accepted. The empty password is not supported. |
f_rng | RNG function, must not be NULL . Used for blinding. |
p_rng | RNG parameter |
int mbedtls_pk_parse_public_key | ( | mbedtls_pk_context * | ctx, |
const unsigned char * | key, | ||
size_t | keylen | ||
) |
Parse a public key in PEM or DER format.
ctx | The PK context to fill. It must have been initialized but not set up. |
key | Input buffer to parse. The buffer must contain the input exactly, with no extra trailing material. For PEM, the buffer must contain a null-terminated string. |
keylen | Size of key in bytes. For PEM data, this includes the terminating null byte, so keylen must be equal to strlen(key) + 1 . |
int mbedtls_pk_parse_public_keyfile | ( | mbedtls_pk_context * | ctx, |
const char * | path | ||
) |
Load and parse a public key.
ctx | The PK context to fill. It must have been initialized but not set up. |
path | filename to read the public key from |
int mbedtls_pk_parse_subpubkey | ( | unsigned char ** | p, |
const unsigned char * | end, | ||
mbedtls_pk_context * | pk | ||
) |
Parse a SubjectPublicKeyInfo DER structure.
p | the position in the ASN.1 data |
end | end of the buffer |
pk | The PK context to fill. It must have been initialized but not set up. |
static mbedtls_rsa_context * mbedtls_pk_rsa | ( | const mbedtls_pk_context | pk | ) | [inline, static]
Quick access to an RSA context inside a PK context.
Definition at line 1037 of file pk.h.
References mbedtls_pk_get_type(), MBEDTLS_PK_RSA, and MBEDTLS_PRIVATE.
int mbedtls_pk_setup | ( | mbedtls_pk_context * | ctx, |
const mbedtls_pk_info_t * | info | ||
) |
Initialize a PK context with the information given and allocates the type-specific PK subcontext.
ctx | Context to initialize. It must not have been set up yet (type MBEDTLS_PK_NONE). |
info | Information to use |
Note: for contexts holding an RSA-alt key, use mbedtls_pk_setup_rsa_alt() instead.
int mbedtls_pk_setup_rsa_alt | ( | mbedtls_pk_context * | ctx, |
void * | key, | ||
mbedtls_pk_rsa_alt_decrypt_func | decrypt_func, | ||
mbedtls_pk_rsa_alt_sign_func | sign_func, | ||
mbedtls_pk_rsa_alt_key_len_func | key_len_func | ||
) |
Initialize an RSA-alt context.
ctx | Context to initialize. It must not have been set up yet (type MBEDTLS_PK_NONE). |
key | RSA key pointer |
decrypt_func | Decryption function |
sign_func | Signing function |
key_len_func | Function returning key length in bytes |
Note: this function replaces mbedtls_pk_setup() for RSA-alt.
int mbedtls_pk_sign | ( | mbedtls_pk_context * | ctx, |
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
unsigned char * | sig, | ||
size_t | sig_size, | ||
size_t * | sig_len, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Make signature, including padding if relevant.
ctx | The PK context to use. It must have been set up with a private key. |
md_alg | Hash algorithm used (see notes) |
hash | Hash of the message to sign |
hash_len | Hash length |
sig | Place to write the signature. It must have enough room for the signature. MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. You may use a smaller buffer if it is large enough given the key type. |
sig_size | The size of the sig buffer in bytes. |
sig_len | On successful return, the number of bytes written to sig . |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
int mbedtls_pk_sign_ext | ( | mbedtls_pk_type_t | pk_type, |
mbedtls_pk_context * | ctx, | ||
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
unsigned char * | sig, | ||
size_t | sig_size, | ||
size_t * | sig_len, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Make signature given a signature type.
pk_type | Signature type. |
ctx | The PK context to use. It must have been set up with a private key. |
md_alg | Hash algorithm used (see notes) |
hash | Hash of the message to sign |
hash_len | Hash length |
sig | Place to write the signature. It must have enough room for the signature. MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. You may use a smaller buffer if it is large enough given the key type. |
sig_size | The size of the sig buffer in bytes. |
sig_len | On successful return, the number of bytes written to sig . |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
Note: when pk_type is MBEDTLS_PK_RSASSA_PSS, see PSA_ALG_RSA_PSS for a description of PSS options used.
int mbedtls_pk_sign_restartable | ( | mbedtls_pk_context * | ctx, |
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
unsigned char * | sig, | ||
size_t | sig_size, | ||
size_t * | sig_len, | ||
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng, | ||
mbedtls_pk_restart_ctx * | rs_ctx | ||
) |
Restartable version of mbedtls_pk_sign()
Note: performs the same job as mbedtls_pk_sign(), but can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking for ECC operations. For RSA, same as mbedtls_pk_sign().
ctx | The PK context to use. It must have been set up with a private key. |
md_alg | Hash algorithm used (see notes for mbedtls_pk_sign()) |
hash | Hash of the message to sign |
hash_len | Hash length |
sig | Place to write the signature. It must have enough room for the signature. MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough. You may use a smaller buffer if it is large enough given the key type. |
sig_size | The size of the sig buffer in bytes. |
sig_len | On successful return, the number of bytes written to sig . |
f_rng | RNG function, must not be NULL . |
p_rng | RNG parameter |
rs_ctx | Restart context (NULL to disable restart) |
Returns: see mbedtls_pk_sign(). MBEDTLS_ERR_ECP_IN_PROGRESS if the maximum number of operations was reached: see mbedtls_ecp_set_max_ops().
int mbedtls_pk_verify | ( | mbedtls_pk_context * | ctx, |
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
const unsigned char * | sig, | ||
size_t | sig_len | ||
) |
Verify signature (including padding if relevant).
ctx | The PK context to use. It must have been set up. |
md_alg | Hash algorithm used. This can be MBEDTLS_MD_NONE if the signature algorithm does not rely on a hash algorithm (non-deterministic ECDSA, RSA PKCS#1 v1.5). For PKCS#1 v1.5, if md_alg is MBEDTLS_MD_NONE, then hash is the DigestInfo structure used by RFC 8017 §9.2 steps 3–6. If md_alg is a valid hash algorithm then hash is the digest itself, and this function calculates the DigestInfo encoding internally. |
hash | Hash of the message whose signature is being verified |
hash_len | Hash length |
sig | Signature to verify |
sig_len | Signature length |
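Returns 0 on success (signature is valid), MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid signature in sig but its length is less than sig_len, or a specific error code.
int mbedtls_pk_verify_ext | ( | mbedtls_pk_type_t | type, |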
const void * | options, | ||
mbedtls_pk_context * | ctx, | ||
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
const unsigned char * | sig, | ||
size_t | sig_len | ||
) |
Verify signature, with options. (Includes verification of the padding depending on type.)
type | Signature type (inc. possible padding type) to verify |
options | Pointer to type-specific options, or NULL |
ctx | The PK context to use. It must have been set up. |
md_alg | Hash algorithm used (see notes) |
hash | Hash of the message whose signature is being verified |
hash_len | Hash length or 0 (see notes) |
sig | Signature to verify |
sig_len | Signature length |
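Returns 0 on success (signature is valid), MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid signature in sig but its length is less than sig_len, or a specific error code.
int mbedtls_pk_verify_restartable | ( | mbedtls_pk_context * | ctx, |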
mbedtls_md_type_t | md_alg, | ||
const unsigned char * | hash, | ||
size_t | hash_len, | ||
const unsigned char * | sig, | ||
size_t | sig_len, | ||
mbedtls_pk_restart_ctx * | rs_ctx | ||
) |
Restartable version of mbedtls_pk_verify()
Note: performs the same job as mbedtls_pk_verify(), but can return early and restart according to the limit set with mbedtls_ecp_set_max_ops() to reduce blocking for ECC operations. For RSA, same as mbedtls_pk_verify().
ctx | The PK context to use. It must have been set up. |
md_alg | Hash algorithm used (see notes) |
hash | Hash of the message whose signature is being verified |
hash_len | Hash length or 0 (see notes) |
sig | Signature to verify |
sig_len | Signature length |
rs_ctx | Restart context (NULL to disable restart) |
Returns: see mbedtls_pk_verify(), or MBEDTLS_ERR_ECP_IN_PROGRESS if the maximum number of operations was reached: see mbedtls_ecp_set_max_ops().
int mbedtls_pk_write_key_der | ( | const mbedtls_pk_context * | ctx, |
unsigned char * | buf, | ||
size_t | size | ||
) |
Write a private key to a PKCS#1 or SEC1 DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
ctx | PK context which must contain a valid private key. |
buf | buffer to write to |
size | size of the buffer |
int mbedtls_pk_write_key_pem | ( | const mbedtls_pk_context * | ctx, |
unsigned char * | buf, | ||
size_t | size | ||
) |
Write a private key to a PKCS#1 or SEC1 PEM string.
ctx | PK context which must contain a valid private key. |
buf | Buffer to write to. The output includes a terminating null byte. |
size | Size of the buffer in bytes. |
int mbedtls_pk_write_pubkey | ( | unsigned char ** | p, |
unsigned char * | start, | ||
const mbedtls_pk_context * | key | ||
) |
Write a subjectPublicKey to ASN.1 data Note: function works backwards in data buffer.
p | reference to current position pointer |
start | start of the buffer (for bounds-checking) |
key | PK context which must contain a valid public or private key. |
int mbedtls_pk_write_pubkey_der | ( | const mbedtls_pk_context * | ctx, |
unsigned char * | buf, | ||
size_t | size | ||
) |
Write a public key to a SubjectPublicKeyInfo DER structure Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
ctx | PK context which must contain a valid public or private key. |
buf | buffer to write to |
size | size of the buffer |
int mbedtls_pk_write_pubkey_pem | ( | const mbedtls_pk_context * | ctx, |
unsigned char * | buf, | ||
size_t | size | ||
) |
Write a public key to a PEM string.
ctx | PK context which must contain a valid public or private key. |
buf | Buffer to write to. The output includes a terminating null byte. |
size | Size of the buffer in bytes. |