Free the components of a #mbedtls_pk_context.
Quick access to an RSA context inside a PK context. \warning This function can only be used when the type of the context, as returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA. Ensuring that is the caller's responsibility. Alternatively, you can check whether this function returns NULL.
Tell if a context can do the operation given by type
Quick access to an EC context inside a PK context. \warning This function can only be used when the type of the context, as returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY, #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA. Ensuring that is the caller's responsibility. Alternatively, you can check whether this function returns NULL.
Initialize a PK context with the information given and allocate the type-specific PK subcontext.
Initialize a #mbedtls_pk_context (as NONE).
Parse a private key in PEM or DER format
The public function mbedtls_pk_ec() can be used to get direct access to the wrapped ecp_keypair structure pointed to by pk_ctx. However, this is not ideal because it bypasses the PK module's control over the fields of its internal structure (pk_context). For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but we provide two very similar functions when only ECP_LIGHT is enabled and not ECP_C. These variants embed the "ro" or "rw" keywords in their name to make the usage of the returned pointer explicit. Of course the returned value is const or non-const accordingly.
Parse a SubjectPublicKeyInfo DER structure
Get the size in bits of the underlying key
Parse a public key in PEM or DER format
Write a public key to a SubjectPublicKeyInfo DER structure. Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
Verify signature, with options. (Includes verification of the padding depending on type.)
Make signature, including padding if relevant.
Write a private key to a PKCS#1 or SEC1 DER structure. Note: data is written at the end of the buffer! Use the return value to determine where you should start using the buffer.
Write a subjectPublicKey to ASN.1 data. Note: function works backwards in the data buffer.
Get the length in bytes of the underlying key
Verify signature (including padding if relevant).
Set own certificate chain and private key
Restartable version of \c mbedtls_pk_sign()
Decrypt message (including padding if relevant).
Restartable version of \c mbedtls_pk_verify()
Check if a public-private pair of keys matches.
Encrypt message (including padding if relevant).
Set own certificate and key for the current handshake
Make signature given a signature type.
Load and parse a private key
Load and parse a public key
Write a public key to a PEM string
Write a private key to a PKCS#1 or SEC1 PEM string
Initialize an RSA-alt context
Determine valid PSA attributes that can be used to import a key into PSA. The attributes determined by this function are suitable for calling mbedtls_pk_import_into_psa() to create a PSA key with the same key material. The typical flow of operations involving this function is:

```
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
int ret = mbedtls_pk_get_psa_attributes(pk, &attributes);
if (ret != 0) ...; // error handling omitted
// Tweak attributes if desired
psa_key_id_t key_id = 0;
ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id);
if (ret != 0) ...; // error handling omitted
```
Import a key into the PSA key store. This function is equivalent to calling psa_import_key() with the key material from \p pk. The typical way to use this function is:
-# Call mbedtls_pk_get_psa_attributes() to obtain attributes for the given key.
-# If desired, modify the attributes, for example:
   - To create a persistent key, call psa_set_key_identifier() and optionally psa_set_key_lifetime().
   - To import only the public part of a key pair:
     psa_set_key_type(&attributes, PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(psa_get_key_type(&attributes)));
   - Restrict the key usage if desired.
-# Call mbedtls_pk_import_into_psa().
Create a PK context starting from a key stored in PSA. This key:
- must be exportable and
- must be an RSA or EC key pair or public key (FFDH is not supported in PK).
The resulting PK object will be a transparent type:
- #MBEDTLS_PK_RSA for RSA keys or
- #MBEDTLS_PK_ECKEY for EC keys.
Once this function returns, the PK object will be completely independent from the original PSA key that it was generated from. Calling mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_encrypt() or mbedtls_pk_decrypt() on the resulting PK context will perform the corresponding algorithm for that PK context type.
* For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC.
* For an RSA key, the output PK context will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode: PKCS1 v2.1 is set if the PSA key policy is OAEP or PSS, otherwise PKCS1 v1.5 is set.
Create a PK context for the public key of a PSA key. The key must be an RSA or ECC key. It can be either a public key or a key pair, and only the public key is copied. The resulting PK object will be a transparent type:
- #MBEDTLS_PK_RSA for RSA keys or
- #MBEDTLS_PK_ECKEY for EC keys.
Once this function returns, the PK object will be completely independent from the original PSA key that it was generated from. Calling mbedtls_pk_verify() or mbedtls_pk_encrypt() on the resulting PK context will perform the corresponding algorithm for that PK context type. For an RSA key, the output PK context will allow both encrypt and verify regardless of the original key's policy. The original key's policy determines the output key's padding mode: PKCS1 v2.1 is set if the PSA key policy is OAEP or PSS, otherwise PKCS1 v1.5 is set.
Set the subject public key for the certificate
Set the issuer key used for signing the certificate
Internal functions for RSA keys.
Set the key for a CSR (public key will be included, private key used to sign the CSR when writing it)