-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PKCS8 writing support #1759
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -363,6 +363,9 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_ | |
#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----\n" | ||
#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----\n" | ||
|
||
#define PEM_BEGIN_PRIVATE_KEY "-----BEGIN PRIVATE KEY-----\n" | ||
#define PEM_END_PRIVATE_KEY "-----END PRIVATE KEY-----\n" | ||
|
||
#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----\n" | ||
#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----\n" | ||
#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----\n" | ||
|
@@ -451,6 +454,19 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_ | |
#define PRV_DER_MAX_BYTES RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \ | ||
RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES | ||
|
||
/* | ||
* PKCS8 envelope: | ||
* PrivateKeyInfo ::= SEQUENCE { | ||
* version Version, | ||
* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, | ||
* privateKey PrivateKey, | ||
* attributes [0] IMPLICIT Attributes OPTIONAL } | ||
* } | ||
*/ | ||
|
||
#define PRV_PKCS8_DER_MAX_BYTES 22 + PRV_DER_MAX_BYTES | ||
|
||
|
||
int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size ) | ||
{ | ||
int ret; | ||
|
@@ -510,6 +526,65 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_ | |
|
||
return( 0 ); | ||
} | ||
|
||
int mbedtls_pkcs8_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size ) | ||
{ | ||
int ret; | ||
unsigned char output_buf[PRV_PKCS8_DER_MAX_BYTES]; | ||
const char *begin = PEM_BEGIN_PRIVATE_KEY; | ||
const char *end = PEM_END_PRIVATE_KEY; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it would be ideal if we used the header and footer for RSA or EC as in |
||
size_t olen = 0; | ||
unsigned char *c; | ||
int len = 0; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Its a length, should it be |
||
const char *oid; | ||
size_t oid_len; | ||
|
||
if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 ) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add spaces before |
||
return( ret ); | ||
#if defined(MBEDTLS_RSA_C) | ||
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA ) | ||
{ | ||
} | ||
else | ||
#endif | ||
#if defined(MBEDTLS_ECP_C) | ||
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY ) | ||
{ | ||
} | ||
else | ||
#endif | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add matching comment to the
|
||
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); | ||
|
||
len = ret; | ||
c = output_buf + sizeof(output_buf) - len; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add spaces before |
||
|
||
/* Wrap PKCS1 key in OCTET STRING */ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. PKCS1? |
||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, output_buf, len ) ); | ||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, output_buf, MBEDTLS_ASN1_OCTET_STRING ) ); | ||
|
||
/* privateKeyAlgorithm */ | ||
if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ), | ||
&oid, &oid_len ) ) != 0 ) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please use spaces instead of tabs |
||
return ret; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add brackets around the return argument as required by the Mbed TLS coding standards. |
||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier(&c, output_buf, oid, oid_len, 0) ); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add spaces before ) and after ( |
||
|
||
/* version */ | ||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, output_buf, 0 ) ); | ||
|
||
/* sequence and length */ | ||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, output_buf, len ) ); | ||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, output_buf, MBEDTLS_ASN1_CONSTRUCTED | | ||
MBEDTLS_ASN1_SEQUENCE ) ); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please replace tabs with spaces. |
||
|
||
if( ( ret = mbedtls_pem_write_buffer( begin, end, | ||
output_buf + sizeof(output_buf) - len, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Minor: Please add spaces before ) and after ( |
||
len, buf, size, &olen ) ) != 0 ) | ||
{ | ||
return( ret ); | ||
} | ||
|
||
return( 0 ); | ||
} | ||
#endif /* MBEDTLS_PEM_WRITE_C */ | ||
|
||
#endif /* MBEDTLS_PK_WRITE_C */ |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -102,6 +102,7 @@ int dev_random_entropy_poll( void *data, unsigned char *output, | |
|
||
#define FORMAT_PEM 0 | ||
#define FORMAT_DER 1 | ||
#define FORMAT_PEM_PKCS8 2 | ||
|
||
#define DFL_TYPE MBEDTLS_PK_RSA | ||
#define DFL_RSA_KEYSIZE 4096 | ||
|
@@ -154,10 +155,18 @@ static int write_private_key( mbedtls_pk_context *key, const char *output_file ) | |
size_t len = 0; | ||
|
||
memset(output_buf, 0, 16000); | ||
if( opt.format == FORMAT_PEM ) | ||
if( opt.format == FORMAT_PEM || opt.format == FORMAT_PEM_PKCS8) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please add space before the ) |
||
{ | ||
if( ( ret = mbedtls_pk_write_key_pem( key, output_buf, 16000 ) ) != 0 ) | ||
return( ret ); | ||
if (opt.format == FORMAT_PEM_PKCS8) | ||
{ | ||
if( ( ret = mbedtls_pkcs8_write_key_pem( key, output_buf, 16000 ) ) != 0 ) | ||
return( ret ); | ||
} | ||
else | ||
{ | ||
if( ( ret = mbedtls_pk_write_key_pem( key, output_buf, 16000 ) ) != 0 ) | ||
return( ret ); | ||
} | ||
|
||
len = strlen( (char *) output_buf ); | ||
} | ||
|
@@ -255,6 +264,8 @@ int main( int argc, char *argv[] ) | |
opt.format = FORMAT_PEM; | ||
else if( strcmp( q, "der" ) == 0 ) | ||
opt.format = FORMAT_DER; | ||
else if( strcmp( q, "pkcs8" ) == 0 ) | ||
opt.format = FORMAT_PEM_PKCS8; | ||
else | ||
goto usage; | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please document where the +22 comes from? Perhaps annotate the PrivateKeyInfo structure similar to https://github.com/ARMmbed/mbedtls/pull/1759/files#diff-788a5101fe2618b1e14eb09a62e1d7ecR436