/** * \file pk_internal.h * * \brief Public Key abstraction layer: internal (i.e. library only) functions * and definitions. */ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ #ifndef MBEDTLS_PK_INTERNAL_H #define MBEDTLS_PK_INTERNAL_H #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) #include "mbedtls/ecp.h" #endif #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include "psa/crypto.h" #include "psa_util_internal.h" #define PSA_PK_TO_MBEDTLS_ERR … #define PSA_PK_RSA_TO_MBEDTLS_ERR … #define PSA_PK_ECDSA_TO_MBEDTLS_ERR … #endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ /* Headers/footers for PEM files */ #define PEM_BEGIN_PUBLIC_KEY … #define PEM_END_PUBLIC_KEY … #define PEM_BEGIN_PRIVATE_KEY_RSA … #define PEM_END_PRIVATE_KEY_RSA … #define PEM_BEGIN_PUBLIC_KEY_RSA … #define PEM_END_PUBLIC_KEY_RSA … #define PEM_BEGIN_PRIVATE_KEY_EC … #define PEM_END_PRIVATE_KEY_EC … #define PEM_BEGIN_PRIVATE_KEY_PKCS8 … #define PEM_END_PRIVATE_KEY_PKCS8 … #define PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8 … #define PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8 … #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA) /** * Public function mbedtls_pk_ec() can be used to get direct access to the * wrapped ecp_keypair structure pointed to the pk_ctx. However this is not * ideal because it bypasses the PK module on the control of its internal * structure (pk_context) fields. * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but * we provide 2 very similar functions when only ECP_LIGHT is enabled and not * ECP_C. * These variants embed the "ro" or "rw" keywords in their name to make the * usage of the returned pointer explicit. Of course the returned value is * const or non-const accordingly. */ static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk) { … } static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk) { … } #endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) static inline mbedtls_ecp_group_id mbedtls_pk_get_ec_group_id(const mbedtls_pk_context *pk) { … } /* Helper for Montgomery curves */ #if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(MBEDTLS_ECP_HAVE_CURVE448) #define MBEDTLS_PK_HAVE_RFC8410_CURVES #endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */ #define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) … static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk) { … } /* * Set the group used by this key. * * [in/out] pk: in: must have been pk_setup() to an ECC type * out: will have group (curve) information set * [in] grp_in: a supported group ID (not NONE) */ int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id); /* * Set the private key material * * [in/out] pk: in: must have the group set already, see mbedtls_pk_ecc_set_group(). * out: will have the private key set. * [in] key, key_len: the raw private key (no ASN.1 wrapping). */ int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len); /* * Set the public key. * * [in/out] pk: in: must have its group set, see mbedtls_pk_ecc_set_group(). * out: will have the public key set. * [in] pub, pub_len: the raw public key (an ECPoint). * * Return: * - 0 on success; * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid * but not supported; * - another error code otherwise. */ int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len); /* * Derive a public key from its private counterpart. * Computationally intensive, only use when public key is not available. * * [in/out] pk: in: must have the private key set, see mbedtls_pk_ecc_set_key(). * out: will have the public key set. * [in] prv, prv_len: the raw private key (see note below). * [in] f_rng, p_rng: RNG function and context. * * Note: the private key information is always available from pk, * however for convenience the serialized version is also passed, * as it's available at each calling site, and useful in some configs * (as otherwise we would have to re-serialize it from the pk context). * * There are three implementations of this function: * 1. MBEDTLS_PK_USE_PSA_EC_DATA, * 2. MBEDTLS_USE_PSA_CRYPTO but not MBEDTLS_PK_USE_PSA_EC_DATA, * 3. not MBEDTLS_USE_PSA_CRYPTO. */ int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk, const unsigned char *prv, size_t prv_len, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ /* Helper for (deterministic) ECDSA */ #if defined(MBEDTLS_ECDSA_DETERMINISTIC) #define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET … #else #define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET … #endif #if defined(MBEDTLS_TEST_HOOKS) MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( mbedtls_pk_context *pk, unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); #endif #if defined(MBEDTLS_FS_IO) int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n); #endif #endif /* MBEDTLS_PK_INTERNAL_H */