Dear mbedtls list members!
Sorry if this is the second time I ask, I'm not sure the previous question
is still on the list.
I'm asking if there's a way to export a private key into a buffer in an
encrypted format. So that mbedtls_pk_parse_key() has to be called with a
password.
In the example program key_app.c (I hope that's how it's called) I can see
there are password encrypted PEM formatted keys. But how to generate one?
For clarity, this is the type of header I'm looking for.
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,AB8E2B5B2D989271273F6730B6F9C687
……………………………………………….
……………………………………………….
………………………………………
—–END RSA PRIVATE KEY—–
I was only able to generate something like this by, using command line
openssl. But I'd like a better solution, in code, using mbedtls.
Yours
Zombor Máté
Hi All,
Gentle reminder about the Mbed TLS workshop tomorrow (Tuesday, November 3rd) from 2 to 6pm GMT.
See agenda and zoom link here - https://www.trustedfirmware.org/meetings/mbed-tls-workshop/
Thanks,
Shebu
-----Original Appointment-----
From: Trusted Firmware Public Meetings <linaro.org_havjv2figrh5egaiurb229pd8c(a)group.calendar.google.com>
Sent: Friday, October 23, 2020 12:32 AM
To: Trusted Firmware Public Meetings; Shebu Varghese Kuriakose; mbed-tls(a)lists.trustedfirmware.org; Don Harbin; psa-crypto(a)lists.trustedfirmware.org; Dave Rodgman
Subject: Mbed TLS Virtual Workshop
When: Tuesday, November 3, 2020 2:00 PM-6:00 PM (UTC+00:00) Dublin, Edinburgh, Lisbon, London.
Where: Zoom: https://linaro-org.zoom.us/j/95315200315?pwd=ZDJGc1BZMHZLV29DTmpGUllmMjB1UT…
You have been invited to the following event.
Mbed TLS Virtual Workshop
When
Tue Nov 3, 2020 7am – 11am Mountain Standard Time - Phoenix
Where
Zoom: https://linaro-org.zoom.us/j/95315200315?pwd=ZDJGc1BZMHZLV29DTmpGUllmMjB1UT… (map<https://www.google.com/maps/search/Zoom:+https:%2F%2Flinaro-org.zoom.us%2Fj…>)
Calendar
shebu.varghesekuriakose(a)arm.com<mailto:shebu.varghesekuriakose@arm.com>
Who
•
Don Harbin - creator
•
shebu.varghesekuriakose(a)arm.com<mailto:shebu.varghesekuriakose@arm.com>
•
mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
•
psa-crypto(a)lists.trustedfirmware.org<mailto:psa-crypto@lists.trustedfirmware.org>
•
dave.rodgman(a)arm.com<mailto:dave.rodgman@arm.com>
more details »<https://www.google.com/calendar/event?action=VIEW&eid=NHVvY2FxY2o4Njk3MWZkd…>
Hi,
Trustedfirmware.org community project would like to invite you to the Mbed TLS Virtual Workshop.
The purpose of the workshop is to bring together the Mbed TLS community including maintainers, contributors and users to discuss
* The future direction of the project and
* Ways to improve community collaboration
Here is the agenda for the workshop.
Topic Time (in GMT)
Welcome 2.00 - 2.10pm
Constant-time code 2.10 – 2.30pm
Processes - how does work get scheduled? 2.30 – 2.50pm
PSA Crypto APIs 2.50 – 3.20pm
PSA Crypto for Silicon Labs Wireless
MCUs - Why, What, Where and When 3.20 – 3.50pm
Break
Roadmap, TLS1.3 Update 4.10 – 4.30pm
Mbed TLS 3.0 Plans, Scope 4.30 – 5.00pm
How do I contribute my first review
and be an effective Mbed TLS reviewer 5.00 – 5.30pm
Regards,
Don Harbin
Trusted Firmware Community Manager
==============Zoom details below:====================
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Topic: Mbed TLS Virtual Workshop
Time: Nov 3, 2020 02:00 PM Greenwich Mean Time
Join Zoom Meeting
https://linaro-org.zoom.us/j/95315200315?pwd=ZDJGc1BZMHZLV29DTmpGUllmMjB1UT…<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9531520…>
Meeting ID: 953 1520 0315
Passcode: 143755
One tap mobile
+16699009128,,95315200315# US (San Jose)
+12532158782,,95315200315# US (Tacoma)
Dial by your location
+1 669 900 9128 US (San Jose)
+1 253 215 8782 US (Tacoma)
+1 346 248 7799 US (Houston)
+1 646 558 8656 US (New York)
+1 301 715 8592 US (Germantown)
+1 312 626 6799 US (Chicago)
888 788 0099 US Toll-free
877 853 5247 US Toll-free
Meeting ID: 953 1520 0315
Find your local number: https://linaro-org.zoom.us/u/apL3hgti4<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fu%2FapL3hgt…>
Going (shebu.varghesekuriakose(a)arm.com<mailto:shebu.varghesekuriakose@arm.com>)? Yes<https://www.google.com/calendar/event?action=RESPOND&eid=NHVvY2FxY2o4Njk3MW…> - Maybe<https://www.google.com/calendar/event?action=RESPOND&eid=NHVvY2FxY2o4Njk3MW…> - No<https://www.google.com/calendar/event?action=RESPOND&eid=NHVvY2FxY2o4Njk3MW…> more options »<https://www.google.com/calendar/event?action=VIEW&eid=NHVvY2FxY2o4Njk3MWZkd…>
Invitation from Google Calendar<https://www.google.com/calendar/>
You are receiving this courtesy email at the account shebu.varghesekuriakose(a)arm.com<mailto:shebu.varghesekuriakose@arm.com> because you are an attendee of this event.
To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn More<https://support.google.com/calendar/answer/37135#forwarding>.
Dear mbedtls list members!
Is there a way to write a private key into a buffer, in PEM format, by
using a password for encryption? Mbedtls is able to parse encrypted PEM
files so can I write one? I couldn't really find any info regarding it,
only an older, unfinished github issue ...
Yours
Zombor Máté
Hello François,
The following is my understanding, I am not a maintainer but a user of
mbedtls. My response below only addresses a few of your questions.
PSA appears to be bound to what mbedtls currently supports, this does not
include Ed25519 or Ed448 at this time. A pull request is currently open for
this feature development https://github.com/ARMmbed/mbedtls/pull/3245
Further development may be necessary to include those in PSA.
The only implementation of PSA that I know of is one that wraps around
mbedtls.
Best,
Levi
On Wed, Oct 28, 2020 at 9:20 AM François Beerten via mbed-tls <
mbed-tls(a)lists.trustedfirmware.org> wrote:
> Hi everybody,
>
> After reading the PSA Crypto API specs (as on
> https://armmbed.github.io/mbed-crypto/html/overview/functionality.html)
> and looking at the mbed TLS library, a few questions came up.
>
> Is there some repository with the sources of the PSA Crypto API specs
> where one can follow the evolution and eventually send proposals and
> patches ?
>
> A note says "Hash suspend and resume is not defined for the SHA3 family of
> hash algorithms". Why are they not defined for SHA3 ?
>
> How can or should one add support in PSA Crypto AP for not yet defined
> algorithms (for example a KDF) ?
>
> In multipart operations, can the user reuse the input buffers immediately
> after doing an 'update' (for example after psa_hash_update()) ? And can
> he reuse the input buffers immediately after some "setup" functions like
> psa_cipher_set_iv() or psa_aead_set_nonce() ?
>
> Do you plan to support (pure) ED25519 and ED448 only via
> psa_sign_message() and psa_verify_message() ? What about messages in
> multiple chunks ?
>
> In psa_asymmetric_encrypt(), why is the salt provided explicitely.
> Shouldn't it be generated randomly internally when needed ?
>
> With PSA Crypto API, you define a flexible API for cryptographic
> operations. Apparently, other providers could make their own implementation
> of PSA Crypto API. Will mbed TLS then be able to use those alternate PSA
> Crypto API implementations ? How would that work practically ?
>
> Thank you for your attention,
>
> François.
>
>
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
I make a CA certificate for JITR using BouncyCastle lib in the android app as the below example
And a device certificate is generated by this certificate in mbed_tls. At this time, JITR is not working.
Namely, a device certificate is not registered in AWS.
But In the case of making a ca certificate using OPENSSL, JITR works normally.
Below is CA certificate based BouncyCastle lib.
-----BEGIN CERTIFICATE-----
MIIB8jCCAZegAwIBAgIVAK0ct2HFXVdS/k2NblxYGoxyuabfMAoGCCqGSM49BAMC
MDIxCzAJBgNVBAYTAktSMRAwDgYDVQQKDAdUcnVzdEZpMREwDwYDVQQDDAhtZWdh
em9uZTAeFw0yMDEwMjcwMDAwMDBaFw0zNTAxMDEwMDAwMDBaMDIxCzAJBgNVBAYT
AktSMRAwDgYDVQQKDAdUcnVzdEZpMREwDwYDVQQDDAhtZWdhem9uZTBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABEknYdqI3CdVlmMkTmqKS63HnHc5PbyBff1RokGG
6NE6z31ilA8Yt2fGFHIln1kQtx//6stBA1bIqiqsSo8wad6jgYkwgYYwHQYDVR0O
BBYEFBHaQtHvagaDPkpWxQurErTekm2cMB8GA1UdIwQYMBaAFBHaQtHvagaDPkpW
xQurErTekm2cMA8GA1UdEwEB/wQFMAMBAf8wEQYJYIZIAYb4QgEBBAQDAgAHMAsG
A1UdDwQEAwIBBjATBgNVHSUEDDAKBggrBgEFBQcDAzAKBggqhkjOPQQDAgNJADBG
AiEA9HSXn3FpGUYLagsI3qaHz3VicMSuADUz/QBYEKN9STkCIQC+8BX/TPADpPOy
ClmBIkjxdDt0Fh7HTDn9UwBUxYA3/g==
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgU9pUZUfplZyhC+mH
Pt8pthLItdpbJ+Qy47r7gJKTNvCgCgYIKoZIzj0DAQehRANCAARJJ2HaiNwnVZZj
JE5qikutx5x3OT28gX39UaJBhujROs99YpQPGLdnxhRyJZ9ZELcf/+rLQQNWyKoq
rEqPMGne
-----END EC PRIVATE KEY-----
BRs.
Hyunung Park
Hi everybody,
After reading the PSA Crypto API specs (as on
https://armmbed.github.io/mbed-crypto/html/overview/functionality.html)
and looking at the mbed TLS library, a few questions came up.
Is there some repository with the sources of the PSA Crypto API specs
where one can follow the evolution and eventually send proposals and
patches ?
A note says "Hash suspend and resume is not defined for the SHA3 family
of hash algorithms". Why are they not defined for SHA3 ?
How can or should one add support in PSA Crypto AP for not yet defined
algorithms (for example a KDF) ?
In multipart operations, can the user reuse the input buffers
immediately after doing an 'update' (for example after
psa_hash_update()) ? And can he reuse the input buffers immediately
after some "setup" functions like psa_cipher_set_iv() or
psa_aead_set_nonce() ?
Do you plan to support (pure) ED25519 and ED448 only via
psa_sign_message() and psa_verify_message() ? What about messages in
multiple chunks ?
In psa_asymmetric_encrypt(), why is the salt provided explicitely.
Shouldn't it be generated randomly internally when needed ?
With PSA Crypto API, you define a flexible API for cryptographic
operations. Apparently, other providers could make their own
implementation of PSA Crypto API. Will mbed TLS then be able to use
those alternate PSA Crypto API implementations ? How would that work
practically ?
Thank you for your attention,
François.
Hi Frank,
The issue exists because you are downloading a tag and not the release. The 2.16.8 release is available here:
https://github.com/ARMmbed/mbedtls/archive/v2.16.8.tar.gz
Best regards,
Janos
On 28/10/2020, 12:15, "mbed-tls on behalf of Frank Bergmann via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
Hi Gilles,
I noticed that the "double name" does still exist in some archive files:
$ wget -q -O - https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.16.8.tar.gz|tar tzf -|head
mbedtls-mbedtls-2.16.8/
mbedtls-mbedtls-2.16.8/.github/
mbedtls-mbedtls-2.16.8/.github/issue_template.md
mbedtls-mbedtls-2.16.8/.github/pull_request_template.md
mbedtls-mbedtls-2.16.8/.gitignore
mbedtls-mbedtls-2.16.8/.globalrc
mbedtls-mbedtls-2.16.8/.pylintrc
mbedtls-mbedtls-2.16.8/.travis.yml
mbedtls-mbedtls-2.16.8/CMakeLists.txt
mbedtls-mbedtls-2.16.8/CONTRIBUTING.md
cheers,
Frank
On Tue, Aug 04, 2020 at 09:18:56PM +0000, Gilles Peskine via mbed-tls wrote:
[...]
> The naming with mbedtls-mbedtls- must be a bug in our release script.
[...]
--
Frank Bergmann, Pödinghauser Str. 5, D-32051 Herford, Tel. +49-5221-9249753
SAP Hybris & Linux LPIC-3, E-Mail tx2014(a)tuxad.de, USt-IdNr DE237314606
http://tdyn.de/freel -- Redirect to profile at freelancermap
http://www.gulp.de/freiberufler/2HNKY2YHW.html -- Profile at GULP
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
Hi Gilles,
I noticed that the "double name" does still exist in some archive files:
$ wget -q -O - https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.16.8.tar.gz|tar tzf -|head
mbedtls-mbedtls-2.16.8/
mbedtls-mbedtls-2.16.8/.github/
mbedtls-mbedtls-2.16.8/.github/issue_template.md
mbedtls-mbedtls-2.16.8/.github/pull_request_template.md
mbedtls-mbedtls-2.16.8/.gitignore
mbedtls-mbedtls-2.16.8/.globalrc
mbedtls-mbedtls-2.16.8/.pylintrc
mbedtls-mbedtls-2.16.8/.travis.yml
mbedtls-mbedtls-2.16.8/CMakeLists.txt
mbedtls-mbedtls-2.16.8/CONTRIBUTING.md
cheers,
Frank
On Tue, Aug 04, 2020 at 09:18:56PM +0000, Gilles Peskine via mbed-tls wrote:
[...]
> The naming with mbedtls-mbedtls- must be a bug in our release script.
[...]
--
Frank Bergmann, Pödinghauser Str. 5, D-32051 Herford, Tel. +49-5221-9249753
SAP Hybris & Linux LPIC-3, E-Mail tx2014(a)tuxad.de, USt-IdNr DE237314606
http://tdyn.de/freel -- Redirect to profile at freelancermap
http://www.gulp.de/freiberufler/2HNKY2YHW.html -- Profile at GULP
Hi Sawyer,
Thank you for your interest in Mbed TLS. Currently the status of these CVE’s is:
- CVE-2020-16150 has been fixed in the latest Mbed TLS release
- CVE-2018-1000520 is not a security issue, it had been studied and rejected
- CVE-2016-3739 is a vulnerability in an application using Mbed TLS but not in Mbed TLS itself, also it too had been fixed.
Does this answer your question?
(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community and this mailing list is indeed the right place to get that support. I apologise for the nitpick, I just wanted to make sure that we are not giving the wrong impressions.)
Best regards,
Janos
(Mbed TLS developer)
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Sawyer Liu via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Reply to: Sawyer Liu <sawyer.liu(a)nxp.com>
Date: Wednesday, 28 October 2020 at 01:59
To: "mbed-tls(a)lists.trustedfirmware.org" <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] About mbedtls CVE
Hello ARM Support,
About below CVEs, any update? Thanks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre…>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
Best Regards
Sawyer Liu
Microcontrollers, NXP Semiconductors
From: 박현웅 <hupark(a)ictk.com>
Sent: Wednesday, October 28, 2020 6:21 PM
To: 'mbed-tls(a)lists.trustedfirmware.org.' <mbed-tls(a)lists.trustedfirmware.org.>
Subject: JITR in mbedtls
Hi
I make a certificate using BouncyCastle lib in android app as the below.
JITR is not working.
Namely a device certificate is not registered in aws iot.
In case of making ca certificate using openssl, JITR works normally.
Could you please help me?
-----BEGIN CERTIFICATE-----
MIIB8jCCAZegAwIBAgIVAK0ct2HFXVdS/k2NblxYGoxyuabfMAoGCCqGSM49BAMC
MDIxCzAJBgNVBAYTAktSMRAwDgYDVQQKDAdUcnVzdEZpMREwDwYDVQQDDAhtZWdh
em9uZTAeFw0yMDEwMjcwMDAwMDBaFw0zNTAxMDEwMDAwMDBaMDIxCzAJBgNVBAYT
AktSMRAwDgYDVQQKDAdUcnVzdEZpMREwDwYDVQQDDAhtZWdhem9uZTBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABEknYdqI3CdVlmMkTmqKS63HnHc5PbyBff1RokGG
6NE6z31ilA8Yt2fGFHIln1kQtx//6stBA1bIqiqsSo8wad6jgYkwgYYwHQYDVR0O
BBYEFBHaQtHvagaDPkpWxQurErTekm2cMB8GA1UdIwQYMBaAFBHaQtHvagaDPkpW
xQurErTekm2cMA8GA1UdEwEB/wQFMAMBAf8wEQYJYIZIAYb4QgEBBAQDAgAHMAsG
A1UdDwQEAwIBBjATBgNVHSUEDDAKBggrBgEFBQcDAzAKBggqhkjOPQQDAgNJADBG
AiEA9HSXn3FpGUYLagsI3qaHz3VicMSuADUz/QBYEKN9STkCIQC+8BX/TPADpPOy
ClmBIkjxdDt0Fh7HTDn9UwBUxYA3/g==
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgU9pUZUfplZyhC+mH
Pt8pthLItdpbJ+Qy47r7gJKTNvCgCgYIKoZIzj0DAQehRANCAARJJ2HaiNwnVZZj
JE5qikutx5x3OT28gX39UaJBhujROs99YpQPGLdnxhRyJZ9ZELcf/+rLQQNWyKoq
rEqPMGne
-----END EC PRIVATE KEY-----
BRs.
Hyunung Park