Dear mbedtls mailing list members!
I hope you receive my message now; previously I had problems posting to this list. :(
My first question is actually about the PEM format. As far as I'm aware
the PEM format either contains the Private key (signalled by the
-----BEGIN PRIVATE KEY----- header) or a public key (-----BEGIN PUBLIC KEY-----).
In my application I have to work on an app that stores key pairs
in a special, secure storage solution (Secure Storage of OPTEE if
you've heard about it). I decided to export the keys in PEM format, so
that reading and handling them is equal to moving a large string buffer
around. Using the PEM format, is there a way to store both private and
public keys in the same "file"? Does mbedtls allow for such a solution
(does such a solution even exist?).
If not, is there a simple way to get the public key from a private key
object? Does the mbedtls_pk_context (that was parsed with a private key)
contain the information needed to export the public key into a PEM
buffer? As far as I know mbedtls allows for exporting the private key
and the public key with the functions mbedtls_write_key_pem and
...write_pubkey_pem (or something along those lines) does that mean I
can only export one at a time and there's no way to save the information
for both into one PEM buffer?
If there's a way to save both private and public keys into one PEM file, do I have
to parse the private key and public key into separate objects then? With
parse_key and parse_pubkey? This isn't really a problem just
clarifying.
If you can point me to an actually good description of the PEM format and what CAN be stored inside of it, I'd be very grateful! :)
I also have a question regarding the example SSL server program. In it,
the server needs a private key and a certificate for obvious reasons. It
also loads a certificate and as far as I know, the certificate has to
be tied to a known CA for it to be valid.
I would like to test the program with a self generated key pair, do I
need to change the Certificate and CAs to a new one as well? To
authenticate the new keypair? Does the mbedtls ssl_client1 example
program work with self signed certs? Or do I need to take care of the CA
validation myself (that would probably be beyond the scope of the project
I'm working on).
Thank you in advance!
Yours truly,
Máté Zombor
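Since the questions above turn on what a PEM buffer may contain: PEM is a textual encoding of labelled base64 blocks, so one buffer can carry a PRIVATE KEY block followed by a PUBLIC KEY block. The splitter below is an added example in plain C, not mbedtls code or the poster's; it walks such a buffer, returns each block's label and base64 body, and rejects a block whose BEGIN and END labels disagree. The sample buffer and its base64 bodies are constructed placeholders, and `pem_next_block`, `pem_count_blocks` and `pem_has_label` are names chosen here.

```c
#include <string.h>
/* One labelled block of a PEM-style buffer (RFC 7468 textual encoding): the label
 * from "-----BEGIN <label>-----" and the line-wrapped base64 text before the END line. */
typedef struct { const char *label, *body; size_t label_len, body_len; } pem_block_t;
/* Find the next block at or after *pos in a NUL-terminated buffer: returns 1 and moves
 * *pos past it, 0 if no BEGIN line remains, -1 if END is missing or its label differs. */
static int pem_next_block(const char *buf, size_t *pos, pem_block_t *out) {
    const char *b = strstr(buf + *pos, "-----BEGIN ");
    if (b == NULL) return 0;
    const char *label = b + strlen("-----BEGIN ");
    const char *dashes = strstr(label, "-----");
    if (dashes == NULL) return -1;
    size_t label_len = (size_t)(dashes - label);
    const char *body = dashes + 5;
    while (*body == '\r' || *body == '\n') body++;
    const char *e = strstr(body, "-----END ");
    if (e == NULL) return -1;                          /* truncated block */
    const char *end_label = e + strlen("-----END ");
    if (strncmp(end_label, label, label_len) != 0 ||   /* END label must equal BEGIN label */
        strncmp(end_label + label_len, "-----", 5) != 0) return -1;
    size_t body_len = (size_t)(e - body);
    /* drop the line break that precedes the END line */
    while (body_len > 0 && (body[body_len - 1] == '\n' || body[body_len - 1] == '\r')) body_len--;
    out->label = label; out->label_len = label_len;
    out->body = body;   out->body_len = body_len;
    *pos = (size_t)(end_label + label_len + 5 - buf);
    return 1;
}
/* Constructed sample: a private-key block followed by a public-key block in ONE buffer.
 * The base64 bodies are placeholders, not real key material. */
const char sample_pem[] =
    "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN PUBLIC KEY-----\nUExBQ0VIT0xERVIy\n-----END PUBLIC KEY-----\n";
/* Number of well-formed blocks in buf, or -1 if any block is malformed. */
int pem_count_blocks(const char *buf) {
    size_t pos = 0; int n = 0, rc; pem_block_t blk;
    while ((rc = pem_next_block(buf, &pos, &blk)) == 1) n++;
    return rc < 0 ? -1 : n;
}
/* 1 if buf holds a block whose label is exactly `label`, else 0. */
int pem_has_label(const char *buf, const char *label) {
    size_t pos = 0; pem_block_t blk;
    while (pem_next_block(buf, &pos, &blk) == 1)
        if (blk.label_len == strlen(label) && memcmp(blk.label, label, blk.label_len) == 0)
            return 1;
    return 0;
}
```

A buffer that holds the private-key block must be protected as a whole, whichever other blocks it also carries.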