Re: [mbed-tls] export keys in pkcs8. plain or encrypted - mbed-tls

10 Jun 2021


      Hi Andrey,
Thank you for your interest in Mbed TLS! In general we welcome
contributions to the project. Unfortunately, our limiting factor is
bandwidth for review. In 2021 the Mbed TLS team has grown, so we have
more time for reviews, but we are still struggling to catch up with the
large backlog.
There is already an old attempt to add unencrypted PKCS#8 writing
support (https://github.com/ARMmbed/mbedtls/issues/1695
https://github.com/ARMmbed/mbedtls/issues/1695). There is a long
pending request for encrypted PKCS#8 writing support
(https://github.com/ARMmbed/mbedtls/issues/1372
https://github.com/ARMmbed/mbedtls/issues/1372) but I'm not aware of
any prior implementation.
We would be glad to have your contribution, but I must be honest and say
it might take us several months to get around to it.
Best regards,
-- 
Gilles Peskine
Mbed TLS developer

On 09/06/2021 22:46, Андрей Макаров via mbed-tls wrote:
> Recently I used mbedtls library in my working project. In accordance
> with the needs of the project, I added some functions to mbedtls for
> saving and loading keys in plain and encrypted pem and der forms.
> The changes are still raw and should be brought up to pull request
> requirements - there are no tests, since the functions tested as part
> of a working project which uses mbedtls. I can, over time, finalize
> the changes to a pull request, but it will take some time and effort
> that you don't want to waste unnecessarily — this will have to be done
> at my home time.
> If there is an interest for this work, then I will try to do it, but
> if few people need it or do not coincide with the general direction of
> development of the project, then I would not bother.
> To be done: 1) added mbedtls_pk_write_key_pkcs8_der() write
> non-encrypted pkcs8 der key 2) added mbedtls_pk_write_key_pkcs8_pem()
> write non-encrypted pkcs8 pem key 3) added
> mbedtls_pk_write_key_encrypted_pem() write legacy encryped pem file
> with DEK-Info header 4) added
> mbedtls_pk_write_key_pkcs8_encrypted_der() write to encrypted pkcs8
> der key; pkcs5 pbes1, pkcs12 and pbes2 schemes are supported 5) added
> mbedtls_pk_write_key_pkcs8_encrypted_pem() same as above but pem key
> 6) changed mbedtls_pem_read_buffer() which reads legacy encrypted pem
> formats (with DEK-Info header) now it uses mbedtls_cipher_… functions
> which allow to use any supported cipher rather than four enforced (was
> limited to des-cbc, des-ede3-cbc, ars-128-cbc and aes-256-cbc) 7)
> changed pk_parse_key_pkcs8_encrypted_der() 7.1) added pkcs5 pbes1
> support MD5-DES-CB CpbeWithMD5AndDES-CBC) and SHA1-DES-CBC
> (pbeWithSHA1AndDES-CBC) 7.2) changed pkcs12 pbe (use same cipher for
> all SHA1-DES2-EDE-CBC (pbeWithSHAAnd2-KeyTripleDES-CBC),
> SHA1-DES3-EDE-CBC (pbeWithSHAAnd3-KeyTripleDES-CBC) and SHA1-RC4-128
> (pbeWithSHA1And128BitRC4); (the special
> mbedtls_pkcs12_pbe_sha1_rc4_128() is not used now and may be removed)
> 7.3) changed pkcs5 pbes2 support: added AES-128-CBC and AES-256-CBC
> ciphers Some «preview» is available at fork
> https://github.com/loafer-mka/mbedtls
> https://github.com/loafer-mka/mbedtls, branch ‘dev_clean’ Of course,
> many changes relate to obsolete formats, and may be undesirable … also
> I do not touch PSK at all.
> Please, give me some feedback — try to finish this with tests, pull
> request, etc or not. ----------- Regards, Andrey
>