How to sign/verify public key with another private/public key?

TL;DR how to I extract the raw form of the public key so I can do sha256 around it?

My chip’s ROM is super limited and I simply cannot afford to have certificate support compiled. Because, of the limitation, I only have RSA and SHA256 compiled in, that’s all.

So I am trying to make a very simplified setup:

• ca.pub - An CA alternative, a public key to a master key.
• device.pub / device.pem - A device’s RSA key pair
• device.sig - A “signature” of the device.pub, by basically doing rsa.sign(ca.pem, sha256(device.pub)) once and uploading it to the device

So devices can verify each other by rsa.verify(ca.pub, sha256(otherdevice.pub), otherdevice.sig)

The question would be, how to I extract the raw form of the public key so I can do sha256 around it? Something like openssl’s openssl rsa -in device.pub -pubin -outform der | openssl dgst -sha256

P.S. An offtopic question, is there a way to turn base64 off and do keys if “binary” so I can save ROM?

Okay I’ve found mbedtls_pk_write_key_der would export my key in der format. Would calculating sha256 of output produce same hash as openssl does?

Okay, apparently, it does.

T-thanks i g-guess.

@desertkunI am glad I could help;)

To disable PEM format, you should verify MBEDTLS_PEM_PARSE_C and MBEDTLS_PEM_WRITE_C are not defined in your configuration.
Regards,
Mbed TLS Team member
Ron