Mbedtls_pk_context handling

Hi,

I would like to copy an already populated mbedtls_pk_context structure into another mbedtls_pk_context structure which is dynamically allocated such that I can use it later.

Is there any API for copying a mbedtls_pk_context structure ?

Thanks,
Doru

Hi @doru91
Unfortunately , there isn’t such an API.
May I know your use case? Perhaps we could think of an alternative.

Regards,
Mbed TLS Team member
Ron

Hi, @roneld01

The use-case is the following one: I want to copy the pk field of an mbedtls_x509_crt structure.

A server-device signs each generated message using its private key. The client-device has to verify the authenticity of these messages using the public key of the of the server. The public-key of the server is taken from the pk field of the X509 certificate presented during the handshake. The problem is that the server-certificate (and its encapsulated mbedtls_pk_context structure) are freed shortly after the handshake.

The workaround used was to convert the pk context from the X509 certificate to DER format then parse the DER bytes in a dinamically allocated mbedtls_pk_context which I can use it later for signature verification.

Thanks,
Doru

Hi @doru91
Thank you for your information.
I see your point, however, as long as you are having a TLS session, your TLS context should remain, and not freed.
As long as you have your TLS context, the peer PK context is not freed.
As I see it, you need to have signature verification from the remote peer, during TLS sessions, so you should have the mbedtls_pk_context in the peer certificate of your mbedtls_ssl_context()
However, I see your point, we will consider having a way to get hte peer PK context.
Regards,
Mbed TLS Team member
Ron

I have created API to extract public key from parsed certificate · Issue #2294 · Mbed-TLS/mbedtls · GitHub that should address this