Mbed TLS is now part of TrustedFirmware.org.

Missing call to mbedtls_rsa_check_privkey

Mar 12, 2018 13:06
Fredrik Axelsson

In 2.7.0 a call to mbedtls_rsa_check_privkey is removed from pk_parse_key_pkcs1_der. Is this intentional? If so, why? My code relies on the check for ensuring that loaded keys are correct and that errors are detected so useful error reporting and logging can be done.

Mar 20, 2018 08:48
Krzysztof Stachowiak

Hi Fredrik,

Do you refer to this change? You can analyze this and the surrounding commits, to fully understand why the change was made.

The only part of MbedTLS that is guaranteed not to change is the public API. The function pk_parse_key_pkcs1_der() is not part of the public API and therefore may change (or even disappear completely) between versions. If checking of the loaded keys is necessary in your program, you may call the mbedtls_rsa_check_privkey() function explicitly.

Please bear in mind that any other undocumented behavior may also change in the future as long as it doesn't break the public API.

Best regards,

MbedTLS Team member,


Mar 20, 2018 09:32
Fredrik Axelsson

Hi Chris,

Thanks for the reply. I will call the mbedtls_rsa_check_privkey to verify the validity of the key after it's loaded. I just wanted to know if the removed call was an oversight or intentional. Now I know it was intentional.