Scenario

Your RSA private key is not available in an exported form: it is located inside a smartcard or a secure hardware module. As a consequence you are not able to load it the usual way.

Providing your own functions

mbed TLS has been designed to handle these situations and allows you to set your own functions that it should use for RSA decryption and signing during the SSL handshake.

With PolarSSL 1.2

You can set these functions using the function ssl_set_own_cert_alt(). This function allows you to provide an arbitrary blob as your RSA private key and accepts function pointers to alternatives of rsa_pkcs1_decrypt(), rsa_pkcs1_sign() and a function that returns the length of the RSA key in bytes.

With PolarSSL and mbed TLS 1.3 and later

You can set these functions using mbedtls_pk_setup_rsa_alt() (known as pk_init_ctx_rsa_alt() in the 1.3 branch). This function allows you to provide an arbitrary blob as your RSA private key and accepts function pointers for decryption, for signing and for returning the key size, as above.

You can then use the normal mbedtls_set_own_cert() function, since from the perspective of the SSL module your external RSA private key is just another PK context.

PKCS#11

If you are using a smartcard, you do not have to write your own logic: you can use the libpkcs11-helper library.

mbed TLS includes a helper module for libpkcs11-helper, enabled with MBEDTLS_PKCS11_C in config.h (see "How do I configure mbed TLS"). This of course requires libpkcs11-helper to be present on the system.
