mbedtls.pk Module API

Public key (PK) library.

The library handles RSA certificates and ECC (elliptic curve cryptography).

The RSA and ECC classes offer compatible APIs. They may be used interchangeably.

ECDHServer and ECDHClient should be used for ephemeral Elliptic Curve Diffie-Hellman exchange.

mbedtls.pk.check_pair()

Check if a public-private pair of keys matches.

mbedtls.pk.get_supported_ciphers()
mbedtls.pk.get_supported_curves()

Return the list of supported curves in order of preference.

class mbedtls.pk.Curve

Elliptic curves.

BRAINPOOLP256R1 = b'brainpoolP256r1'
BRAINPOOLP384R1 = b'brainpoolP384r1'
BRAINPOOLP512R1 = b'brainpoolP512r1'
CURVE25519 = b'curve25519'
CURVE448 = b'curve448'
SECP192K1 = b'secp192k1'
SECP192R1 = b'secp192r1'
SECP224K1 = b'secp224k1'
SECP224R1 = b'secp224r1'
SECP256K1 = b'secp256k1'
SECP256R1 = b'secp256r1'
SECP384R1 = b'secp384r1'
SECP521R1 = b'secp521r1'
class mbedtls.pk.RSA

RSA public-key cryptosystem.

from_buffer()

Import a key (public or private half).

The public half is generated upon importing a private key.

Parameters
  • key (bytes) – The key in PEM or DER format.

  • password (bytes, optional) – The password for password-protected private keys.

generate()

Generate an RSA keypair.

Parameters
  • key_size (unsigned int) – size in bits.

  • exponent (int) – public RSA exponent.

Returns

The private key in DER format.

Return type

(bytes)

class mbedtls.pk.ECC

Elliptic-curve cryptosystems.

Parameters

optional) ((Curve,) – A curve returned by get_supported_curves().

See also

get_supported_curves()

export_key()

Return the private key.

If not key is present, return a falsy value.

Parameters

format (str) – One of “DER”, “PEM”, or “NUM”.

export_public_key()

Return the public key.

If no key is present, return a falsy value.

Parameters

format (str) – One of “DER”, “PEM”, or “POINT”.

from_buffer()

Import a key (public or private half).

The public half is generated upon importing a private key.

Parameters
  • key (bytes) – The key in PEM or DER format.

  • password (bytes, optional) – The password for password-protected private keys.

generate()

Generate an EC keypair.

Returns

The private key in DER format.

Return type

(bytes)

to_ECDH_client()

Return an ECDH client initialized with this context.

to_ECDH_server()

Return an ECDH server initialized with this context.

class mbedtls.pk.DHServer

The server side of the DH key exchange.

generate()

Generate a public key.

Returns

A TLS ServerKeyExchange payload.

Return type

bytes

import_CKE()

Read the ClientKeyExchange payload.

class mbedtls.pk.DHClient

The client side of the DH key exchange.

generate()

Generate the public key.

Returns

The byte representation (big endian) of: G^X mod P.

Return type

bytes

import_SKE()

Read the ServerKeyExchange payload.

class mbedtls.pk.ECDHServer

The server side of the ECDH key exchange.

Parameters

optional) ((Curve,) – A curve returned by get_supported_curves().

generate()

Generate a public key.

Returns

A TLS ServerKeyExchange payload.

Return type

bytes

import_CKE()

Read the ClientKeyExchange payload.

class mbedtls.pk.ECDHClient

The client side of the ephemeral ECDH key exchange.

Parameters

optional) ((Curve,) – A curve returned by get_supported_curves().

generate()

Generate a public key.

Returns

A TLS ClientKeyExchange payload.

Return type

bytes

import_SKE()

Read the ServerKeyExchange payload.

class mbedtls.pk.ECDHNaive

Naive ECDH key exchange.

Parameters

optional) ((Curve,) – b’curve25519’ or b’curve448’.

generate()

Generate a public key.

Returns

public key.

Return type

ECPoint

generate_secret()

Generate the shared secret.

import_peer_public()
import_peers_public()

Read peer public key.

class mbedtls.pk.Curve

Elliptic curves.

BRAINPOOLP256R1 = b'brainpoolP256r1'
BRAINPOOLP384R1 = b'brainpoolP384r1'
BRAINPOOLP512R1 = b'brainpoolP512r1'
CURVE25519 = b'curve25519'
CURVE448 = b'curve448'
SECP192K1 = b'secp192k1'
SECP192R1 = b'secp192r1'
SECP224K1 = b'secp224k1'
SECP224R1 = b'secp224r1'
SECP256K1 = b'secp256k1'
SECP256R1 = b'secp256r1'
SECP384R1 = b'secp384r1'
SECP521R1 = b'secp521r1'