mbedTLS简介

mbedTLS的背景介绍

关于mbedTLS的简要概括

• SSL/TLS 协议实施
• 一个加密库
• 一个 X.509 证书处理库

mbedTLS常用结构体

1. 公钥算法类型mbedtls_pk_type_t

/* * \brief Public key types */ typedef enum { 
    MBEDTLS_PK_NONE=0, MBEDTLS_PK_RSA, MBEDTLS_PK_ECKEY, MBEDTLS_PK_ECKEY_DH, MBEDTLS_PK_ECDSA, MBEDTLS_PK_RSA_ALT, MBEDTLS_PK_RSASSA_PSS, MBEDTLS_PK_SM2, } mbedtls_pk_type_t; 

2. 摘要算法类型mbedtls_md_type_t

typedef enum { 
    MBEDTLS_MD_NONE=0, MBEDTLS_MD_MD2, MBEDTLS_MD_MD4, MBEDTLS_MD_MD5, MBEDTLS_MD_SHA1, MBEDTLS_MD_SHA224, MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA384, MBEDTLS_MD_SHA512, MBEDTLS_MD_RIPEMD160, MBEDTLS_MD_SM3, } mbedtls_md_type_t; 

3. 公钥上下文mbedtls_pk_context

/ * \brief Public key container */ typedef struct { 
    const mbedtls_pk_info_t * pk_info; /< Public key informations 公钥信息 */ void * pk_ctx; /< Underlying public key context 底层公钥上下文*/ } mbedtls_pk_context; 

4. 解析证书得到的mbedtls_pk_info_t

struct mbedtls_pk_info_t //解析证书得到的 { 
    / Public key type */ mbedtls_pk_type_t type; / Type name */ const char *name; / Get key size in bits */ size_t (*get_bitlen)( const void * ); / Tell if the context implements this type (e.g. ECKEY can do ECDSA) */ int (*can_do)( mbedtls_pk_type_t type ); / Verify signature *///验证签名，证书，秘钥交换时服务器签名（如果有的话） int (*verify_func)( void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len ); / Make signature *///用秘钥来加密 int (*sign_func)( void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); / Decrypt message *///秘钥交换，服务器解密使用 int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); / Encrypt message */ //秘钥交换时加密秘钥用 int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); / Check public-private key pair */ int (*check_pair_func)( const void *pub, const void *prv ); / Allocate a new context */ void * (*ctx_alloc_func)( void ); / Free the given context */ void (*ctx_free_func)( void *ctx ); / Interface with the debug module */ void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items ); }; 

mbedTLS使用事例

#include  
     #include  
     #include "mbedtls/md.h" #define mbedtls_printf printf int main(void) { 
    int ret; unsigned char secret[] = "a secret"; unsigned char buffer[] = "some data to hash"; unsigned char digest[32]; mbedtls_md_context_t sha_ctx; mbedtls_md_init(&sha_ctx); memset(digest, 0x00, sizeof(digest)); ret = mbedtls_md_setup(&sha_ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1); if (ret != 0) { 
    mbedtls_printf(" ! mbedtls_md_setup() returned -0x%04x\n", -ret); goto exit; } mbedtls_md_hmac_starts(&sha_ctx, secret, sizeof(secret) - 1); mbedtls_md_hmac_update(&sha_ctx, buffer, sizeof(buffer) - 1); mbedtls_md_hmac_finish(&sha_ctx, digest ); mbedtls_printf("HMAC: "); for (int i = 0; i < sizeof(digest); i++) mbedtls_printf("%02X", digest[i]); mbedtls_printf("\n"); exit: mbedtls_md_free( &sha_ctx ); return ret; } 

• hmac算法需要两个参数，一个称为秘钥，此处为secret，另一个称为消息，此处为buffer
• 消息认证码保留在 digest 数组中
• 此处hmac算法选择sha256算法作为单向散列函数，所以hmac的计算结果一定为32字节

在mbedtls中，消息认证码的生成分为三个步骤：

• mbedtls_md_hmac_starts 设置密钥
• mbedtls_md_hmac_update 填充消息，本示例仅填充了一次
• mbedtls_md_hmac_finish 生成消息认证码，结果保存至digest中

最后把digest使用HEX格式打印至控制台。

mbedTLS_API分析

参考文章