`X509.Private_key`

Private keys

Private keys as defined in PKCS 8: decoding and encoding in PEM format

`type t = [ `

`|`

``RSA of Mirage_crypto_pk.Rsa.priv`

`|`

``ED25519 of Mirage_crypto_ec.Ed25519.priv`

`|`

``P224 of Mirage_crypto_ec.P224.Dsa.priv`

`|`

``P256 of Mirage_crypto_ec.P256.Dsa.priv`

`|`

``P384 of Mirage_crypto_ec.P384.Dsa.priv`

`|`

``P521 of Mirage_crypto_ec.P521.Dsa.priv`

` ]`

The polymorphic variant of private keys.

`val generate : ?seed:Cstruct.t -> ?bits:int -> Key_type.t -> t`

`generate ~seed ~bits type`

generates a private key of the given key type. The argument `bits`

is only used for the bit length of RSA keys. If `seed`

is provided, this is used to seed the random number generator.

```
val of_cstruct :
Cstruct.t ->
Key_type.t ->
(t, [> `Msg of string ]) Stdlib.result
```

`of_cstruct data type`

decodes the buffer as private key. Only supported for elliptic curve keys.

```
val of_string :
?seed_or_data:[ `Seed | `Data ] ->
?bits:int ->
Key_type.t ->
string ->
(t, [> `Msg of string ]) Stdlib.result
```

`of_string ~seed_or_data ~bits type data`

attempts to decode the data as a private key. If `seed_or_data`

is provided and ``Seed`

, the `data`

is taken as seed and `generate`

is used. If it is ``Data`

, `of_cstruct`

is used with the Base64 decoded `data`

. By default, if `type`

is RSA, the data is used as seed, otherwise directly as the private key data.

`val key_type : t -> Key_type.t`

`key_type priv`

is the key type of `priv`

.

`val public : t -> Public_key.t`

`public priv`

is the corresponding public key of `priv`

.

```
val sign :
Mirage_crypto.Hash.hash ->
?scheme:Key_type.signature_scheme ->
t ->
[ `Digest of Cstruct.t | `Message of Cstruct.t ] ->
(Cstruct.t, [> `Msg of string ]) Stdlib.result
```

`sign hash ~scheme key data`

signs `data`

with `key`

using `hash`

and `scheme`

. If `data`

is ``Message _`

, the `hash`

will be applied before the signature. The `scheme`

defaults to ``RSA_PSS`

for RSA keys, ``ED25519`

for ED25519, and ``ECDSA`

for other EC keys.

`val decode_der : Cstruct.t -> (t, [> `Msg of string ]) Stdlib.result`

`decode_der der`

is `t`

, where the private key of `der`

is extracted. It must be in PKCS8 (RFC 5208, Section 5) PrivateKeyInfo structure.

`val encode_der : t -> Cstruct.t`

`encode_der key`

is `der`

, the encoded private key as PKCS8 (RFC 5208, Section 5) PrivateKeyInfo structure.

`val decode_pem : Cstruct.t -> (t, [> `Msg of string ]) Stdlib.result`

`decode_pem pem`

is `t`

, where the private key of `pem`

is extracted. Both RSA PRIVATE KEY and PRIVATE KEY stanzas are supported.

`val encode_pem : t -> Cstruct.t`

`encode_pem key`

is `pem`

, the encoded private key (using `PRIVATE KEY`

).