Module X509.Private_key

Private keys

Private keys as defined in PKCS 8: decoding and encoding in PEM format

The type for private keys

type t = [
  1. | `RSA of Mirage_crypto_pk.Rsa.priv
  2. | `ED25519 of Mirage_crypto_ec.Ed25519.priv
  3. | `P256 of Mirage_crypto_ec.P256.Dsa.priv
  4. | `P384 of Mirage_crypto_ec.P384.Dsa.priv
  5. | `P521 of Mirage_crypto_ec.P521.Dsa.priv
]

The polymorphic variant of private keys.

Constructing private keys

val generate : ?seed:string -> ?bits:int -> Key_type.t -> t

generate ~seed ~bits type generates a private key of the given key type. The argument bits is only used for the bit length of RSA keys. If seed is provided, this is used to seed the random number generator.

val of_octets : string -> Key_type.t -> (t, [> `Msg of string ]) Stdlib.result

of_octets data type decodes the buffer as private key. Only supported for elliptic curve keys.

val of_string : ?seed_or_data:[ `Seed | `Data ] -> ?bits:int -> Key_type.t -> string -> (t, [> `Msg of string ]) Stdlib.result

of_string ~seed_or_data ~bits type data attempts to decode the data as a private key. If seed_or_data is provided and `Seed, the data is taken as seed and generate is used. If it is `Data, of_octets is used with the Base64 decoded data. By default, if type is RSA, the data is used as seed, otherwise directly as the private key data.

Operations on private keys

val key_type : t -> Key_type.t

key_type priv is the key type of priv.

val public : t -> Public_key.t

public priv is the corresponding public key of priv.

Cryptographic sign operation

val sign : Digestif.hash' -> ?scheme:Key_type.signature_scheme -> t -> [ `Digest of string | `Message of string ] -> (string, [> `Msg of string ]) Stdlib.result

sign hash ~scheme key data signs data with key using hash and scheme. If data is `Message _, the hash will be applied before the signature. The scheme defaults to `RSA_PSS for RSA keys, `ED25519 for ED25519, and `ECDSA for other EC keys.

Decoding and encoding in ASN.1 DER and PEM format

val decode_der : string -> (t, [> `Msg of string ]) Stdlib.result

decode_der der is t, where the private key of der is extracted. It must be in PKCS8 (RFC 5208, Section 5) PrivateKeyInfo structure.

val encode_der : t -> string

encode_der key is der, the encoded private key as PKCS8 (RFC 5208, Section 5) PrivateKeyInfo structure.

val decode_pem : string -> (t, [> `Msg of string ]) Stdlib.result

decode_pem pem is t, where the private key of pem is extracted. Both RSA PRIVATE KEY and PRIVATE KEY stanzas are supported.

val encode_pem : t -> string

encode_pem key is pem, the encoded private key (using PRIVATE KEY).