lib: tls_credentials_shell: protect private key

maxd-nordic · maxd-nordic · commit f3c2a40d1637 · 2025-12-10T12:34:04.000+01:00
Add kconfig option to decide whether private keys
are allowed to be read out.

Signed-off-by: Maximilian Deubel &lt;maximilian.deubel@nordicsemi.no&gt;
diff --git a/subsys/net/lib/tls_credentials/Kconfig.shell b/subsys/net/lib/tls_credentials/Kconfig.shell
@@ -32,6 +32,11 @@ config TLS_CREDENTIALS_SHELL_DIGEST_BUF_SIZE
 
 	   Also used to print error messages if digest generation fails.
 
+config TLS_CREDENTIALS_ALLOW_READ_PK
+	int "Allow reading out private keys"
+	help
+	   Allow reading out private keys. If disabled, public key is read out instead.
+
 if TLS_CREDENTIALS_BACKEND_VOLATILE
 
 config HEAP_MEM_POOL_ADD_SIZE_TLS_CRED_SHELL
diff --git a/subsys/net/lib/tls_credentials/tls_credentials_shell.c b/subsys/net/lib/tls_credentials/tls_credentials_shell.c
@@ -765,6 +765,74 @@ static int tls_cred_cmd_get(const struct shell *sh, size_t argc, char *argv[])
 	 */
 	cred_written = cred_len;
 
+#if !defined(CONFIG_TLS_CREDENTIALS_ALLOW_READ_PK)
+	/* If private key retrieval is not allowed, extract public key from the private key */
+	if (type == TLS_CREDENTIAL_PRIVATE_KEY) {
+		shell_fprintf(sh, SHELL_WARNING,
+			      "Private key retrieval is not allowed. Extracting public key from "
+			      "private key.\n");
+
+#if defined(CONFIG_PSA_CRYPTO) && defined(MBEDTLS_PEM_WRITE_C)
+		/* Extract public key from PEM-encoded private key */
+		size_t pub_key_der_len = sizeof(cred_buf) / 2;
+		uint8_t pub_key_der[sizeof(cred_buf) / 2];
+
+		int pk_err = 0;
+		mbedtls_pk_context pk;
+
+		mbedtls_pk_init(&pk);
+
+		/* Parse the PEM private key */
+		pk_err = mbedtls_pk_parse_key(&pk, (const unsigned char *)cred_buf,
+					      cred_written + 1, NULL, 0);
+		if (pk_err != 0) {
+			shell_fprintf(sh, SHELL_ERROR, "Failed to parse private key (Error: %d)\n",
+				      pk_err);
+			err = pk_err;
+			mbedtls_pk_free(&pk);
+			goto cleanup;
+		}
+
+		/* Write the public key in DER format */
+		pk_err = mbedtls_pk_write_pubkey_der(&pk, pub_key_der, pub_key_der_len);
+		if (pk_err < 0) {
+			shell_fprintf(sh, SHELL_ERROR, "Failed to extract public key (Error: %d)\n",
+				      pk_err);
+			err = pk_err;
+			mbedtls_pk_free(&pk);
+			goto cleanup;
+		}
+
+		pub_key_der_len = pk_err;
+		mbedtls_pk_free(&pk);
+
+		/* Convert DER public key to PEM */
+		size_t pub_key_pem_len;
+		uint8_t pub_key_pem[sizeof(cred_buf)];
+
+		pk_err = mbedtls_pem_write_buffer(
+			"-----BEGIN PUBLIC KEY-----\n", "-----END PUBLIC KEY-----\n", pub_key_der,
+			pub_key_der_len, pub_key_pem, sizeof(pub_key_pem), &pub_key_pem_len);
+		if (pk_err != 0) {
+			shell_fprintf(sh, SHELL_ERROR,
+				      "Failed to convert public key to PEM (Error: %d)\n", pk_err);
+			err = pk_err;
+			goto cleanup;
+		}
+
+		/* Replace the buffer contents with the public key */
+		memcpy(cred_buf, pub_key_pem, pub_key_pem_len);
+		cred_written = pub_key_pem_len;
+#else
+		shell_fprintf(sh, SHELL_ERROR,
+			      "Cannot extract public key: PSA_CRYPTO or MBEDTLS_PEM_WRITE_C not "
+			      "enabled\n");
+		err = -ENOTSUP;
+		goto cleanup;
+#endif
+	}
+#endif
+
 	/* If the stored credential is NULL-terminated, do not include NULL termination in output */
 	if (terminated) {
 		if (cred_buf[cred_written - 1] != 0) {
