EAP-TLS: How to set private key password?


AxLi_1746341

Hi,

When testing EAP-TLS with an Ubuntu laptop I can upload a "Private key" and set a "Private key password".

reference: https://4.bp.blogspot.com/-Ro85GO_wEtE/WaFyB_BUXEI/AAAAAAAAPPA/x0NLjrcozAIyI7FY757kEg2Y8ZgmAO4QwCPcB...

When testing with WICED devices, I don't find the "private key password" setting when using the join_ent command.

Anything I missed?

grsr

GauravS_31
Moderator

Did you try setting the password in mbedtls_pk_parse_key()? It is called in tls_load_certificate_key(). It is set to NULL by default.


grsr wrote:

Did you try setting the password in mbedtls_pk_parse_key()? It is called in tls_load_certificate_key(). It is set to NULL by default.

It's not set to NULL by default, it is hard-coded NULL so there is no way to pass the password to tls_load_certificate_key.

This is a bug in the join_ent & wiced_tls_init_identity/tls_load_certificate_key APIs; they just cannot support a password-protected private key.


But the low-level mbedTLS API mbedtls_pk_parse_key( &credential->private_key, (const unsigned char *) private_key, key_length, NULL, 0 ) can support a private key password. You can change the last two arguments in the function for the password. You can customize the higher-level APIs or the join_ent command to support a private key password argument so that the argument is passed to mbedtls_pk_parse_key(). If you check the call hierarchy of mbedtls_pk_parse_key(), you will find that it is called by join_ent()->besl_supplicant_init()->wiced_tls_init_identity()->tls_load_certificate_key()->mbedtls_pk_parse_key(). So you can customize it to pass the password across the call hierarchy.

I know the low level mbedTLS API can set private key password.

The point is "the problem is in high-level WICED API" which does not allow passing private key password.

If Cypress doesn't want to fix the WICED API, it means you have to ask every user that needs a private key password to HACK your API.

Is this encouraged? (I won't call that change "customizing the higher-level APIs".)

In addition, it means Cypress does not test a private key with a password at all.

From my point of view, this is a bug report to help improving your sdk.


BTW, I just found that a key in the format below cannot be loaded:

-----BEGIN ENCRYPTED PRIVATE KEY-----

...

-----END ENCRYPTED PRIVATE KEY-----

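The thread makes two points that a firmware developer has to deal with together: the WICED call chain (join_ent -> besl_supplicant_init -> wiced_tls_init_identity -> tls_load_certificate_key) hard-codes NULL, 0 for the password arguments of mbedtls_pk_parse_key(), and a "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8 EncryptedPrivateKeyInfo) blob therefore fails to load with no obvious reason. The code below is an added example, not part of the thread or of the WICED SDK: a stand-alone preflight check, in plain C with no mbedTLS dependency, that classifies a PEM private key by its armour and headers and reports whether a password is required before the buffer is handed to tls_load_certificate_key(). The function names (classify_pem_key, key_needs_password, key_preflight) and the sample PEM strings are constructed for this example; the sample bodies are placeholders, not real key material, because only the armour and header lines are inspected. Whatever a patched call chain ends up doing with the password, this check turns "key silently rejected" into an explicit error at the point where the credential is provisioned.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classification of a PEM private key, applied before the
 * buffer reaches tls_load_certificate_key() / mbedtls_pk_parse_key().
 * The buffer must be NUL-terminated, as mbedTLS itself requires for PEM. */
typedef enum {
    KEY_PEM_INVALID = 0,      /* no recognisable private-key armour        */
    KEY_PEM_PLAIN,            /* unencrypted: a NULL password is correct  */
    KEY_PEM_PKCS8_ENCRYPTED,  /* "BEGIN ENCRYPTED PRIVATE KEY": needs pwd */
    KEY_PEM_LEGACY_ENCRYPTED  /* "Proc-Type: 4,ENCRYPTED" header: needs pwd */
} key_pem_kind_t;

key_pem_kind_t classify_pem_key(const char *pem)
{
    const char *begin, *line_end, *end, *proc_type, *marker;

    if (pem == NULL)
        return KEY_PEM_INVALID;

    /* PKCS#8 EncryptedPrivateKeyInfo: the armour itself says it is encrypted.
     * This is the format the last post reports as "cannot be loaded". */
    if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----") != NULL)
        return KEY_PEM_PKCS8_ENCRYPTED;

    begin = strstr(pem, "-----BEGIN ");
    if (begin == NULL)
        return KEY_PEM_INVALID;

    /* The BEGIN line itself must name a private key (RSA/EC/PKCS#8). */
    line_end = strchr(begin, '\n');
    marker   = strstr(begin, "PRIVATE KEY-----");
    if (marker == NULL || (line_end != NULL && marker > line_end))
        return KEY_PEM_INVALID;

    /* Legacy OpenSSL armour signals encryption with a "Proc-Type: 4,ENCRYPTED"
     * header line inside the block, so only look between BEGIN and END. */
    end       = strstr(begin, "-----END ");
    proc_type = strstr(begin, "Proc-Type: 4,ENCRYPTED");
    if (proc_type != NULL && (end == NULL || proc_type < end))
        return KEY_PEM_LEGACY_ENCRYPTED;

    return KEY_PEM_PLAIN;
}

int key_needs_password(key_pem_kind_t kind)
{
    return kind == KEY_PEM_PKCS8_ENCRYPTED || kind == KEY_PEM_LEGACY_ENCRYPTED;
}

/* Returns 0 when (key, password) are consistent, -1 when the key is encrypted
 * but no password was supplied (what the unmodified WICED chain always does),
 * and -2 when the buffer is not a PEM private key at all. */
int key_preflight(const char *pem, const unsigned char *pwd, size_t pwdlen)
{
    key_pem_kind_t kind = classify_pem_key(pem);

    if (kind == KEY_PEM_INVALID)
        return -2;
    if (key_needs_password(kind) && (pwd == NULL || pwdlen == 0))
        return -1;
    return 0;
}

/* Constructed samples: bodies are placeholders, not real keys. */
static const char SAMPLE_PKCS8_ENCRYPTED[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "PLACEHOLDER-BASE64-BODY\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

static const char SAMPLE_LEGACY_ENCRYPTED[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "PLACEHOLDER-BASE64-BODY\n"
    "-----END RSA PRIVATE KEY-----\n";

static const char SAMPLE_PLAIN[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "PLACEHOLDER-BASE64-BODY\n"
    "-----END PRIVATE KEY-----\n";

int main(void)
{
    /* Mirrors the hard-coded NULL, 0 in tls_load_certificate_key(). */
    printf("pkcs8 encrypted, no password : %d\n", key_preflight(SAMPLE_PKCS8_ENCRYPTED, NULL, 0));
    printf("legacy encrypted, no password: %d\n", key_preflight(SAMPLE_LEGACY_ENCRYPTED, NULL, 0));
    printf("plain key, no password       : %d\n", key_preflight(SAMPLE_PLAIN, NULL, 0));
    return 0;
}
```

Run before the credential is passed into join_ent(): a -1 result tells you up front that the key can only work once the password is forwarded through the call chain to mbedtls_pk_parse_key(), rather than leaving you to discover that from a failed EAP-TLS handshake.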