Mbed-TLS · bjwtaylor · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 11, 2025
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
@@ -315,6 +315,16 @@ mbedtls_x509_san_list;
  */
 int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
 
+
+/**
+ * \brief            Convert the pk_key_type to a string.
+ *
+ * \param[in] pk     A mbedtls_pk_context struct containing the pk_key_type to
+                     convert
+ * \return           A pointer to a string containing the pk_key_type.
+ */
+const char *mbedtls_pk_key_type_to_string(const mbedtls_pk_context *pk);
+
 /**
  * \brief            Convert the certificate DN string \p name into
  *                   a linked list of mbedtls_x509_name (equivalent to

diff --git a/library/x509.c b/library/x509.c
@@ -122,6 +122,23 @@ int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
     return 0;
 }
 
+/*
+ * Convert pk_key_type to a string
+ */
+const char *mbedtls_pk_key_type_to_string(const mbedtls_pk_context *pk)
+{
+    psa_key_type_t key_type;
+
+    key_type = mbedtls_pk_get_key_type(pk);
+    if (PSA_KEY_TYPE_IS_RSA(key_type)) {
+        return "RSA";
+    } else if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+        return "EC";
+    } else {
+        return "NONE";
+    }
+}
+
 /*
  * Convert md type to string
  */

diff --git a/library/x509_crt.c b/library/x509_crt.c
@@ -1806,7 +1806,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
 
     /* Key size */
     if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
-                                            mbedtls_pk_get_name(&crt->pk))) != 0) {
+                                            mbedtls_pk_key_type_to_string(&crt->pk))) != 0) {
         return ret;
     }
 

diff --git a/library/x509_csr.c b/library/x509_csr.c
@@ -551,7 +551,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
     MBEDTLS_X509_SAFE_SNPRINTF;
 
     if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
-                                            mbedtls_pk_get_name(&csr->pk))) != 0) {
+                                            mbedtls_pk_key_type_to_string(&csr->pk))) != 0) {
         return ret;
     }
 

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
@@ -1770,7 +1770,7 @@ int main(int argc, char *argv[])
 
     mbedtls_printf(" ok (key type: %s)\n",
                    strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ?
-                   mbedtls_pk_get_name(&pkey) : "none");
+                   mbedtls_pk_key_type_to_string(&pkey) : "none");
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 
     /*

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
@@ -2723,8 +2723,8 @@ int main(int argc, char *argv[])
     }
 
     mbedtls_printf(" ok (key types: %s, %s)\n",
-                   key_cert_init ? mbedtls_pk_get_name(&pkey) : "none",
-                   key_cert_init2 ? mbedtls_pk_get_name(&pkey2) : "none");
+                   key_cert_init ? mbedtls_pk_key_type_to_string(&pkey) : "none",
+                   key_cert_init2 ? mbedtls_pk_key_type_to_string(&pkey2) : "none");
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 
 #if defined(SNI_OPTION)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
@@ -2365,8 +2365,8 @@ run_test    "TLS 1.3 opaque key: no suitable algorithm found" \
             "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,none" \
             "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \
             1 \
-            -c "key type: Opaque" \
-            -s "key types: Opaque, Opaque" \
+            -c "key type: RSA" \
+            -s "key types: RSA, EC" \
             -c "error" \
             -s "no suitable signature algorithm"
 
@@ -2378,8 +2378,8 @@ run_test    "TLS 1.3 opaque key: suitable algorithm found" \
             "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \
             "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \
             0 \
-            -c "key type: Opaque" \
-            -s "key types: Opaque, Opaque" \
+            -c "key type: RSA" \
+            -s "key types: RSA, EC" \
             -C "error" \
             -S "error"
 
@@ -2391,7 +2391,7 @@ run_test    "TLS 1.3 opaque key: first client sig alg not suitable" \
             "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \
             "$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \
             0 \
-            -s "key types: Opaque, Opaque" \
+            -s "key types: RSA, EC" \
             -s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \
             -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
             -C "error" \
@@ -2405,8 +2405,8 @@ run_test    "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
             "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs2=ecdsa-sign,none key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \
             "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \
             0 \
-            -c "key type: Opaque" \
-            -s "key types: Opaque, Opaque" \
+            -c "key type: RSA" \
+            -s "key types: RSA, EC" \
             -C "error" \
             -S "error" \