2021-09-21 11:55:00 +00:00
|
|
|
This document describes the compile-time configuration option
|
2022-04-20 13:58:00 +00:00
|
|
|
`MBEDTLS_USE_PSA_CRYPTO` from a user's perspective.
|
2021-09-20 11:21:25 +00:00
|
|
|
|
2022-05-11 11:31:47 +00:00
|
|
|
This option makes the X.509 and TLS library use PSA for cryptographic
|
|
|
|
operations, and enables new APIs for using keys handled by PSA Crypto.
|
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
General considerations
|
|
|
|
----------------------
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Application code:** when this option is enabled, you need to call
|
2022-05-11 11:31:47 +00:00
|
|
|
`psa_crypto_init()` before calling any function from the SSL/TLS, X.509 or PK
|
|
|
|
module.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2023-03-10 11:33:15 +00:00
|
|
|
**Scope:** `MBEDTLS_USE_PSA_CRYPTO` has no effect on the most of the TLS 1.3
|
|
|
|
code, which always uses PSA crypto. The parts of the TLS 1.3 code that will
|
|
|
|
use PSA Crypto or not depending on the value of this option are:
|
|
|
|
- record protection;
|
|
|
|
- running handshake hash;
|
|
|
|
- asymmetric signature verification & generation;
|
|
|
|
- X.509 certificate chain verification.
|
|
|
|
You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you want TLS 1.3 to use PSA
|
|
|
|
everywhere.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2023-03-22 15:17:54 +00:00
|
|
|
**Important note:** Even with this option disabled, some modules may still use
|
|
|
|
PSA Crypto. However, it is then their responsibility to make sure it's safe to
|
|
|
|
do so; in particular those modules do not require `psa_crypto_init()` to be
|
|
|
|
called. So, enabling `MBEDTLS_USE_PSA_CRYPTO` basically means:
|
|
|
|
- as a user, you promise to call `psa_crypto_init()` before using any function
|
|
|
|
from PK, X.509 or TLS;
|
|
|
|
- in return, those modules will use PSA Crypto as much as possible (see
|
|
|
|
exceptions belos).
|
|
|
|
Conversely, not enabling this option means you have no obligation to call
|
|
|
|
`psa_crypto_init()` (unless as documented by other options such as TLS 1.3),
|
|
|
|
but modules can still decide to use PSA if they can determine it is available
|
|
|
|
and initialized.
|
|
|
|
|
2021-09-21 09:21:23 +00:00
|
|
|
New APIs / API extensions
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
### PSA-held (opaque) keys in the PK layer
|
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**New API function:** `mbedtls_pk_setup_opaque()` - can be used to
|
|
|
|
wrap a PSA key pair into a PK context. The key can be used for private-key
|
2021-09-24 08:14:32 +00:00
|
|
|
operations and its public part can be exported.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Limitations:** can only wrap a key pair, can only use it for private key
|
2022-04-20 13:58:00 +00:00
|
|
|
operations. (That is, signature generation, and for RSA decryption too.)
|
|
|
|
Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses
|
|
|
|
deterministic ECDSA by default. The following operations are not supported
|
2021-09-24 08:14:32 +00:00
|
|
|
with a context set this way, while they would be available with a normal
|
2022-06-10 09:09:03 +00:00
|
|
|
context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
|
|
|
|
operations.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
|
2021-09-21 09:21:23 +00:00
|
|
|
using the new API in order to get the benefits; it can then pass the
|
|
|
|
resulting context to the following existing APIs:
|
|
|
|
|
|
|
|
- `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the
|
2022-06-10 09:09:03 +00:00
|
|
|
key together with a certificate for certificate-based key exchanges;
|
2021-09-21 09:21:23 +00:00
|
|
|
- `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature
|
2022-06-10 09:09:03 +00:00
|
|
|
request);
|
2022-04-20 13:58:00 +00:00
|
|
|
- `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2021-09-24 08:17:07 +00:00
|
|
|
### PSA-held (opaque) keys for TLS pre-shared keys (PSK)
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**New API functions:** `mbedtls_ssl_conf_psk_opaque()` and
|
2021-09-24 08:14:32 +00:00
|
|
|
`mbedtls_ssl_set_hs_psk_opaque()`. Call one of these from an application to
|
2021-09-21 09:21:23 +00:00
|
|
|
register a PSA key for use with a PSK key exchange.
|
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Benefits:** isolation of long-term secrets.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Limitations:** none.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Use in TLS:** opt-in. The application needs to register the key using one of
|
|
|
|
the new APIs to get the benefits.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
|
|
|
### PSA-based operations in the Cipher layer
|
|
|
|
|
2021-09-24 08:14:32 +00:00
|
|
|
There is a new API function `mbedtls_cipher_setup_psa()` to set up a context
|
|
|
|
that will call PSA to store the key and perform the operations.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
This function only worked for a small number of ciphers. It is now deprecated
|
|
|
|
and it is recommended to use `psa_cipher_xxx()` or `psa_aead_xxx()` functions
|
|
|
|
directly instead.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
2022-06-10 09:09:03 +00:00
|
|
|
**Warning:** This function will be removed in a future version of Mbed TLS. If
|
|
|
|
you are using it and would like us to keep it, please let us know about your
|
|
|
|
use case.
|
2021-09-21 09:21:23 +00:00
|
|
|
|
|
|
|
Internal changes
|
|
|
|
----------------
|
|
|
|
|
|
|
|
All of these internal changes are active as soon as `MBEDTLS_USE_PSA_CRYPTO`
|
|
|
|
is enabled, no change required on the application side.
|
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
### TLS: most crypto operations based on PSA
|
2021-09-20 11:21:25 +00:00
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
Current exceptions:
|
2021-09-20 11:21:25 +00:00
|
|
|
|
2022-12-06 11:00:33 +00:00
|
|
|
- Finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA,
|
|
|
|
DHE-PSK).
|
|
|
|
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
|
|
|
|
the documentation of that option).
|
2021-09-21 11:55:00 +00:00
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
Other than the above exceptions, all crypto operations are based on PSA when
|
|
|
|
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
|
2021-09-21 11:55:00 +00:00
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
### X.509: most crypto operations based on PSA
|
2021-09-24 08:06:04 +00:00
|
|
|
|
2022-12-06 11:00:33 +00:00
|
|
|
Current exceptions:
|
2021-09-24 08:06:04 +00:00
|
|
|
|
2022-12-06 11:00:33 +00:00
|
|
|
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
|
|
|
|
the documentation of that option).
|
2021-09-24 08:06:04 +00:00
|
|
|
|
2022-07-12 07:27:39 +00:00
|
|
|
Other than the above exception, all crypto operations are based on PSA when
|
2022-04-20 13:58:00 +00:00
|
|
|
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
|
2021-09-24 08:06:04 +00:00
|
|
|
|
2022-04-20 13:58:00 +00:00
|
|
|
### PK layer: most crypto operations based on PSA
|
2021-09-21 11:55:00 +00:00
|
|
|
|
2022-12-06 11:00:33 +00:00
|
|
|
Current exceptions:
|
2021-09-21 11:55:00 +00:00
|
|
|
|
2022-12-21 08:59:33 +00:00
|
|
|
- Verification of RSA-PSS signatures with an MGF hash that's different from
|
|
|
|
the message hash.
|
2022-12-06 11:00:33 +00:00
|
|
|
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
|
|
|
|
the documentation of that option).
|
2021-09-21 11:55:00 +00:00
|
|
|
|
2022-12-21 08:59:33 +00:00
|
|
|
Other than the above exceptions, all crypto operations are based on PSA when
|
2022-04-20 13:58:00 +00:00
|
|
|
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
|
2021-09-21 11:55:00 +00:00
|
|
|
|