Two migration scenarios relating to Mbed TLS are discussed below:
- Migrating an application that uses Mbed TLS cryptography functions through the PSA Certified Crypto API from the Mbed TLS crypto implementation to Oberon PSA Crypto.
- Migrating an application that uses Mbed TLS as a TLS stack, so that it continues using the protocol implementation of Mbed TLS, but without the crypto implementation that comes with Mbed TLS, using Oberon PSA Crypto instead.
To migrate an application that uses the crypto part of the Mbed TLS software stack via the PSA Certified Crypto API, but does not use its TLS protocol part, to Oberon PSA Crypto:
- Make sure that your application only uses the PSA Certified Crypto API for all crypto calls.
- Make sure that your application only uses the modern crypto algorithms that Oberon PSA Crypto supports, e.g., not MD5. See Appendix A: Supported Crypto Features for more information.
- Copy your existing mbedtls/mbedtls_config.h configuration file to the corresponding location in Oberon PSA Crypto. Oberon PSA Crypto provides the Mbed TLS implementations for MBEDTLS_PSA_CRYPTO_STORAGE_C and MBEDTLS_PSA_ITS_FILE_C by default, but can use other provided implementations of these PSA Storage APIs.
- Copy your existing psa/crypto_config.h file to include/psa/crypto_config.h in Oberon PSA Crypto.
- Make sure that the include/psa/crypto_config.h file defines the "wanted" crypto features as described above.
- In the include/psa/crypto_config.h file, define the "used" hardware drivers as described above.
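
One way to check the first two steps before copying the configuration files, as an added example that is not part of the Oberon PSA Crypto documentation: a small source audit that flags legacy (non-PSA) Mbed TLS crypto calls and MD5 symbols while leaving TLS protocol calls alone. The list of legacy module prefixes and the sample source are assumptions constructed for this example; MD5 is the only unsupported algorithm named here, so consult Appendix A for the full list.

```python
import re

# Legacy (non-PSA) Mbed TLS crypto module prefixes. This selection is an
# assumption of the example and is not exhaustive; extend it for your code base.
LEGACY_PREFIXES = ("aes", "ccm", "chacha20", "cipher", "ctr_drbg", "ecdh",
                   "ecdsa", "entropy", "gcm", "hmac_drbg", "md", "md5", "rsa",
                   "sha1", "sha256", "sha512")
LEGACY_CALL = re.compile(r"\bmbedtls_(%s)(?:_\w+)?\s*\(" % "|".join(LEGACY_PREFIXES))
# MD5 is the one unsupported algorithm the text names.
MD5_SYMBOL = re.compile(r"\bPSA_(?:WANT_)?ALG_MD5\b")
# Regex-based comment matching; string literals are not parsed (simplification).
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(source):
    """Blank out C comments but keep newlines so line numbers stay correct."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)

def audit(source):
    """Return (line, kind, symbol) for each legacy crypto call or MD5 symbol."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for m in LEGACY_CALL.finditer(line):
            findings.append((lineno, "legacy-call", m.group().rstrip("( \t")))
        for m in MD5_SYMBOL.finditer(line):
            findings.append((lineno, "md5", m.group()))
    return findings

# Constructed sample application source (not from any real project).
SAMPLE = '''\
#include <psa/crypto.h>
/* old: mbedtls_sha256(buf, len, out, 0); */
psa_status_t digest(const uint8_t *in, size_t n, uint8_t *out, size_t *olen) {
    return psa_hash_compute(PSA_ALG_SHA_256, in, n, out, 32, olen);
}
int legacy(void) {
    mbedtls_md5_init(&ctx);
    psa_hash_setup(&op, PSA_ALG_MD5);
    return mbedtls_ssl_write(ssl, buf, len);  // TLS protocol call, not flagged
}
'''

if __name__ == "__main__":
    for lineno, kind, symbol in audit(SAMPLE):
        print(f"line {lineno}: {kind}: {symbol}")
```
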
If the TLS protocol part of the Mbed TLS software stack is used with Oberon PSA Crypto, there are settings in include/mbedtls/mbedtls_config.h that may have to be configured as well. See README-SSL for more information.