Appendix D: Mbed TLS

Below, two scenarios are discussed relating to Mbed TLS:

  1. Migrating an application that uses Mbed TLS cryptography functions through the PSA Certified Crypto API, from the Mbed TLS crypto implementation to Oberon PSA Crypto.
  2. Migrating an application that uses Mbed TLS as a TLS stack, so that it continues to use the protocol implementation of Mbed TLS but replaces the crypto implementation that comes with Mbed TLS by Oberon PSA Crypto.

Migrate an Application to Oberon PSA Crypto

To migrate an application to Oberon PSA Crypto that uses the crypto part of the Mbed TLS software stack via the PSA Certified Crypto API, but does not use its TLS protocol part:

  1. Make sure that your application only uses the PSA Certified Crypto API for all crypto calls.

  2. Make sure that your application only uses the modern crypto algorithms that Oberon PSA Crypto supports, e.g., not MD5. See Appendix A: Supported Crypto Features for more information.

  3. Copy your existing mbedtls/mbedtls_config.h configuration file to the corresponding location in Oberon PSA Crypto. Oberon PSA Crypto provides the Mbed TLS implementations for MBEDTLS_PSA_CRYPTO_STORAGE_C and MBEDTLS_PSA_ITS_FILE_C by default, but other implementations of these PSA Storage APIs can be used instead.

  4. Copy your existing psa/crypto_config.h file to include/psa/crypto_config.h in Oberon PSA Crypto.

  5. Make sure that the include/psa/crypto_config.h file defines the "wanted" crypto features as described above.

  6. In the include/psa/crypto_config.h file, define the "used" hardware drivers as described above.
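
The following include/psa/crypto_config.h fragment is an added illustration of steps 2, 5 and 6; it is not a file from the Oberon PSA Crypto or Mbed TLS projects. The PSA_WANT_* macros are the standard PSA crypto configuration macros that Mbed TLS uses in psa/crypto_config.h; the driver macro PSA_USE_EXAMPLE_DRIVER_HASH is a placeholder name assumed for this example, since the actual driver-selection macros depend on the target hardware. The #error guard turns the "no MD5" requirement of step 2 into a build failure rather than a runtime surprise.

```c
/* Added example, not part of the Oberon PSA Crypto or Mbed TLS sources:
 * a minimal include/psa/crypto_config.h for a migrated application.
 * PSA_WANT_* are the standard PSA crypto configuration macros;
 * PSA_USE_EXAMPLE_DRIVER_HASH is a placeholder (assumed) driver macro. */
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H

/* Step 5: "wanted" crypto features. Only modern algorithms that
 * Oberon PSA Crypto supports are requested (see Appendix A). */
#define PSA_WANT_ALG_SHA_256                1
#define PSA_WANT_ALG_HMAC                   1
#define PSA_WANT_ALG_GCM                    1
#define PSA_WANT_ALG_ECDSA                  1
#define PSA_WANT_ECC_SECP_R1_256            1
#define PSA_WANT_KEY_TYPE_AES               1
#define PSA_WANT_KEY_TYPE_HMAC              1
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY    1

/* Step 2 as a compile-time check: a legacy algorithm that the migrated
 * configuration must not request (MD5) fails the build if it is still
 * enabled, e.g. because it was copied over from the old configuration. */
#if defined(PSA_WANT_ALG_MD5)
#error "PSA_WANT_ALG_MD5 is set: MD5 is not supported by Oberon PSA Crypto"
#endif

/* Step 6: "used" hardware drivers. Placeholder macro name, assumed for
 * this example; use the name documented for your target's driver. */
#define PSA_USE_EXAMPLE_DRIVER_HASH         1

#endif /* PSA_CRYPTO_CONFIG_H */
```

Keeping the guard in the configuration header itself means that every translation unit that includes psa/crypto_config.h re-checks it, so a stray define added later in a board-specific override is caught at the first compile.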

Use the Mbed TLS Protocol Stack Without its Crypto Implementation

If the TLS protocol part of the Mbed TLS software stack is used with Oberon PSA Crypto, there are settings in include/mbedtls/mbedtls_config.h that may have to be configured as well. See README-SSL for more information.