Lines Matching +full:all +full:- +full:apis

1 This document describes the compile-time configuration option
5 - makes the X.509 and TLS libraries use PSA for cryptographic operations as
7 - enables new APIs for using keys handled by PSA Crypto, such as
9 "New APIs / API extensions" below.
12 ----------------------
21 for ECDSA, ECDH and EC J-PAKE in those modules. However, note that even with
28 - `MBEDTLS_PSA_CRYPTO_C` enables the implementation of the PSA Crypto API.
29 When it is enabled, `psa_xxx()` APIs are available and you must call
31 modules in the library (non-PSA crypto APIs, X.509, TLS) may or may not use
33 non-PSA functions, unless explicitly documented (TLS 1.3).
34 - `MBEDTLS_USE_PSA_CRYPTO` means that X.509 and TLS will use PSA Crypto as
45 - record protection;
46 - running handshake hash;
47 - asymmetric signature verification & generation;
48 - X.509 certificate chain verification.
54 opt-in: by default, these modules would keep using the stable,
55 production-ready legacy (pre-PSA) crypto APIs. So, the scope of was X.509 and
58 its use in other modules opt-in. However, PSA Crypto functions require that
60 compatibility reasons we can't impose this requirement on non-PSA functions
67 New APIs / API extensions
68 -------------------------
70 ### PSA-held (opaque) keys in the PK layer
72 **New API function:** `mbedtls_pk_setup_opaque()` - can be used to
73 wrap a PSA key pair into a PK context. The key can be used for private-key
76 **Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
83 context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
86 **Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
88 resulting context to the following existing APIs:
90 - `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the
91 key together with a certificate for certificate-based key exchanges;
92 - `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature
94 - `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate.
96 ### PSA-held (opaque) keys for TLS pre-shared keys (PSK)
102 **Benefits:** isolation of long-term secrets.
106 **Use in TLS:** opt-in. The application needs to register the key using one of
107 the new APIs to get the benefits.
109 ### PSA-held (opaque) keys for TLS 1.2 EC J-PAKE key exchange
113 TLS 1.2 EC J-PAKE key exchange.
115 **Benefits:** isolation of long-term secrets.
119 **Use in TLS:** opt-in. The application needs to register the key using one of
120 the new APIs to get the benefits.
122 ### PSA-based operations in the Cipher layer
136 ----------------
138 All of these internal changes are active as soon as `MBEDTLS_USE_PSA_CRYPTO`
145 - Finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA,
146 DHE-PSK).
147 - Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
150 Other than the above exceptions, all crypto operations are based on PSA when
157 - Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
160 Other than the above exception, all crypto operations are based on PSA when
167 - Verification of RSA-PSS signatures with an MGF hash that's different from
169 - Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
172 Other than the above exceptions, all crypto operations are based on PSA when