Hi
We are using mbedtls 2.28.9 and want to offload crypto operations to HSM
from NXP imx-secure-enclave.
is the below approach correct or please suggest alternate approaches if any?
1.Transition all apis from traditional apis to psa in modules
Use PSA crypto module
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md
2. Integrate PSA module with imx-secure-enclave in our custom mbedtls
3. All modules will use custom mbedtls which will internally offload crypto
operations to HSM
or Do you recommend to use MBEDTLS_PK_RSA_ALT_SUPPORT? and implement the
key creation/signing/export of public key operations ?
Thanks,
Kavitha
Hi!
We are working with Mbed TLS 3.6.0 library and need the following information:
1.
Is there any End-Of-Life date planned for this library?
2. What is the current version?
3. How can we obtain support for the library enquiries? Does this support has a cost?
4.
How is the library update? Does this update has a cost?
5.
Are this library Open Source?
Thanks in advance for your help! 🙂
Have a great day!
Héctor J. Solís Castillo
Embedded Engr I
Honeywell | HTS Building Automation
990, Av. Eje 5 Norte, Mexico City
CDMX
hectorjose.solis(a)honeywell.com<mailto:hectorjose.solis@honeywell.com>
honeywell.com<http://www.honeywell.com/>
Pronouns: He/Him<https://www.mypronouns.org/what-and-why>
Hello,
I have the following two certificate chains: server <- intermediateCA <-
rootCA and client <- intermediateCA <- rootCA.
Currently there are two ways the client is authenticated by the server:
both the intermediateCA and rootCA certificates are configured as CAs on
the server or if only intermediateCA is configured.
I am using a custom verify callback set by mbedtls_ssl_conf_verify().
I would like to achieve two separate cases:
1) Make the MbedTLS' built-in pre-verify be successful, even when only
the rootCA certificate is set as the server's CA.
2) Always obtain the whole certificate chain up to the root in the
verify callback.
For case 1) this is how our OpenSSL TLS implementation works, it is
discussed here <https://github.com/openssl/openssl/issues/7871>. From my
understanding the server should be able to build the certificate chain
by inquiring the client about its certificate's issuer, etc.
For case 2), whenever both rootCA and intermediateCA are configured on
the server, only the chain client <- intermediateCA is received by the
callback. I would like to be able to receive the chain client <-
intermediateCA <- rootCA.
Are these two cases achievable with mbedTLS? For reference I am using
mbedTLS 3.5.2. For my server I would like to utilize both cases 1) and
2) and for the client only the case 1).
Kind regards,
Roman Janota
