Hi,
I was referring to below URLs for understanding key exchange using
certificate in TLS framework:
https://tls12.xargs.org/https://tls13.xargs.org/
I have some confusion related to above TLS 1.2 and 1.3 flows and require
guidance from your side accordingly. I understand the key exchange using
certificates highly depends on configuration and capabilities setup.
But then how do we know what goes on a TLS connection based on
configuration and setup capabilities? What are the different configurations
and when should we set them?
I need the same details with reference to a TLS connection setup from a
client in our codebase while other for EAP TLS using the below example
available in the url below:
https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_exampl…
Firstly in the above code we do see a lot of configuration and
initialization like below:
eap_cb.get_config = peer_get_config;
eap_cb.get_bool = peer_get_bool;
eap_cb.set_bool = peer_set_bool;
eap_cb.get_int = peer_get_int;
eap_cb.set_int = peer_set_int;
eap_cb.get_eapReqData = peer_get_eapReqData;
eap_cb.set_config_blob = peer_set_config_blob;
eap_cb.get_config_blob = peer_get_config_blob;
eap_cb.notify_pending = peer_notify_pending;
Whereas our client code which connects to the cloud using certificates to
obtain some data in below mentioned way:
keyman_creds_for_purpose() - get the creds read and parse the crt.pem,
key.pem and trusted_ca.pem files. It make uses of below APis:readfile() -
read the file from key storageparse_private_key() & mbedtls_pk_parse_key()
- I believe it is for parsing the keys read from file
Setup MBed TLS
mbedtls_ssl_config_init() - Initialize
mbedtls_ssl_configmbedtls_ctr_drbg_init() - CTR_DRBG context initialization
mbedtls_ctr_drbg_seed()
mbedtls_ssl_conf_rng()
mbedtls_ssl_conf_ca_chain()
mbedtls_ssl_conf_own_cert()
mbedtls_ssl_conf_authmode()
t_socket()
I am quite new to this code so could have missed or provided wrong info -
but I hope I give the overall picture of code implementation - note that
this client code is a working code with no issues.
My queries are mentioned below:
1) Does the same TLS message flow occur in both cases - our client code and
EAP TLS? If not then what's the difference in-between them?
2) How do we understand exact implementation and message flows?
3) What are the different ways to implement TLS connection using certs?
4) Any additional information that can helpful to me like - some references
to tutorials / examples / guide would be an added advantage
Thanks in advance.
Regards,
Prakash
Hi,
when upgrading MBed TLS from 2.16.x to the LTS 2.28.x version on an ARM
32 bit system,
I realized that the byte-order macros were collected to one file
(common.h) with the possibility to replace them.
After writing ARM optimized macros, I checked this topic in the 3.5.x
version where it was implemented in a similar way in alignment.h.
With this input the following solution was made for the 2.28.x branch:
https://github.com/jojwoos/MbedTLS_wrapper
A bit late, but maybe someone can still use it:)
Perhaps the 64 bit swap, build from two optimized 32bit swaps, can
provide some input for the actual 3.5.x version.
You can find it at:
"// general 64 bit optimization if only 32 bit optimization is available"
(32bit ARM systems usually don't have optimized 64bit swap functions)
Best regards,
Jürgen
Hi,
Referring to the example as in
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/mbedtls-tutorial/
(secure connection) does the secret key exchange takes place in-between
server and client.
Is there any flowchart / diagram that states what happens during the server
client connection - how the keys are exchanged and what types of certs are
exchanged, I mean like .pem, X.509 etc?
Can we take this way that be it any type of certificate the code
implementation is the same for all TLS communication?
Thanks in advance.
Regards,
Prakash
Hello,
In psa_validate_key_attributes(), when the key ID is invalid for persistent keys the function returns PSA_ERROR_INVALID_ARGUMENT. See https://github.com/Mbed-TLS/mbedtls/blob/development/library/psa_crypto.c#L….
The comments for PSA_ERROR_INVALID_ARGUMENT explicitly states that this error should not be returned when key identifier is invalid, instead PSA_ERROR_INVALID_HANDLE should be returned.
For the above psa_validate_key_attributes() usecase, which is the correct return code - PSA_ERROR_INVALID_ARGUMENT or PSA_ERROR_INVALID_HANDLE?
Regards,
Archanaa
Hello,
The mbedtls docs (psa_driver_interface.md) mention that only opaque driver supports the use of built-in keys with PSA APIs. Why does a transparent driver not support built-in key feature?
Regards,
Archanaa
Hi all.
We are currently planning on improving our coverage and adding accessor functionality for members marked as MBEDTLS_PRIVATE. I have created an issue ( #8529 )<https://github.com/Mbed-TLS/mbedtls/issues/8529> to consolidate all the information and design-review the task.
It would really help to hear from the community as to which members they are still using, and what is their use-case.
Feel free to comment on the issue, or discuss it here. There may be members that we have decided not to include and are essential to your integration or are completely missing/not being considered.
Best Regards,
Minos Galanakis
Hi,
We need to integrate the TLS Code in our codebase. I have downloaded Mbed
TLS 3.5.1 @ https://github.com/Mbed-TLS/mbedtls/releases and compiled it.
I understand that we can just use the code in mbedtls-3.5.1\library
directory for the TLS functionality - can anyone please confirm. Are there
any other directories where TLS Code exists in the MbedTLS 3.5.1 repo?
Please confirm how we can only integrate MbedTLS TLS functionality code in
other applications / repo. There are so many other directories in MbedTLS
3.5.1 repo - how is the code in repo organized? Do we need all the code
in MbedTLS 3.5.1 repo?
Your valid input will help me to integrate the MbedTLS Code in our codebase?
Please provide all other details as required or will be helpful for the
same.
Thanks in advance.
Regards,
Prakash
Hi,
I downloaded Mbed TLS 3.5.1 @ https://github.com/Mbed-TLS/mbedtls/releases.
Please let me know how to configure and compile the same.
Also please let me know how to run some sample tests there or manually to
verify.
Thanks in advance.
Regards,
Prakash
I am trying to use psa_import_key() after loading private keys from PEM
files. I am succeeding when parsing an "RSA PRIVATE KEY", but no such
luck for "EC PRIVATE KEY". I assume that I am not setting attributes
correctly. A code sample would be nice!
Or, maybe I could just use mbedtls_pk_parse_keyfile(), but then I would
need to "import" a PSA key from the "mbedtls" context, ad I did not find
sample code for that either.
-- Christian Huitema