- mbed-tls - lists.trustedfirmware.org

Credential validation BEFORE first TLS handshake: the present and future of mbedtls_pk_sign/verify()

by Almut Herzog

Hi, Prior to the first TLS handshake our application is required to perform input validation of the provided credentials (from file or smart card) for this peer. One of those checks is to verify that private and public key match. We used to use mbedtls_pk_sign() with a custom mbedtls_pk_context for that. But in version 3.X mbedtls_pk_info_t was made private so mbedtls_pk_setup() with a custom mbedtls_pk_info_t whose sign_func would call into our smart card wrapper is no longer possible. Is there still a way to provide custom callback functions for signing in 3.6.4 somehow? Or any other workaround for early check of a key pair? Looking at 4.0.0-beta, also pk.h is no longer public. Will it still be possible to perform early validation of this peer's credentials prior to a first TLS handshake? How? While I am at it, it would be good to implement something that is future-proof. What else I have looked at: * mbedtls_pk_setup_opaque() might be the way to go but I do not find an example of how to link a key id to a custom signature function. * mbedtls_pk_setup_rsa_alt() would be useful if our application was always using RSA. * Both functions are no longer public in 4.0 Related: Early validation of a CRL (whether it was signed by the expected CA) used to be possible with mbedtls_pk_verify_ext(). But to properly set the input parameters requires access to private members of mbedtls_x509_crl in 3.6.4 (maybe an acceptable move?) but in 4.0.0 mbedtls_pk_verify_ext() is no longer public. How perform explicit/"manual" CRL validation especially given the possibly skipped CRL validation in mbedtls_x509_crt_verify() as per the comment below? "It is your responsibility to provide up-to-date CRLs for all trusted CAs. If no CRL is provided for the CA that was used t sign the certificate, CRL verification is skipped silently..." Any future-proof ideas for this? Best regards, /Almut

10 months

2
1
0 0

Re: MBed-TLS Technical Forum - Asia

by Gilles Peskine

Hello, Due to holidays, Arm will be unable to host a meeting on 14 July 2025. Slides are available at https://github.com/TrustedFirmwareWebsite/website/pull/652/files#diff-ee947… and will be on the archive web site shortly. Short summary of the past 2 weeks: the 3.6.4 release is out. We are now focusing on the last tasks for the 1.0/4.0 big release at end of Q3. Best regards, -- Gilles Peskine Mbed TLS developer and PSA Crypto architect ________________________________ From: Trusted Firmware Public Meetings Sent: 21 May 2025 14:56 To: Trusted Firmware Public Meetings <linaro.org_havjv2figrh5egaiurb229pd8c(a)group.calendar.google.com>; mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>; psa-crypto(a)lists.trustedfirmware.org <psa-crypto(a)lists.trustedfirmware.org> Subject: MBed-TLS Technical Forum - Asia When: 14 July 2025 11:00-11:50. Where: Trusted Firmware is inviting you to a scheduled Zoom meeting. Topic: MBed-TLS Technical Forum - Asia Time: Jun 16, 2025 10:00 AM London Every 4 weeks on Mon, 39 occurrence(s) Please download and import the following iCalendar (.ics) files to your calendar system. Weekly: https://linaro-org.zoom.us/meeting/tJMqcuGuqDotGtIbACm498ytl0ZhydWKdu1b/ics…<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fmeeting%2Ft…> Join Zoom Meeting https://linaro-org.zoom.us/j/97758661706?pwd=baMjUvnWbY20z3ignQca7QVahhozkI…<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9775866…> Meeting ID: 977 5866 1706 Passcode: 577208 --- One tap mobile +16892781000,,97758661706# US +17193594580,,97758661706# US --- Dial by your location • +1 689 278 1000 US • +1 719 359 4580 US • +1 253 205 0468 US • +1 253 215 8782 US (Tacoma) • +1 301 715 8592 US (Washington DC) • +1 305 224 1968 US • +1 309 205 3325 US • +1 312 626 6799 US (Chicago) • +1 346 248 7799 US (Houston) • +1 360 209 5623 US • +1 386 347 5053 US • +1 507 473 4847 US • +1 564 217 2000 US • +1 646 558 8656 US (New York) • +1 646 931 3860 US • +1 669 444 9171 US • +1 669 900 9128 US (San Jose) • 833 548 0282 US Toll-free • 833 928 4608 US Toll-free • 833 928 4609 US Toll-free • 833 928 4610 US Toll-free • 877 853 5247 US Toll-free • 888 788 0099 US Toll-free • 833 548 0276 US Toll-free Meeting ID: 977 5866 1706 Find your local number: https://linaro-org.zoom.us/u/acdtApJNbc<https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fu%2FacdtApJ…> When Every 4 weeks from 10am to 10:50am on Monday (United Kingdom Time) Guests mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org> psa-crypto(a)lists.trustedfirmware.org<mailto:psa-crypto@lists.trustedfirmware.org> View all guest info<https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh…> RSVP for psa-crypto(a)lists.trustedfirmware.org<mailto:psa-crypto@lists.trustedfirmware.org> for all events in this series Yes<https://calendar.google.com/calendar/event?action=RESPOND&eid=NjI4c3NnYjFoZ…> No<https://calendar.google.com/calendar/event?action=RESPOND&eid=NjI4c3NnYjFoZ…> Maybe<https://calendar.google.com/calendar/event?action=RESPOND&eid=NjI4c3NnYjFoZ…> More options<https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh…> Invitation from Google Calendar<https://calendar.google.com/calendar/> You are receiving this email because you are an attendee on the event. Forwarding this invitation could allow any recipient to send a response to the organizer, be added to the guest list, invite others regardless of their own invitation status, or modify your RSVP. Learn more<https://support.google.com/calendar/answer/37135#forwarding>

10 months, 3 weeks

1
0
0 0

Strategic Financing & Brokerage Collaboration Opportunity

by LIAM GILL

We are pleased to introduce Velositi Consultancy Group, a Finnish-owned brokerage and consultancy firm headquartered in Ontario, Canada. As the exclusive representative of leading financial institutions across Oman, Saudi Arabia, and Dubai, we offer customized financing solutions globally. Through our partners, we provide loan facilities at a competitive 3% annual interest, featuring a 2-year grace period and no physical collateral—a unique offer tailored for today’s business environment. This opportunity is extended especially to recognized business leaders like yourself. Your recent listing by your country’s Chamber of Commerce as “Reliable to do business with” during the Saudi Business Summit highlights the potential for meaningful collaboration. Beyond direct financing, we also welcome broker partnerships for referring businesses in need of funding. We would be pleased to discuss how we can support your growth and financial objectives. Warm regards, Liam Gill Chairman, Business Development Velositi Consultancy Group 300 John Street, Suite 506, Thornhill, ON L3T 6M8, Canada LIAM GILL 300 John Street, Suite 506 , ON , Thornhill , L3T 6M8 Unsubscribe ( https://u45460243.ct.sendgrid.net/wf/unsubscribe?upn=u001.AzuRT3u7SiTsBx5mQ… ) - Unsubscribe Preferences ( https://u45460243.ct.sendgrid.net/wf/unsubscribe?upn=u001.AzuRT3u7SiTsBx5mQ… )

10 months, 3 weeks

1
0
0 0

Mbed TLS 4.0.0-beta & TF-PSA-Crypto 1.0.0-beta releases.

by Minos Galanakis

I am happy to announce the joint-release of Mbed TLS 4.0.0-beta & TF-PSA-Crypto 1.0.0-beta PSA-Crypto now lives in its own repository while TLS and X.509 remain in Mbed TLS. This beta release breaks compatibility with earlier versions of Mbed TLS. Please do not use it in production. It’s intended for the community to verify codebase integrations against the split and API changes, and for early adopters to experiment and provide feedback. For full details, please see the release pages: Mbed TLS 4.0.0-beta: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0-beta TF-PSA-Crypto 1.0.0-beta: https://github.com/Mbed-TLS/TF-PSA-Crypto/releases/tag/tf-psa-crypto-1.0.0-…

10 months, 4 weeks

1
0
0 0

[Mbed-tls-announce] Mbed TLS 4.0.0-beta & TF-PSA-Crypto 1.0.0-beta

by Minos Galanakis via Mbed-tls-announce

I am happy to announce the joint-release of Mbed TLS 4.0.0-beta & TF-PSA-Crypto 1.0.0-beta PSA-Crypto now lives in its own repository while TLS and X.509 remain in Mbed TLS. This beta release breaks compatibility with earlier versions of Mbed TLS. Please do not use it in production. It’s intended for the community to verify codebase integrations against the split and API changes, and for early adopters to experiment and provide feedback. For full details, please see the release pages: Mbed TLS 4.0.0-beta: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0-beta TF-PSA-Crypto 1.0.0-beta: https://github.com/Mbed-TLS/TF-PSA-Crypto/releases/tag/tf-psa-crypto-1.0.0-… IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org

10 months, 4 weeks

1
0
0 0

[Mbed-tls-announce] Mbed TLS 3.6.4 Released

by Minos Galanakis via Mbed-tls-announce

Hi Mbed TLS users, We have released Mbed TLS versions 3.6.4. These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4). We recommend all users to consider whether they are impacted, and to upgrade appropriately. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org

11 months

1
0
0 0

imx-secure-enclave with mbedtls 2.28.9

by kavitha bk

Hi We are using mbedtls 2.28.9 and want to offload crypto operations to HSM from NXP imx-secure-enclave. is the below approach correct or please suggest alternate approaches if any? 1.Transition all apis from traditional apis to psa in modules Use PSA crypto module https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md 2. Integrate PSA module with imx-secure-enclave in our custom mbedtls 3. All modules will use custom mbedtls which will internally offload crypto operations to HSM or Do you recommend to use MBEDTLS_PK_RSA_ALT_SUPPORT? and implement the key creation/signing/export of public key operations ? Thanks, Kavitha

11 months, 3 weeks

2
2
0 0

Mbed TLS information request

by Solis, Hector

Hi! We are working with Mbed TLS 3.6.0 library and need the following information: 1. Is there any End-Of-Life date planned for this library? 2. What is the current version? 3. How can we obtain support for the library enquiries? Does this support has a cost? 4. How is the library update? Does this update has a cost? 5. Are this library Open Source? Thanks in advance for your help! 🙂 Have a great day! Héctor J. Solís Castillo Embedded Engr I Honeywell | HTS Building Automation 990, Av. Eje 5 Norte, Mexico City CDMX hectorjose.solis(a)honeywell.com<mailto:hectorjose.solis@honeywell.com> honeywell.com<http://www.honeywell.com/> Pronouns: He/Him<https://www.mypronouns.org/what-and-why>

11 months, 3 weeks

2
1
0 0

Question about partial certificate chains

by Roman Janota

Hello, I have the following two certificate chains: server <- intermediateCA <- rootCA and client <- intermediateCA <- rootCA. Currently there are two ways the client is authenticated by the server: both the intermediateCA and rootCA certificates are configured as CAs on the server or if only intermediateCA is configured. I am using a custom verify callback set by mbedtls_ssl_conf_verify(). I would like to achieve two separate cases: 1) Make the MbedTLS' built-in pre-verify be successful, even when only the rootCA certificate is set as the server's CA. 2) Always obtain the whole certificate chain up to the root in the verify callback. For case 1) this is how our OpenSSL TLS implementation works, it is discussed here <https://github.com/openssl/openssl/issues/7871>. From my understanding the server should be able to build the certificate chain by inquiring the client about its certificate's issuer, etc. For case 2), whenever both rootCA and intermediateCA are configured on the server, only the chain client <- intermediateCA is received by the callback. I would like to be able to receive the chain client <- intermediateCA <- rootCA. Are these two cases achievable with mbedTLS? For reference I am using mbedTLS 3.5.2. For my server I would like to utilize both cases 1) and 2) and for the client only the case 1). Kind regards, Roman Janota

11 months, 4 weeks

1
0
0 0

PSA Crypto API version compliance

by Zak, Kevin

Hello, I notice in 'crypto.h' of mbedTLS 3.6.3, PSA_CRYPTO_API_VERSION_MAJOR & PSA_CRYPTO_API_VERSION_MINOR show the version implemented as v1.0. Per the github page of TF-PSA-Crypto (https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/README.md), the implementation is of v1.1. I verified that this mismatch between the README and crypto.h exists on the development branch of TF-PSA-Crypto as well. What is the correct version implemented, as of mbedTLS 3.6.3? Regards, Kevin

1 year

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

mbed-tls