Hi guys,
I’m new to the list and bringing the discussion over here from https://github.com/ARMmbed/mbedtls/issues/3413 <https://github.com/ARMmbed/mbedtls/issues/3413>.
I’m creating a certificate using mbedtls and setting it’s issuer and and subject using the mbedtls_x509write_crt_set_subject_name, and mbedtls_x509write_crt_set_issuer_name.
The name passed in is in UTF8 and contains a sequence 0xe2 0x80 0x99 (apostrophe) in the CN string. If I debugged this correctly, the underlying sequence of bytes is correctly encoded in ASN.1 and tagged as 12 (UTF-8).
When I later parse the cert and try to extract its subject back using mbedtls_x509_dn_gets from crt.subject and crt.issuer the UTF-8 gets corrupted.
The code in mbedtls_x509_dn_gets fails to properly handle the UTF-8 multibyte sequence 0xe2 0x80 0x99 and turns it into 0xe2 0x80 0x3f.
There is a fix floating around development branch mentioned here https://github.com/ARMmbed/mbedtls/pull/3326/files <https://github.com/ARMmbed/mbedtls/pull/3326/files> which essentially replaces all control chars with question marks.
I think this is a bug and the dn_gets should simply leave the UTF-8 multibyte untouched when parsing it out from a field tagged with ASN.1 tag 12 (utf-8).
What’s your opinion?
Martin
Hi Palomo
All the documentation we have to share is already available, either in the upstream codebase, the wiki (https://developer.trustedfirmware.org/w/mbed-tls/) or the legacy website (https://tls.mbed.org/). Some of the info on the latter is out of date.
The core development team at Arm do not offer training. Arm has a Partner Enablement Group that does this kind of thing but I don't think they offer Mbed TLS specific training currently. I've asked them if they would consider this in future but I guess that's not going to help you in the short term.
Good luck with your learning and we'll try to answer any specific questions you have.
Regards
Dan.
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> On Behalf Of Jesus Gualberto Palomo Garcia via mbed-tls
Sent: 08 June 2020 04:46
To: Gilles Peskine <Gilles.Peskine(a)arm.com>
Cc: mbed-tls(a)lists.trustedfirmware.org
Subject: Re: [mbed-tls] support mbedTLS no entropy source
Hi Gilles.
Thanks for follow my questions and attend it, regarding trainings, I want to understand how the encryption works, how the algorithms works inside the library, I can read the code and google the concepts but I want to accelerate the knowledge transfer, maybe for implement some optimization, I don't if that is possible, at the moment my PoC using uClinux works perfectly and the TLS 1.2 ir running over 80Mhz, so that is pretty awesome, but I want to learn more about encryption, maybe if you can share me some literature regarding this point?
Thank you very much and regards from Mexico!
On Tue, Jun 2, 2020 at 6:21 PM Gilles Peskine <gilles.peskine(a)arm.com<mailto:gilles.peskine@arm.com>> wrote:
Hi Palomo,
I don't think there's any other way at the moment. The patch in my email
is one possible solution, but I'm not sure if it's right, because not
all platforms with a Linux kernel have /dev/urandom.
I think the best solution would be to make the existence of /dev/urandom
a platform configuration option. But platform options are a little messy
already, between the MBEDTLS_HAVE_xxx options, the
MBEDTLS_PLATFORM_STD_xxx options, the MBEDTLS_PLATFORM_xxx_MACRO
options, the MBEDTLS_PLATFORM_xxx_ALT options. And this new option
wouldn't behave like any of the existing ones since it should have three
settings: guess (the default, identical to the current behavior of
observing preprocessor symbols like __unix__), off and on. We should
figure out what to do about platform options in 3.0 before making this
even more complex.
me.todo.add("collect my thoughts on simplifying platform customization
and post them to the list")
Regarding trainings, my team doesn't normally do that, but there are
other teams in Arm that do. What topic are you interested in?
--
Gilles Peskine
Mbed TLS developer
On 31/05/2020 20:06, Jesus Gualberto Palomo Garcia wrote:
> Hello Gilles thanks for your support, yes finally I could compile the
> library in the architecture that I used, I forced the compilation to
> entry in the "if _unix_" conditional compilation, but I assume that
> exist another way to do this. Do you have a example for enable that
> conditional compilation flags?
>
> regarding to my dev/urandom, yes my platform has this feature, the
> library runs very well, but I just have the point related to "force"
> the compilation because the library doesn't recognize the unix
> architecture.
>
> Thanks and we keep in touch!
>
> Regards from Mexico!
>
> BTW If I want to professional training, Do you offered this service?
>
> On Mon, May 25, 2020 at 11:07 AM Gilles Peskine via mbed-tls
> <mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>> wrote:
>
> Hi Palomo,
>
> You seem to be compiling for a system with a Linux kernel, but
> with only
> a partial Unix userland. The “Unix” code in the entropy_poll module
> might work on your system, but it is only enabled if __unix__ or
> __unix
> (or a few others) is defined.
>
> Can you please try the attached patch? Does your runtime environment
> have /dev/urandom ?
>
> Regarding the knowledge base article, you need to remove the "."
> character at the end of the URL:
> https://tls.mbed.org/kb/how-to/add-a-random-generator--
>
> Gilles Peskine
> Mbed TLS developer
>
> On 19/05/2020 21:43, Jesus Gualberto Palomo Garcia via mbed-tls wrote:
> > Hello Hanno, Thanks for your thanks for you quickly replay.
> >
> > I have an error compilation, I'm using nios2-linux-uclibc for my
> cross
> > compilation and uclinux architecture,
> > the linux kernel is 2.60 but I have this error when I try to compile
> > the library, I want to use the library as a simple client using
> TLS1.2
> >
> > $ make static
> > CC aes.c
> > CC aesni.c
> > CC arc4.c
> > CC aria.c
> > CC asn1parse.c
> > CC asn1write.c
> > CC base64.c
> > CC bignum.c
> > CC blowfish.c
> > CC camellia.c
> > CC ccm.c
> > CC chacha20.c
> > CC chachapoly.c
> > CC cipher.c
> > CC cipher_wrap.c
> > CC cmac.c
> > CC ctr_drbg.c
> > CC des.c
> > CC dhm.c
> > CC ecdh.c
> > CC ecdsa.c
> > CC ecjpake.c
> > CC ecp.c
> > CC ecp_curves.c
> > CC entropy.c
> > CC entropy_poll.c
> > entropy_poll.c:56:2: #error "Platform entropy sources only work on
> > Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
> > Makefile:285: recipe for target 'entropy_poll.o' failed
> > make: *** [entropy_poll.o] Error 1
> >
> > BTW the article is not
> > found https://tls.mbed.org/kb/how-to/add-a-random-generator.
> > <https://tls.mbed.org/kb/how-to/add-a-random-generator.>
> >
> > Many thanks!!
> >
> >
> > On Tue, May 19, 2020 at 9:01 AM Hanno Becker
> <Hanno.Becker(a)arm.com<mailto:Hanno.Becker@arm.com> <mailto:Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>>
> > <mailto:Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com> <mailto:Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>>>> wrote:
> >
> > Hi Palomo,
> >
> > Please take a look at the recent
> >
> thread https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000069.html
> > which should give you a better understanding of how Mbed TLS
> > manages and uses entropy from the underlying system.
> >
> > Regards,
> > Hanno
> >
> ------------------------------------------------------------------------
> > *From:* mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org<mailto:mbed-tls-bounces@lists.trustedfirmware.org>
> <mailto:mbed-tls-bounces@lists.trustedfirmware.org<mailto:mbed-tls-bounces@lists.trustedfirmware.org>>
> > <mailto:mbed-tls-bounces@lists.trustedfirmware.org<mailto:mbed-tls-bounces@lists.trustedfirmware.org>
> <mailto:mbed-tls-bounces@lists.trustedfirmware.org<mailto:mbed-tls-bounces@lists.trustedfirmware.org>>>> on behalf of
> > Jesus Gualberto Palomo Garcia via mbed-tls
> > <mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>
> > <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>>>
> > *Sent:* Tuesday, May 19, 2020 2:56 PM
> > *To:* mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>
> > <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>>
> > <mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>
> > <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>>>
> > *Subject:* [mbed-tls] support mbedTLS no entropy source
> >
> > Hi all!
> >
> > I'm Palomo and I've been working with your library a few weeks
> > ago, I'm using Linux kernel 2.60 but my embedded system has a
> > limit entropy source, i now that this is a critical point,
> but How
> > can I use your library if I want to use a other entropy source?
> >
> > Thanks and waiting for you!
> >
> > --
> > *¡Saludos! Best wishes!*
> > *
> > *
> > *
> > /*Jesus** Palomo*/
> >
> > México, D.F.
> >
> > *
> >
> >
> >
> > --
> > *¡Saludos! Best wishes!*
> > *
> > *
> > *
> > /*Jesus** Palomo*/
> >
> > México, D.F.
> >
> > *
> >
>
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>
> <mailto:mbed-tls@lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>>
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
>
>
> --
> *¡Saludos! Best wishes!*
> *
> *
> *
> /*Jesus** Palomo*/
>
> México, D.F.
>
> *
--
¡Saludos! Best wishes!
Jesus Palomo
México, D.F.
Hello Gilles thanks for your support, yes finally I could compile the
library in the architecture that I used, I forced the compilation to entry
in the "if _unix_" conditional compilation, but I assume that exist another
way to do this. Do you have a example for enable that conditional
compilation flags?
regarding to my dev/urandom, yes my platform has this feature, the library
runs very well, but I just have the point related to "force" the
compilation because the library doesn't recognize the unix architecture.
Thanks and we keep in touch!
Regards from Mexico!
BTW If I want to professional training, Do you offered this service?
On Mon, May 25, 2020 at 11:07 AM Gilles Peskine via mbed-tls <
mbed-tls(a)lists.trustedfirmware.org> wrote:
> Hi Palomo,
>
> You seem to be compiling for a system with a Linux kernel, but with only
> a partial Unix userland. The “Unix” code in the entropy_poll module
> might work on your system, but it is only enabled if __unix__ or __unix
> (or a few others) is defined.
>
> Can you please try the attached patch? Does your runtime environment
> have /dev/urandom ?
>
> Regarding the knowledge base article, you need to remove the "."
> character at the end of the URL:
> https://tls.mbed.org/kb/how-to/add-a-random-generator--
>
> Gilles Peskine
> Mbed TLS developer
>
> On 19/05/2020 21:43, Jesus Gualberto Palomo Garcia via mbed-tls wrote:
> > Hello Hanno, Thanks for your thanks for you quickly replay.
> >
> > I have an error compilation, I'm using nios2-linux-uclibc for my cross
> > compilation and uclinux architecture,
> > the linux kernel is 2.60 but I have this error when I try to compile
> > the library, I want to use the library as a simple client using TLS1.2
> >
> > $ make static
> > CC aes.c
> > CC aesni.c
> > CC arc4.c
> > CC aria.c
> > CC asn1parse.c
> > CC asn1write.c
> > CC base64.c
> > CC bignum.c
> > CC blowfish.c
> > CC camellia.c
> > CC ccm.c
> > CC chacha20.c
> > CC chachapoly.c
> > CC cipher.c
> > CC cipher_wrap.c
> > CC cmac.c
> > CC ctr_drbg.c
> > CC des.c
> > CC dhm.c
> > CC ecdh.c
> > CC ecdsa.c
> > CC ecjpake.c
> > CC ecp.c
> > CC ecp_curves.c
> > CC entropy.c
> > CC entropy_poll.c
> > entropy_poll.c:56:2: #error "Platform entropy sources only work on
> > Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
> > Makefile:285: recipe for target 'entropy_poll.o' failed
> > make: *** [entropy_poll.o] Error 1
> >
> > BTW the article is not
> > found https://tls.mbed.org/kb/how-to/add-a-random-generator.
> > <https://tls.mbed.org/kb/how-to/add-a-random-generator.>
> >
> > Many thanks!!
> >
> >
> > On Tue, May 19, 2020 at 9:01 AM Hanno Becker <Hanno.Becker(a)arm.com
> > <mailto:Hanno.Becker@arm.com>> wrote:
> >
> > Hi Palomo,
> >
> > Please take a look at the recent
> > thread
> https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000069.html
>
> > which should give you a better understanding of how Mbed TLS
> > manages and uses entropy from the underlying system.
> >
> > Regards,
> > Hanno
> >
> ------------------------------------------------------------------------
> > *From:* mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org
> > <mailto:mbed-tls-bounces@lists.trustedfirmware.org>> on behalf of
> > Jesus Gualberto Palomo Garcia via mbed-tls
> > <mbed-tls(a)lists.trustedfirmware.org
> > <mailto:mbed-tls@lists.trustedfirmware.org>>
> > *Sent:* Tuesday, May 19, 2020 2:56 PM
> > *To:* mbed-tls(a)lists.trustedfirmware.org
> > <mailto:mbed-tls@lists.trustedfirmware.org>
> > <mbed-tls(a)lists.trustedfirmware.org
> > <mailto:mbed-tls@lists.trustedfirmware.org>>
> > *Subject:* [mbed-tls] support mbedTLS no entropy source
> >
> > Hi all!
> >
> > I'm Palomo and I've been working with your library a few weeks
> > ago, I'm using Linux kernel 2.60 but my embedded system has a
> > limit entropy source, i now that this is a critical point, but How
> > can I use your library if I want to use a other entropy source?
> >
> > Thanks and waiting for you!
> >
> > --
> > *¡Saludos! Best wishes!*
> > *
> > *
> > *
> > /*Jesus** Palomo*/
> >
> > México, D.F.
> >
> > *
> >
> >
> >
> > --
> > *¡Saludos! Best wishes!*
> > *
> > *
> > *
> > /*Jesus** Palomo*/
> >
> > México, D.F.
> >
> > *
> >
>
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
--
*¡Saludos! Best wishes!*
*Jesus PalomoMéxico, D.F.*
Hello,
Arm is seeking early feedback on a proposed interface for cryptographic
drivers that can be plugged into an implementation of the PSA
Cryptography API. A copy of the current specification is attached. You
can find the current draft of the specification of this interface at
https://github.com/gilles-peskine-arm/mbedtls/blob/psa-unified-driver-proto…
Please note that this is work in progress. The document is not complete
yet. At this stage, it is intended to offer a general overview of the
design, not as an implementable specification. Our intention is to
continue refining this design, however we may change it based on the
feedback that we will receive and there is even a small chance that we
will abandon it.
The primary intent of this specification is to allow manufacturers of
cryptographic hardware to distribute drivers that can be added to a
pure-software, portable implementation of the PSA Cryptography API such
as Mbed TLS. The interface was designed to support three types of hardware:
* Cryptographic accelerators that operate on a key which is provided in
cleartext at the beginning of the operation. This type of driver can
also be used to plug in software engines.
* Protected environments that operate on a wrapped key which is stored
outside the protected environment.
* Protected environments that have internal key storage and operate on
keys designated by an identifier.
Concretely, a driver manufacturer would distribute:
* A JSON file specifying the driver's capabilities.
* C headers declaring the types and functions provided by the driver.
* The implementation of the functions provided by the driver, either in
the form of C source code or in the form of compiled code.
Then when an application uses a key:
* If the key is in the memory or local storage of the PSA crypto
subsystem and a driver is available for the requested cryptographic
mechanism, the core (e.g. Mbed TLS) dispatches the cryptographic
operation to the driver.
* If the key is in local storage and no driver is available, the core
performs the cryptographic operation itself.
* If the key is in some other location (as specified by its lifetime),
the core invokes the protected environment driver corresponding to that
location.
This proposal supersedes the previous drafts “PSA cryptographic
accelerator interface” (psa_crypto_accel.h) and “PSA secure element
driver interface” (crypto_se_driver.h).
We intend to implement this specification in Mbed TLS in such a way that
a platform distributor can combine drivers and distribute C source code,
object files or a mixture of the two in their system development kit. In
the long term, the accelerator interface defined here will replace the
current MBEDTLS_xxx_ALT mechanism.
Comments are welcome through the following venues:
* Public email to the psa-crypto or mbed-tls mailing list at
TrustedFirmware.
* Public comments on GitHub on the pull request
https://github.com/ARMmbed/mbedtls/pull/3313 .
* Private email to <mbed-crypto(a)arm.com>. These emails will only be
shared inside Arm. We may use your feedback to influence the design of
PSA Crypto, but your identity and the specifics will be kept confidential.
We do not have a specific deadline for feedback, however we intend to
start implementing this interface in Mbed TLS in June 2020, so feedback
received later will have a reduced chance of influencing the design if
it would entail major changes.
Best regards,
--
Gilles Peskine
Mbed TLS developer and PSA Cryptography architect
Hi Palomo,
You seem to be compiling for a system with a Linux kernel, but with only
a partial Unix userland. The “Unix” code in the entropy_poll module
might work on your system, but it is only enabled if __unix__ or __unix
(or a few others) is defined.
Can you please try the attached patch? Does your runtime environment
have /dev/urandom ?
Regarding the knowledge base article, you need to remove the "."
character at the end of the URL:
https://tls.mbed.org/kb/how-to/add-a-random-generator--
Gilles Peskine
Mbed TLS developer
On 19/05/2020 21:43, Jesus Gualberto Palomo Garcia via mbed-tls wrote:
> Hello Hanno, Thanks for your thanks for you quickly replay.
>
> I have an error compilation, I'm using nios2-linux-uclibc for my cross
> compilation and uclinux architecture,
> the linux kernel is 2.60 but I have this error when I try to compile
> the library, I want to use the library as a simple client using TLS1.2
>
> $ make static
> CC aes.c
> CC aesni.c
> CC arc4.c
> CC aria.c
> CC asn1parse.c
> CC asn1write.c
> CC base64.c
> CC bignum.c
> CC blowfish.c
> CC camellia.c
> CC ccm.c
> CC chacha20.c
> CC chachapoly.c
> CC cipher.c
> CC cipher_wrap.c
> CC cmac.c
> CC ctr_drbg.c
> CC des.c
> CC dhm.c
> CC ecdh.c
> CC ecdsa.c
> CC ecjpake.c
> CC ecp.c
> CC ecp_curves.c
> CC entropy.c
> CC entropy_poll.c
> entropy_poll.c:56:2: #error "Platform entropy sources only work on
> Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
> Makefile:285: recipe for target 'entropy_poll.o' failed
> make: *** [entropy_poll.o] Error 1
>
> BTW the article is not
> found https://tls.mbed.org/kb/how-to/add-a-random-generator.
> <https://tls.mbed.org/kb/how-to/add-a-random-generator.>
>
> Many thanks!!
>
>
> On Tue, May 19, 2020 at 9:01 AM Hanno Becker <Hanno.Becker(a)arm.com
> <mailto:Hanno.Becker@arm.com>> wrote:
>
> Hi Palomo,
>
> Please take a look at the recent
> thread https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000069.html
> which should give you a better understanding of how Mbed TLS
> manages and uses entropy from the underlying system.
>
> Regards,
> Hanno
> ------------------------------------------------------------------------
> *From:* mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org
> <mailto:mbed-tls-bounces@lists.trustedfirmware.org>> on behalf of
> Jesus Gualberto Palomo Garcia via mbed-tls
> <mbed-tls(a)lists.trustedfirmware.org
> <mailto:mbed-tls@lists.trustedfirmware.org>>
> *Sent:* Tuesday, May 19, 2020 2:56 PM
> *To:* mbed-tls(a)lists.trustedfirmware.org
> <mailto:mbed-tls@lists.trustedfirmware.org>
> <mbed-tls(a)lists.trustedfirmware.org
> <mailto:mbed-tls@lists.trustedfirmware.org>>
> *Subject:* [mbed-tls] support mbedTLS no entropy source
>
> Hi all!
>
> I'm Palomo and I've been working with your library a few weeks
> ago, I'm using Linux kernel 2.60 but my embedded system has a
> limit entropy source, i now that this is a critical point, but How
> can I use your library if I want to use a other entropy source?
>
> Thanks and waiting for you!
>
> --
> *¡Saludos! Best wishes!*
> *
> *
> *
> /*Jesus** Palomo*/
>
> México, D.F.
>
> *
>
>
>
> --
> *¡Saludos! Best wishes!*
> *
> *
> *
> /*Jesus** Palomo*/
>
> México, D.F.
>
> *
>
Hi Palomo,
Please take a look at the recent thread https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000069.html
which should give you a better understanding of how Mbed TLS manages and uses entropy from the underlying system.
Regards,
Hanno
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Jesus Gualberto Palomo Garcia via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: Tuesday, May 19, 2020 2:56 PM
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] support mbedTLS no entropy source
Hi all!
I'm Palomo and I've been working with your library a few weeks ago, I'm using Linux kernel 2.60 but my embedded system has a limit entropy source, i now that this is a critical point, but How can I use your library if I want to use a other entropy source?
Thanks and waiting for you!
--
¡Saludos! Best wishes!
Jesus Palomo
México, D.F.
Hi all!
I'm Palomo and I've been working with your library a few weeks ago, I'm
using Linux kernel 2.60 but my embedded system has a limit entropy source,
i now that this is a critical point, but How can I use your library if I
want to use a other entropy source?
Thanks and waiting for you!
--
*¡Saludos! Best wishes!*
*Jesus PalomoMéxico, D.F.*
Hello,
If you enable the use PSA for cryptography in TLS
(MBEDTLS_USE_PSA_CRYPTO) and configure the PSK with
mbedtls_ssl_conf_psk_opaque(), the key derivation is done through the
PSA API. You can then keep your key in the secure world. You'll need to
have a PSA crypto implementation where the PSA crypto core is in the
secure world and the frontend is in the application that performs the
TLS handshake. PSA crypto is designed for this, but you or your TEE
vendor will need to port the Mbed TLS code to your platform.
--
Gilles Peskine
Mbed TLS developer
On 13/05/2020 11:10, mayuri janawad via mbed-tls wrote:
> Hello,
>
> I am currently trying to establish pre shared key based tls handshake
> using mbedtls. However, I want to store the pre shared key in the
> trustzone and derive the session key inside the trustzone. Is it
> possible using mbedtls? Can I provide alternate implementation for psk
> based tls in mbedtls library?
>
> It would be really helpful if this could be answered as soon as
> possible. Thank you in advance for your assistance.
>
> Regards,
> Mayuri Janawad
>
Hello,
I am currently trying to establish pre shared key based tls handshake using
mbedtls. However, I want to store the pre shared key in the trustzone and
derive the session key inside the trustzone. Is it possible using mbedtls?
Can I provide alternate implementation for psk based tls in mbedtls library?
It would be really helpful if this could be answered as soon as possible.
Thank you in advance for your assistance.
Regards,
Mayuri Janawad