Hello mbedtls mailing list,

I’m working to modify mbedTLS (3.6.2) to use our PSA Crypto Implementation in a separate library. Our solution does not make use of PSA ‘drivers’ that mbedTLS refers to. I’ve modified makefiles to not build PSA Crypto files, and have enabled MBEDTLS_PSA_CRYPTO_C & MBEDTLS_USE_PSA_CRYPTO. I’ve also defined MBEDTLS_PSA_ACCEL_ALG_XXX for our supported algorithms.

  1. Is there a good way to determine whether a given TLS/X509 configuration would require a certain ‘legacy’ (maybe a better term is ‘non-PSA’) crypto file to be built into the mbedTLS library?
    1. The goal is to build as few crypto source files into the mbedTLS source files as possible, maximizing usage of our separate PSA implementation
  2. Example: My test application using mbedtls_x509_crt_parse() receives linking errors for mbedtls_ecp_(group/point)_xxx() and mbedtls_mpi_xxx() that are referenced in pkparse.c (which I am building into the library).
    1. ecp.c is currently excluded from the build (as is its define) – if I add it, I add significantly more linking errors for mbedtls_mpi APIs. I was under the impression that ECP and MPI APIs could be avoided with the correct configuration.
    2. If ecp/mpi helper APIs are needed still for x509, this would be good to know. However, I’d like to avoid usage of MPI APIs that perform actual software calculations.

See the screenshot for a list of non-PSA crypto files I am currently building to test with. I imagine I may have to add more incrementally.

Any insights on this general use case or my ECP troubles with x509 would be appreciated. I plan to extend the strategy as these are the findings from an attempt to use just one x509 API.

Best,

Kevin Zak