Lines Matching refs:key

61 * Creating a key with the legacy API and consuming it in the PSA API.
62 * Creating a key with the PSA API and consuming it in the legacy API.
94 Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, et…
118 The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys…
120 An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
123 * ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
127 …re does not seem to be a need to convert between legacy and PSA asymmetric key types on their own.…
139 * Simultaneously supporting **a key type and an algorithm**.
145 #### Using a legacy key pair or public key with PSA
147 …rios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to …
149 Reasons for first creating a legacy key object, where it's impossible or impractical to directly cr…
151 * A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an …
152 * The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generat…
155 Reasons for needing a PSA key object:
157key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a fe…
160key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_…
162 #### Using a PSA key as a PK context
164key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically,…
168 * It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in so…
169 * It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is des…
172 It therefore appears that we need two ways to “convert” a PSA key to PK:
174 …s what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's life…
175 * Copying, which requires a new function. This requires an exportable key but creates a fully indep…
177 Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is…
244 … The two APIs are different in crucial ways, with different splits between key type, policy inform…
245 …Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mb…
247 #### API to create a PSA key from a PK context
249 Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
251key with the same key material and algorithm. “Same key material” is straightforward, but “same al…
253 When creating a PSA key, apart from the key material, the key is determined by attributes, which fa…
255 * Type and size. These are directly related to the key material and can be deduced from it if the k…
256 …ictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more …
257 …on function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired loca…
259 …tent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` inpu…
261 … but does not bake in the implementation-specific consideration that a PSA key has exactly two alg…
274 …oes not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
275 …it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OP…
277key type is a key pair if the context contains a private key and the indicated usage is a private-
282 …error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
283 * `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key o…
284 …* For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RS…
285key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SAL…
288 …of the existing PK key and copies them (without overriding the lifetime and key identifier in `att…
289key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key
290 …with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
291     * The key type can be a public key even if the private key is available.
295 #### API to copy a PSA key to a PK context
297 Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
307 * It is an error if the key is neither a key pair nor a public key.
308 * It is an error if the key is not exportable.
310 * Once this function returns, the pk object is completely independent of the PSA key.
311 …lting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm…
313key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key
314key material (for example to benefit from a PSA accelerator driver, or to start using a secure ele…
316 #### API to create a PK object that wraps a PSA key
318 Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
320 …tion of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `…