wolfSSL using Platform Security Architecture (PSA)
Overview
wolfSSL can be configured to use a PSA library for the following operations:
- hashes: SHA-1, SHA-224, SAH-256
- AES: AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-CCM
- ECDH PK callbacks (P-256)
- ECDSA PK callbacks (P-256)
- RNG
Client certificates are not supported.
Build
Basic configuration
To enable PSA support in wolfSSL you need to provide the name of the library
that implements the PSA interface using --with-psa-lib-name=LIBNAME. You may
also provide the path to the library headers (with --with-psa-include) and to
to the PSA library itself (with --with-psa-lib). As an example, to use mbedtls
PSA implementation you may use:
./configure --enable-psa --with-psa-include=/dir/to/mbedtls/include --with-psa-lib=/dir/to/mbedtls/library --with-psa-lib-name=mbedcrypto
Customize build
You can switch off some of the algorithms supported using the following defines:
WOLFSSL_PSA_NO_RNG: disable PSA random generator supportWOLFSSL_PSA_NO_HASH: disable PSA hashing supportWOLFSSL_PSA_NO_AES: disable PSA AES supportWOLFSSL_PSA_NO_PKCBS: disable PK callbacks support
Supporting non-thread safe PSA implementation
If the PSA implementation used is not thread-safe, you can serialize all calls
to the PSA library using the define WOLFSSL_PSA_GLOBAL_LOCK.
Using PSA PK callbacks
To use Public Key PSA callbacks you need to enable them using the function:
wolfSSL_CTX_psa_enable(WOLFSSL_CTX *ctx)
Context information regarding a single SSL session is stored inside a struct psa_ssl_ctx. The user needs to define and setup a struct psa_ssl_ctx, then
to attach it to an ssl session with wolfSSL_set_psa_ctx(WOLFSSL *ssl, struct psa_ssl_ctx *ctx). When the session is over, the application should free the
psa context with wolfSSL_free_psa_ctx(struct psa_ssl_ctx *ctx).
Example:
struct psa_ssl_ctx psa_ctx = { 0 };
WOLFSSL_CTX* ctx;
WOLFSSL* ssl;
int ret
/* WOLFSSL_CTX initialization here */
ret = wolfSSL_CTX_psa_enable(ctx);
if (ret != WOLFSSL_SUCCESS)
printf("can't enable PSA on ctx");
ssl = wolfSSL_new(ctx);
ret = wolfSSL_set_psa_ctx(ssl, &psa_ctx);
if (ret != WOLFSSL_SUCCESS)
printf("can't enable PSA on ctx");
/* SSL communication */
wolfSSL_free_psa_ctx(&psa_ctx);
SSL_free(ssl); ssl = NULL;
SSL_CTX_free(ctx); ctx = NULL;
Setup server side private key
On the server side, the private key of the server should be loaded inside the
PSA engine storage. To use the key inside the ssl session you have to invoke
wolfSSL_psa_set_private_key_id(struct psa_ssl_ctx *ctx, psa_key_id_t id);. The
key needs to have PSA_KEY_USAGE_SIGN_HASH usage flag set. Example:
psa_key_attributes_t key_attr = { 0 };
struct psa_ssl_ctx psa_ctx = { 0 };
psa_key_type_t key_type;
psa_key_id_t key_id;
psa_status_t status;
key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
psa_set_key_type(&key_attr, key_type);
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA_ANY);
status = psa_import_key(&key_attr, ecc_key_256,
sizeof(ecc_key_256), &key_id);
if (status != PSA_SUCCESS) {
fprintf(stderr,
"ERROR: provisioning of private key failed: [%d] \n", status);
exit(-1);
}
wolfSSL_psa_set_private_key_id(&psa_ctx, key_id);
}
Additional note
- AES-GCM, AES-CTR, AES-CCM are not implemented directly. The software
implementation uses the AES-ECB PSA one to implement them.