Move NIST_KW to PSA API #9382
Labels:
api-break: This issue/PR breaks the API and must wait for a new major version
component-crypto: Crypto primitives and low-level interfaces
size-s: Estimated task size: small (~2d)
Migrate the NIST KW/KWP interface (nist_kw.h) to rely on the PSA API instead of cipher.h.

Justification: KW/KWP are encrypted authentication modes built on a block cipher (currently only AES). They don't fit the PSA crypto API well (no nonce, no AEAD, awkward to make multipart), so at least for the time being we aren't exposing it through a PSA API. The implementation relies on the block cipher in ECB mode. Currently, nist_kw.c relies on mbedtls_cipher_xxx functions for AES-ECB. The goal of this task is to make the implementation rely on psa_cipher_encrypt/psa_cipher_decrypt instead.

New prototypes:

The changes are:

Validation: check that the key type is PSA_KEY_TYPE_AES. This isn't really necessary, but expanding support to other 128-bit block ciphers is out of scope, even if all it would take is to add test cases.

Implementation: use the psa_cipher_xxx multipart API. Return PSA error codes instead of legacy error codes.
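An added example, not code from this issue or from Mbed TLS: the RFC 3394 key wrap (KW) loop written against a single-block ECB callback, showing that the cipher backend is the only piece the migration has to replace and that unwrap fails closed on a bad integrity check value. The names `ecb_fn`, `kw_wrap`, `kw_unwrap` and `toy_*` are hypothetical, and `toy_enc`/`toy_dec` are a constructed, non-cryptographic stand-in for AES-ECB so the block builds without a crypto library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical callback: transform one 16-byte block in place (ECB). This is
 * the only cipher access KW needs; it is not an Mbed TLS or PSA signature. */
typedef void (*ecb_fn)(const uint8_t *key, uint8_t *blk);
static const uint8_t KW_ICV[8] = {0xA6,0xA6,0xA6,0xA6,0xA6,0xA6,0xA6,0xA6};

static void xor_counter(uint8_t *a, uint64_t t) {   /* A ^= t, big-endian */
    for (int k = 0; k < 8; k++) a[7 - k] ^= (uint8_t)(t >> (8 * k));
}
/* RFC 3394 wrap: writes len + 8 bytes to out (A first, then R[1..n]). */
int kw_wrap(ecb_fn enc, const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out) {
    if (len < 16 || len % 8) return -1;
    size_t n = len / 8;
    uint8_t b[16];
    memcpy(out, KW_ICV, 8); memcpy(out + 8, in, len);
    for (size_t t = 1; t <= 6 * n; t++) {           /* t = n*j + i */
        uint8_t *r = out + 8 * (1 + (t - 1) % n);   /* R[i], i = 1..n */
        memcpy(b, out, 8); memcpy(b + 8, r, 8);     /* B = A | R[i] */
        enc(key, b); xor_counter(b, t);
        memcpy(out, b, 8); memcpy(r, b + 8, 8);
    }
    return 0;
}
/* Unwrap: returns -2 and wipes out when the integrity check value is wrong. */
int kw_unwrap(ecb_fn dec, const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out) {
    if (len < 24 || len % 8) return -1;
    size_t n = len / 8 - 1;
    uint8_t b[16], diff = 0;
    memcpy(b, in, 8); memcpy(out, in + 8, 8 * n);   /* A lives in b[0..7] */
    for (size_t t = 6 * n; t >= 1; t--) {
        uint8_t *r = out + 8 * ((t - 1) % n);
        xor_counter(b, t); memcpy(b + 8, r, 8);
        dec(key, b);
        memcpy(r, b + 8, 8);
    }
    for (int k = 0; k < 8; k++) diff |= (uint8_t)(b[k] ^ KW_ICV[k]);
    if (diff) { memset(out, 0, 8 * n); return -2; }
    return 0;
}
/* CONSTRUCTED, NON-CRYPTOGRAPHIC invertible block function standing in for
 * AES-ECB. Assumption: a real build calls the AES backend here instead. */
static void toy(const uint8_t *k, uint8_t *x, int i, int end, int step) {
    for (; i != end; i += step)
        x[(i + 1) % 16] ^= (uint8_t)((x[i % 16] + k[i % 16]) * 167u + 13u);
}
void toy_enc(const uint8_t *k, uint8_t *x) { toy(k, x, 0, 32, 1); }
void toy_dec(const uint8_t *k, uint8_t *x) { toy(k, x, 31, -1, -1); }
```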