net: sockets: tls: support PSA-resident private keys #111841
Open
PavelVPV wants to merge 1 commit into
Force-pushed 8bfaafb to 1e44da3
rlubos approved these changes, Jun 23, 2026
pdgendt (Contributor) reviewed and left a comment, Jun 23, 2026:
Please change the Co-Authored-By to Assisted-By as mentioned in the contribution guidelines.
Force-pushed 1e44da3 to 19d43ba
PavelVPV (Contributor, Author): Done!
pdgendt (Contributor) approved these changes and left a comment, Jun 23, 2026:
Nit: It's Assisted-by (lowercase b), my bad 😅
Commit message:

Add a TLS_CREDENTIAL_PRIVATE_KEY_PSA credential type so a private key already resident in PSA can be referenced by its psa_key_id_t instead of being supplied as exported key material.

When this credential type is used, the TLS socket builds an opaque Mbed TLS PK context with mbedtls_pk_wrap_psa() rather than parsing raw key bytes. As a result the private key never leaves PSA: handshake signatures are performed through psa_sign_hash(). This enables flows where the key is generated on-device (non-exportable, stored in ITS) and used for TLS client authentication without ever exporting it.

The credential buffer holds a psa_key_id_t; the public certificate is still registered as TLS_CREDENTIAL_PUBLIC_CERTIFICATE and paired with the opaque key by sec tag, unchanged.

Assisted-by: Claude:claude-opus-4.8
Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
Force-pushed 19d43ba to 586aa4d