Move the Mbed TLS/Mbed Crypto specific code in its own crate

[hug-dev]

The psa-crypto crate should ideally be a generic wrapper around the PSA Crypto API. Currently we are also offering in that crate the building and linking with Mbed Crypto (in Mbed TLS), one of its implementation.

We should maybe try to separate those two things with maybe a mbedcrypto crate that contains the finding, building and linking with Mbed Crypto. It could also contain the bindings for Mbed Crypto so will remove the need of bindgen!

[hug-dev]

See #88

[mcr]

I am trying to understand what the relationship between rust-psa-crypto and https://github.com/fortanix/rust-mbedtls .
My impression is that each is wrapping a different part of mbedtls, but maybe I'm wrong and there is significant overlap.
My target environment will have PSA implemented crypto (via hardware acceleration), which I'd like to use for object security (COSE), and also for TLS communications.

[ionut-arm]

Hi @mcr - we have no affiliation with the mbedtls crate, but from what I can gather from their public documentation, it seems that crate is intended to work as an abstraction to the (high-level) functionality of MbedTLS, whereas our crates are intended as an abstraction to the cryptographic implementation used under the hood in MbedTLS, namely an implementation of PSA Crypto.

My target environment will have PSA implemented crypto (via hardware acceleration), which I'd like to use for object security (COSE), and also for TLS communications.

My guess would be that you're better served by this crate (psa-crypto) for the first use case (object security), but mbedtls might be more useful for TLS communications, unless you're interested in building your own TLS engine on top of PSA crypto, or backending some other TLS implementation with PSA crypto!

May I ask what your overarching use-case/project is, if it's something public? Another option would be for you to offload the low-level interactions to Parsec, and use the Rust native Parsec client to then implement your high-level objectives.

[mcr]

Hi, sorry to take so long to get back you. I want/need to use psa-crypto to sign RFC8366 vouchers, which are then sent across a TLS connection. So I need the psa functions, and I need mbedtls ones too. When I link both rust-psa-crypto and mbedtls(-sys-auto), I get duplicate symbols.
Not really a surprise, I was mostly expecting this, but I'm now finally at the point where it matters.

A reason to want PSA is so that, on embedded M-class systems, I'll get whatever accelerations that PSA/etc. can provide.

I'm rather unclear why PARSEC enters the discussion.
Will mbedtls link against it? If not, it just seems to be yet another moving part. For some reason I think that PSA ought to be linking against it.

Since the mbedtls-sys-auto crate also provides all the mbedtls code, I wonder if I can convince the rust-psa-crypto to not compile the mbedtls code itself. This would "easy" if I just cared about native builds, I could use "-lmbedtls", etc. but I need the entire cross features of cargo.