Bytesrw_crypto.PsaThin bindings to PSA Crypto API.
The binding is low-level and mostly one-to-one with C. It does not try to embelish the API for OCaml idioms. However given a memory-safe implementation of PSA Crypto, this binding allows no unsafe usage.
Key material. When key material is manipulated explicitly (Psa.import_key, Psa.export_key, etc.) we use Psa.bigbytes to store the bytes. Since a bigbytes value wraps a C malloced pointer, it prevents the garbage collector from copying the key material and Bytesrw_crypto.Clearing it destroys it. Of course if you use Bigbytes.of_string or Bigbytes.of_bytes to create the bigbytes value that defeats the purpose. Note that OCaml 5.2 added functions to directly read and write bigbytes values with channels and file descriptors.
Naming convention. Any C identifier of the form psa_xxx_yyy_zzz or PSA_XXX_YYY_ZZZ is mapped in OCaml to on one of Psa.xxx_yyy_zzz, Psa.Xxx.yyy_zzz. There may be a few exception to the rule (e.g. Psa.Cipher.block_length).
Return value convention. When C functions return by setting a value passed by reference (e.g. a key identifier or number of bytes written) if and only the call is a success we return that value in an OCaml Ok value and otherwise Error value with the error status code. See for example Psa.generate_key, Psa.export_key, etc.
Supported version and references. For now we bind the version 1.2 of the API with what is available in the TF-PSA-Crypto implementation of the specification (a few entry points are missing).
Note. These are OCaml artefacts, not part of the PSA Crypto API.
type bigbytes =
(int, Stdlib.Bigarray.int8_unsigned_elt, Stdlib.Bigarray.c_layout)
Stdlib.Bigarray.Array1.tThe type for bigarrays of bytes. See also Bytesrw_crypto.Bigbytes.
module Status : sig ... endStatus codes.
val success : Status.tval operation_incomplete : Status.tmodule Error : sig ... endError statuses.
crypto_api_version () is the version of this implementation of the PSA Crypto API.
val crypto_init : unit -> Status.tNote. A call to this function is made in the initialisation of the Bytesrw_crypto module.
module Alg : sig ... endAlgorithms.
module Key_id : sig ... endKey identifiers.
module Key_attributes : sig ... endKey attributes.
val get_key_attributes : Key_id.t -> Key_attributes.t -> Status.tval reset_key_attributes : Key_attributes.t -> unitval get_key_id : Key_attributes.t -> Key_id.tval set_key_id : Key_attributes.t -> Key_id.t -> unitmodule Key_location : sig ... endKey locations.
module Key_persistence : sig ... endKey persistence.
module Key_lifetime : sig ... endKey lifetimes.
val get_key_lifetime : Key_attributes.t -> Key_lifetime.tval set_key_lifetime : Key_attributes.t -> Key_lifetime.t -> unitmodule Key_usage : sig ... endKey usages.
val get_key_algorithm : Key_attributes.t -> Alg.tval set_key_algorithm : Key_attributes.t -> Alg.t -> unitval get_key_usage_flags : Key_attributes.t -> Key_usage.tval set_key_usage_flags : Key_attributes.t -> Key_usage.t -> unitmodule Ecc_family : sig ... endElliptic curve keys.
module Dh_family : sig ... endDiffie-Hellman keys.
module Key_type : sig ... endKey types.
val get_key_type : Key_attributes.t -> Key_type.tval set_key_type : Key_attributes.t -> Key_type.t -> unitval get_key_bits : Key_attributes.t -> intval set_key_bits : Key_attributes.t -> int -> unitval import_key :
?length:int ->
Key_attributes.t ->
bigbytes ->
(Key_id.t, Status.t) Stdlib.resultpsa_import_key is Ok kid if the key was imported by reading length bytes of the bigbytes (defaults to the size of the bigbytes).
val generate_key : Key_attributes.t -> (Key_id.t, Status.t) Stdlib.resultpsa_generate_key is Ok kid if the was generated.
val copy_key :
Key_id.t ->
Key_attributes.t ->
(Key_id.t, Status.t) Stdlib.resultpsa_copy_key is Ok kid if the key was copied.
psa_export_key is Ok n iff n bytes were written.
psa_export_public_key is Ok n iff n bytes were written.
val export_key_output_size : Key_type.t -> bits:int -> intval export_public_key_output_size : Key_type.t -> bits:int -> intmodule Hash : sig ... endMessage digests.
module Mac : sig ... endMessage authentication codes (MAC).
module Cipher : sig ... endUnauthenticated ciphers.
module Aead : sig ... endAuthenticated encryption with associated data (AEAD).
module Key_derivation : sig ... endKey derivation.
module Sign : sig ... endAsymmetric signatures.
module Asymmetric : sig ... endAsymmetric encryption.
module Key_agreement : sig ... endKey agreement.
val generate_random : Bytesrw.Bytes.Slice.t -> Status.tgenerate_random s writes the bytes in the slice range with psa_generate_random.
generate_random_bigbytes s writes the bigbytes bytes with psa_generate_random.