The psa_key_derivation multipart operation allows only one key derivation operation, which makes it not suitable for the TLS 1.3 key derivation schedule.
For example, mbedtls uses psa_raw_key_agreement and multiple HKDF_EXTRACT/HKDF_EXPAND operations. With those operations, the secrets are temporarily outside of the TrustZone.
I see there is some specific support for TLS 1.2 in PSA. Do you plan to do the same for TLS 1.3?
I agree that it is desirable for all the key material to be inside the Crypto implementation, and not need to be extracted as part of the derivation processes.
Based on the key schedule, and the KDF API, can you do the following for TLS 1.3:
1. Use the psa_key_derivation_key_agreement() to put the initial DHE shared secret into a PSA_ALG_HKDF_EXTRACT() key derivation operation, with the Salt value as specified in the key schedule.
2. Get a new PSA_KEY_TYPE_DERIVE key as output from KDF in step 1 using psa_key_derivation_output_key(), with permitted algorithm PSA_ALG_HKDF_EXPAND().
3. Create another key derivation operation to perform PSA_ALG_HKDF_EXPAND(), and input the key from step 2 as the secret, and the relevant info/label from the key schedule.
4. Extract the result of the step 3 KDF as another derivation key.
5. Repeat steps 3 & 4 for additional HKDF-EXPAND derivations from the key that was output in step 2, as required for the schedule.

And continue this pattern, working through the entire key schedule.
If this is not possible, can you specifically highlight where the API fails to meet the key schedule requirements for TLS 1.3?
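
The chaining pattern from the numbered steps above, as an added Python model that is not part of this thread and is not the PSA Crypto API: `KeyStore` and its methods are hypothetical stand-ins for the crypto service, and the shared secret and transcript hash passed in are supplied by the caller. It covers only the no-PSK path of the RFC 8446 key schedule up to the handshake traffic secrets, with each HKDF output kept behind a handle that permits only the next algorithm.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(prk: bytes, label: str, context: bytes, length: int = 32) -> bytes:
    # RFC 8446 HkdfLabel: uint16 length, then "tls13 " + label and context, each length-prefixed
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]  # one block: length <= 32

class KeyStore:
    """Hypothetical model of the crypto service: callers hold handles, never secret bytes."""
    def __init__(self):
        self._keys = {}  # handle -> (permitted algorithm, secret)

    def _put(self, alg, secret):
        self._keys[len(self._keys) + 1] = (alg, secret)
        return len(self._keys)

    def _use(self, handle, alg):
        permitted, secret = self._keys[handle]
        if permitted != alg:
            raise PermissionError(f"key {handle} only permits {permitted}")
        return secret

    def key_agreement(self, shared_secret):
        # Stand-in for the (EC)DHE computation; the result is usable only as HKDF-Extract input.
        return self._put("HKDF_EXTRACT", shared_secret)

    def extract_to_key(self, salt, ikm_handle):  # steps 1-2: output permits only HKDF-Expand
        return self._put("HKDF_EXPAND", hkdf_extract(salt, self._use(ikm_handle, "HKDF_EXTRACT")))

    def expand_to_key(self, prk_handle, label, context, out_alg="HKDF_EXPAND"):  # steps 3-4
        return self._put(out_alg, hkdf_expand_label(self._use(prk_handle, "HKDF_EXPAND"), label, context))

def no_psk_salt() -> bytes:
    # Without a PSK, the Early Secret and its "derived" output are fixed public values.
    early = hkdf_extract(bytes(32), bytes(32))
    return hkdf_expand_label(early, "derived", hashlib.sha256(b"").digest())

def handshake_keys(store: KeyStore, dhe_handle: int, transcript_hash: bytes) -> dict:
    hs = store.extract_to_key(no_psk_salt(), dhe_handle)
    return {label: store.expand_to_key(hs, label, transcript_hash)  # step 5: repeat per label
            for label in ("c hs traffic", "s hs traffic")}
```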