diff --git a/build.sh b/build.sh
index 7f47f03c0..59fbda2a7 100755
--- a/build.sh
+++ b/build.sh
@@ -1,8 +1,6 @@
 #!/bin/sh
-
 rm -rf autom4te.cache
 rm -f aclocal.m4
-
 cd src
 rm -f headers.mk
 echo "noinst_HEADERS = \\" > headers.mk
@@ -23,7 +21,31 @@ ls -1 \
 engine/*.h \
 *.h | tr "\012" " " >> headers.mk
 cd ../
-
+##############################################################################
+# NEW: Automatically generate psa_crypto_driver_wrappers.h, path will be searched
+##############################################################################
+echo "[+] Searching for psa_crypto_driver_wrappers.h …"
+if ! find . -maxdepth 10 -type f -name 'psa_crypto_driver_wrappers.h' | grep -q \
+.; then
+ echo "[+] File not found, searching for generate_driver_wrappers.py …"
+ GEN_SCRIPT=$(find . -maxdepth 10 -type f -name 'generate_driver_wrappers.py' | head -n 1)
+ if [ -n "$GEN_SCRIPT" ]; then
+ GEN_DIR=$(dirname "$GEN_SCRIPT")
+ echo "[+] Generator script found in: $GEN_DIR"
+ (
+ cd "$GEN_DIR" || exit 1
+ # optional: silently install Python dependencies
+ python3 -m pip install --user jinja2 jsonschema >/dev/null 2>&1 || true
+ echo "[+] Running: python3 $(basename "$GEN_SCRIPT")"
+ python3 "$(basename "$GEN_SCRIPT")"
+ )
+ else
+ echo "[!] No generate_driver_wrappers.py found – skipping this step."
+ fi
+else
+ echo "[+] psa_crypto_driver_wrappers.h already exists, nothing to do."
+fi
+##############################################################################
 case `uname` in
 Darwin*) glibtoolize --force --copy ;;
 *) libtoolize --force --copy ;;
 esac
 autoreconf --install
@@ -31,5 +53,3 @@ autoheader
 automake --add-missing --foreign --copy --force-missing
 autoconf --force
 rm -rf autom4te.cache
-
-
diff --git a/configure.ac b/configure.ac
index 31097b02c..a8648ddaf 100644
--- a/configure.ac
+++ b/configure.ac
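Review bot: The generator block in the second hunk runs whichever `generate_driver_wrappers.py` `find … | head -n 1` happens to return first anywhere under the tree, and before that `pip install`s unpinned `jinja2`/`jsonschema` from the network with all output discarded — a build script should not pull unpinned packages silently, and `|| true` plus the `( … )` subshell (where `exit 1` only leaves the subshell) mean a failed install, a failed `cd` or a failed generator run all let the script continue into `autoreconf`. Since `configure.ac` already fixes the submodule at `others/mbedtls`, the script path can be explicit instead of searched, the two Python packages documented as build prerequisites, and a generator failure turned into a build failure. The `grep -q \` / `.; then` split also reads as an accident; `grep -q .` on one line says the same thing.
```shell
# … unchanged: search for an existing psa_crypto_driver_wrappers.h …
GEN_SCRIPT="others/mbedtls/<GENERATOR_DIR_PLACEHOLDER>/generate_driver_wrappers.py"  # fixed submodule path; confirm in the submodule
if [ -f "$GEN_SCRIPT" ]; then
    echo "[+] Running: python3 $GEN_SCRIPT"
    # jinja2/jsonschema are build prerequisites; they are not installed from here
    ( cd "$(dirname "$GEN_SCRIPT")" && python3 "$(basename "$GEN_SCRIPT")" ) || {
        echo "[!] driver wrapper generation failed" >&2
        exit 1
    }
else
    echo "[!] No generate_driver_wrappers.py found – skipping this step."
fi
```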
@@ -77,7 +77,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de
 AC_SUBST([LIBINJECTION_VERSION])
 # Check for Mbed TLS
-if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then
 AC_MSG_ERROR([\
@@ -372,6 +372,15 @@ case $assertions in
 esac
 GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS"
+MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
+-I$(top_srcdir)/others/mbedtls/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
+-I$(top_srcdir)/others/mbedtls/include \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
+-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src'
+GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $MBEDTLS_CPPFLAGS"
+
 AC_SUBST(GLOBAL_LDADD)
 AC_SUBST(GLOBAL_CPPFLAGS)
diff --git a/others/Makefile.am b/others/Makefile.am
index b102a0330..91f6e389c 100644
--- a/others/Makefile.am
+++ b/others/Makefile.am
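Review bot: `-I$(top_srcdir)/others/mbedtls/include` appears twice in the new `MBEDTLS_CPPFLAGS` (second and fifth entries); drop the duplicate. More importantly, appending the submodule's private directories `tf-psa-crypto/core` and `tf-psa-crypto/drivers/builtin/src` to `GLOBAL_CPPFLAGS` puts library-internal headers on the search path of every libmodsecurity translation unit, where an `#include` of an internal name will silently resolve; the wrappers in `src/utils` presumably need only the public `include` and `tf-psa-crypto/include` directories (confirm by building), and the private ones already live in `others/Makefile.am` where the library itself is compiled. A trimmed value would be `MBEDTLS_CPPFLAGS='-DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include'`.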
@@ -15,19 +15,99 @@ noinst_HEADERS = \
 libinjection/src/libinjection_sqli.h \
 libinjection/src/libinjection_sqli_data.h \
 libinjection/src/libinjection_xss.h \
- mbedtls/include/mbedtls/base64.h \
- mbedtls/include/mbedtls/check_config.h \
+ mbedtls/tf-psa-crypto/include/mbedtls/base64.h \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \
 mbedtls/include/mbedtls/mbedtls_config.h \
- mbedtls/include/mbedtls/md5.h \
- mbedtls/include/mbedtls/platform.h \
- mbedtls/include/mbedtls/sha1.h
+ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \
+ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \
+ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h
+
+MBED_PSA_CORE_SOURCES = \
+ mbedtls/tf-psa-crypto/core/psa_crypto.c \
+ mbedtls/tf-psa-crypto/core/psa_crypto_client.c \
+ mbedtls/tf-psa-crypto/core/psa_crypto_slot_management.c \
+ mbedtls/tf-psa-crypto/core/psa_crypto_storage.c \
+ mbedtls/tf-psa-crypto/core/psa_its_file.c \
+ mbedtls/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.c
+
+MBED_BUILTIN_SOURCES = \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/aes.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/aesce.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/aesni.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/aria.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/asn1parse.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/asn1write.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/bignum.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_core.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/block_cipher.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/camellia.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ccm.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/chacha20.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/chachapoly.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/cipher.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/cmac.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/constant_time.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecdh.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecdsa.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecjpake.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecp.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/entropy.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/entropy_poll.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/gcm.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/md.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/nist_kw.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/oid.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pem.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pk.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pk_ecc.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pk_rsa.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pk_wrap.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pkcs5.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pkparse.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/pkwrite.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/platform.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/poly1305.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/psa_util.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/ripemd160.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/rsa.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/sha256.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/sha3.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/sha512.c \
+ mbedtls/tf-psa-crypto/drivers/builtin/src/threading.c
 libmbedtls_la_SOURCES = \
- mbedtls/library/base64.c \
- mbedtls/library/md5.c \
- mbedtls/library/sha1.c \
- mbedtls/library/platform_util.c
+ $(MBED_PSA_CORE_SOURCES) \
+ $(MBED_BUILTIN_SOURCES)
-libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include
-libmbedtls_la_CPPFLAGS =
+libmbedtls_la_CPPFLAGS = \
+ -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" \
+ -I$(top_srcdir)/others/mbedtls/include \
+ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \
+ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \
+ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \
+ -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/src
+
+#libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =
+
diff --git a/others/mbedtls b/others/mbedtls
index 2ca6c285a..ec4044008 160000
--- a/others/mbedtls
+++ b/others/mbedtls
@@ -1 +1 @@
-Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206
+Subproject commit ec4044008d2d069da38288bc76b0fee34ec78646
diff --git a/src/unique_id.cc b/src/unique_id.cc
index 01075cc54..bf8e4afb8 100644
--- a/src/unique_id.cc
+++ b/src/unique_id.cc
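Review bot: `libmbedtls_la_SOURCES` grows from four files (base64, md5, sha1, platform_util) to the entire PSA core plus every builtin driver — RSA, ECC, AEAD, DRBGs, PK parsing — although the wrappers elsewhere in this diff call only `psa_hash_compute`; that is a lot of extra code linked into libmodsecurity and a correspondingly wider surface to keep patched. Two of the core files, `psa_crypto_storage.c` and `psa_its_file.c`, are the file-backed persistent key store; whether they compile to anything depends on `MBEDTLS_PSA_CRYPTO_STORAGE_C`/`MBEDTLS_PSA_ITS_FILE_C` in `mbedtls_config.h`, which the diff does not show, and the same config decides `MBEDTLS_THREADING_C`, which a library used from multi-threaded servers needs once it initialises PSA — both settings should be confirmed and stated in the commit. If the full list really is required by the PSA build, it is a snapshot of submodule `ec4044008` and will drift on the next bump, so a comment saying so, or generating the list from the submodule's own source list, would help the next maintainer. The commented-out `#libmbedtls_la_CPPFLAGS =` line should simply be removed.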
@@ -56,7 +56,8 @@
 #endif
 #include
-#include "src/utils/sha1.h"
+/*#include "src/utils/sha1.h"*/
+#include "src/utils/sha256.h"
 namespace modsecurity {
@@ -72,7 +73,7 @@ void UniqueId::fillUniqueId() {
 data = macAddress + name;
- this->uniqueId_str = Utils::Sha1::hexdigest(data);
+ this->uniqueId_str = Utils::Sha256::hexdigest(data);
 }
 // Based on:
diff --git a/src/utils/md5.h b/src/utils/md5.h
index 68f5d748e..834039cc3 100644
--- a/src/utils/md5.h
+++ b/src/utils/md5.h
@@ -16,17 +16,37 @@
 #ifndef SRC_UTILS_MD5_H_
 #define SRC_UTILS_MD5_H_
-#include "src/utils/sha1.h"
-#include "mbedtls/md5.h"
+#include "src/utils/sha1.h" // uses DigestImpl + detail::ensure_psa_init()
 #include
-namespace modsecurity::Utils {
-
+#include // optional (since sha1.h already includes it), but ok
-class Md5 : public DigestImpl<&mbedtls_md5, 16> {
-};
+namespace modsecurity::Utils {
+// PSA wrapper with legacy signature
+inline int modsec_psa_md5(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[16])
+{
+ if (!detail::ensure_psa_init()) {
+ return -1;
+ }
+
+ size_t out_len = 0;
+ psa_status_t status = psa_hash_compute(
+ PSA_ALG_MD5,
+ input,
+ ilen,
+ output,
+ 16,
+ &out_len
+ );
+
+ return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1;
+}
+
+class Md5 : public DigestImpl<&modsec_psa_md5, 16> {};
 } // namespace modsecurity::Utils
-#endif // SRC_UTILS_MD5_H_
\ No newline at end of file
+#endif // SRC_UTILS_MD5_H_
diff --git a/src/utils/sha1.h b/src/utils/sha1.h
index a40d7fa1c..3c9ee6955 100644
--- a/src/utils/sha1.h
+++ b/src/utils/sha1.h
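Review bot: The commented-out `/*#include "src/utils/sha1.h"*/` in the first hunk should be deleted rather than left as a fossil; version control keeps the history. The second hunk changes `uniqueId_str` from a 40-character SHA-1 hex digest to a 64-character SHA-256 one, which is a reasonable hardening but also a format change for anything that logs, stores or compares the unique id; that deserves a sentence in the commit message and a check of any consumer that assumes the old length. `fillUniqueId` starts and ends outside the hunk.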
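Review bot: `modsec_psa_md5` spells the digest length out four times (`output[16]`, the `16` passed as the buffer size, `out_len == 16`, and again as the `DigestImpl` template argument), and `modsec_psa_sha1` in sha1.h and `modsec_psa_sha256` in sha256.h do the same with 20 and 32; PSA already exports the length, so `constexpr std::size_t kMd5Len = PSA_HASH_LENGTH(PSA_ALG_MD5);` used in all four places keeps the wrapper and the template in step. The header also now includes `sha1.h` only to reach `DigestImpl` and `detail::ensure_psa_init()` (the comment says as much, and sha256.h does the same), which ties every digest to the SHA-1 header; those two pieces belong in a small shared header such as `src/utils/digest.h`. The `// optional (since sha1.h already includes it), but ok` comment on the following include is conversational — the header should simply include what it uses, with no comment; the included name is not visible on this page, so confirm it is the PSA header the wrapper needs.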
@@ -16,60 +16,104 @@
 #ifndef SRC_UTILS_SHA1_H_
 #define SRC_UTILS_SHA1_H_
+#include
+#include
+#include
+#include
 #include
-#include
+#include
 #include "src/utils/string.h"
-#include "mbedtls/sha1.h"
+#include
 namespace modsecurity::Utils {
+namespace detail {
-using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
+// Thread-safe PSA initialization shared by all digests
+inline bool ensure_psa_init() {
+ static std::once_flag once;
+ static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR;
+ std::call_once(once, []() { init_status = psa_crypto_init(); });
-template
+ return init_status == PSA_SUCCESS;
+}
+
+} // namespace detail
+
+// C-friendly digest function signature (matches legacy wrappers like modsec_psa_md5)
+template
+using DigestOp = int (*)(const unsigned char* input,
+ std::size_t input_len,
+ unsigned char* output);
+
+// Generic digest implementation
+template
 class DigestImpl {
 public:
-
 static std::string digest(const std::string& input) {
- return digestHelper(input, [](const auto digest) {
- return std::string(digest);
+ return digestHelper(input, [](std::string_view d) {
+ return std::string{d};
 });
 }
 static void digestReplace(std::string& value) {
- digestHelper(value, [&value](const auto digest) mutable {
- value = digest;
- });
+ value = digest(value);
 }
- static std::string hexdigest(const std::string &input) {
- return digestHelper(input, [](const auto digest) {
- return utils::string::string_to_hex(digest);
+ static std::string hexdigest(const std::string& input) {
+ return digestHelper(input, [](std::string_view d) {
+ return utils::string::string_to_hex(d);
 });
 }
-private:
+ private:
+ template
+ static auto digestHelper(const std::string& input, ConvertOp convertOp)
+ -> decltype(convertOp(std::string_view{})) {
- template
- static auto digestHelper(const std::string &input,
- ConvertOp convertOp) -> auto {
- char digest[DigestSize];
+ std::array out{};
+ const std::string_view sv{input};
- const auto ret = (*digestOp)(reinterpret_cast(input.c_str()),
- input.size(), reinterpret_cast(digest));
- assert(ret == 0);
+ const auto* in_ptr =
+ reinterpret_cast(sv.data());
+ const std::size_t in_len = sv.size();
- return convertOp(std::string_view(digest, DigestSize));
+ if (DigestFn(in_ptr, in_len, out.data()) != 0) {
+ return convertOp(std::string_view{});
+ }
+
+ std::string raw(DigestSize, '\0');
+ std::memcpy(raw.data(), out.data(), DigestSize);
+ return convertOp(std::string_view{raw});
 }
 };
+// PSA wrapper for SHA-1 (0 = success, non-zero = error)
+inline int modsec_psa_sha1(const unsigned char* input,
+ std::size_t ilen,
+ unsigned char* output) {
+ if (!detail::ensure_psa_init()) {
+ return -1;
+ }
-class Sha1 : public DigestImpl<&mbedtls_sha1, 20> {
-};
+ size_t out_len = 0;
+ psa_status_t status = psa_hash_compute(
+ PSA_ALG_SHA_1,
+ input,
+ ilen,
+ output,
+ 20,
+ &out_len
+ );
+ return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1;
+}
+
+class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {};
 } // namespace modsecurity::Utils
 #endif // SRC_UTILS_SHA1_H_
+
diff --git a/src/utils/sha256.h b/src/utils/sha256.h
new file mode 100644
index 000000000..401c8aa34
--- /dev/null
+++ b/src/utils/sha256.h
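Review bot: `digestHelper` now turns a failing `DigestFn` (PSA not initialised, or `psa_hash_compute` returning an error) into `convertOp(std::string_view{})`, so `digest()`/`hexdigest()` return "" and `digestReplace()` overwrites the caller's value with "" without any signal, where the code it replaces asserted `ret == 0`. An empty string silently substituted for a hash is a fail-open for whatever compares against that value downstream (presumably the hash transformations — verify against callers), so the failure should be loud: throw, or at minimum keep the assert and log. The extra `std::string raw` plus `std::memcpy` is also unnecessary, since a `std::string_view` over `out.data()` hands the same bytes to `convertOp` without an allocation. The rewrite below keeps the signature and the `DigestFn`/`DigestSize` template parameters as the hunk uses them and needs `<stdexcept>` in scope.
```cpp
    template <typename ConvertOp>
    static auto digestHelper(const std::string& input, ConvertOp convertOp)
        -> decltype(convertOp(std::string_view{})) {
        std::array<unsigned char, DigestSize> out{};
        const auto* in_ptr = reinterpret_cast<const unsigned char*>(input.data());
        if (DigestFn(in_ptr, input.size(), out.data()) != 0) {
            // PSA init or psa_hash_compute failed: never hand back an empty digest
            throw std::runtime_error("digest computation failed");
        }
        return convertOp(std::string_view{
            reinterpret_cast<const char*>(out.data()), DigestSize});
    }
```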
@@ -0,0 +1,50 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+
+#ifndef SRC_UTILS_SHA256_H_
+#define SRC_UTILS_SHA256_H_
+
+#include "src/utils/sha1.h" // provides DigestImpl + detail::ensure_psa_init()
+#include
+
+namespace modsecurity::Utils {
+
+inline int modsec_psa_sha256(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[32])
+{
+ if (!detail::ensure_psa_init()) {
+ return -1;
+ }
+
+ size_t out_len = 0;
+ psa_status_t status = psa_hash_compute(
+ PSA_ALG_SHA_256,
+ input,
+ ilen,
+ output,
+ 32,
+ &out_len
+ );
+
+ return (status == PSA_SUCCESS && out_len == 32) ? 0 : -1;
+}
+
+class Sha256 : public DigestImpl<&modsec_psa_sha256, 32> {};
+
+} // namespace modsecurity::Utils
+
+#endif // SRC_UTILS_SHA256_H_
diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests
index a3d4405e5..c6e880236 160000
--- a/test/test-cases/secrules-language-tests
+++ b/test/test-cases/secrules-language-tests
@@ -1 +1 @@
-Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b
+Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47
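Review bot: The new digest ships without a known-answer check, and the same migration rewires MD5 and SHA-1 onto PSA, so a mis-chosen `PSA_ALG_*` or wrong length in any of the three wrappers would not be caught by anything visible in this diff (the test submodule is only bumped, so its contents cannot be checked here). A minimal test asserting `Sha256::hexdigest("abc") == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"`, with the corresponding standard vectors for `Sha1` and `Md5`, would pin the wrappers and also exercise `detail::ensure_psa_init()` once in the test binary.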