diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md
index adf8cfc75..98a681933 100644
--- a/docs/architecture/psa-migration/strategy.md
+++ b/docs/architecture/psa-migration/strategy.md
@@ -311,7 +311,7 @@ readability or testability.
 
 **Strategy for step 3:**
 
-There are currently two (competing) ways for crypto-using code to check if a
+There are currently two (complementary) ways for crypto-using code to check if a
 particular algorithm is supported: using `MBEDTLS_xxx` macros, and using
 `PSA_WANT_xxx` macros. For example, PSA-based code that want to use SHA-256
 will check for `PSA_WANT_ALG_SHA_256`, while legacy-based code that wants to
@@ -331,7 +331,7 @@ information tables that are not tied to a particular crypto API, and may be
 used by functions that are either purely PSA-based, purely legacy-based, or
 hybrid governed by `MBEDTL_USE_PSA_CRYPTO` should use `MBEDTLS_xxx ||
 PSA_WANT_xxx` - for example, `oid_md_alg` from `oid.c`, used by both X.509 and
-RSA.
+RSA. A new family of macros `MBEDTLS_OR_PSA_WANT_xxx` is defined for this.
 
 To sum up, there are 4 categories:
 
@@ -340,7 +340,7 @@ To sum up, there are 4 categories:
 - hybrid code governed by `MBEDTLS_USE_PSA_CRYPTO` can use
   `MBEDTLS_USE_PSA_WANT_xxx` to express dependencies in common parts;
 - data and crypto-agnostic helpers that can be used by code from at least two
-  of the above categories should depend on `MBEDTLS_xxx || PSA_WANT_xxx`.
+  of the above categories should depend on `MBEDTLS_OR_PSA_WANT_xxx`.
 
 
 Migrating away from the legacy API
diff --git a/library/md_internal.h b/library/md_internal.h
index 12bc2180a..1f216437c 100644
--- a/library/md_internal.h
+++ b/library/md_internal.h
@@ -24,6 +24,7 @@
 #include "common.h"
 
 #include "mbedtls/md.h"
+#include "or_psa_helpers.h"
 
 /** Get the output length of the given hash type
  *
@@ -35,29 +36,29 @@ static inline unsigned char mbedtls_md_internal_get_size( mbedtls_md_type_t md_t
 {
     switch( md_type )
     {
-#if defined(MBEDTLS_MD5_C) || defined(PSA_WANT_ALG_MD5)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_MD5)
         case MBEDTLS_MD_MD5:
             return( 16 );
 #endif
-#if defined(MBEDTLS_RIPEMD160_C) || defined(PSA_WANT_ALG_RIPEMD160) || \
-    defined(MBEDTLS_SHA1_C) || defined(PSA_WANT_ALG_SHA_1)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_RIPEMD160) || \
+    defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_1)
         case MBEDTLS_MD_RIPEMD160:
         case MBEDTLS_MD_SHA1:
             return( 20 );
 #endif
-#if defined(MBEDTLS_SHA224_C) || defined(PSA_WANT_ALG_SHA_224)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_224)
         case MBEDTLS_MD_SHA224:
             return( 28 );
 #endif
-#if defined(MBEDTLS_SHA256_C) || defined(PSA_WANT_ALG_SHA_256)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_256)
         case MBEDTLS_MD_SHA256:
             return( 32 );
 #endif
-#if defined(MBEDTLS_SHA384_C) || defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_384)
         case MBEDTLS_MD_SHA384:
             return( 48 );
 #endif
-#if defined(MBEDTLS_SHA512_C) || defined(PSA_WANT_ALG_SHA_512)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_512)
         case MBEDTLS_MD_SHA512:
             return( 64 );
 #endif
diff --git a/library/oid.c b/library/oid.c
index 1ee35173b..aba256bc9 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -27,6 +27,8 @@
 #include "mbedtls/rsa.h"
 #include "mbedtls/error.h"
 
+#include "or_psa_helpers.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -596,43 +598,43 @@ typedef struct {
 
 static const oid_md_alg_t oid_md_alg[] =
 {
-#if defined(MBEDTLS_MD5_C) || defined(PSA_WANT_ALG_MD5)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_MD5)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_MD5,       "id-md5",       "MD5" ),
         MBEDTLS_MD_MD5,
     },
 #endif
-#if defined(MBEDTLS_SHA1_C) || defined(PSA_WANT_ALG_SHA_1)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_1)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA1,      "id-sha1",      "SHA-1" ),
         MBEDTLS_MD_SHA1,
     },
 #endif
-#if defined(MBEDTLS_SHA224_C) || defined(PSA_WANT_ALG_SHA_224)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_224)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA224,    "id-sha224",    "SHA-224" ),
         MBEDTLS_MD_SHA224,
     },
 #endif
-#if defined(MBEDTLS_SHA256_C) || defined(PSA_WANT_ALG_SHA_256)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_256)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA256,    "id-sha256",    "SHA-256" ),
         MBEDTLS_MD_SHA256,
     },
 #endif
-#if defined(MBEDTLS_SHA384_C) || defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_384)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA384,    "id-sha384",    "SHA-384" ),
         MBEDTLS_MD_SHA384,
     },
 #endif
-#if defined(MBEDTLS_SHA512_C) || defined(PSA_WANT_ALG_SHA_512)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_SHA_512)
     {
         OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA512,    "id-sha512",    "SHA-512" ),
         MBEDTLS_MD_SHA512,
     },
 #endif
-#if defined(MBEDTLS_RIPEMD160_C) || defined(PSA_WANT_ALG_RIPEMD160)
+#if defined(MBEDTLS_OR_PSA_WANT_ALG_RIPEMD160)
     {
      OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160" ),
         MBEDTLS_MD_RIPEMD160,
diff --git a/library/or_psa_helpers.h b/library/or_psa_helpers.h
new file mode 100644
index 000000000..105449f6a
--- /dev/null
+++ b/library/or_psa_helpers.h
@@ -0,0 +1,56 @@
+/**
+ *  Internal macros for parts of the code that depend on an algorithm being
+ *  available either via the legacy API or the PSA Crypto API.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef MBEDTLS_OR_PSA_HELPERS_H
+#define MBEDTLS_OR_PSA_HELPERS_H
+
+#include "common.h"
+
+/* Hash algorithms */
+#if defined(MBEDTLS_MD5_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_MD5) )
+#define MBEDTLS_OR_PSA_WANT_ALG_MD5
+#endif
+#if defined(MBEDTLS_RIPEMD160_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_RIPEMD160) )
+#define MBEDTLS_OR_PSA_WANT_ALG_RIPEMD160
+#endif
+#if defined(MBEDTLS_SHA1_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) )
+#define MBEDTLS_OR_PSA_WANT_ALG_SHA_1
+#endif
+#if defined(MBEDTLS_SHA224_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_224) )
+#define MBEDTLS_OR_PSA_WANT_ALG_SHA_224
+#endif
+#if defined(MBEDTLS_SHA256_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) )
+#define MBEDTLS_OR_PSA_WANT_ALG_SHA_256
+#endif
+#if defined(MBEDTLS_SHA384_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384) )
+#define MBEDTLS_OR_PSA_WANT_ALG_SHA_384
+#endif
+#if defined(MBEDTLS_SHA512_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512) )
+#define MBEDTLS_OR_PSA_WANT_ALG_SHA_512
+#endif
+
+#endif /* MBEDTLS_OR_PSA_HELPERS_H */