diff options
author | Valerio Setti <valerio.setti@nordicsemi.no> | 2024-03-01 08:42:44 +0100 |
---|---|---|
committer | Valerio Setti <valerio.setti@nordicsemi.no> | 2024-03-01 08:42:44 +0100 |
commit | 4b2700e14934b815e73f9ef39a08705b732b7acc (patch) | |
tree | 2c3adfab04dc74f099eb7ac16b667fc7f7c78ec5 | |
parent | fd4dcbfe8e428a5530121a215e4f822679aad5a2 (diff) | |
download | mbedtls-dev/gilles-peskine-arm/issue8710.zip mbedtls-dev/gilles-peskine-arm/issue8710.tar.gz mbedtls-dev/gilles-peskine-arm/issue8710.tar.bz2 |
use-psa-crypto: remove references to mbedtls_pk_setup_opaque()dev/gilles-peskine-arm/issue8710
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
-rw-r--r-- | docs/use-psa-crypto.md | 29 |
1 files changed, 1 insertions, 28 deletions
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index 92d0985..2e0c5c4 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -4,8 +4,7 @@ This document describes the compile-time configuration option This option: - makes the X.509 and TLS libraries use PSA for cryptographic operations as much as possible, see "Internal changes" below; -- enables new APIs for using keys handled by PSA Crypto, such as - `mbedtls_pk_setup_opaque()` and `mbedtls_ssl_conf_psk_opaque()`, see +- enables new APIs for using keys handled by PSA Crypto, see "New APIs / API extensions" below. General considerations @@ -67,32 +66,6 @@ as TLS 1.3, can be introduced with a requirement to call `psa_crypto_init()`. New APIs / API extensions ------------------------- -### PSA-held (opaque) keys in the PK layer - -**New API function:** `mbedtls_pk_setup_opaque()` - can be used to -wrap a PSA key pair into a PK context. The key can be used for private-key -operations and its public part can be exported. - -**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers. - -**Limitations:** can only wrap a key pair, can only use it for private key -operations. (That is, signature generation, and for RSA decryption too.) -Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses -deterministic ECDSA by default. The following operations are not supported -with a context set this way, while they would be available with a normal -context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key -operations. - -**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context -using the new API in order to get the benefits; it can then pass the -resulting context to the following existing APIs: - -- `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the - key together with a certificate for certificate-based key exchanges; -- `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature - request); -- `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate. - ### PSA-held (opaque) keys for TLS pre-shared keys (PSK) **New API functions:** `mbedtls_ssl_conf_psk_opaque()` and |