ARM-software / psa-api

Documentation source and development of the PSA Certified API
https://arm-software.github.io/psa-api/

Define the export format for a SPAKE2+ key pair #153

Closed athoelke closed 8 months ago

athoelke commented 8 months ago

_From Oberon (Referencing the SPAKE2+ draft2 rendering of the PAKE Extension):_

The spec draft states on page 54, section 2.3.4 SPAKE2+ keys:

> The calculation of w0, w1, and L then proceeds as described in the RFC.
>
> **Implementation note**
>
> The values of w0 and w1 are required as part of the SPAKE2+ key pair. It is IMPLEMENTATION DEFINED whether L is computed during key derivation, and stored as part of the key pair; or only computed when required from the key pair.

However, a defined export format for secret keys is required to support:

Even if import and export of secret PAKE keys is not needed in typical use cases, it should be defined for completeness, for testing, and to support predefined keys.

athoelke commented 8 months ago

Should we add a note or warning to the key-pair export format, to make clear that SPAKE2+ keys should be initially derived using `psa_key_derivation_output_key()` (which implements the RFC 9383 process); and that `psa_key_derivation_output_bytes()` -> `psa_import_key()` does not result in the same/valid/safe/secure key pair?
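
The difference raised in the comment above, as an added Python sketch that is not part of the thread or of the PSA specification: RFC 9383 section 3.2 takes ceil(log2(p)) + 64 bits of KDF output per scalar and reduces each modulo the group order p, which is not the same as cutting raw output bytes to scalar size. The PBKDF2 password, salt and iteration count are constructed, the RFC's length-prefixed password/identity encoding is left out, and `naive_scalars` is a hypothetical model of the raw-bytes route.

```python
import hashlib

# Order of the P-256 group (the RFC 9383 "p" for the P256 ciphersuites).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
K_MARGIN_BITS = 64  # RFC 9383 section 3.2: k = 64 extra bits per scalar


def kdf_stream(length: int) -> bytes:
    """Constructed stand-in for the key-derivation output stream."""
    return hashlib.pbkdf2_hmac("sha256", b"constructed-password",
                               b"constructed-salt", 1000, dklen=length)


def rfc9383_scalars(stream: bytes, order: int = P256_ORDER):
    """w0 = w0s mod p and w1 = w1s mod p, each half ceil(log2(p)) + k bits."""
    half = (order.bit_length() + K_MARGIN_BITS + 7) // 8  # 40 bytes for P-256
    if len(stream) < 2 * half:
        raise ValueError(f"need {2 * half} bytes of KDF output, got {len(stream)}")
    w0s = int.from_bytes(stream[:half], "big")
    w1s = int.from_bytes(stream[half:2 * half], "big")
    return w0s % order, w1s % order


def naive_scalars(stream: bytes, order: int = P256_ORDER):
    """Raw bytes cut to scalar size: no margin, no reduction, no range check."""
    size = (order.bit_length() + 7) // 8  # 32 bytes for P-256
    return (int.from_bytes(stream[:size], "big"),
            int.from_bytes(stream[size:2 * size], "big"))


def in_range(x: int, order: int = P256_ORDER) -> bool:
    """True when x is a reduced scalar, i.e. 0 <= x < p."""
    return 0 <= x < order


if __name__ == "__main__":
    stream = kdf_stream(80)
    print("RFC 9383 :", [hex(v) for v in rfc9383_scalars(stream)])
    print("raw bytes:", [hex(v) for v in naive_scalars(stream)])
    # Worst case for the raw route: the value lands above the group order.
    print("raw in range for 0xFF stream:",
          [in_range(v) for v in naive_scalars(b"\xff" * 80)])
```

The same KDF output yields different (w0, w1) on the two routes, and only the reduced route is guaranteed to produce values below the group order.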