Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Make enrollment "optional" in `pk_can_do_ext()` #8602

Closed mpg closed 10 months ago

mpg commented 10 months ago

Suggested enhancement

In `pk_can_do_ext()`, guard the portion of the code calling `psa_get_key_enrollment_algorithm()` with `#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)`, which indicates that the Mbed TLS implementation of PSA Crypto is being used. (Add a comment explaining that while we don't officially support using other implementations of PSA Crypto with TLS & X.509 now, we're still trying to simplify the life of people who would like to try it before it's officially supported, or something to that effect.)

Justification

Mbed TLS needs this because we want to avoid dependencies on non-standard PSA Crypto extensions.
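To make the proposed guard concrete, here is an added, stand-alone C model of the decision made in `pk_can_do_ext()`; it is constructed for this discussion and is not Mbed TLS code (the `key_attrs_t` type, `key_can_do()` and `enrollment_path_enabled()` are hypothetical stand-ins for the PSA attribute accessors). The standard-PSA checks (usage flags, primary algorithm) are always compiled; only the call that reads the Mbed TLS-specific enrollment algorithm sits behind the macro the issue proposes, so the same source builds against a PSA implementation that lacks the extension.

```c
/* Constructed example: model of the pk_can_do_ext() decision. Hypothetical
 * types and names, not Mbed TLS code. Build with -DMBEDTLS_PSA_CRYPTO_CLIENT
 * to compile in the enrollment-algorithm path; leave it undefined to model
 * building against a PSA implementation without that extension. */
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t psa_alg_like_t;
typedef uint32_t psa_usage_like_t;
#define USAGE_SIGN_HASH   0x01u
#define USAGE_VERIFY_HASH 0x02u

/* Constructed attribute record. Primary algorithm and usage flags are
 * standard PSA concepts; the enrollment algorithm is an Mbed TLS extension. */
typedef struct {
    psa_alg_like_t   alg;
    psa_usage_like_t usage;
    psa_alg_like_t   enrollment_alg; /* unused unless the extension is enabled */
} key_attrs_t;

#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
/* Stand-in for psa_get_key_enrollment_algorithm(): only exists with the
 * Mbed TLS implementation, hence the guard around it and its call site. */
static psa_alg_like_t get_enrollment_alg(const key_attrs_t *a)
{
    return a->enrollment_alg;
}
#endif

bool key_can_do(const key_attrs_t *a, psa_alg_like_t alg, psa_usage_like_t usage)
{
    /* Standard PSA: every requested usage flag must be permitted. */
    if ((a->usage & usage) != usage) {
        return false;
    }
    /* Standard PSA: the key's primary algorithm. */
    if (a->alg == alg) {
        return true;
    }
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
    /* Extension: a second permitted algorithm. Compiled out elsewhere. */
    if (get_enrollment_alg(a) == alg) {
        return true;
    }
#endif
    return false;
}

/* Tells a caller which behaviour to expect from key_can_do() in this build. */
bool enrollment_path_enabled(void)
{
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
    return true;
#else
    return false;
#endif
}
```

With the macro undefined, a key whose enrollment algorithm matches the request is refused, because the only algorithm the portable code can see is the primary one.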

joerchan commented 10 months ago

Is there a separate issue for use of `psa_set_key_enrollment_algorithm` in `mbedtls_pk_wrap_as_opaque`?

gilles-peskine-arm commented 10 months ago

We're planning to replace `mbedtls_pk_wrap_as_opaque` by a slightly different interface, with a similar function that takes a `psa_key_attributes_t` input and another function to populate a `psa_key_attributes_t` structure. Neither function will replace `psa_set_key_enrollment_algorithm`.

The remaining use of `psa_get_key_enrollment_algorithm` in `mbedtls_pk_can_do_ext` is not settled yet.

valeriosetti commented 10 months ago

> Is there a separate issue for use of `psa_set_key_enrollment_algorithm` in `mbedtls_pk_wrap_as_opaque`?

This should be managed in https://github.com/Mbed-TLS/mbedtls/issues/7760, as mentioned in https://github.com/Mbed-TLS/mbedtls/pull/8449#issuecomment-1838484728.