Closed. mpg closed this 10 months ago.

Is there a separate issue for use of psa_set_key_enrollment_algorithm in mbedtls_pk_wrap_as_opaque?
We're planning to replace mbedtls_pk_wrap_as_opaque by a slightly different interface, with a similar function that takes a psa_key_attributes_t input and another function to populate a psa_key_attributes_t structure. Neither function will replace psa_set_key_enrollment_algorithm.

The remaining use of psa_get_key_enrollment_algorithm in mbedtls_pk_can_do_ext is not settled yet.
Is there a separate issue for use of psa_set_key_enrollment_algorithm in mbedtls_pk_wrap_as_opaque?

This should be managed in https://github.com/Mbed-TLS/mbedtls/issues/7760, as mentioned in https://github.com/Mbed-TLS/mbedtls/pull/8449#issuecomment-1838484728
Suggested enhancement

In pk_can_do_ext(), guard the portion of the code calling psa_get_key_enrollment_algorithm() with #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) - which indicates that the Mbed TLS implementation of PSA Crypto is being used. (Add a comment explaining that while we don't officially support using other implementations of PSA Crypto with TLS & X.509 now, we're still trying to simplify the life of people who would like to try it before it's officially supported, or something to that effect.)

Justification

Mbed TLS needs this because we want to avoid dependencies on non-standard PSA Crypto extensions.