Dear MbedTLS dev,
I am writing an opaque driver (equivalent of PSA_CRYPTO_TEST_DRIVER_LOCATION/PSA_KEY_PERSISTENCE_READ_ONLY in the test suite) with the PSA API compiled with MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.
But I am not sure if I have to use "psa_import_key" before "psa_driver_wrapper_sign_message" or if I have to "read/generate" the builtin key on the fly, at each psa_driver_wrapper_* operation ?
Would it be possible to add this example in the test suite ? Or explain how builtin key + opaque driver is supposed to be used with, for example, "psa_driver_wrapper_sign_message" ?
I put more details below.
Thank you in advance, Best regards,
Rehan
#############################################################################
I would like to write an example doing :
I) psa_sign_message (ECDSA SECP256R1 SHA-256) II) psa_export_public_key III) psa_verify_message (with the public key from II)
I am following the examples provided by the test suite, especially :
1) sign_message transparent driver: calculate in driver ECDSA SECP256R1 SHA-256 using the API : - psa_import_key - psa_sign_message with the attributes : - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)
2) PSA opaque driver builtin pubkey export: secp256r1 using the API : - psa_export_public_key with the attributes : - key_id = MBEDTLS_PSA_KEY_ID_BUILTIN_MIN + 1 - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) and the driver code : - platform_builtin_keys.c : mbedtls_psa_platform_get_builtin_key() (PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LOCATION) - test_driver_key_management.c : mbedtls_test_opaque_export_public_key()
3) verify_message transparent driver: calculate in driver ECDSA SECP256R1 SHA-256 using the API : - psa_import_key - psa_verify_message with the attributes : - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)
It seems to me that II)=2) and 3) should be pretty similar to III) because I assume that neither transparent vs opaque, nor PSA_KEY_TYPE_ECC_KEY_PAIR vs PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE, is gonna change much here.
But the signature I) is less clear... Has the built-in key feature been thought such that the read-only key is read each time we call a different PSA API function ?
Long story short, an "opaque driver + builtin keys" equivalent of the "sign_message transparent driver: calculate in driver ECDSA SECP256R1 SHA-256" example in the test-suite would be really helpful :)