Hi Stefano,

The pk module has limited support for opaque RSA keys, by using the RSA_ALT functionality (https://tls.mbed.org/kb/cryptography/use-external-rsa-private-key). There's no support for opaque EC keys.

For a TLS server, you can use the asynchronous callback feature to use an opaque key. See https://tls.mbed.org/kb/how-to/ssl_async

The PSA crypto API supports opaque keys. On the application side, you need to use functions like psa_asymmetric_sign instead of mbedtls_pk_sign. On the hardware side, you need to implement a secure element driver for your crypto chip. Driver support is work in progress, and documentation and tooling are still sparse. The driver specifications are in https://github.com/ARMmbed/mbedtls/tree/development/docs/proposed . To add driver support, you currently need to edit library/psa_crypto_driver_wrappers.c and replace calls to the test driver by calls to your real driver.

Best regards,

--
Gilles Peskine
Mbed TLS developer and PSA Crypto architect

On 03/06/2021 17:20, stefano664 via mbed-tls wrote:
Hi all,
I'm using the mbedTLS libraries with an OPTIGA cryptochip. At the moment, when I call the sign function:

err = mbedtls_pk_sign(&priv_key, MBEDTLS_MD_SHA384, hash, 0, sign, &olen, mbedtls_ctr_drbg_random, &ctr_drbg);

I need to pass it a valid private key even if it isn't used, because the alternative sign routine uses the one in the cryptochip.

Is it possible to avoid passing this key?

Best regards,
Stefano Mologni