Re: [mbed-tls] Signing without explicit private key - mbed-tls

7 Jun 2021


      Hi Stefano,
The pk module has limited support for opaque RSA keys, by using the
RSA_ALT functionality
(https://tls.mbed.org/kb/cryptography/use-external-rsa-private-key
https://tls.mbed.org/kb/cryptography/use-external-rsa-private-key).
There's no support for opaque EC keys.
For a TLS server, you can use the asynchronous callback feature to use
an opaque key. See https://tls.mbed.org/kb/how-to/ssl_async
https://tls.mbed.org/kb/how-to/ssl_async
The PSA crypto API supports opaque keys. On the application side, you
need to use functions like psa_asymmetric_sign instead of
mbedtls_pk_sign. On the hardware side, you need to implement a secure
element driver for your crypto chip. Driver support is work in progress,
and documentation and tooling are still sparse. The driver
specifications are in
https://github.com/ARMmbed/mbedtls/tree/development/docs/proposed
https://github.com/ARMmbed/mbedtls/tree/development/docs/proposed . To
add driver support, you currently need to edit
library/psa_crypto_driver_wrappers.c and replace calls to the test
driver by calls to your real driver.
Best regards,
-- 
Gilles Peskine
Mbed TLS developer and PSA Crypto architect

On 03/06/2021 17:20, stefano664 via mbed-tls wrote:
> Hi all,
>   I'm using mbedTLS libraries with an OPTIGA cryptochip. At the
> moment, when I call the sign function:
>
> err = mbedtls_pk_sign(&priv_key, MBEDTLS_MD_SHA384, hash, 0, sign,
> &olen, mbedtls_ctr_drbg_random, &ctr_drbg);
>
> I need to pass it a valid private key else if it isn't used, because
> alternative sign routine use the one into cryptochip.
>
> It is possible to avoid passing this key?
>
> Best regards,
> Stefano Mologni
>