From ac81e23c33189c3d65c03233a71d6724eae03616 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 21 Mar 2024 16:49:02 +0100 Subject: [PATCH] pk: add check_pair info to mbedtls_pk_setup_opaque() documentation This also updates use-psa-crypto.md accordingly. Signed-off-by: Valerio Setti --- docs/use-psa-crypto.md | 9 ++------- include/mbedtls/pk.h | 3 +++ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index 92d098524..f2983bd37 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -75,13 +75,8 @@ operations and its public part can be exported. **Benefits:** isolation of long-term secrets, use of PSA Crypto drivers. -**Limitations:** can only wrap a key pair, can only use it for private key -operations. (That is, signature generation, and for RSA decryption too.) -Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses -deterministic ECDSA by default. The following operations are not supported -with a context set this way, while they would be available with a normal -context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key -operations. +**Limitations:** please refer to the documentation of `mbedtls_pk_setup_opaque()` +for a full list of supported operations and limitations. **Use in X.509 and TLS:** opt-in. The application needs to construct the PK context using the new API in order to get the benefits; it can then pass the diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index e33702fe8..a3b13633d 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -377,6 +377,9 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info); * In order for the above operations to succeed, the policy of the wrapped PSA * key must allow the specified algorithm. * + * Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(), + * whereas RSA ones do not. + * * \warning The PSA wrapped key must remain valid as long as the wrapping PK * context is in use, that is at least between the point this function * is called and the point mbedtls_pk_free() is called on this context.