TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/dev/gilles-peskine-arm/issue8710^! / .
commit4b2700e14934b815e73f9ef39a08705b732b7acc[log] [tgz]
authorValerio Setti <valerio.setti@nordicsemi.no>Fri Mar 01 08:42:44 2024 +0100
committerValerio Setti <valerio.setti@nordicsemi.no>Fri Mar 01 08:42:44 2024 +0100
tree2c3adfab04dc74f099eb7ac16b667fc7f7c78ec5
parentfd4dcbfe8e428a5530121a215e4f822679aad5a2 [diff]
use-psa-crypto: remove references to mbedtls_pk_setup_opaque()

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 92d0985..2e0c5c4 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md

@@ -4,8 +4,7 @@
 This option:
 - makes the X.509 and TLS libraries use PSA for cryptographic operations as
   much as possible, see "Internal changes" below;
-- enables new APIs for using keys handled by PSA Crypto, such as
-  `mbedtls_pk_setup_opaque()` and `mbedtls_ssl_conf_psk_opaque()`, see
+- enables new APIs for using keys handled by PSA Crypto, see
 "New APIs / API extensions" below.
 
 General considerations
@@ -67,32 +66,6 @@
 New APIs / API extensions
 -------------------------
 
-### PSA-held (opaque) keys in the PK layer
-
-**New API function:** `mbedtls_pk_setup_opaque()` - can be used to
-wrap a PSA key pair into a PK context. The key can be used for private-key
-operations and its public part can be exported.
-
-**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
-
-**Limitations:** can only wrap a key pair, can only use it for private key
-operations. (That is, signature generation, and for RSA decryption too.)
-Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses
-deterministic ECDSA by default. The following operations are not supported
-with a context set this way, while they would be available with a normal
-context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
-operations.
-
-**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
-using the new API in order to get the benefits; it can then pass the
-resulting context to the following existing APIs:
-
-- `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the
-  key together with a certificate for certificate-based key exchanges;
-- `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature
-  request);
-- `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate.
-
 ### PSA-held (opaque) keys for TLS pre-shared keys (PSK)
 
 **New API functions:** `mbedtls_ssl_conf_psk_opaque()` and