nRF9160: Offloaded sockets can't use MBEDTLS_USE_PSA_CRYPTO with RSA Certificates

I have app that's using MBedTLS and offloaded sockets on the nRF9160 modem. I'm using NCS 2.9.0 and it appears to me that it's not possible to set CONFIG_MBEDTLS_USE_PSA_CRYPTO when RSA certificates are required.

I have tried many combinations of config options but parsing RSA certificates without MBEDTLS_RSA_C always fails.

MBEDTLS_HAS_RSA_CIPHERSUITE_REQUIREMENTS depends on MBEDTLS_RSA_C which depends on MBEDTLS_LEGACY_CRYPTO_C.

CONFIG_MBEDTLS_USE_PSA_CRYPTO is incompatible with MBEDTLS_LEGACY_CRYPTO_C.

Is it possible to use RSA certificates in NCS without selecting the deprecated CONFIG_MBEDTLS_LEGACY_CRYPTO_C?

  • Voxorin,

    You seem right, seems like there is this dependency of MBEDTLS_RSA on a deprecated  CONFIG_MBEDTLS_LEGACY_CRYPTO_C. I think the best alternative for you, if you do not want to rely on deprecated configs, for future proofing your design, it might be best to use ECC certificates (which are supported by the PSA_CRYPTO  API in our solution) rather than RSA.  

  • I would like to use ECC certificates, but both vendors I work with only have servers that use RSA certificates (ISRG Root X1 and Amazon Root CA 1).

    It seems a bit strange that RSA certificates would be considered deprecated when they're still widely in use.

    Maybe I missed something, but the MbedTLS PSA Crypto API supports RSA and it doesn't appear to be deprecated by MbedTLS. So why doesn't the NCS version of the PSA Crypto API support RSA?

    See: "The PSA Crypto API supports encrypting, decrypting, signing and verifying messages using public key signature algorithms, such as RSA or ECDSA."

  • Voxorin, it seems like we still need legacy crypto for some cases. I think by sdk release version 3.0.0 we might be able to break the dependency on the legacy crypto completely. But this is not a promise but just a guideline on our intention. Keeping that in mind, you can probably ignore that warning and continue your development and in few months you wont see this warning when you upgrade the sdk.