nRF9160: Offloaded sockets can't use MBEDTLS_USE_PSA_CRYPTO with RSA Certificates

Voxorin,

You seem right, seems like there is this dependency of MBEDTLS_RSA on a deprecated  CONFIG_MBEDTLS_LEGACY_CRYPTO_C. I think the best alternative for you, if you do not want to rely on deprecated configs, for future proofing your design, it might be best to use ECC certificates (which are supported by the PSA_CRYPTO  API in our solution) rather than RSA.  

Voxorin,

You seem right, seems like there is this dependency of MBEDTLS_RSA on a deprecated  CONFIG_MBEDTLS_LEGACY_CRYPTO_C. I think the best alternative for you, if you do not want to rely on deprecated configs, for future proofing your design, it might be best to use ECC certificates (which are supported by the PSA_CRYPTO  API in our solution) rather than RSA.  

I would like to use ECC certificates, but both vendors I work with only have servers that use RSA certificates (ISRG Root X1 and Amazon Root CA 1).

It seems a bit strange that RSA certificates would be considered deprecated when they're still widely in use.

Maybe I missed something, but the MbedTLS PSA Crypto API supports RSA and it doesn't appear to be deprecated by MbedTLS. So why doesn't the NCS version of the PSA Crypto API support RSA?

See: "The PSA Crypto API supports encrypting, decrypting, signing and verifying messages using public key signature algorithms, such as RSA or ECDSA."

Voxorin, it seems like we still need legacy crypto for some cases. I think by sdk release version 3.0.0 we might be able to break the dependency on the legacy crypto completely. But this is not a promise but just a guideline on our intention. Keeping that in mind, you can probably ignore that warning and continue your development and in few months you wont see this warning when you upgrade the sdk.