nRF9160: Offloaded sockets can't use MBEDTLS_USE_PSA_CRYPTO with RSA Certificates

Voxorin,

You seem right, seems like there is this dependency of MBEDTLS_RSA on a deprecated  CONFIG_MBEDTLS_LEGACY_CRYPTO_C. I think the best alternative for you, if you do not want to rely on deprecated configs, for future proofing your design, it might be best to use ECC certificates (which are supported by the PSA_CRYPTO  API in our solution) rather than RSA.  

I would like to use ECC certificates, but both vendors I work with only have servers that use RSA certificates (ISRG Root X1 and Amazon Root CA 1).

It seems a bit strange that RSA certificates would be considered deprecated when they're still widely in use.

Maybe I missed something, but the MbedTLS PSA Crypto API supports RSA and it doesn't appear to be deprecated by MbedTLS. So why doesn't the NCS version of the PSA Crypto API support RSA?

See: "The PSA Crypto API supports encrypting, decrypting, signing and verifying messages using public key signature algorithms, such as RSA or ECDSA."

Voxorin, it seems like we still need legacy crypto for some cases. I think by sdk release version 3.0.0 we might be able to break the dependency on the legacy crypto completely. But this is not a promise but just a guideline on our intention. Keeping that in mind, you can probably ignore that warning and continue your development and in few months you wont see this warning when you upgrade the sdk.

Voxorin, it seems like we still need legacy crypto for some cases. I think by sdk release version 3.0.0 we might be able to break the dependency on the legacy crypto completely. But this is not a promise but just a guideline on our intention. Keeping that in mind, you can probably ignore that warning and continue your development and in few months you wont see this warning when you upgrade the sdk.

Hi Voxorion, hi Susheel,

we have exactly the same problem, that we cannot parse the RSA certificate provided by our server.
Same error code -0x262e, same config dependency between MBEDTLS_RSA_C  <--> CONFIG_MBEDTLS_USE_PSA_CRYPTO. Using ECC certificates is also not an option since we have no control over the provided certificate.

We are currently on NCS release 3.0.2 so apparently the teased dependency breaks have not released so far.

Therefore my question:

a) Is there any known workaround so far to somehow parse RSA certificates with CONFIG_MBEDTLS_USE_PSA_CRYPTO enabled?

b) Is there any roadmap on when the dependencies to the (soon to be) deprecated MBEDTLS_LEGACY API will be released?

If you have any helpful information, we would really much appreciate your feedback.

Thanks in advance!

Jaro