NRF54 TF-M build - mbedTLS config: MBEDTLS_RSA_C not defined?

 
Hello, I am working with an nRF54L15 and using a TF-M build (cpuapp_ns). SDK and toolchain are currently v3.0.2. NRF_SECURITY is enabled (by default) and here are the relevant config options I added:


MBEDTLS_PSA_CRYPTO_C
MBEDTLS_TLS_LIBRARY
PSA_CRYPTO_DRIVER_CRACEN
PSA_WANT_ALG_ECDSA
PSA_WANT_ALG_RSA_PKCS1V15_SIGN
PSA_WANT_ALG_RSA_PSS
PSA_WANT_ALG_SHA_256
PSA_WANT_ECC_SECP_R1_256
PSA_WANT_GENERATE_RANDOM
PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
PSA_WANT_RSA_KEY_SIZE_1024
PSA_WANT_RSA_KEY_SIZE_2048

I am trying to parse an X509 certificate signed with an RSA 1024-bit key using mbedtls_x509_crt_parse_der() and get a -9774 error (which seems to mean unrecognized signing algo).
After troubleshooting, I found out I can parse another cert signed with a secp256r1 key just fine, and mbedTLS does not appear to support RSA by default, only NIST curves?
In fact, in the auto-generated nrf-config.h I cannot even find MBEDTLS_RSA_C.
But it also seems like adding a custom mbedTLS config header is not supported when using TF-M, so I am stuck with the auto-generated nrf-config.h.
Looking at config_adjust_legacy_from_psa.h, it seems like MBEDTLS_RSA_C should automatically get defined when I have PSA_WANT_ALG_RSA_PKCS1V15_SIGN enabled, yet it doesn't seem to work, as it's not in the auto-generated nrf-config.h?
Am I missing something important? I just can't figure out how to do this.
