Better interface to specify the public exponent when generating an RSA key

[gilles-peskine-arm]

In an early draft of the PSA API, the interface for generating a key was

psa_status_t psa_generate_key(psa_key_slot_t key,
                              psa_key_type_t type,
                              size_t bits,
                              const void *extra,
                              size_t extra_size);

The extra buffer allowed specifying extra parameters with a format that depends on the key type. This was used only for RSA, to specify a different public exponent.

We removed this interface because it violated algorithm agility (the interpretation of extra depends on the key type), and because domain parameters could be used for this purpose. With the benefit of hindsight, domain parameters are a poor fit: the public exponent is redundant on import or copy (with the extra approach, psa_import_key and psa_copy_key don't have an extra parameter), and it isn't useful when querying the attributes with psa_get_key_attributes (if you want to know the public exponent, call psa_export_public_key).

This is currently not an official PSA API. It's a beta API which is being tried out in Mbed TLS. In Mbed TLS, the interface is declared as experimental.

The goal of this task is to define a better interface for specifying the public exponent when generating an RSA key. This may well be a return to the early draft (but with a different function name, e.g. psa_generate_key_ext).

Follow-ups:

• Implement the new interface and deprecate the use of domain parameters.
• Remove the use of domain parameters.