
Remove support for domain parameters #6495

Closed
gilles-peskine-arm opened this issue Oct 27, 2022 · 3 comments · Fixed by #8840
Labels
component-crypto Crypto primitives and low-level interfaces enhancement size-optimisation size-s Estimated task size: small (~2d)

Comments

@gilles-peskine-arm
Contributor

gilles-peskine-arm commented Oct 27, 2022

Domain parameters are an experimental feature which is:

  • Implemented only for RSA keys, in the following ways:
    • On key creation (import or generate), set the public exponent (without this interface, it has to be 65537).
    • In psa_get_key_attributes, get the public exponent. This is not useful since you can get it from the public key and you basically never need it separately.
  • Specified for DH and DSA with finite fields, which are not implemented in Mbed TLS. (FFDH is coming, but without support for custom groups, so not using domain parameters yet).

At this point, it's unlikely that we'll ever implement custom groups for FFDH. We won't implement FFDSA. So we don't really have a planned use for domain parameters. They might come up again with other algorithms (e.g. for PQC, depending on exactly how standardization goes), but it's not a given, and if they do, a different design might work better.

For RSA, the use of domain parameters was grafted on: we needed a way to select a custom public exponent when generating a key, the key attributes were the only way to pass information, and there was this field in the attributes that wasn't used for anything else and kind of fit. If we remove domain parameters, we need a different way to specify the public exponent when generating an RSA key.

Goal of this task: remove support for domain parameters from the API. Prerequisite: implement the alternative method for RSA generation (#8815), and get to a point where we're comfortable with removing support for the old method. Once that's done, the domain parameter functions will be just stubs that do nothing.

Definition of done: domain parameters are removed from the public interface. If they are still present internally, file a follow-up task to clean up.

Advantages:

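As an added example (not Mbed TLS or PSA code, and not from the issue author), the following self-contained C shows the two places the RSA public exponent lives in the design described above: the domain-parameter blob that `psa_set_key_domain_parameters()` takes for RSA (a big-endian unsigned integer with no leading zero bytes), and the `publicExponent` INTEGER inside the DER `RSAPublicKey` that an exported public key carries. The parser recovers the exponent from the key itself, which is the reason the comment gives for the `psa_get_key_attributes()` getter being unnecessary. The DER blob is a constructed sample with a 24-bit modulus, not a real key; the function names are the example's own.

```c
/* Added example, not Mbed TLS / PSA code. Demonstrates that an RSA public
 * exponent can be carried either as the PSA "domain parameters" blob
 * (big-endian, no leading zeros) or recovered from the DER RSAPublicKey:
 *     RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
 * No PSA headers are needed; everything runs offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: SEQUENCE { INTEGER 0x00C0FFEE, INTEGER 65537 }.
 * The modulus is far too small for a real key; it only exercises the parser. */
static const uint8_t kSampleRsaPublicKeyDer[] = {
    0x30, 0x0B,
    0x02, 0x04, 0x00, 0xC0, 0xFF, 0xEE,   /* modulus; 0x00 pad because top bit set */
    0x02, 0x03, 0x01, 0x00, 0x01          /* publicExponent = 65537 */
};

/* Encode e as the RSA domain-parameter blob (big-endian, no leading zeros).
 * Returns bytes written, or 0 if e == 0 or the buffer is too small. */
size_t rsa_exponent_to_domain_params(uint32_t e, uint8_t *out, size_t out_size)
{
    uint8_t tmp[4];
    size_t n = 0;
    for (int shift = 24; shift >= 0; shift -= 8) {
        uint8_t b = (uint8_t)(e >> shift);
        if (n == 0 && b == 0)
            continue;                      /* drop leading zero bytes */
        tmp[n++] = b;
    }
    if (n == 0 || n > out_size)
        return 0;
    memcpy(out, tmp, n);
    return n;
}

/* Decode a domain-parameter blob back into an exponent. 0 means invalid
 * (empty, non-minimal leading zero, or wider than 32 bits). */
uint32_t domain_params_to_exponent(const uint8_t *buf, size_t len)
{
    if (len == 0 || len > 4 || buf[0] == 0x00)
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | buf[i];
    return v;
}

/* Minimal DER header reader: checks the tag, decodes a short- or long-form
 * length, and verifies the content fits within `len`. Returns 0 on success. */
static int der_read_header(const uint8_t *p, size_t len, size_t *pos,
                           uint8_t tag, size_t *content_len)
{
    if (*pos >= len || p[*pos] != tag)
        return -1;
    (*pos)++;
    if (*pos >= len)
        return -1;
    uint8_t first = p[(*pos)++];
    size_t l = first;
    if (first & 0x80) {                    /* long form: next N bytes hold length */
        size_t nbytes = first & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > len - *pos)
            return -1;
        l = 0;
        for (size_t i = 0; i < nbytes; i++)
            l = (l << 8) | p[(*pos)++];
    }
    if (l > len - *pos)
        return -1;                         /* truncated or oversized content */
    *content_len = l;
    return 0;
}

/* Extract publicExponent from a DER RSAPublicKey. Returns 0 on any parse
 * error; 0 is never a valid RSA exponent, so it doubles as the error value. */
uint32_t rsa_public_key_exponent(const uint8_t *der, size_t len)
{
    size_t pos = 0, seq_len, n_len, e_len;
    if (der_read_header(der, len, &pos, 0x30, &seq_len) != 0)
        return 0;
    size_t end = pos + seq_len;
    if (der_read_header(der, end, &pos, 0x02, &n_len) != 0)
        return 0;
    pos += n_len;                          /* skip the modulus */
    if (der_read_header(der, end, &pos, 0x02, &e_len) != 0)
        return 0;
    const uint8_t *q = der + pos;
    if (e_len == 0 || (q[0] & 0x80))
        return 0;                          /* empty or negative INTEGER */
    if (q[0] == 0x00 && e_len > 1) {       /* DER pads a set top bit with 0x00 */
        q++;
        e_len--;
    }
    return domain_params_to_exponent(q, e_len);
}

/* Round trip: encode e as domain parameters and decode it again. */
int domain_params_roundtrip(uint32_t e)
{
    uint8_t buf[4];
    size_t n = rsa_exponent_to_domain_params(e, buf, sizeof buf);
    return n != 0 && domain_params_to_exponent(buf, n) == e;
}

int main(void)
{
    uint8_t blob[4];
    size_t n = rsa_exponent_to_domain_params(65537, blob, sizeof blob);
    printf("domain parameters for 65537 (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", blob[i]);
    printf("\nexponent read back from the public key: %u\n",
           (unsigned)rsa_public_key_exponent(kSampleRsaPublicKeyDer,
                                             sizeof kSampleRsaPublicKeyDer));
    return 0;
}
```

Both decoders reject an empty integer, a non-minimal leading zero and anything wider than 32 bits, and the DER reader bounds-checks every length before reading, so a truncated key returns 0 rather than reading past the buffer.
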
@DemiMarie
Contributor

> Specified for DH and DSA with finite fields, which are not implemented in Mbed TLS. (FFDH is coming, but without support for custom groups, so not using domain parameters yet).

FFDH is deprecated IIUC.

@mpg
Contributor

mpg commented Jun 20, 2023

> > Specified for DH and DSA with finite fields, which are not implemented in Mbed TLS. (FFDH is coming, but without support for custom groups, so not using domain parameters yet).
>
> FFDH is deprecated IIUC.

My understanding is that only FFDH with custom domain parameters (as is done in TLS 1.2) is deprecated, but FFDH with well-known groups (as done in TLS 1.3) is still considered OK (except for the high resource usage compared to ECDH of course) AFAIK.

So, pretty consistent with the goal of this issue.

@mpg
Contributor

mpg commented Dec 19, 2023

Note: when doing this we can also remove the hack that was implemented in #8616 and documented in #8644 around the lack of driver support.

Projects
Status: Mbed TLS 3.6 release