jwt: remove support for legacy RSA crypto

CONFIG_JWT_SIGN_RSA_LEGACY was already deprecated, but we agreed on removing all usages of legacy Mbed TLS crypto from Zephyr codebase quickly in order to prepare for the transition to Mbed TLS 4.0/TF-PSA-Crypto 1.0. Therefore this commit remvoes support for CONFIG_JWT_SIGN_RSA_LEGACY before the deprecation period expires. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2025-11-21 11:45:11 +01:00
parent d5d8bb17fa
commit 597fc3bbe1
4 changed files with 3 additions and 75 deletions
--- a/subsys/jwt/CMakeLists.txt
+++ b/subsys/jwt/CMakeLists.txt
@@ -2,11 +2,6 @@

 zephyr_library()
 zephyr_library_sources(jwt.c)
-
-zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_RSA_LEGACY jwt_legacy_rsa.c)
-
-if(CONFIG_JWT_SIGN_RSA_PSA OR CONFIG_JWT_SIGN_ECDSA_PSA)
-  zephyr_library_sources(jwt_psa.c)
-endif()
+zephyr_library_sources(jwt_psa.c)

 zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@@ -16,17 +16,6 @@ choice
 	help
 	  Select which algorithm to use for signing JWT tokens.

-config JWT_SIGN_RSA_LEGACY
-	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library [DEPRECATED]"
-	depends on ENTROPY_NODE_ENABLED
-	select DEPRECATED
-	select MBEDTLS
-	select MBEDTLS_MD_C
-	select MBEDTLS_RSA_C
-	select MBEDTLS_PKCS1_V15
-	select MBEDTLS_PKCS1_V21
-	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-
 config JWT_SIGN_RSA_PSA
 	bool "Use RSA signature (RS-256). Use PSA Crypto API."
 	select PSA_CRYPTO
--- a/subsys/jwt/jwt.c
+++ b/subsys/jwt/jwt.c
@@ -14,7 +14,7 @@

 #include "jwt.h"

-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 #define JWT_SIGNATURE_LEN 256
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */
 #define JWT_SIGNATURE_LEN 64
@@ -143,7 +143,7 @@ static int jwt_add_header(struct jwt_builder *builder)
 	 * Use https://www.base64encode.org/ for update
 	 */
 	const char jwt_header[] =
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 		/* {"alg":"RS256","typ":"JWT"} */
 		"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */
--- a/subsys/jwt/jwt_legacy_rsa.c
+++ b/subsys/jwt/jwt_legacy_rsa.c
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2024 BayLibre SAS
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#include <string.h>
-#include <zephyr/types.h>
-#include <errno.h>
-
-#include <zephyr/data/jwt.h>
-#include <zephyr/data/json.h>
-
-#include <mbedtls/pk.h>
-#include <mbedtls/rsa.h>
-#include <mbedtls/sha256.h>
-#include <zephyr/random/random.h>
-
-#include "jwt.h"
-
-static int csprng_wrapper(void *ctx, unsigned char *dest, size_t size)
-{
-	ARG_UNUSED(ctx);
-
-	return sys_csrand_get((void *)dest, size);
-}
-
-int jwt_sign_impl(struct jwt_builder *builder, const unsigned char *der_key, size_t der_key_len,
-		  unsigned char *sig, size_t sig_size)
-{
-	int res;
-	mbedtls_pk_context ctx;
-	size_t sig_len_out;
-
-	mbedtls_pk_init(&ctx);
-
-	res = mbedtls_pk_parse_key(&ctx, der_key, der_key_len, NULL, 0, csprng_wrapper, NULL);
-	if (res != 0) {
-		return res;
-	}
-
-	uint8_t hash[32];
-
-	/*
-	 * The '0' indicates to mbedtls to do a SHA256, instead of
-	 * 224.
-	 */
-	res = mbedtls_sha256(builder->base, builder->buf - builder->base, hash, 0);
-	if (res != 0) {
-		return res;
-	}
-
-	res = mbedtls_pk_sign(&ctx, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_size,
-			      &sig_len_out, csprng_wrapper, NULL);
-	return res;
-}