library: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC

Follow the same pattern that was used in the past to remove dependency on MBEDTLS_RSA_C and use PSA_WANT instead. Relying on MBEDTLS_RSA_C is fine only when builtin drivers are compiled since all PSA_WANT are converted to legacy build symbols. However when builtin drivers are not built (ex: in case of TF-M), then part of the code in TLS/X509 won't be compiled because MBEDTLS_RSA_C is not set. OTOH it's not possible to declare that symbol in a configuration file because it's a legacy one and it will be rejected by buildtime checks. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-20 19:21:09 +01:00 · 2026-02-10 11:17:27 +01:00
parent 488dbf8bcb
commit ae885590fb
5 changed files with 23 additions and 22 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2468,7 +2468,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
    }

    switch (sig) {
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
        case MBEDTLS_SSL_SIG_RSA:
            break;
 #endif
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5271,17 +5271,17 @@ static const uint16_t ssl_preset_default_sig_algs[] = {
    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif

-#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_512)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_512)
    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
-#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_512 */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_512 */

-#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_384)
    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
-#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_384 */

-#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_256)
    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
-#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_256 */

    MBEDTLS_TLS_SIG_NONE
 };
@@ -5297,7 +5297,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
 #endif
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
 #endif
 #endif /* PSA_WANT_ALG_SHA_512 */
@@ -5309,7 +5309,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
 #endif
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
 #endif
 #endif /* PSA_WANT_ALG_SHA_384 */
@@ -5321,7 +5321,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
 #endif
 #endif /* PSA_WANT_ALG_SHA_256 */
@@ -5615,7 +5615,8 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
 }

 #if defined(MBEDTLS_PK_C) && \
-    (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
+    (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
 /*
 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
 */
@@ -5623,7 +5624,7 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
 {
    psa_key_type_t key_type = mbedtls_pk_get_key_type(pk);

-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    if (PSA_KEY_TYPE_IS_RSA(key_type)) {
        return MBEDTLS_SSL_SIG_RSA;
    }
@@ -5651,7 +5652,7 @@ unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type)
 mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig)
 {
    switch (sig) {
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
        case MBEDTLS_SSL_SIG_RSA:
            return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
 #endif
@@ -5664,7 +5665,7 @@ mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig)
    }
 }
 #endif /* MBEDTLS_PK_C &&
-          ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
+          ( PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */

 /*
 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1299,7 +1299,7 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
            MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
                                               MBEDTLS_SSL_HASH_SHA1),
 #endif
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
            MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
                                               MBEDTLS_SSL_HASH_SHA1),
 #endif
@@ -2246,7 +2246,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
     */
    ct_len = 0;

-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -210,7 +210,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
 {
    const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk);

-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) {
        if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) {
            return 0;
@@ -218,7 +218,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,

        return -1;
    }
-#endif /* MBEDTLS_RSA_C */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */

 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
    if (pk_alg == MBEDTLS_PK_ECDSA ||
--- a/library/x509_oid.c
+++ b/library/x509_oid.c
@@ -386,7 +386,7 @@ typedef struct {

 static const oid_sig_alg_t oid_sig_alg[] =
 {
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
 #if defined(PSA_WANT_ALG_MD5)
    {
        OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5,        "md5WithRSAEncryption",     "RSA with MD5"),
@@ -433,7 +433,7 @@ static const oid_sig_alg_t oid_sig_alg[] =
        MBEDTLS_MD_SHA1,     MBEDTLS_PK_SIGALG_RSA_PKCS1V15,
    },
 #endif /* PSA_WANT_ALG_SHA_1 */
-#endif /* MBEDTLS_RSA_C */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
 #if defined(PSA_HAVE_ALG_SOME_ECDSA)
 #if defined(PSA_WANT_ALG_SHA_1)
    {
@@ -466,12 +466,12 @@ static const oid_sig_alg_t oid_sig_alg[] =
    },
 #endif /* PSA_WANT_ALG_SHA_512 */
 #endif /* PSA_HAVE_ALG_SOME_ECDSA */
-#if defined(MBEDTLS_RSA_C)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
    {
        OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS,        "RSASSA-PSS",           "RSASSA-PSS"),
        MBEDTLS_MD_NONE,     MBEDTLS_PK_SIGALG_RSA_PSS,
    },
-#endif /* MBEDTLS_RSA_C */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
    {
        NULL_OID_DESCRIPTOR,
        MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_NONE,