Skip to content

Replace legacy rsa symbols followup#10642

Open
valeriosetti wants to merge 15 commits intoMbed-TLS:developmentfrom
valeriosetti:replace-legacy-rsa-symbols-followup
Open

Replace legacy rsa symbols followup#10642
valeriosetti wants to merge 15 commits intoMbed-TLS:developmentfrom
valeriosetti:replace-legacy-rsa-symbols-followup

Conversation

@valeriosetti
Copy link
Copy Markdown
Contributor

@valeriosetti valeriosetti commented Mar 16, 2026

Description

This is the follow-up of #10591. Its goal is to address comments being raised in that PR concerning testing.

PR checklist

  • changelog not required because: only test changes
  • development PR not required because: this one
  • TF-PSA-Crypto PR not required because: no change there
  • framework PR not required
  • 3.6 PR not required because: not backported
  • tests provided

@valeriosetti
library: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_KEY_PA…
ae88559 
…IR_BASIC

Follow the same pattern that was used in the past to remove dependency
on MBEDTLS_RSA_C and use PSA_WANT instead.

Relying on MBEDTLS_RSA_C is fine only when builtin drivers are compiled
since all PSA_WANT are converted to legacy build symbols. However when
builtin drivers are not built (ex: in case of TF-M), then part of the code
in TLS/X509 won't be compiled because MBEDTLS_RSA_C is not set. OTOH
it's not possible to declare that symbol in a configuration file because
it's a legacy one and it will be rejected by buildtime checks.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
ff26306 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: bulk replace MBEDTLS_RSA_C with PSA_HAVE_ALG_SOME_RSA_VERIFY
2fab513 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: bulk replace MBEDTLS_RSA_C with PSA_HAVE_ALG_SOME_RSA_SIGN
ed0aebd 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: replace remaining occurrences of legacy RSA algorithms
0dfc52e 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: pkcs7: ease requirements for parse tests
2258cb7 
replace PSA_HAVE_ALG_SOME_RSA_VERIFY with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: replace dependency from RSA PSS to PKCS v1.5 in one hands…
3a760f7 
…hake test

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: pkcs7: remove RSA dependency from pkcs7_verify()
c8fb0d4 
PKCS7 supports ECC as well so the test function should not be guarded or
limited to RSA build symbols. Those guards must be added to test data
as required by the test itself. This allows for test extension to also
include ECC testing (not present now).

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: x509parse: add only PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY to non-ve…
9d5a7ab 
…rify tests

Replace PSA_HAVE_ALG_SOME_RSA_VERIFY -> PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
for all tests that are just parsing but not doing any verification.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: x509: improve guards on some RSA signature verification limiti…
c31c21d 
…ng to only PKCS v1.5

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: require only RSA PKCS v1.5 in TLS 1.2 tests
adc4467 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: require only RSA PKCS v1.5 in DTLS tests
f2ac067 
Mbed TLS only implements DTLS 1.2, so RSA is limited to PKCS v1.5.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: require RSA PKCS v1.5 for certificates and v2.2 for hands…
1d78a31 
…hake

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: adjust depends_on for RSA in move_handshake_to_state()
fa3379e 
Since this can be used for both TLS 1.2 and TLS 1.3 tests, require both
PKCS v1.5 and v2.2.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
tests: ssl: adjust requirements for mbedtls_endpoint_sanity()
9f4294f 
The function has a guard that only limits it to TLS 1.2, which means only
RSA PKCS v1.5 is required, not PSS.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti valeriosetti mentioned this pull request Mar 16, 2026
Merged
5 tasks
@valeriosetti valeriosetti requested a review from mpg March 16, 2026 14:04
@valeriosetti valeriosetti added needs-ci Needs to pass CI tests needs-reviewer This PR needs someone to pick it up for review priority-high High priority - will be reviewed soon size-xs Estimated task size: extra small (a few hours at most) labels Mar 16, 2026
@gilles-peskine-arm gilles-peskine-arm requested review from gilles-peskine-arm and removed request for mpg April 2, 2026 14:57
@gilles-peskine-arm gilles-peskine-arm added needs-work size-s Estimated task size: small (~2d) and removed needs-reviewer This PR needs someone to pick it up for review size-xs Estimated task size: extra small (a few hours at most) labels Apr 2, 2026
@gilles-peskine-arm
Copy link
Copy Markdown
Contributor

gilles-peskine-arm commented Apr 2, 2026

There's a trivial merge conflict. It would be more convenient to resolve it before review.

Also there's a genuine failure of depends.py.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gilles-peskine-arm gilles-peskine-arm Awaiting requested review from gilles-peskine-arm

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

needs-ci Needs to pass CI tests needs-work priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)

Projects

Roadmap pull requests (new board)
Status: In Development

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@valeriosetti @gilles-peskine-arm