jwt: remove TinyCrypt usage

As part of TinyCrypt deprecation process (zephyrproject-rtos#79566) this commit removes usage of this library from the JWT subsystem and its related tests. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti · Oct 10, 2024 · 85031f0 · 85031f0
1 parent d44e0bd
commit 85031f0
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 150 deletions.
diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst
@@ -540,10 +540,17 @@ JWT (JSON Web Token)
 ====================
 
 * By default, the signature is now computed through PSA Crypto API for both RSA and ECDSA.
-  The newly-added :kconfig:option:`CONFIG_JWT_USE_LEGACY` can be used to switch
-  back to previous libraries (TinyCrypt for ECDSA and Mbed TLS for RSA).
-  The conversion to the PSA Crypto API is being done in preparation for the
-  deprecation of TinyCrypt. (:github:`78243` and :github:`43712`)
+  (:github:`78243`). The conversion to the PSA Crypto API is part of the adoption
+  of a standard interface for crypto operations (:github:`43712`). Moreover,
+  following the deprecation of the TinyCrypt library (:github:`79566`) usage
+  of TinyCrypt was removed from the JWT subsystem (:github:`79653`).
+
+* The following new symbols were added to allow specifying both the signature
+  algorithm and crypto library:
+
+  * :kconfig:option:`JWT_SIGN_RSA_PSA` (default) RSA signature using PSA Crypto APIs;
+  * :kconfig:option:`JWT_SIGN_RSA_LEGACY`RSA signature using Mbed TLS;
+  * :kconfig:option:`JWT_SIGN_ECDSA_PSA` ECDSA signature using PSA Crypto APIs.
 
 Architectures
 *************
diff --git a/subsys/jwt/CMakeLists.txt b/subsys/jwt/CMakeLists.txt
@@ -3,7 +3,6 @@
 zephyr_library()
 zephyr_library_sources(jwt.c)
 
-zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_ECDSA_LEGACY jwt_legacy_ecdsa.c)
 zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_RSA_LEGACY jwt_legacy_rsa.c)
 zephyr_library_sources_ifdef(CONFIG_JWT_USE_PSA jwt_psa.c)
 

diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
@@ -12,69 +12,30 @@ if JWT
 
 choice
 	prompt "JWT signature algorithm"
-	default JWT_SIGN_RSA
+	default JWT_SIGN_RSA_PSA
 	help
 	  Select which algorithm to use for signing JWT tokens.
 
-config JWT_SIGN_RSA
-	bool "Use RSA signature (RS-256)"
-
-config JWT_SIGN_ECDSA
-	bool "Use ECDSA signature (ES-256)"
-
-endchoice
-
-choice
-	default JWT_USE_PSA
-	prompt "Select crypto library to be used"
-
-config JWT_USE_PSA
-	bool "PSA crypto API library"
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
-
-config JWT_USE_LEGACY
-	bool "Legacy library: TinyCrypt for ECDSA, Mbed TLS for RSA"
+config JWT_SIGN_RSA_LEGACY
+	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
+	depends on CSPRNG_ENABLED
+	select MBEDTLS
+	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
-endchoice
+config JWT_SIGN_RSA_PSA
+	bool "Use RSA signature (RS-256). Use PSA Crypto APIs."
+	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+	select PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+	select PSA_WANT_ALG_SHA_256
 
-# Prompless Kconfigs to effectively select which algorithm and library will be used
-# to sign the JWT. User's selections on the above choices will determine which
-# element will be picked here.
 config JWT_SIGN_ECDSA_PSA
-	bool
-	default y
-	depends on JWT_SIGN_ECDSA && JWT_USE_PSA
+	bool "Use ECDSA signature (ES-256). Use PSA Crypto APIs."
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_ECC_SECP_R1_256
 	select PSA_WANT_ALG_SHA_256
 
-config JWT_SIGN_ECDSA_LEGACY
-	bool
-	default y
-	depends on JWT_SIGN_ECDSA && JWT_USE_LEGACY
-	select TINYCRYPT
-	select TINYCRYPT_SHA256
-	select TINYCRYPT_ECC_DSA
-	select TINYCRYPT_CTR_PRNG
-	select TINYCRYPT_AES
-
-config JWT_SIGN_RSA_PSA
-	bool
-	default y
-	depends on JWT_SIGN_RSA && JWT_USE_PSA
-	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
-	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-	select PSA_WANT_ALG_RSA_PKCS1V15_SIGN
-	select PSA_WANT_ALG_SHA_256
-
-config JWT_SIGN_RSA_LEGACY
-	bool
-	default y
-	depends on JWT_SIGN_RSA && JWT_USE_LEGACY
-	depends on CSPRNG_ENABLED
-	select MBEDTLS
-	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+endchoice
 
 endif # JWT
diff --git a/subsys/jwt/jwt_legacy_ecdsa.c b/subsys/jwt/jwt_legacy_ecdsa.c
diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml
@@ -9,24 +9,17 @@ common:
   extra_configs:
     - CONFIG_TEST_RANDOM_GENERATOR=y
 tests:
-  libraries.encoding.jwt.ecdsa.legacy:
-    extra_configs:
-      - CONFIG_JWT_SIGN_ECDSA=y
-      - CONFIG_JWT_USE_LEGACY=y
   libraries.encoding.jwt.ecdsa.psa:
     extra_configs:
-      - CONFIG_JWT_SIGN_ECDSA=y
-      - CONFIG_JWT_USE_PSA=y
+      - CONFIG_JWT_SIGN_ECDSA_PSA=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
   libraries.encoding.jwt.rsa.legacy:
     filter: CSPRNG_ENABLED
     extra_configs:
-      - CONFIG_JWT_SIGN_RSA=y
-      - CONFIG_JWT_USE_LEGACY=y
+      - CONFIG_JWT_SIGN_RSA_LEGACY=y
   libraries.encoding.jwt.rsa.psa:
     extra_configs:
-      - CONFIG_JWT_SIGN_RSA=y
-      - CONFIG_JWT_USE_PSA=y
+      - CONFIG_JWT_SIGN_RSA_PSA=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y