
mbedtls: Add missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option (IDFGH-17174)#18182

Closed
Yuerchu wants to merge 1 commit intoespressif:masterfrom
Yuerchu:fix/kconfig-mbedtls-pk-rsa-alt-support

Conversation

@Yuerchu

@Yuerchu Yuerchu commented Jan 29, 2026

This pull request may fix #18181.

The ESP-TLS component's ESP_TLS_USE_DS_PERIPHERAL config option depends on MBEDTLS_PK_RSA_ALT_SUPPORT, but this symbol was never defined in the Kconfig system. It only existed as a preprocessor macro in esp_config.h.

This caused the DS peripheral option to be unavailable in menuconfig, even on chips that support it (ESP32-S2, ESP32-S3, ESP32-C3, etc.), resulting in build errors when using ds_data in esp_http_client_config_t.

Add the missing Kconfig option with proper dependencies on MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED.


Checklist

Before submitting a Pull Request, please ensure the following:

  • [x] 🚨 This PR does not introduce breaking changes.
  • All CI checks (GH Actions) pass.
  • Documentation is updated as needed.
  • Tests are updated or added as necessary.
  • Code is well-commented, especially in complex areas.
  • Git history is clean — commits are squashed to the minimum necessary.

Note (Low Risk): this only adds a missing Kconfig symbol with conservative dependencies, affecting menuconfig visibility/build config rather than runtime crypto behavior.

Overview
Adds the previously-missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option to the mbedTLS Asymmetric Ciphers menu.

The new option defaults to enabled and is gated by MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED, allowing features (e.g., DS-peripheral-backed RSA signing via mbedtls_pk_setup_rsa_alt()) to be selected via menuconfig instead of relying on an undefined symbol.

Written by Cursor Bugbot for commit 5402097.

@CLAassistant

CLAassistant commented Jan 29, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions

github-actions bot commented Jan 29, 2026

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello Yuerchu, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.



This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect:


We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is a public mirror of our internal git repository.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests it is merged into the default branch.
6. On the next sync from the internal git repository the merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against 5402097

@github-actions github-actions bot changed the title mbedtls: Add missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option mbedtls: Add missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option (IDFGH-17174) Jan 29, 2026
@espressif-bot espressif-bot added the Status: Opened Issue is new label Jan 29, 2026
The ESP-TLS component's ESP_TLS_USE_DS_PERIPHERAL config option depends
on MBEDTLS_PK_RSA_ALT_SUPPORT, but this symbol was never defined in the
Kconfig system. It only existed as a preprocessor macro in esp_config.h.

This caused the DS peripheral option to be unavailable in menuconfig,
even on chips that support it (ESP32-S2, ESP32-S3, ESP32-C3, etc.),
resulting in build errors when using ds_data in esp_http_client_config_t.

Add the missing Kconfig option with proper dependencies on MBEDTLS_RSA_C
and SOC_DIG_SIGN_SUPPORTED.
@Yuerchu Yuerchu force-pushed the fix/kconfig-mbedtls-pk-rsa-alt-support branch from 6193fe7 to 5402097 on January 29, 2026 16:48
@Yuerchu Yuerchu marked this pull request as ready for review January 29, 2026 16:49
Copilot AI review requested due to automatic review settings January 29, 2026 16:49

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


When enabled, the application can use mbedtls_pk_setup_rsa_alt() to
register a custom RSA signature callback.

See ESP-TLS documentation for more details about using DS peripheral.

Kconfig option missing corresponding macro definition mapping

High Severity

The new MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option creates CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT in sdkconfig, but there's no corresponding mapping in esp_config.h to define the actual MBEDTLS_PK_RSA_ALT_SUPPORT macro for mbedTLS. Without this mapping, the mbedTLS library won't see the macro as defined, and mbedtls_pk_setup_rsa_alt() won't be compiled in, rendering the configuration option ineffective.


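The mapping gap Bugbot describes can be checked mechanically. The following Python script is an added example and is not code from this PR or from ESP-IDF: it reads an sdkconfig and an esp_config.h and lists every enabled CONFIG_MBEDTLS_* symbol that the header never turns into the bare MBEDTLS_* macro mbedTLS compiles against. The sdkconfig and header fragments embedded in it are constructed for the example and follow the "#ifdef CONFIG_X / #define X" pattern the review comments describe (the same pattern that maps CONFIG_MBEDTLS_RSA_C to MBEDTLS_RSA_C); the real header may also set some macros under other conditions, so treat a hit as something to inspect rather than as proof of a dangling symbol.

```python
"""Find mbedTLS Kconfig symbols that never reach the library.

menuconfig writes CONFIG_MBEDTLS_* symbols into sdkconfig; esp_config.h is
expected to turn each one into the bare MBEDTLS_* macro mbedTLS compiles
against.  An enabled symbol with no such mapping is accepted by menuconfig
but has no effect on the library.  All inputs below are constructed for
this example; they are not files from the ESP-IDF tree.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sdkconfig fragment.  The last symbol is the one this PR adds.
SAMPLE_SDKCONFIG = """\
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_ECP_C=y
# CONFIG_MBEDTLS_CMAC_C is not set
CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT=y
"""

# Constructed esp_config.h fragment in the "#ifdef CONFIG_X / #define X"
# style.  It deliberately has no block for CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT,
# which is the situation the review comments point out.
SAMPLE_ESP_CONFIG_H = """\
#ifdef CONFIG_MBEDTLS_RSA_C
#define MBEDTLS_RSA_C
#else
#undef MBEDTLS_RSA_C
#endif

#ifdef CONFIG_MBEDTLS_PK_C
#define MBEDTLS_PK_C
#else
#undef MBEDTLS_PK_C
#endif

#ifdef CONFIG_MBEDTLS_ECP_C
#define MBEDTLS_ECP_C
#endif

#ifdef CONFIG_MBEDTLS_CMAC_C
#define MBEDTLS_CMAC_C
#endif
"""

_SET = re.compile(r"^CONFIG_(MBEDTLS_[A-Z0-9_]+)=(y|n)\s*$")
_UNSET = re.compile(r"^# CONFIG_(MBEDTLS_[A-Z0-9_]+) is not set\s*$")
_GUARD = re.compile(r"#\s*ifdef\s+CONFIG_(MBEDTLS_[A-Z0-9_]+)\b")
_ANY_IF = re.compile(r"#\s*(if|ifdef|ifndef)\b")
_ENDIF = re.compile(r"#\s*endif\b")
_DEFINE = re.compile(r"#\s*define\s+(MBEDTLS_[A-Z0-9_]+)\b")


def kconfig_symbols(sdkconfig: str) -> Dict[str, bool]:
    """Map each CONFIG_MBEDTLS_* symbol in sdkconfig to whether it is enabled."""
    symbols: Dict[str, bool] = {}
    for line in sdkconfig.splitlines():
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2) == "y"
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = False
    return symbols


def mapped_macros(esp_config_h: str) -> Set[str]:
    """Return the MBEDTLS_* macros defined inside an '#ifdef CONFIG_<same name>'
    guard, i.e. the symbols esp_config.h actually forwards to mbedTLS."""
    mapped: Set[str] = set()
    # Stack of open conditionals; None marks a guard that is not a CONFIG_ ifdef.
    guards: List[Optional[str]] = []
    for raw in esp_config_h.splitlines():
        line = raw.strip()
        m = _GUARD.match(line)
        if m:
            guards.append(m.group(1))
        elif _ANY_IF.match(line):
            guards.append(None)
        elif _ENDIF.match(line):
            if guards:
                guards.pop()
        else:
            m = _DEFINE.match(line)
            # Only a define sitting under the guard of the same name counts.
            if m and m.group(1) in guards:
                mapped.add(m.group(1))
    return mapped


def dangling_symbols(sdkconfig: str, esp_config_h: str) -> List[str]:
    """Enabled Kconfig symbols that esp_config.h never turns into a macro."""
    mapped = mapped_macros(esp_config_h)
    return sorted(
        name for name, enabled in kconfig_symbols(sdkconfig).items()
        if enabled and name not in mapped
    )


if __name__ == "__main__":
    for name in dangling_symbols(SAMPLE_SDKCONFIG, SAMPLE_ESP_CONFIG_H):
        print(f"CONFIG_{name}=y has no '#define {name}' in esp_config.h")
```

To run it against a real build, pass the contents of the project's sdkconfig and of components/mbedtls/port/include/mbedtls/esp_config.h to dangling_symbols(). The matching is deliberately narrow: only a #define placed directly under an #ifdef CONFIG_<name> guard counts as a mapping, so a macro that the header sets under a composite #if condition is reported and has to be checked by hand.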
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Support external private RSA keys (eg from a HSM) in the PK layer"
default y
depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED

Missing dependency on MBEDTLS_PK_C in Kconfig

Medium Severity

The MBEDTLS_PK_RSA_ALT_SUPPORT option depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED but is missing a dependency on MBEDTLS_PK_C. The mbedtls_pk_setup_rsa_alt() function is part of the PK layer, so enabling this option without MBEDTLS_PK_C creates an inconsistent configuration. If MBEDTLS_MD_C is disabled (which disables MBEDTLS_PK_C), this option can still be enabled despite the PK layer not being available.


Copilot AI left a comment


Pull request overview

This pull request adds a missing Kconfig option MBEDTLS_PK_RSA_ALT_SUPPORT to make the Digital Signature (DS) peripheral feature properly configurable through menuconfig. The issue reported (#18181) indicated that users couldn't enable ESP_TLS_USE_DS_PERIPHERAL functionality, resulting in build errors when trying to use the ds_data field.

Changes:

  • Adds MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option with dependencies on MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED
  • Sets default to 'y' for chips supporting digital signature peripheral
  • Provides documentation about using external RSA keys and DS peripheral integration


Comment on lines +1009 to +1010
When enabled, the application can use mbedtls_pk_setup_rsa_alt() to
register a custom RSA signature callback.

Copilot AI Jan 29, 2026


The help text mentions "mbedtls_pk_setup_rsa_alt()" function, but this function doesn't appear to exist in the current codebase. Please verify that this is the correct function name or update the help text to reflect the actual API being used. If this is a standard mbedTLS function that should be available, please confirm the implementation is present.

Suggested change

When enabled, the application can use mbedtls_pk_setup_rsa_alt() to
register a custom RSA signature callback.

When enabled, the application can register a custom RSA signature
callback in the PK layer (for example, to delegate private-key
operations to an external device such as an HSM).

Comment on lines +1003 to +1007
bool "Support external private RSA keys (eg from a HSM) in the PK layer"
default y
depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
help
Support external private RSA keys (eg from a HSM) in the PK layer.

Copilot AI Jan 29, 2026


Minor typo: "eg" should be "e.g." (with periods) for proper abbreviation of "exempli gratia" (for example).

Suggested change

bool "Support external private RSA keys (eg from a HSM) in the PK layer"
default y
depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
help
Support external private RSA keys (eg from a HSM) in the PK layer.

bool "Support external private RSA keys (e.g. from a HSM) in the PK layer"
default y
depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
help
Support external private RSA keys (e.g. from a HSM) in the PK layer.

Comment on lines +1002 to +1013
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Support external private RSA keys (eg from a HSM) in the PK layer"
default y
depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
help
Support external private RSA keys (eg from a HSM) in the PK layer.

When enabled, the application can use mbedtls_pk_setup_rsa_alt() to
register a custom RSA signature callback.

See ESP-TLS documentation for more details about using DS peripheral.

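Review bot: the "depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED" line ties a generic mbedTLS PK feature to one SoC peripheral, while the prompt and help text in this same hunk advertise support for external private RSA keys "eg from a HSM". On a chip without the DS peripheral the option becomes invisible even though an application could still want to delegate RSA private-key operations to an external HSM or secure element through the PK layer, so the dependency here should be on the symbols the callback actually needs (MBEDTLS_PK_C and MBEDTLS_RSA_C), with the SOC_DIG_SIGN_SUPPORTED requirement left on ESP_TLS_USE_DS_PERIPHERAL, which is the DS-specific consumer. The mbedtls_pk_setup_rsa_alt() named in the help text is upstream mbedTLS's own PK API and is compiled only when the library sees the bare MBEDTLS_PK_RSA_ALT_SUPPORT macro, so until esp_config.h maps CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT onto that macro, the function this help text promises is not built and the "See ESP-TLS documentation" pointer leads users to an API that is not there.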

Copilot AI Jan 29, 2026


The CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT option is being added but there's no corresponding code that checks for this config option or defines the MBEDTLS_PK_RSA_ALT_SUPPORT preprocessor macro.

Typically, Kconfig options like CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT need to be converted to MBEDTLS_PK_RSA_ALT_SUPPORT macros in components/mbedtls/port/include/mbedtls/esp_config.h following the established pattern (similar to how CONFIG_MBEDTLS_RSA_C is converted to MBEDTLS_RSA_C).

Additionally, if ESP_TLS_USE_DS_PERIPHERAL truly depends on this option, then components/esp-tls/Kconfig should be updated to add "depends on MBEDTLS_PK_RSA_ALT_SUPPORT" or "select MBEDTLS_PK_RSA_ALT_SUPPORT" to the ESP_TLS_USE_DS_PERIPHERAL config option.

@Yuerchu
Author

Yuerchu commented Feb 2, 2026

It seems I submitted to the wrong branch. This fix is intended to address the issue that occurred in v5.5.x. The problem has already been resolved for the master branch through PSA migration and no modification is needed. I will close this submission and create a new pull request to the release/v5.5 branch.

@Yuerchu Yuerchu closed this Feb 2, 2026
@Yuerchu Yuerchu deleted the fix/kconfig-mbedtls-pk-rsa-alt-support branch February 2, 2026 08:31
@espressif-bot espressif-bot added Status: Done Issue is done internally Resolution: Done Issue is done internally and removed Status: Opened Issue is new labels Feb 9, 2026

Labels

Resolution: Done Issue is done internally Status: Done Issue is done internally

Projects

None yet

Development

Successfully merging this pull request may close these issues.

The ESP_TLS_USE_DS_PERIPHERAL option can never be enabled (IDFGH-17173)

4 participants