mbedtls: Add missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option (IDFGH-17174)

[Yuerchu]

This pull request may fix #18181 .

The ESP-TLS component's ESP_TLS_USE_DS_PERIPHERAL config option depends on MBEDTLS_PK_RSA_ALT_SUPPORT, but this symbol was never defined in the Kconfig system. It only existed as a preprocessor macro in esp_config.h.

This caused the DS peripheral option to be unavailable in menuconfig, even on chips that support it (ESP32-S2, ESP32-S3, ESP32-C3, etc.), resulting in build errors when using ds_data in esp_http_client_config_t.

Add the missing Kconfig option with proper dependencies on MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED.

Description

Related

Testing

---

Checklist

Before submitting a Pull Request, please ensure the following:

• [ *] 🚨 This PR does not introduce breaking changes.
• All CI checks (GH Actions) pass.
• Documentation is updated as needed.
• Tests are updated or added as necessary.
• Code is well-commented, especially in complex areas.
• Git history is clean — commits are squashed to the minimum necessary.

---

Note

Low Risk
Low risk: this only adds a missing Kconfig symbol with conservative dependencies, affecting menuconfig visibility/build config rather than runtime crypto behavior.

Overview
Adds the previously-missing MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option to the mbedTLS Asymmetric Ciphers menu.

The new option defaults to enabled and is gated by MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED, allowing features (e.g., DS-peripheral-backed RSA signing via mbedtls_pk_setup_rsa_alt()) to be selected via menuconfig instead of relying on an undefined symbol.

^{Written by Cursor Bugbot for commit 5402097. This will update automatically on new commits. Configure here.}

[CLAassistant]

All committers have signed the CLA.

[github-actions]

	Messages
📖	🎉 Good Job! All checks are passing!

👋 Hello Yuerchu, we appreciate your contribution to this project!

---

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

---

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

---

Click to see more instructions ...

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...

We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is public mirror of our internal git repository

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests it is merged into the default branch.
5. On next sync from the internal git repository merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against 5402097

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Kconfig option missing corresponding macro definition mapping

High Severity

The new MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option creates CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT in sdkconfig, but there's no corresponding mapping in esp_config.h to define the actual MBEDTLS_PK_RSA_ALT_SUPPORT macro for mbedTLS. Without this mapping, the mbedTLS library won't see the macro as defined, and mbedtls_pk_setup_rsa_alt() won't be compiled in, rendering the configuration option ineffective.

 

[cursor]

Missing dependency on MBEDTLS_PK_C in Kconfig

Medium Severity

The MBEDTLS_PK_RSA_ALT_SUPPORT option depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED but is missing a dependency on MBEDTLS_PK_C. The mbedtls_pk_setup_rsa_alt() function is part of the PK layer, so enabling this option without MBEDTLS_PK_C creates an inconsistent configuration. If MBEDTLS_MD_C is disabled (which disables MBEDTLS_PK_C), this option can still be enabled despite the PK layer not being available.

 

[Copilot]

Pull request overview

This pull request adds a missing Kconfig option MBEDTLS_PK_RSA_ALT_SUPPORT to make the Digital Signature (DS) peripheral feature properly configurable through menuconfig. The issue reported (#18181) indicated that users couldn't enable ESP_TLS_USE_DS_PERIPHERAL functionality, resulting in build errors when trying to use the ds_data field.

Changes:

• Adds MBEDTLS_PK_RSA_ALT_SUPPORT Kconfig option with dependencies on MBEDTLS_RSA_C and SOC_DIG_SIGN_SUPPORTED
• Sets default to 'y' for chips supporting digital signature peripheral
• Provides documentation about using external RSA keys and DS peripheral integration

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The help text mentions "mbedtls_pk_setup_rsa_alt()" function, but this function doesn't appear to exist in the current codebase. Please verify that this is the correct function name or update the help text to reflect the actual API being used. If this is a standard mbedTLS function that should be available, please confirm the implementation is present.

Suggested change

	When enabled, the application can use mbedtls_pk_setup_rsa_alt() to
	register a custom RSA signature callback.
	When enabled, the application can register a custom RSA signature
	callback in the PK layer (for example, to delegate private-key
	operations to an external device such as an HSM).

[Copilot]

Minor typo: "eg" should be "e.g." (with periods) for proper abbreviation of "exempli gratia" (for example).

Suggested change

	bool "Support external private RSA keys (eg from a HSM) in the PK layer"
	default y
	depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
	help
	Support external private RSA keys (eg from a HSM) in the PK layer.
	bool "Support external private RSA keys (e.g. from a HSM) in the PK layer"
	default y
	depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
	help
	Support external private RSA keys (e.g. from a HSM) in the PK layer.

[Copilot]

Minor typo: "eg" should be "e.g." (with periods) for proper abbreviation of "exempli gratia" (for example).

Suggested change

	bool "Support external private RSA keys (eg from a HSM) in the PK layer"
	default y
	depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
	help
	Support external private RSA keys (eg from a HSM) in the PK layer.
	bool "Support external private RSA keys (e.g. from a HSM) in the PK layer"
	default y
	depends on MBEDTLS_RSA_C && SOC_DIG_SIGN_SUPPORTED
	help
	Support external private RSA keys (e.g. from a HSM) in the PK layer.

[Copilot]

The CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT option is being added but there's no corresponding code that checks for this config option or defines the MBEDTLS_PK_RSA_ALT_SUPPORT preprocessor macro.

Typically, Kconfig options like CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT need to be converted to MBEDTLS_PK_RSA_ALT_SUPPORT macros in components/mbedtls/port/include/mbedtls/esp_config.h following the established pattern (similar to how CONFIG_MBEDTLS_RSA_C is converted to MBEDTLS_RSA_C).

Additionally, if ESP_TLS_USE_DS_PERIPHERAL truly depends on this option, then components/esp-tls/Kconfig should be updated to add "depends on MBEDTLS_PK_RSA_ALT_SUPPORT" or "select MBEDTLS_PK_RSA_ALT_SUPPORT" to the ESP_TLS_USE_DS_PERIPHERAL config option.

[Yuerchu]

It seems I submitted to the wrong branch. This fix is intended to address the issue that occurred in v5.5.x. The problem has already been resolved for the master branch through PSA migration and no modification is needed. I will close this submission and create a new pull request to the release/v5.5 branch.