zephyrproject-rtos · valeriosetti · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025
diff --git a/doc/releases/migration-guide-4.4.rst b/doc/releases/migration-guide-4.4.rst
@@ -105,6 +105,13 @@ Networking
 Other subsystems
 ****************
 
+JWT
+===
+
+* Previously deprecated ``CONFIG_JWT_SIGN_RSA_LEGACY`` is removed. This removal happens before
+  the usual deprecation period of 2 releases because it has been agreed (see :github:`97660`)
+  that Mbed TLS is an external module, so normal deprecation rules do not apply in this case.
+
 Modules
 *******
 

diff --git a/subsys/jwt/CMakeLists.txt b/subsys/jwt/CMakeLists.txt
@@ -2,11 +2,6 @@
 
 zephyr_library()
 zephyr_library_sources(jwt.c)
-
-zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_RSA_LEGACY jwt_legacy_rsa.c)
-
-if(CONFIG_JWT_SIGN_RSA_PSA OR CONFIG_JWT_SIGN_ECDSA_PSA)
-  zephyr_library_sources(jwt_psa.c)
-endif()
+zephyr_library_sources(jwt_psa.c)
 
 zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
@@ -16,17 +16,6 @@ choice
 	help
 	  Select which algorithm to use for signing JWT tokens.
 
-config JWT_SIGN_RSA_LEGACY
-	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library [DEPRECATED]"
-	depends on ENTROPY_NODE_ENABLED
-	select DEPRECATED
-	select MBEDTLS
-	select MBEDTLS_MD_C
-	select MBEDTLS_RSA_C
-	select MBEDTLS_PKCS1_V15
-	select MBEDTLS_PKCS1_V21
-	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-
 config JWT_SIGN_RSA_PSA
 	bool "Use RSA signature (RS-256). Use PSA Crypto API."
 	select PSA_CRYPTO

diff --git a/subsys/jwt/jwt.c b/subsys/jwt/jwt.c
@@ -14,7 +14,7 @@
 
 #include "jwt.h"
 
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 #define JWT_SIGNATURE_LEN 256
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */
 #define JWT_SIGNATURE_LEN 64
@@ -143,7 +143,7 @@ static int jwt_add_header(struct jwt_builder *builder)
 	 * Use https://www.base64encode.org/ for update
 	 */
 	const char jwt_header[] =
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 		/* {"alg":"RS256","typ":"JWT"} */
 		"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */

diff --git a/subsys/jwt/jwt_legacy_rsa.c b/subsys/jwt/jwt_legacy_rsa.c
diff --git a/tests/subsys/jwt/src/jwt-test-private.c b/tests/subsys/jwt/src/jwt-test-private.c
@@ -4,7 +4,7 @@
  *
  */
 
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 
 /* To generate the key in the correct format use the following command:
  * $ openssl genrsa 2048 | openssl rsa -outform DER | xxd -i

diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml
@@ -19,10 +19,6 @@ tests:
       # source.
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
-  libraries.encoding.jwt.rsa.legacy:
-    filter: CSPRNG_ENABLED
-    extra_configs:
-      - CONFIG_JWT_SIGN_RSA_LEGACY=y
   libraries.encoding.jwt.rsa.psa:
     extra_configs:
       - CONFIG_JWT_SIGN_RSA_PSA=y