# SPDX-License-Identifier: GPL-2.0
#
# Kconfig menu for the asymmetric (public-key) key type and the parsers and
# verifiers built on it: X.509, PKCS#8, PKCS#7, signed PE files and the FIPS
# signature selftests. Everything between "if ASYMMETRIC_KEY_TYPE" and the
# closing "endif" is only visible when the top-level symbol is enabled.

# Top-level switch for the menu. Requires the kernel key retention service
# (KEYS).
menuconfig ASYMMETRIC_KEY_TYPE
	bool "Asymmetric (public-key cryptographic) key type"
	depends on KEYS
	help
	  This option provides support for a key type that holds the data for
	  the asymmetric keys used for public key cryptographic operations such
	  as encryption, decryption, signature generation and signature
	  verification.

if ASYMMETRIC_KEY_TYPE

# Public-key subtype. The selects pull in the big-number library and the
# crypto API pieces (akcipher, sig, hash) it is built on.
# Per the help text, a missing hash or signature algorithm is reported as
# ENOPKG when it is needed, not at configuration time, so check that the
# algorithms used by the signatures you expect to verify are enabled.
# NOTE(review): the help text names SHA-1 only as an example. SHA-1 is no
# longer collision-resistant; make a SHA-2 family (or stronger) hash available
# for signature verification rather than relying on SHA-1.
config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	tristate "Asymmetric public-key crypto algorithm subtype"
	select MPILIB
	select CRYPTO_HASH_INFO
	select CRYPTO_AKCIPHER
	select CRYPTO_SIG
	select CRYPTO_HASH
	help
	  This option provides support for asymmetric public key type handling.
	  If signature generation and/or verification are to be used,
	  appropriate hash algorithms (such as SHA-1) must be available.
	  ENOPKG will be reported if the requisite algorithm is unavailable.

# X.509 parser: turns a certificate blob into a key holding its public key.
# Selects the ASN.1 decoder and OID registry it needs.
# NOTE(review): this code parses certificate blobs handed to the kernel; the
# trust decision about which certificates are accepted is made elsewhere
# (not shown in this file).
config X509_CERTIFICATE_PARSER
	tristate "X.509 certificate parser"
	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select ASN1
	select CRYPTO_LIB_SHA256
	select OID_REGISTRY
	help
	  This option provides support for parsing X.509 format blobs for key
	  data and provides the ability to instantiate a crypto key from a
	  public key packet found inside the certificate.

# PKCS#8 parser: instantiates a key from private key data.
# NOTE(review): enabling this allows private-key material to be loaded into a
# kernel key; leave it off unless something on the system needs in-kernel
# private-key operations.
config PKCS8_PRIVATE_KEY_PARSER
	tristate "PKCS#8 private key parser"
	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select ASN1
	select OID_REGISTRY
	help
	  This option provides support for parsing PKCS#8 format blobs for
	  private key data and provides the ability to instantiate a crypto key
	  from that data.

# PKCS#7 parser and signature verifier. Built on the X.509 parser, so it can
# only be enabled when that is.
config PKCS7_MESSAGE_PARSER
	tristate "PKCS#7 message parser"
	depends on X509_CERTIFICATE_PARSER
	select CRYPTO_HASH
	select ASN1
	select OID_REGISTRY
	help
	  This option provides support for parsing PKCS#7 format messages for
	  signature data and provides the ability to verify the signature.

# Policy relaxation, not a feature switch: per the help text,
# authenticatedAttributes are normally rejected in the module-signing context,
# and setting this to y accepts them when the signature algorithm is ML-DSA.
# There is no "default" line, so the rejection stays in force unless this is
# explicitly enabled.
# NOTE(review): the stated reason is a signing-tool limitation (CMS_NOATTR
# with ML-DSA in OpenSSL < 4.0). Treat it as a compatibility workaround and
# revisit it once the signing toolchain no longer needs it.
config PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
	bool "Waive rejection of authenticatedAttributes for ML-DSA"
	depends on PKCS7_MESSAGE_PARSER
	depends on CRYPTO_MLDSA
	help
	  Due to use of CMS_NOATTR with ML-DSA not being supported in
	  OpenSSL < 4.0 (and thus any released version), enabling this
	  allows authenticatedAttributes to be used with ML-DSA for
	  module signing. Use of authenticatedAttributes in this
	  context is normally rejected.

# Test-only key type: the help text states it exists for testing the PKCS#7
# parser. The key is only added if the message is signed by a trusted key.
# NOTE(review): nothing here restricts it to debug builds; production
# configurations presumably want this left disabled - confirm against your
# config policy.
config PKCS7_TEST_KEY
	tristate "PKCS#7 testing key type"
	depends on SYSTEM_DATA_VERIFICATION
	help
	  This option provides a type of key that can be loaded up from a
	  PKCS#7 message - provided the message is signed by a trusted key. If
	  it is, the PKCS#7 wrapper is discarded and reading the key returns
	  just the payload. If it isn't, adding the key will fail with an
	  error.

	  This is intended for testing the PKCS#7 parser.

# Signature verification for signed PE binaries. "PKCS7_MESSAGE_PARSER=y"
# requires the PKCS#7 parser to be built in; a modular (=m) parser does not
# satisfy this dependency.
config SIGNED_PE_FILE_VERIFICATION
	bool "Support for PE file signature verification"
	depends on PKCS7_MESSAGE_PARSER=y
	depends on SYSTEM_DATA_VERIFICATION
	select CRYPTO_HASH
	select ASN1
	select OID_REGISTRY
	help
	  This option provides support for verifying the signature(s) on a
	  signed PE binary.

# Selftests for the X.509 + PKCS#7 signature verification path, run against
# built-in data.
# "PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER" requires the two parsers to
# have the same tristate value (both built in or both modular).
# NOTE(review): the "depends on" lines follow the help text. Kconfig ends a
# help block when the indentation drops, so they are still attributes of this
# entry as long as the indentation is intact; the usual convention is to put
# help last. The KEYS and ASYMMETRIC_KEY_TYPE dependencies repeat what the
# enclosing "if ASYMMETRIC_KEY_TYPE" and the menuconfig entry already require.
config FIPS_SIGNATURE_SELFTEST
	tristate "Run FIPS selftests on the X.509+PKCS7 signature verification"
	help
	  This option causes some selftests to be run on the signature
	  verification code, using some built in data. This is required
	  for FIPS.
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER
	depends on X509_CERTIFICATE_PARSER
	depends on CRYPTO_RSA
	depends on CRYPTO_SHA256

# Hidden symbol (no prompt), on by default when the selftest is enabled and
# SHA-256 and RSA are each either built in or have the same tristate value as
# the selftest itself.
# NOTE(review): presumably this keeps a built-in selftest from depending on a
# modular algorithm - confirm against the selftest sources.
config FIPS_SIGNATURE_SELFTEST_RSA
	bool
	default y
	depends on FIPS_SIGNATURE_SELFTEST
	depends on CRYPTO_SHA256=y || CRYPTO_SHA256=FIPS_SIGNATURE_SELFTEST
	depends on CRYPTO_RSA=y || CRYPTO_RSA=FIPS_SIGNATURE_SELFTEST

# Hidden symbol (no prompt), same pattern as the RSA one but for ECDSA. The
# parent selftest entry does not itself depend on CRYPTO_ECDSA, so this part
# is simply left out when ECDSA is unavailable or built differently.
config FIPS_SIGNATURE_SELFTEST_ECDSA
	bool
	default y
	depends on FIPS_SIGNATURE_SELFTEST
	depends on CRYPTO_SHA256=y || CRYPTO_SHA256=FIPS_SIGNATURE_SELFTEST
	depends on CRYPTO_ECDSA=y || CRYPTO_ECDSA=FIPS_SIGNATURE_SELFTEST

endif # ASYMMETRIC_KEY_TYPE