xref: /linux/crypto/asymmetric_keys/Kconfig (revision 6f7e6393d1ce636bb7ec77a7fe7b77458fddf701)
1# SPDX-License-Identifier: GPL-2.0
2menuconfig ASYMMETRIC_KEY_TYPE
3	bool "Asymmetric (public-key cryptographic) key type"
4	depends on KEYS
5	help
6	  This option provides support for a key type that holds the data for
7	  the asymmetric keys used for public key cryptographic operations such
8	  as encryption, decryption, signature generation and signature
9	  verification.
10
11if ASYMMETRIC_KEY_TYPE
12
13config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
14	tristate "Asymmetric public-key crypto algorithm subtype"
15	select MPILIB
16	select CRYPTO_HASH_INFO
17	select CRYPTO_AKCIPHER
18	select CRYPTO_SIG
19	select CRYPTO_HASH
20	help
21	  This option provides support for asymmetric public key type handling.
22	  If signature generation and/or verification are to be used,
23	  appropriate hash algorithms (such as SHA-1) must be available.
24	  ENOPKG will be reported if the requisite algorithm is unavailable.
25
26config X509_CERTIFICATE_PARSER
27	tristate "X.509 certificate parser"
28	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
29	select ASN1
30	select OID_REGISTRY
31	help
32	  This option provides support for parsing X.509 format blobs for key
33	  data and provides the ability to instantiate a crypto key from a
34	  public key packet found inside the certificate.
35
36config PKCS8_PRIVATE_KEY_PARSER
37	tristate "PKCS#8 private key parser"
38	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
39	select ASN1
40	select OID_REGISTRY
41	help
42	  This option provides support for parsing PKCS#8 format blobs for
43	  private key data and provides the ability to instantiate a crypto key
44	  from that data.
45
46config PKCS7_MESSAGE_PARSER
47	tristate "PKCS#7 message parser"
48	depends on X509_CERTIFICATE_PARSER
49	select CRYPTO_HASH
50	select ASN1
51	select OID_REGISTRY
52	help
53	  This option provides support for parsing PKCS#7 format messages for
54	  signature data and provides the ability to verify the signature.
55
56config PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
57	bool "Waive rejection of authenticatedAttributes for ML-DSA"
58	depends on PKCS7_MESSAGE_PARSER
59	depends on CRYPTO_MLDSA
60	help
61	  Due to use of CMS_NOATTR with ML-DSA not being supported in
62	  OpenSSL < 4.0 (and thus any released version), enabling this
63	  allows authenticatedAttributes to be used with ML-DSA for
64	  module signing.  Use of authenticatedAttributes in this
65	  context is normally rejected.
66
67config PKCS7_TEST_KEY
68	tristate "PKCS#7 testing key type"
69	depends on SYSTEM_DATA_VERIFICATION
70	help
71	  This option provides a type of key that can be loaded up from a
72	  PKCS#7 message - provided the message is signed by a trusted key.  If
73	  it is, the PKCS#7 wrapper is discarded and reading the key returns
74	  just the payload.  If it isn't, adding the key will fail with an
75	  error.
76
77	  This is intended for testing the PKCS#7 parser.
78
79config SIGNED_PE_FILE_VERIFICATION
80	bool "Support for PE file signature verification"
81	depends on PKCS7_MESSAGE_PARSER=y
82	depends on SYSTEM_DATA_VERIFICATION
83	select CRYPTO_HASH
84	select ASN1
85	select OID_REGISTRY
86	help
87	  This option provides support for verifying the signature(s) on a
88	  signed PE binary.
89
90config FIPS_SIGNATURE_SELFTEST
91	tristate "Run FIPS selftests on the X.509+PKCS7 signature verification"
92	help
93	  This option causes some selftests to be run on the signature
94	  verification code, using some built in data.  This is required
95	  for FIPS.
96	depends on KEYS
97	depends on ASYMMETRIC_KEY_TYPE
98	depends on PKCS7_MESSAGE_PARSER=X509_CERTIFICATE_PARSER
99	depends on X509_CERTIFICATE_PARSER
100	depends on CRYPTO_RSA
101	depends on CRYPTO_SHA256
102
103config FIPS_SIGNATURE_SELFTEST_RSA
104	bool
105	default y
106	depends on FIPS_SIGNATURE_SELFTEST
107	depends on CRYPTO_SHA256=y || CRYPTO_SHA256=FIPS_SIGNATURE_SELFTEST
108	depends on CRYPTO_RSA=y || CRYPTO_RSA=FIPS_SIGNATURE_SELFTEST
109
110config FIPS_SIGNATURE_SELFTEST_ECDSA
111	bool
112	default y
113	depends on FIPS_SIGNATURE_SELFTEST
114	depends on CRYPTO_SHA256=y || CRYPTO_SHA256=FIPS_SIGNATURE_SELFTEST
115	depends on CRYPTO_ECDSA=y || CRYPTO_ECDSA=FIPS_SIGNATURE_SELFTEST
116
117endif # ASYMMETRIC_KEY_TYPE
118