X-Git-Url: https://www.wagner.pp.ru/gitweb/?a=blobdiff_plain;f=README.md;h=3ee1942e4c488bf186ad6d0633bb6bd009745b38;hb=556afe8dc2f0bcc32247ac99b649977dd3808d33;hp=5e4f302512d731fbf49ef9f0dc40cc4a649982b1;hpb=e6baf33e557c187eebd1eb1b777f213ceabc351e;p=oss%2Fctypescrypto.git diff --git a/README.md b/README.md index 5e4f302..3ee1942 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,6 @@ Also, this extension takes some care of correctly converting textual information from ASN.1 structures into unicode. - Digest calculation ------------------ @@ -45,6 +44,23 @@ ctypescrypto modules, so it would work with engine-provided digests. Additionally there is **DigestType** class which may be needed to construct CMS SignedData objects or add signatures to them. + +MAC calculation +--------------- + +Mac is Message Authentication Code - it is like keyed digest, which +depends not only on message, but also on key, which should be used both +when initially computing MAC and when verifying it. MACs can be viewed +as "digital signatures with symmetric keys". + +Most common type of MAC is HMAC (i.e. hash-based MAC), described in +[RFC 2104](https://tools.ietf.org/html/rfc2104), but there are other, +for instance [GOST 28147-89](https://tools.ietf.org/html/rfc5830) defines MAC based on symmetric cipher. +Also GSM 0348 uses DES symmetric cipher as MAC. OpenSSL supports +GOST mac via loadable engine module, but doesn't seem to support any +non-HMAC MAC in the core. So, MAC is only test in the test suite which +requires loadable engine. + Symmetric ciphers ----------------- @@ -78,6 +94,19 @@ python big integer. X509 certificates ----------------- +Certificates are cryptographically signed documents, which tie together +public key and some attributes of key owner (certificate subject). +Certificates are signed by some trusted organizations called Certificate +Authorities (one which have issued given certificate, is called +certificate issuer). Your browser or operating system typically have +predefined store of the trusted CA certificates (although nothing +prevent you from running your own CA using openssl command line utility, +and trust only it). + + + +Certificates are described in [RFC 5280](http://tools.ietf.org/html/rfc5280) + Module **ctypescrypto.x509** contains objects **X509** which represents certificate (and can be constructed from string, contained PEM or DER certificate) and object **X509Store** which is a store of trusted @@ -103,6 +132,16 @@ some operations with CMS and certificate verification. CMS documents ------------- +CMS stands for Cryptographic Message Syntax. It is defined in the +[RFC 5652](http://tools.ietf.org/html/rfc5652). +CMS defines several types of documents. There is **SignedData**, +which can be read by anyone, but is protected from authorized changes +by digital signature of its author. There is **EnvelopedData** protected +from unauthorized reading by cipher and allowed to be read only by +owners of certain private keys, and there is **EncryptedData**, which +are protected by symmetric cipher keys. + + There is basic factory function **CMS()**, which parses PEM or der representation of cryptographic message and generates appropriate object. There are **SignedData**, **EnvelopedData** and @@ -170,6 +209,17 @@ Tests can be run using Test suite is fairly incomplete. Contributions are welcome. +Note that you need properly installed OpenSSL library with set of CA +certificates in the certs directory, otherwise default certstore test +would fail. + +You also need gost engine to be available (check with + + openssl engine gost + +) otherwise mac test would crash with error. Unfortunately there is no +non-HMAC MAC in the openssl core, so GOST MAC is only option. + Possible future enhancements ---------------------------- @@ -178,5 +228,5 @@ Possible future enhancements 3. OCSP ([RFC 6960](http://tools.ietf.org/html/rfc6960))request creation and response parsing 4. Timestamping ([RFC 3161](http://tools.ietf.org/html/rfc3161)) support. -6. MAC support. Few people know that there is more MACs than just HMAC, -and even fewer, that OpenSSL supports them. + + vim: spelllang=en tw=72