X-Git-Url: https://www.wagner.pp.ru/gitweb/?a=blobdiff_plain;f=README.md;h=3ee1942e4c488bf186ad6d0633bb6bd009745b38;hb=556afe8dc2f0bcc32247ac99b649977dd3808d33;hp=cd91063ec370c97dc1091b5b02152976adb7c377;hpb=26cea2b5ab48f099b08a1cde56cf1bec0062a584;p=oss%2Fctypescrypto.git diff --git a/README.md b/README.md index cd91063..3ee1942 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,6 @@ Also, this extension takes some care of correctly converting textual information from ASN.1 structures into unicode. - Digest calculation ------------------ @@ -45,6 +44,23 @@ ctypescrypto modules, so it would work with engine-provided digests. Additionally there is **DigestType** class which may be needed to construct CMS SignedData objects or add signatures to them. + +MAC calculation +--------------- + +Mac is Message Authentication Code - it is like keyed digest, which +depends not only on message, but also on key, which should be used both +when initially computing MAC and when verifying it. MACs can be viewed +as "digital signatures with symmetric keys". + +Most common type of MAC is HMAC (i.e. hash-based MAC), described in +[RFC 2104](https://tools.ietf.org/html/rfc2104), but there are other, +for instance [GOST 28147-89](https://tools.ietf.org/html/rfc5830) defines MAC based on symmetric cipher. +Also GSM 0348 uses DES symmetric cipher as MAC. OpenSSL supports +GOST mac via loadable engine module, but doesn't seem to support any +non-HMAC MAC in the core. So, MAC is only test in the test suite which +requires loadable engine. + Symmetric ciphers ----------------- @@ -78,6 +94,19 @@ python big integer. X509 certificates ----------------- +Certificates are cryptographically signed documents, which tie together +public key and some attributes of key owner (certificate subject). +Certificates are signed by some trusted organizations called Certificate +Authorities (one which have issued given certificate, is called +certificate issuer). Your browser or operating system typically have +predefined store of the trusted CA certificates (although nothing +prevent you from running your own CA using openssl command line utility, +and trust only it). + + + +Certificates are described in [RFC 5280](http://tools.ietf.org/html/rfc5280) + Module **ctypescrypto.x509** contains objects **X509** which represents certificate (and can be constructed from string, contained PEM or DER certificate) and object **X509Store** which is a store of trusted @@ -103,6 +132,16 @@ some operations with CMS and certificate verification. CMS documents ------------- +CMS stands for Cryptographic Message Syntax. It is defined in the +[RFC 5652](http://tools.ietf.org/html/rfc5652). +CMS defines several types of documents. There is **SignedData**, +which can be read by anyone, but is protected from authorized changes +by digital signature of its author. There is **EnvelopedData** protected +from unauthorized reading by cipher and allowed to be read only by +owners of certain private keys, and there is **EncryptedData**, which +are protected by symmetric cipher keys. + + There is basic factory function **CMS()**, which parses PEM or der representation of cryptographic message and generates appropriate object. There are **SignedData**, **EnvelopedData** and @@ -164,15 +203,30 @@ cryptographic algorithms, provided by **gost** engine. Test Suite ---------- +Tests can be run using + + python setup.py test + Test suite is fairly incomplete. Contributions are welcome. +Note that you need properly installed OpenSSL library with set of CA +certificates in the certs directory, otherwise default certstore test +would fail. + +You also need gost engine to be available (check with + + openssl engine gost + +) otherwise mac test would crash with error. Unfortunately there is no +non-HMAC MAC in the openssl core, so GOST MAC is only option. + Possible future enhancements ---------------------------- -1. Create and signing of the certificate requests (PKCS#10) +1. Creation and signing of the certificate requests (PKCS#10) 2. Parsing and analyzing CRLs -3. OCSP request creation and response parsing -4. Timestamping ([RFC 3161](http://www.ietf.org/rfc/rfc3161.txt)) +3. OCSP ([RFC 6960](http://tools.ietf.org/html/rfc6960))request creation and response parsing +4. Timestamping ([RFC 3161](http://tools.ietf.org/html/rfc3161)) support. -6. MAC support. Few people know that there is more MACs than just HMAC, -and even fewer, that OpenSSL supports them. + + vim: spelllang=en tw=72