author | Rob Austein <sra@hactrn.net> | 2017-05-09 22:59:04 -0400
---|---|---
committer | Rob Austein <sra@hactrn.net> | 2017-05-09 22:59:04 -0400
commit | 743ec40231db809d22487ee60f64d00b7b845807 |
tree | 251b98507a91d92851c8f0afcf5702056da6630b |
parent | 89f03d199f820f3de967ee2a72b7d9a4cf21ea7f |
Update README.md.
-rw-r--r-- | README.md | 25 |
1 files changed, 13 insertions, 12 deletions
@@ -14,7 +14,11 @@ Along with the PKCS #11 library itself, the package includes a companion Python interface ("cryptech.py11"), which uses the ctypes module from the Python standard library to talk to the PKCS #11 implementation. The Python implementation is intended primarily to -simplify testing the C code, but can be used for other purposes. +simplify testing the C code, but can be used for other purposes; while +it seems unlikely that anything could ever make PKCS #11 "fun", the +`cryptech.py11` library attempts to make it a bit less awful by +providing both direct acess to the raw PKCS #11 API and a somewhat +more "pythonic" API layered on top of the raw API. ## Novel design features ## 
@@ -40,17 +44,15 @@ The underlying cryptographic support comes from the [Cryptech][] Testing to date has been done using the `bin/pkcs11/` tools from the BIND9 distribution, the `hsmcheck` and `ods-hsmutil` tools from the -OpenDNSSEC distribution, the `hsmbully` diagnostic tool, and a -preliminary set of unit tests using Python's unittest library. Beyond -the test results (such as they are) reported by these tools, the -primary test of whether the PKCS #11 code is working as expected has -been validation of the signed DNSSEC data generated by `hsmcheck -s`, -via a script using [DNSPython][]. +OpenDNSSEC distribution, the `hsmbully` diagnostic tool, the Google +`pkcs11test` test suite, and a somewhat ad hoc set of unit tests using +Python's unittest library along with our own `cryptech.py11` library. -In a nutshell, the current state is that the code runs without -throwing any obvious errors, generates what DNSPython thinks are good -signatures, and passes some fairly basic tests. More testing would be -a really good idea. +The library is also known to work as an `OpenSSL` engine when used +with the `engine-pkcs11` package spun out of the OpenSC project. This +has not been tested extensively, but key generation, signature, and +verification all work (with RSA keys -- the engine appears not to +understand ECDSA keys, we have not investigated into details here). ## Copyright status ## @@ -63,5 +65,4 @@ Code written for the [Cryptech][] project is under the usual Cryptech BSD-style license. [PKCS11]: http://www.cryptsoft.com/pkcs11doc/STANDARD/ "PKCS #11" -[DNSPython]: http://www.dnspython.org/ "DNSPython" [Cryptech]: https://cryptech.is/ "Cryptech" |
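Review bot: the first hunk introduces a typo in the added line `providing both direct acess to the raw PKCS #11 API and a somewhat`; "acess" should be "access" before this README text lands.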
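Review bot: in the second hunk, the added parenthetical `(with RSA keys -- the engine appears not to` / `understand ECDSA keys, we have not investigated into details here).` is a comma splice and "investigated into details" is ungrammatical; suggest "(with RSA keys; the engine appears not to understand ECDSA keys, and we have not investigated the details)". Separately, this hunk drops both the DNSPython validation sentence and the "In a nutshell" status paragraph, so the README now lists the test tools (`pkcs11test`, the unittest suite, `hsmbully`) without saying what their results are; a one-line statement of current test status, if the removed one is simply outdated, would keep that information from disappearing.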