aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md25
1 files changed, 13 insertions, 12 deletions
diff --git a/README.md b/README.md
index 0671398..d846fe2 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,11 @@ Along with the PKCS #11 library itself, the package includes a
companion Python interface ("cryptech.py11"), which uses the ctypes
module from the Python standard library to talk to the PKCS #11
implementation. The Python implementation is intended primarily to
-simplify testing the C code, but can be used for other purposes.
+simplify testing the C code, but can be used for other purposes; while
+it seems unlikely that anything could ever make PKCS #11 "fun", the
+`cryptech.py11` library attempts to make it a bit less awful by
+providing both direct acess to the raw PKCS #11 API and a somewhat
+more "pythonic" API layered on top of the raw API.
## Novel design features ##
@@ -40,17 +44,15 @@ The underlying cryptographic support comes from the [Cryptech][]
Testing to date has been done using the `bin/pkcs11/` tools from the
BIND9 distribution, the `hsmcheck` and `ods-hsmutil` tools from the
-OpenDNSSEC distribution, the `hsmbully` diagnostic tool, and a
-preliminary set of unit tests using Python's unittest library. Beyond
-the test results (such as they are) reported by these tools, the
-primary test of whether the PKCS #11 code is working as expected has
-been validation of the signed DNSSEC data generated by `hsmcheck -s`,
-via a script using [DNSPython][].
+OpenDNSSEC distribution, the `hsmbully` diagnostic tool, the Google
+`pkcs11test` test suite, and a somewhat ad hoc set of unit tests using
+Python's unittest library along with our own `cryptech.py11` library.
-In a nutshell, the current state is that the code runs without
-throwing any obvious errors, generates what DNSPython thinks are good
-signatures, and passes some fairly basic tests. More testing would be
-a really good idea.
+The library is also known to work as an `OpenSSL` engine when used
+with the `engine-pkcs11` package spun out of the OpenSC project. This
+has not been tested extensively, but key generation, signature, and
+verification all work (with RSA keys -- the engine appears not to
+understand ECDSA keys, we have not investigated into details here).
## Copyright status ##
@@ -63,5 +65,4 @@ Code written for the [Cryptech][] project is under the usual Cryptech
BSD-style license.
[PKCS11]: http://www.cryptsoft.com/pkcs11doc/STANDARD/ "PKCS #11"
-[DNSPython]: http://www.dnspython.org/ "DNSPython"
[Cryptech]: https://cryptech.is/ "Cryptech"