From 743ec40231db809d22487ee60f64d00b7b845807 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Tue, 9 May 2017 22:59:04 -0400 Subject: Update README.md. --- README.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 0671398..d846fe2 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,11 @@ Along with the PKCS #11 library itself, the package includes a companion Python interface ("cryptech.py11"), which uses the ctypes module from the Python standard library to talk to the PKCS #11 implementation. The Python implementation is intended primarily to -simplify testing the C code, but can be used for other purposes. +simplify testing the C code, but can be used for other purposes; while +it seems unlikely that anything could ever make PKCS #11 "fun", the +`cryptech.py11` library attempts to make it a bit less awful by +providing both direct acess to the raw PKCS #11 API and a somewhat +more "pythonic" API layered on top of the raw API. ## Novel design features ## 
@@ -40,17 +44,15 @@ The underlying cryptographic support comes from the [Cryptech][] Testing to date has been done using the `bin/pkcs11/` tools from the BIND9 distribution, the `hsmcheck` and `ods-hsmutil` tools from the -OpenDNSSEC distribution, the `hsmbully` diagnostic tool, and a -preliminary set of unit tests using Python's unittest library. Beyond -the test results (such as they are) reported by these tools, the -primary test of whether the PKCS #11 code is working as expected has -been validation of the signed DNSSEC data generated by `hsmcheck -s`, -via a script using [DNSPython][]. +OpenDNSSEC distribution, the `hsmbully` diagnostic tool, the Google +`pkcs11test` test suite, and a somewhat ad hoc set of unit tests using +Python's unittest library along with our own `cryptech.py11` library. -In a nutshell, the current state is that the code runs without -throwing any obvious errors, generates what DNSPython thinks are good -signatures, and passes some fairly basic tests. More testing would be -a really good idea. +The library is also known to work as an `OpenSSL` engine when used +with the `engine-pkcs11` package spun out of the OpenSC project. This +has not been tested extensively, but key generation, signature, and +verification all work (with RSA keys -- the engine appears not to +understand ECDSA keys, we have not investigated into details here). ## Copyright status ## @@ -63,5 +65,4 @@ Code written for the [Cryptech][] project is under the usual Cryptech BSD-style license. [PKCS11]: http://www.cryptsoft.com/pkcs11doc/STANDARD/ "PKCS #11" -[DNSPython]: http://www.dnspython.org/ "DNSPython" [Cryptech]: https://cryptech.is/ "Cryptech" -- cgit v1.2.3
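Review bot: typo in the first hunk's added text, `providing both direct acess to the raw PKCS #11 API` should read `direct access`. The added sentence also runs four clauses together after a semicolon; splitting it at `; while it seems unlikely` into its own sentence ("It seems unlikely that anything could ever make PKCS #11 "fun", but ...") would read more cleanly in the README.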
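Review bot: in the second hunk, the parenthetical `(with RSA keys -- the engine appears not to understand ECDSA keys, we have not investigated into details here)` is a comma splice with a non-idiomatic phrase; suggest `(with RSA keys; the engine appears not to understand ECDSA keys, and we have not investigated the details)`. Two smaller points in the same hunk: `OpenSSL` is a product name, not a command or identifier, so it does not need backticks (`engine-pkcs11`, being a package name, does), and the removed paragraph was the README's only statement of test outcome (signatures validated by DNSPython); the new text lists the test tools, including the Google `pkcs11test` suite, but no longer says whether the code passes them. A one-line statement of the current result would keep the "Testing" section from reading as a tool inventory only.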
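Review bot: the third hunk's removal of the `[DNSPython]` link definition is consistent with the previous hunk, which dropped the only `[DNSPython][]` reference in the file, so no dangling link reference remains; nothing further needed here.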