python-pskc branch master updated. e96c7466d8b82bc37c99aa6b4639433e90eb9fff
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
python-pskc branch master updated. e96c7466d8b82bc37c99aa6b4639433e90eb9fff
- From: Commits of the python-pskc project <python-pskc-commits [at] lists.arthurdejong.org>
- To: python-pskc-commits [at] lists.arthurdejong.org
- Reply-to: python-pskc-users [at] lists.arthurdejong.org
- Subject: python-pskc branch master updated. e96c7466d8b82bc37c99aa6b4639433e90eb9fff
- Date: Mon, 19 May 2014 22:25:56 +0200 (CEST)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "python-pskc".
The branch, master has been updated
via e96c7466d8b82bc37c99aa6b4639433e90eb9fff (commit)
via edf4d24469f8b43f51171e9e97cabe0719b35ae6 (commit)
via 92a994dd5ff84d12e7277307aa016cbe5b605aea (commit)
via cc9bbb5082fe2b7e018fb8d61c5be04ad8249fa7 (commit)
from d0a78147aeafb5e38cebe8103fb454d8c8db3729 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://arthurdejong.org/git/python-pskc/commit/?id=e96c7466d8b82bc37c99aa6b4639433e90eb9fff
commit e96c7466d8b82bc37c99aa6b4639433e90eb9fff
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Mon May 19 22:18:48 2014 +0200
Provide Sphinx documentation
diff --git a/docs/_templates/autosummary/module.rst
b/docs/_templates/autosummary/module.rst
new file mode 100644
index 0000000..9a74f8d
--- /dev/null
+++ b/docs/_templates/autosummary/module.rst
@@ -0,0 +1,5 @@
+{{ fullname }}
+{{ underline }}
+
+.. automodule:: {{ fullname }}
+ :members:
diff --git a/docs/conf.py b/docs/conf.py
new file mode 100644
index 0000000..0ab5e14
--- /dev/null
+++ b/docs/conf.py
@@ -0,0 +1,191 @@
+# -*- coding: utf-8 -*-
+#
+# python-pksc documentation build configuration file, created by
+# sphinx-quickstart
+#
+# This file is execfile()d with the current directory set to its containing
dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+import pskc
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('..'))
+
+# -- General configuration
-----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = [
+ 'sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.todo',
+ 'sphinx.ext.coverage', 'sphinx.ext.autosummary'
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+source_encoding = 'utf-8'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'python-pskc'
+copyright = u'2014, Arthur de Jong'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = pskc.__version__
+# The full version, including alpha/beta/rc tags.
+release = version
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_*', '.svn', '.git']
+
+# The reST default role (used for this markup: `text`) to use for all
documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+modindex_common_prefix = ['pskc.', ]
+
+# Automatically generate stub pages for autosummary entries.
+autosummary_generate = True
+
+
+# -- Options for HTML output
---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+#html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+html_show_sourcelink = False
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Suffix for generated links to HTML files.
+#html_link_suffix = ''
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'python-pskcdoc'
+
+
+# -- Options for manual page output
--------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'python-pskc', u'python-pskc Documentation',
+ [u'Arthur de Jong'], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
diff --git a/docs/encryption.rst b/docs/encryption.rst
new file mode 100644
index 0000000..8213e8e
--- /dev/null
+++ b/docs/encryption.rst
@@ -0,0 +1,54 @@
+PSKC encryption
+===============
+
+.. module:: pskc.encryption
+
+The keys (and some other data) in PSKC files can be encrypted. Encryption of
+embedded data is defined in a PSKC file with either pre-shared keys,
+passphrase-based keys or asymmetric keys (asymmetric keys are currently
+unimplemented).
+
+Embedded PSKC encryption is handled inside the :class:`Encryption` class that
+defines encryption key and means of deriving keys. It is accessed from
+:attr:`pskc.PSKC.encryption`::
+
+ from pskc import PSKC
+ pskc = PSKC('somefile.pskcxml')
+ pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
+
+or::
+
+ pskc.encryption.derive_key('qwerty')
+
+Once the encryption key has been set up any encrypted key values from the
+PSKC file are available transparently.
+
+.. class:: Encryption
+
+ .. attribute:: id
+
+ Optional identifier of the encryption key.
+
+ .. attribute:: key_names
+
+ List of names provided for the encryption key.
+
+ .. attribute:: key_name
+
+ Since usually only one name is defined for a key but the schema allows
+ for multiple names, this is a shortcut for accessing the first value of
+ :attr:`key_names`.
+
+ .. attribute:: key
+
+ The binary value of the encryption key. In the case of pre-shared keys
+ this value should be set before trying to access encrypted information
+ in the PSKC file.
+
+ When using key derivation the secret key is available in this attribute
+ after calling :func:`derive_key`.
+
+ .. function:: derive_key(password)
+
+ Derive a key from the supplied password and information in the PSKC
+ file (generally algorithm, salt, etc.).
diff --git a/docs/index.rst b/docs/index.rst
new file mode 100644
index 0000000..131eb76
--- /dev/null
+++ b/docs/index.rst
@@ -0,0 +1,21 @@
+.. include:: ../README
+ :end-before: API
+
+
+Contents
+--------
+
+.. toctree::
+ :maxdepth: 2
+
+ usage
+ encryption
+ mac
+ policy
+
+
+Security considerations
+-----------------------
+
+.. include:: ../README
+ :start-after: -----------------------
diff --git a/docs/mac.rst b/docs/mac.rst
new file mode 100644
index 0000000..1df1dae
--- /dev/null
+++ b/docs/mac.rst
@@ -0,0 +1,29 @@
+Integrity checking
+==================
+
+.. module:: pskc.mac
+
+The PSKC format allows for `message authentication and integrity checking
+<https://tools.ietf.org/html/rfc6030#section-6.1.1>`_ for some of the values
+stored within the PSKC file.
+
+.. class:: MAC
+
+ .. attribute:: algorithm
+
+ The name of the MAC algorithm to use (currently only ``HMAC_SHA1`` is
+ supported).
+
+ .. attribute:: key
+
+ For HMAC checking, this contains the binary value of the MAC key. The
+ MAC key is generated specifically for each PSKC file and encrypted with
+ the PSKC encryption key, so the PSKC file should be decrypted first
+ (see :doc:`encryption`).
+
+Once the PSKC encryption key has been set up key values can be checked using
+the :func:`pskc.key.Key.check` method::
+
+ pskc = PSKC('somefile.pskcxml')
+ pskc.encryption.derive_key('qwerty')
+ all(key.check() for key in pskc.keys)
diff --git a/docs/policy.rst b/docs/policy.rst
new file mode 100644
index 0000000..54a1490
--- /dev/null
+++ b/docs/policy.rst
@@ -0,0 +1,169 @@
+Key usage policy
+================
+
+.. module:: pskc.policy
+
+The PSKC format allows for specifying `key and pin usage policy
<https://tools.ietf.org/html/rfc6030#section-5>`__.
+
+Instances of the :class:`Policy` class provide attributes that describe
+limits that are placed on key usage and requirements for key PIN protection.
+
+.. class:: Policy
+
+ .. attribute:: start_date
+
+ :class:`datetime.datetime` value that indicates that the key must not
+ be used before this date.
+
+ .. attribute:: expiry_date
+
+ :class:`datetime.datetime` value that indicates that the key must not
+ be used after this date. Systems should not rely upon the device to
+ enforce key usage date restrictions, as some devices do not have an
+ internal clock.
+
+ .. attribute:: number_of_transactions
+
+ The value indicates the maximum number of times a key carried within
+ the PSKC document may be used by an application after having received
+ it.
+
+ .. attribute:: key_usage
+
+ A list of `valid usage scenarios
+ <https://www.iana.org/assignments/pskc/pskc.xml#key-usage>`__ for the
+ key that the recipient should check against the intended usage of the
+ key. Also see :func:`may_use` and :ref:`the list of key usage constants
+ below <key-use-constants>`.
+
+ .. attribute:: pin_key_id
+
+ The unique `id` value used to reference the key within the PSKC file
+ that contains the value of the PIN that protects this key.
+
+ .. attribute:: pin_key
+
+ Instance of the :class:`pskc.key.Key` (if any) that contains the value
+ of the PIN referenced by :attr:`pin_key_id`.
+
+ .. attribute:: pin
+
+ PIN value referenced by :attr:`pin_key_id` (if any). The value is
+ transparently decrypted if possible.
+
+ .. attribute:: pin_usage
+
+ Describe how the PIN is used during the usage of the key. See :ref:`the
+ list of pin usage constants below <pin-use-constants>`.
+
+ .. attribute:: pin_max_failed_attemtps
+
+ The maximum number of times the PIN may be entered wrongly before it
+ MUST NOT be possible to use the key any more.
+
+ .. attribute:: pin_min_length
+
+ The minimum length of a PIN that can be set to protect the associated
+ key.
+
+ .. attribute:: pin_max_length
+
+ The maximum length of a PIN that can be set to protect this key.
+
+ .. attribute:: pin_encoding
+
+ The encoding of the PIN which is one of ``DECIMAL``, ``HEXADECIMAL``,
+ ``ALPHANUMERIC``, ``BASE64``, or ``BINARY`` (see
+ :attr:`pskc.key.Key.challenge_encoding`).
+
+ .. attribute:: unknown_policy_elements
+
+ Boolean that is set to ``True`` if the PSKC policy information contains
+ unknown or unsupported definitions or values. A conforming
+ implementation must assume that key usage is not permitted if this
+ value is ``True`` to ensure that the lack of understanding of certain
+ extensions does not lead to unintended key usage.
+
+ .. function:: may_use(usage)
+
+ Check whether the key may be used for the provided purpose. See
+ :ref:`the list of key usage constants below <key-use-constants>`.
+
+.. _key-use-constants:
+
+The :class:`Policy` class provides the following key use constants (see
+:attr:`Policy.key_usage` and :func:`Policy.may_use`):
+
+ .. autoattribute:: Policy.KEY_USE_OTP
+
+ Key is used for OTP generation.
+
+ .. autoattribute:: Policy.KEY_USE_CR
+
+ The key is used for challenge-response purposes.
+
+ .. autoattribute:: Policy.KEY_USE_ENCRYPT
+
+ The key is used for data encryption purposes.
+
+ .. autoattribute:: Policy.KEY_USE_INTEGRITY
+
+ The key is used to generate a keyed message digest for data integrity or
+ authentication purposes.
+
+ .. autoattribute:: Policy.KEY_USE_VERIFY
+
+ The key is used to verify a keyed message digest for data integrity or
+ authentication purposes (this is the opposite of
+ :attr:`KEY_USE_INTEGRITY`).
+
+ .. autoattribute:: Policy.KEY_USE_UNLOCK
+
+ The key is used for an inverse challenge-response in the case where a
+ user has locked the device by entering a wrong PIN too many times (for
+ devices with PIN-input capability).
+
+ .. autoattribute:: Policy.KEY_USE_DECRYPT
+
+ The key is used for data decryption purposes.
+
+ .. autoattribute:: Policy.KEY_USE_KEYWRAP
+
+ The key is used for key wrap purposes.
+
+ .. autoattribute:: Policy.KEY_USE_UNWRAP
+
+ The key is used for key unwrap purposes.
+
+ .. autoattribute:: Policy.KEY_USE_DERIVE
+
+ The key is used with a key derivation function to derive a new key.
+
+ .. autoattribute:: Policy.KEY_USE_GENERATE
+
+ The key is used to generate a new key based on a random number and the
+ previous value of the key.
+
+.. _pin-use-constants:
+
+The following constants for PIN use are defined in the :class:`Policy`
+class (see :attr:`Policy.pin_usage`):
+
+ .. autoattribute:: Policy.PIN_USE_LOCAL
+
+ The PIN is checked locally on the device before allowing the key to be
+ used in executing the algorithm.
+
+ .. autoattribute:: Policy.PIN_USE_PREPEND
+
+ The PIN is prepended to the algorithm response. It must be checked by
+ the party validating the response.
+
+ .. autoattribute:: Policy.PIN_USE_APPEND
+
+ The PIN is appended to the algorithm response. It must be checked by
+ the party validating the response.
+
+ .. autoattribute:: Policy.PIN_USE_ALGORITHMIC
+
+ The PIN is used as part of the algorithm computation.
diff --git a/docs/usage.rst b/docs/usage.rst
new file mode 100644
index 0000000..1216058
--- /dev/null
+++ b/docs/usage.rst
@@ -0,0 +1,251 @@
+Basic usage
+===========
+
+The :mod:`pskc` module implements a simple and efficient API for parsing PSKC
+files.
+
+
+Opening a PSKC file
+-------------------
+
+.. module:: pskc
+
+Importing data from a PSKC file can be done by instantiating a :class:`PSKC`
+class::
+
+ from pskc import PSKC
+ pskc = PSKC('somefile.pskcxml')
+
+.. class:: PSKC(filename)
+
+ The :class:`PSKC` class is used as a wrapper to access information from a
+ PSKC file. The whole file is parsed in one go. Instances of this class
+ provide the following attributes:
+
+ .. attribute:: version
+
+ The PSKC format version used. Only version ``1.0`` is currently specified
+ in `RFC6030 <https://tools.ietf.org/html/rfc6030#section-1.2>`__.
+
+ .. attribute:: id
+
+ A unique identifier for the container.
+
+ .. attribute:: keys
+
+ A list of :class:`pskc.key.Key` instances that represent the keys
+ within the PSKC file.
+
+ .. attribute:: encryption
+
+ Instance of the :class:`pskc.encryption.Encryption` class that handles
+ PSKC file encryption.
+
+ .. attribute:: mac
+
+ Instance of the :class:`pskc.mac.MAC` class that handles integrity
+ checking.
+
+
+Examining keys
+--------------
+
+.. module:: pskc.key
+
+The :attr:`pskc.PSKC.keys` attribute provides access to the keys contained in
+the PSKC file. Instances of the :class:`Key` class provide access to a number
+of attributes that provide information on the transmitted keys::
+
+ pskc = PSKC('somefile.pskcxml')
+ first_key = pskc.keys[0]
+
+Attribute values will be ``None`` if it the value is not present in the PSKC
+file.
+
+.. class:: Key()
+
+ .. attribute:: id
+
+ A unique identifier for the key. If there are multiple interactions
+ with the same key in multiple instances of PSKC files the `id` is
+ supposed to remain the same.
+
+ .. attribute:: algorithm
+
+ A URI that identifies the PSKC algorithm profile. The algorithm profile
+ associates specific semantics to the key. Some `known profiles
+ <https://www.iana.org/assignments/pskc/pskc.xml#alg-profiles>`__ are:
+
+ * ``urn:ietf:params:xml:ns:keyprov:pskc:pin``:
+ `Symmetric static credential comparison
<https://tools.ietf.org/html/rfc6030#section-10.2>`_
+ * ``urn:ietf:params:xml:ns:keyprov:pskc:hotp``:
+ `OATH event-based OTP
<https://tools.ietf.org/html/rfc6030#section-10.1>`_
+ * ``urn:ietf:params:xml:ns:keyprov:pskc#totp`` or
+ ``urn:ietf:params:xml:ns:keyprov:pskc:totp``:
+ `OATH time-based OTP
<http://tools.ietf.org/html/draft-hoyer-keyprov-pskc-algorithm-profiles-01#section-4>`_
+ * ``urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1``:
+ `OATH challenge-response algorithm
<https://tools.ietf.org/html/draft-hoyer-keyprov-pskc-algorithm-profiles-01#section-3>`_
+
+ .. attribute:: secret
+
+ The binary value of the transported secret key. If the key information
+ is encrypted in the PSKC file it is transparently decrypted if
+ possible.
+
+ .. attribute:: counter
+
+ The event counter for event-based OTP algorithms.
+
+ .. attribute:: time_offset
+
+ The time offset offset for time-based OTP algorithms. If time intervals
+ are used it carries the number of time intervals passed from an
+ algorithm-dependent start point.
+
+ .. attribute:: time_interval
+
+ The time interval in seconds for time-based OTP algorithms (usually
+ ``30`` or ``60``).
+
+ .. attribute:: time_drift
+
+ For time-based OTP algorithms this contains the device clock drift in
+ number of intervals.
+
+ .. attribute:: issuer
+
+ The name of the party that issued the key. This may be different from
+ the :attr:`manufacturer` of the device.
+
+ .. attribute:: key_profile
+
+ A reference to a pre-shared key profile agreed upon between the sending
+ and receiving parties. The profile information itself is not
+ transmitted within the container.
+ See `RFC6030 <https://tools.ietf.org/html/rfc6030#section-4.4>`__.
+
+ .. attribute:: key_reference
+
+ A reference to an external key that is not contained within the PSKC
+ file (e.g., a PKCS #11 key label). If this attribute is present, the
+ :attr:`secret` attribute will generally be missing.
+
+ .. attribute:: friendly_name
+
+ A human-readable name for the secret key.
+
+ .. attribute:: key_userid
+
+ The distinguished name of the user associated with the key.
+ Also see :attr:`device_userid`.
+
+ .. attribute:: manufacturer
+
+ The name of the manufacturer of the device to which the key is
+ provisioned. `RFC6030
<https://tools.ietf.org/html/rfc6030#section-4.3.1>`__
+ prescribes that the value is of the form ``oath.prefix`` for `OATH
+ Manufacturer Prefixes
<http://www.openauthentication.org/oath-id/prefixes/>`_
+ or ``iana.organisation`` for `IANA Private Enterprise Numbers
+
<https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers>`_
+ however, it is generally just a string. The value may be different from
+ the :attr:`issuer` of the key on the device.
+
+ .. attribute:: serial
+
+ The serial number of the device to which the key is provisioned.
+ Together with :attr:`manufacturer` (and perhaps :attr:`issue_no`)
+ this should uniquely identify the device.
+
+ .. attribute:: model
+
+ A manufacturer specific description of the model of the device.
+
+ .. attribute:: issue_no
+
+ The issue number in case there are devices with the same :attr:`serial`
+ number so that they can be distinguished by different issue numbers.
+
+ .. attribute:: device_binding
+
+ Reference to a device identifier (e.g. IMEI) that allows a provisioning
+ server to ensure that the key is going to be loaded into a specific
+ device.
+
+ .. attribute:: start_date
+
+ :class:`datetime.datetime` value that indicates that the device should
+ only be used after this date.
+
+ .. attribute:: expiry_date
+
+ :class:`datetime.datetime` value that indicates that the device should
+ only be used before this date. Systems should not rely upon the device
+ to enforce key usage date restrictions, as some devices do not have an
+ internal clock.
+
+ .. attribute:: device_userid
+
+ The distinguished name of the user associated with the device.
+ Also see :attr:`key_userid`.
+
+ .. attribute:: crypto_module
+
+ Implementation specific unique identifier of the cryptographic module
+ on the device to which the keys have been (or will be) provisioned.
+
+ .. attribute:: algorithm_suite
+
+ Additional algorithm specific characteristics. For example, in an
+ HMAC-based algorithm it could designate the hash algorithm used (SHA1
+ or SHA256).
+
+ .. attribute:: challenge_encoding
+
+ Encoding of the challenge accepted by the device for challenge-response
+ authentication. One of:
+
+ * ``DECIMAL``: only numerical digits
+ * ``HEXADECIMAL``: hexadecimal
+ * ``ALPHANUMERIC``: all letters and numbers (case sensitive)
+ * ``BASE64``: base-64 encoded
+ * ``BINARY``: binary data
+
+ .. attribute:: challenge_min_length
+
+ The minimum size of the challenge accepted by the device.
+
+ .. attribute:: challenge_max_length
+
+ The maximum size of the challenge accepted by the device.
+
+ .. attribute:: challenge_check
+
+ Boolean that indicates whether the device will check an embedded
+ `Luhn check digit
<http://arthurdejong.org/python-stdnum/doc/0.9/stdnum.luhn.html>`_
+ contained in the challenge.
+
+ .. attribute:: response_encoding
+
+ Format of the response that is generated by the device. If must be one
+ of the values as described under :attr:`challenge_encoding`.
+
+ .. attribute:: response_length
+
+ The length of the response generated by the device.
+
+ .. attribute:: response_check
+
+ Boolean that indicates whether the device will append a
+ `Luhn check digit
<http://arthurdejong.org/python-stdnum/doc/0.9/stdnum.luhn.html>`_
+ to the response.
+
+ .. attribute:: policy
+
+ Instance of :class:`pskc.policy.Policy` that provides key and PIN
+ policy information. See :doc:`policy`.
+
+ .. function:: check()
+
+ Check if any MACs in the key data embedded in the PSKC file are valid.
+ Will return a boolean or ``None`` if no MACs are defined for the key.
+ See :doc:`mac`.
http://arthurdejong.org/git/python-pskc/commit/?id=edf4d24469f8b43f51171e9e97cabe0719b35ae6
commit edf4d24469f8b43f51171e9e97cabe0719b35ae6
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun May 18 21:32:34 2014 +0200
Add missing policy constant
diff --git a/pskc/policy.py b/pskc/policy.py
index 1074fce..6b2bc79 100644
--- a/pskc/policy.py
+++ b/pskc/policy.py
@@ -52,6 +52,9 @@ class Policy(object):
# Key is used for Challenge/Response purposes.
KEY_USE_CR = 'CR'
+ # Key is used for data encryption purposes.
+ KEY_USE_ENCRYPT = 'Encrypt'
+
# For generating keyed message digests.
KEY_USE_INTEGRITY = 'Integrity'
http://arthurdejong.org/git/python-pskc/commit/?id=92a994dd5ff84d12e7277307aa016cbe5b605aea
commit 92a994dd5ff84d12e7277307aa016cbe5b605aea
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun May 18 15:53:12 2014 +0200
Fix attribute name in docstring
diff --git a/pskc/key.py b/pskc/key.py
index bf00d0c..6fc41bb 100644
--- a/pskc/key.py
+++ b/pskc/key.py
@@ -112,7 +112,7 @@ class Key(object):
algorithm: identifier of the PSKC algorithm profile (URI)
secret: the secret key itself (binary form, automatically decrypted)
counter: event counter for event-based OTP
- time: time offset for time-based OTP algorithms (in intervals)
+ time_offset: time offset for time-based OTP algorithms (in intervals)
time_interval: time interval for time-based OTP in seconds
time_drift: device clock drift (negative means device is slow)
issuer: party that issued the key
http://arthurdejong.org/git/python-pskc/commit/?id=cc9bbb5082fe2b7e018fb8d61c5be04ad8249fa7
commit cc9bbb5082fe2b7e018fb8d61c5be04ad8249fa7
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Apr 20 00:25:12 2014 +0200
Update README
diff --git a/README b/README
index fe50f9e..a2f44d5 100644
--- a/README
+++ b/README
@@ -1,8 +1,10 @@
-# Python PSKC module #
+Python PSKC module
+==================
A Python module to handle Portable Symmetric Key Container (PSKC) files as
-defined in RFC6030. PSKC files are used to transport and provision
-symmetric keys to different types of crypto modules, commonly one-time
+defined in `RFC6030 <https://tools.ietf.org/html/rfc6030>`_. PSKC files are
+used to transport and provision symmetric keys and key related meta data to
+different types of crypto modules. The format is commonly used for one-time
password tokens or other authentication devices.
The goal of this module is mainly to provide parsing of PSKC files in
@@ -12,7 +14,27 @@ later time support for writing files may be added.
http://arthurdejong.org/python-pskc/
-## Security considerations ##
+API
+---
+
+The module provides a straightforward API that is mostly geared towards
+parsing existing PSKC files.
+
+Extracting key matarial from PSKC files is as simple as.
+
+>>> from pskc import PSKC
+>>> pskc = PSKC('tests/rfc6030-figure7.pskc')
+>>> pskc.encryption.derive_key('qwerty')
+>>> for key in pskc.keys:
+... print key.serial, key.secret
+987654321 12345678901234567890
+
+The key object has a number of properties. See the pskc.key.Key documentation
+for details.
+
+
+Security considerations
+-----------------------
This code handles private key material and is written in Python. No
precautions have been taken to lock pages in memory to prevent swapping.
@@ -20,7 +42,8 @@ Also no attempt is currently made to security dispose of
memory that may
have held private key material.
-## Copyright ##
+Copyright
+---------
Copyright (C) 2014 Arthur de Jong
-----------------------------------------------------------------------
Summary of changes:
README | 33 ++++-
docs/_templates/autosummary/module.rst | 5 +
docs/conf.py | 191 ++++++++++++++++++++++++
docs/encryption.rst | 54 +++++++
docs/index.rst | 21 +++
docs/mac.rst | 29 ++++
docs/policy.rst | 169 +++++++++++++++++++++
docs/usage.rst | 251 ++++++++++++++++++++++++++++++++
pskc/key.py | 2 +-
pskc/policy.py | 3 +
10 files changed, 752 insertions(+), 6 deletions(-)
create mode 100644 docs/_templates/autosummary/module.rst
create mode 100644 docs/conf.py
create mode 100644 docs/encryption.rst
create mode 100644 docs/index.rst
create mode 100644 docs/mac.rst
create mode 100644 docs/policy.rst
create mode 100644 docs/usage.rst
hooks/post-receive
--
python-pskc
--
To unsubscribe send an email to
python-pskc-commits-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/python-pskc-commits/
- python-pskc branch master updated. e96c7466d8b82bc37c99aa6b4639433e90eb9fff,
Commits of the python-pskc project