File: mac.rst

package info (click to toggle)
python-pskc 1.4-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 1,212 kB
  • sloc: python: 2,075; xml: 151; makefile: 22; sh: 9
file content (73 lines) | stat: -rw-r--r-- 3,078 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
 
Integrity checking
==================

.. module:: pskc.mac

The PSKC format allows for `message authentication and integrity checking
<https://tools.ietf.org/html/rfc6030#section-6.1.1>`_ for some of the values
stored within the PSKC file.

Integrity checking is done transparently when accessing attributes that
are encrypted and contain a ValueMAC.

Once the PSKC encryption key has been set up, key values can be explicitly
checked using the :func:`~pskc.key.Key.check` method::

   >>> pskc = PSKC('somefile.pskcxml')
   >>> pskc.encryption.derive_key('qwerty')
   >>> pskc.mac.algorithm
   'http://www.w3.org/2000/09/xmldsig#hmac-sha1'
   >>> all(key.check() for key in pskc.keys)
   True


The MAC class
-------------

.. class:: MAC

   .. attribute:: algorithm
      :type: str | None

      A URI of the MAC algorithm used for message authentication. See the
      section :ref:`mac-algorithms` below for a list of algorithm URIs.

      Assigned values to this attribute will be converted to the canonical
      URI for the algorithm if it is known. For instance, the value
      ``HMAC-SHA-256`` will automatically be converted into
      ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha256``.

   .. attribute:: key
      :type: bytes | None

      For HMAC checking, this contains the binary value of the MAC key. The
      MAC key is generated specifically for each PSKC file and encrypted with
      the PSKC encryption key, so the PSKC file should be decrypted first
      (see :doc:`encryption`).

   .. automethod:: setup


.. _mac-algorithms:

Supported MAC algorithms
------------------------

The module should support all HMAC algorithms that can be constructed from
hash algorithms that are available in the standard Python :mod:`hashlib`
module. At the least the following algorithms should be supported:

+-----------------------------------------------------------+--------------------------+
| URI                                                       | Description              |
+===========================================================+==========================+
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-md5``       | MD5-based HMAC           |
+-----------------------------------------------------------+--------------------------+
| ``http://www.w3.org/2000/09/xmldsig#hmac-sha1``           | SHA-1 based HMAC         |
+-----------------------------------------------------------+--------------------------+
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha224``    | SHA-2 family based HMACs |
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha256``    |                          |
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha384``    |                          |
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha512``    |                          |
+-----------------------------------------------------------+--------------------------+
| ``http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160`` | RIPEMD-160 based HMAC    |
+-----------------------------------------------------------+--------------------------+