blob: 0e8e5d5fba00e12105336c7e367ef234e9c082f1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
Integrity checking
==================
.. module:: pskc.mac
The PSKC format allows for `message authentication and integrity checking
<https://tools.ietf.org/html/rfc6030#section-6.1.1>`_ for some of the values
stored within the PSKC file.
Integrity checking is done transparently when accessing attributes that
are encrypted and contain a ValueMAC.
Once the PSKC encryption key has been set up, key values can be explicitly
checked using the :func:`~pskc.key.Key.check` method::
>>> pskc = PSKC('somefile.pskcxml')
>>> pskc.encryption.derive_key('qwerty')
>>> pskc.mac.algorithm
'http://www.w3.org/2000/09/xmldsig#hmac-sha1'
>>> all(key.check() for key in pskc.keys)
True
The MAC class
-------------
.. class:: MAC
.. attribute:: algorithm
The name of the MAC algorithm to use (currently ``HMAC-MD5``,
``HMAC-SHA1``, ``HMAC-SHA224``, ``HMAC-SHA256``, ``HMAC-SHA384`` and
``HMAC-SHA512`` are supported).
.. attribute:: key
For HMAC checking, this contains the binary value of the MAC key. The
MAC key is generated specifically for each PSKC file and encrypted with
the PSKC encryption key, so the PSKC file should be decrypted first
(see :doc:`encryption`).
.. function:: setup(...)
Configure an encrypted MAC key.
:param str algorithm: encryption algorithm
:param binary key: the encryption key to use
None of the arguments are required. By default HMAC-SHA1 will be used
as a MAC algorithm. If no key is configured a random key will be
generated with the length of the output of the configured hash.
|