Some tidy up of document
locka99 committed Nov 1, 2021
1 parent 4d6111d commit 9c2f46e
Showing 1 changed file with 14 additions and 10 deletions.
24 changes: 14 additions & 10 deletions docs/crypto.md
Expand Up @@ -14,16 +14,17 @@ to a pure Rust crypto library.

OPC UA for Rust is implemented in various crates that encapsulate server, client and common code.

All of the crypto functionality is contained in the `opcua-crypto` crate that both the server and client depend on.
The crypto functionality is contained in the `opcua-crypto` crate that both the server and client depend on.
This provides functions and wrappers that call the `openssl` crate without exposing the internals to the rest of the
code base.

The issue with OpenSSL is that it drags in a dependency on a library which is external to Rust and implemented in C.
The `openssl` crate tries its best to hide the complexity but in reality it can cause configuration problems. Replacing OpenSSL
with a pure Rust encryption would be highly desirable.
OpenSSL is external to Rust and implemented in C so it does add complexity. The `openssl` crate tries its best to
hide it but in reality it can cause configuration problems. Replacing OpenSSL with a pure Rust encryption would be
highly desirable in future.

There are a number of crypto / PKI related crates that offer pure Rust implementations of various cryptographic services but as yet
most are not sufficient to replace OpenSSL. For example, these crates are frequently cited and popular.
There are a number of crypto / PKI related crates that offer pure Rust implementations of various cryptographic
services but as yet most are not sufficient to replace OpenSSL. For example, these crates are frequently cited and
popular.

* [`ring`](https://github.com/briansmith/ring) - this is basically a bag of cryptographic functions and so is capable of doing
everything except X509. However it lacks OAEP padding and perhaps other functions.
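Review bot: The rewritten sentence "Replacing OpenSSL with a pure Rust encryption would be highly desirable in future" is missing a noun after "encryption"; suggest "a pure Rust encryption library" or "implementation". In the same paragraph, "tries its best to hide it but in reality it can cause configuration problems" uses "it" twice with different referents, so name the subject of the second one. The `ring` bullet below is still wrapped at the old width and could be re-wrapped along with the paragraphs above it.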
Expand Down Expand Up @@ -57,7 +58,8 @@ Hashing functions are used to produce message authentication codes and for signi
## Pseudo-random generator

OPC UA for Rust creates nonces through through a secure random function provided by OpenSSL. OpenSSL in turn utilizes
functions provided by the operating system that ensure sufficient entropy in their result. This is encapsulated by a couple of functions:
functions provided by the operating system that ensure sufficient entropy in their result. This is encapsulated by a
couple of functions:

* `rand::bytes()` fills a buffer with random values
* `rand::byte_string()` returns a `ByteString` with the number of bytes.
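Review bot: The line directly above the re-wrapped sentence still reads "creates nonces through through a secure random function"; as this commit is tidying the paragraph, drop the duplicated "through" here as well. The second bullet, "returns a `ByteString` with the number of bytes", does not say which number is meant, and wording such as "with the requested number of random bytes" would be clearer.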
Expand Down Expand Up @@ -88,15 +90,17 @@ with an initialization vector that was created during key derivation.

## Asymmetric ciphers

Public / private keys are used for asymmetric encryption at a variety of key lengths especially during the handshake before symmetric
encryption kicks in, but also when passing encrypted user-name password identity tokens to the server.
Public / private keys are used for asymmetric encryption at a variety of key lengths especially during the handshake
before symmetric encryption kicks in, but also when passing encrypted user-name password identity tokens to the server.

OPC UA for Rust doesn't enforce a minimum key length although the OPC UA Specification refers to NIST when it suggests
no less than 1024 bits for the Basic128Rsa15 profile and 2048 bits or more for other profiles. It also recommends
that a key length of < 2048 bits be deprecated.

Private keys are stored in DER and public certs are stored on disk in PEM format and loaded into memory when required.

NOTE: Future impls may favour .pem for both certs & keys to allow for chained signing of certificates.

### Padding

Encrypted data is padded to randomly salt the message and make it harder to decrypt without the correct key.
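Review bot: The added NOTE does not agree with the sentence just above it. That sentence says private keys are DER and public certs are already PEM, so "favour .pem for both certs & keys" would only change the key format, yet the stated reason, "chained signing of certificates", concerns the certificate file. Please check which artifact is stored in which format and word the NOTE to name the one that would change. Spelling out "impls" as "implementations" would also match the rest of the document. Since this paragraph is being touched, the statement that no minimum key length is enforced might deserve a pointer to where a deployment is expected to apply the 1024/2048 bit guidance quoted from the specification.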
Expand Down Expand Up @@ -137,7 +141,7 @@ viable for encoding / decoding them.

### X509 Fields

X509 Certs can be generated subject to the requirements of OPC UA which requires a serial number and the first alt subject
X509 Certs are generated subject to the requirements of OPC UA which requires a serial number and the first alt subject
name to be an application URI. Subsequent alt subjects can be IP or DNS entries of the host.

Ordinarily a valid self signed cert can be produced by using the `certificate-creator` tool.
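Review bot: Changing "can be generated" to "are generated" turns an optional capability into a statement that certificates are always generated, but the sentence no longer says by what, and the next line still describes generation as something done "by using the `certificate-creator` tool". Suggest naming the component that generates them, or keeping "can be generated" if generation remains optional. The phrase "requirements of OPC UA which requires" could also be tightened to "OPC UA, which requires".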