On Tue, Apr 01, 2003, Chris Jarshant wrote:

> 
> Well... do what you need to do.  I'm going with the evil short-term
> hack cause the alternative is our user base sitting there twiddling
> their thumbs looking up the number of the sales guy that sold them
> crappy app that hangs for 10 minutes :-)
> 

What kind of system did you test this on? For example, what does:

openssl speed rsa1024

give? I tried creating 1000 certificates on the fly and adding them to the store.
The actual add took a couple of seconds. Having said that, this is a fairly fast
system.

I've attached the program I used: let me know if that also takes a long time
to run.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
/* Certificate creation. Demonstrates some certificate related
 * operations.
 */


#include <stdio.h>
#include <stdlib.h>

#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

/* Number of self-signed certificates generated and then added to the store. */
#define NUM_CERTS       1000

/* Build a self-signed X509v3 certificate for key pk with the given serial
 * number and validity in days; on success *x509p receives the new cert
 * (caller frees). Returns 1 on success, 0 on failure.
 */
int mkcert(X509 **x509p, EVP_PKEY *pk, int serial, int days);
/* Add the extension identified by nid, built from the textual value, to cert.
 * Returns 1 on success, 0 on failure.
 */
int add_ext(X509 *cert, int nid, char *value);

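/* Timing harness: generate one RSA key, mint NUM_CERTS self-signed
 * certificates with it, then add all of them to an X509_STORE.
 * Exits 0 when every step succeeded, 1 otherwise. Unlike the
 * original, no X509, key or store object is leaked and no NULL
 * certificate can reach X509_STORE_add_cert.
 */
int main(int argc, char **argv)
        {
        int i;
        int ret = 1;
        int add_failures = 0;
        BIO *bio_err;
        RSA *rsa;
        X509 *certs[NUM_CERTS];
        EVP_PKEY *pkey = NULL;
        X509_STORE *st = NULL;

        (void)argc;
        (void)argv;

        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

        /* Pre-clear so the cleanup path can free unconditionally. */
        for (i = 0; i < NUM_CERTS; i++)
                certs[i] = NULL;

        pkey = EVP_PKEY_new();
        rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL);
        if (pkey == NULL || rsa == NULL)
                {
                fprintf(stderr, "Key generation failed\n");
                RSA_free(rsa);
                goto end;
                }
        /* On success pkey takes ownership of rsa; on failure it is still ours. */
        if (!EVP_PKEY_assign_RSA(pkey, rsa))
                {
                fprintf(stderr, "EVP_PKEY_assign_RSA failed\n");
                RSA_free(rsa);
                goto end;
                }

        printf("Creating %d Certificates\n", NUM_CERTS);

        for (i = 0; i < NUM_CERTS; i++)
                {
                /* A failed mkcert leaves certs[i] NULL; stop rather than
                 * hand a NULL certificate to the store later on.
                 */
                if (!mkcert(&certs[i], pkey, i, 365))
                        {
                        fprintf(stderr, "mkcert failed for certificate %d\n", i);
                        goto end;
                        }
                }

        st = X509_STORE_new();
        if (st == NULL)
                {
                fprintf(stderr, "X509_STORE_new failed\n");
                goto end;
                }

        printf("Adding %d Certificates\n", NUM_CERTS);

        /* The store takes its own reference to each cert, so certs[] is
         * still freed below. Count failures instead of aborting so the
         * timing of the whole batch is still representative.
         */
        for (i = 0; i < NUM_CERTS; i++)
                {
                if (!X509_STORE_add_cert(st, certs[i]))
                        add_failures++;
                }

        if (add_failures)
                fprintf(stderr, "%d certificates could not be added\n", add_failures);

        printf("Done\n");
        ret = add_failures ? 1 : 0;

end:
        X509_STORE_free(st);
        for (i = 0; i < NUM_CERTS; i++)
                X509_free(certs[i]);
        EVP_PKEY_free(pkey);
        BIO_free(bio_err);
        return ret;
        }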

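/* Build a self-signed X509v3 CA certificate for the key pk.
 *
 * x509p  receives the new certificate on success (ownership passes to
 *        the caller, who frees it with X509_free); untouched on failure.
 * pk     key used both as the subject public key and to sign.
 * serial serial number and the number embedded in the CN.
 * days   validity period counted from now.
 *
 * Returns 1 on success, 0 on failure. Every library call is checked and
 * a partially built certificate is freed on the error path, so nothing
 * leaks when one of the steps fails.
 */
int mkcert(X509 **x509p, EVP_PKEY *pk, int serial, int days)
        {
        X509 *x = NULL;
        X509_NAME *name;
        char cnstr[128];

        if (x509p == NULL || pk == NULL)
                goto err;

        if ((x = X509_new()) == NULL)
                goto err;

        /* Version value 2 means X509v3. */
        if (!X509_set_version(x, 2))
                goto err;
        if (!ASN1_INTEGER_set(X509_get_serialNumber(x), serial))
                goto err;
        if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
                goto err;
        if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == NULL)
                goto err;
        if (!X509_set_pubkey(x, pk))
                goto err;

        name = X509_get_subject_name(x);

        /* X509_NAME_add_entry_by_txt creates and adds the entry, working out
         * the correct string type and checking its length. The CN is bounded
         * by snprintf so a large serial cannot overrun cnstr.
         */
        snprintf(cnstr, sizeof cnstr, "Certificate Number %d", serial);
        if (!X509_NAME_add_entry_by_txt(name, "C",
                                MBSTRING_ASC, (unsigned char *)"UK", -1, -1, 0))
                goto err;
        if (!X509_NAME_add_entry_by_txt(name, "CN",
                                MBSTRING_ASC, (unsigned char *)cnstr, -1, -1, 0))
                goto err;

        /* Self signed: issuer is the subject. */
        if (!X509_set_issuer_name(x, name))
                goto err;

        /* Standard extensions */
        if (!add_ext(x, NID_basic_constraints, "critical,CA:TRUE"))
                goto err;
        if (!add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign"))
                goto err;
        if (!add_ext(x, NID_subject_key_identifier, "hash"))
                goto err;

        /* Netscape specific extensions */
        if (!add_ext(x, NID_netscape_cert_type, "sslCA"))
                goto err;
        if (!add_ext(x, NID_netscape_comment, "example comment extension"))
                goto err;

        /* MD5 is not collision resistant and must not be used to sign
         * certificates that anything will trust; SHA-1 is the stronger
         * digest available in this API generation (prefer SHA-2 where
         * the library offers it). The signing cost is dominated by the
         * RSA operation either way, so the timing comparison still holds.
         */
        if (!X509_sign(x, pk, EVP_sha1()))
                goto err;

        *x509p = x;
        return 1;
err:
        /* X509_free tolerates NULL, so this is safe before X509_new too. */
        X509_free(x);
        return 0;
        }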

/* Add extension using V3 code: we can set the config file as NULL
 * because we wont reference any other sections.
 */

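/* Add the extension identified by nid, parsed from its textual value, to
 * cert using the V3 extension code. The config database is NULL because
 * the values used here never reference other config sections; the issuer
 * and subject of the context are both cert because it is self signed.
 *
 * Returns 1 on success, 0 if the extension could not be built or could
 * not be attached to the certificate. The temporary X509_EXTENSION is
 * freed on every path, since X509_add_ext stores its own copy.
 */
int add_ext(X509 *cert, int nid, char *value)
        {
        X509_EXTENSION *ex;
        X509V3_CTX ctx;
        int ok;

        if (cert == NULL || value == NULL)
                return 0;

        /* No configuration database */
        X509V3_set_ctx_nodb(&ctx);
        /* Issuer and subject certs: both the target since it is self signed,
         * no request and no CRL
         */
        X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);

        ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
        if (ex == NULL)
                return 0;

        /* The original ignored this result; a cert missing a critical
         * extension such as basicConstraints would have gone unnoticed.
         */
        ok = X509_add_ext(cert, ex, -1);
        X509_EXTENSION_free(ex);
        return ok ? 1 : 0;
        }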
        
