Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread sadronmeldir

Hello all,

I'm aware that the default installation of the Solaris 10 OS provides a
PKCS#11-based OpenSSL implementation. I'm trying to take some metrics to
figure out how much more efficient certain processes are with the PKCS
engine. How would I disable the PKCS engine on an UltraSPARC T1 processor?

-Chris
-- 
View this message in context: 
http://www.nabble.com/Disabling-the-PKCS--11-on-Solaris-10-tp18587438p18587438.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Jan Pechanec
On Tue, 22 Jul 2008, sadronmeldir wrote:

I'm aware that the default installation of the Solaris 10 OS provides a
PKCS#11-based OpenSSL implementation. I'm trying to take some metrics to
figure out how much more efficient certain processes are with the PKCS
engine. How would I disable the PKCS engine on an UltraSPARC T1 processor?

an application must explicitly initialize the engine so that it can 
use it. The only app that uses the engine by default on S10 is Apache. You 
can also use -engine pkcs11 with the openssl(1) command. J.

-- 
Jan Pechanec


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Christopher Ivory
Jan,

Thanks for the information! How can I explicitly initialize the PKCS11
engine when writing in C? I've looked at examples, but I think I'm missing a
step because when I verify or sign using OpenSSL, I'm seeing no improvement
in performance.

-Chris



Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Jan Pechanec
On Tue, 22 Jul 2008, Christopher Ivory wrote:

Jan,

Thanks for the information! How can I explicitly initialize the PKCS11
engine when writing in C? I've looked at examples, but I think I'm missing a
step because when I verify or sign using OpenSSL, I'm seeing no improvement
in performance.

see how openssl does that in the apps/ subdirectory of the OpenSSL 
tarball. You can see what is going on by trussing your app with 
-ulibcrypto:: and -ulibpkcs11::. J.

-- 
Jan Pechanec


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Christopher Ivory
I'm afraid I don't quite follow.

I'm compiling my code with the command lines below:
   gcc -Wall -ggdb -DDEBUG -c LoadDataFromFile.c -o LoadDataFromFile.o
   gcc -Wall -ggdb -DDEBUG -c WriteDataToFile.c -o WriteDataToFile.o
   gcc -Wall -ggdb -DDEBUG -c sign.c -o sign.o
   gcc -I /usr/sfw/include -L /usr/sfw/lib LoadDataFromFile.o WriteDataToFile.o sign.o -o sign -lcrypto

Does this initialize the PKCS11 engine? Or do I need to implement it inside
sign.c? If so, how? And if I am already initializing it, how do I stop?

Thanks for all your help so far. I'm new to OpenSSL and the PKCS11 and I'm
trying to pick up on a project where someone else left off.

-Chris



Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Christopher Ivory
I think I figured out my problem but I'd like someone to confirm for me that
this seems like a reasonable conclusion. I've been wondering whether or not
I had properly initiated the PKCS11 chip for OpenSSL because I wasn't seeing
much improvement in processing time. I'm trying to sign using the following
section of code:

#include <stdlib.h>
#include <openssl/evp.h>

EVP_MD_CTX mdctx, *ctx = &mdctx;
unsigned int signatureLength;   /* EVP_SignFinal writes the real length here */
unsigned char *signatureData;

EVP_MD_CTX_init( ctx );
EVP_SignInit_ex( ctx, EVP_sha1(), NULL );   /* NULL engine: the digest stays in software */
/*update*/
EVP_SignUpdate( ctx, signedData, dataLength);
/*Finalize*/
signatureLength = EVP_PKEY_size( pkey );

signatureData = (unsigned char *) calloc( signatureLength,
 sizeof( unsigned char ) );

/* third argument is an unsigned int *, so pass the address */
EVP_SignFinal( ctx, signatureData, &signatureLength, pkey);
EVP_MD_CTX_cleanup( ctx );

I decided to test the speeds of the processor for OpenSSL with SHA-1. When I
ran the speed tests without the pkcs11 initialized (speed sha1), I
received the following:

 The 'numbers' are in 1000s of bytes per second processed.
 type         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 sha1          1927.00k     6624.70k    15229.53k    29638.31k    40211.80k

When I ran the same test with the pkcs chip initialized (speed sha1 -engine
pkcs11) the results were:

 The 'numbers' are in 1000s of bytes per second processed.
 type         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 sha1           408.02k     1508.91k     5448.41k    15804.53k    34058.17k

This leads me to believe that the pkcs11 might not improve the
performance of SHA-1. Would this be a fair assessment, or am I missing
something?

-C









Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Jan Pechanec
On Tue, 22 Jul 2008, Christopher Ivory wrote:

When I ran the same test with the pkcs chip initialized (speed sha1 -engine
pkcs11) the results were:

 The 'numbers' are in 1000s of bytes per second processed.
 type         16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 sha1           408.02k     1508.91k     5448.41k    15804.53k    34058.17k

This leads me to believe that the pkcs11 might not improve the
performance of SHA-1. Would this be a fair assessment, or am I missing
something?

T1 has ncp(7d) which accelerates RSA/DSA/DH only, see cryptoadm 
list -m. What you see is soft token. Given the inherent overhead of the 
crypto framework the soft token is slower than OpenSSL.

in OpenSolaris, there is a project that mechanisms that are not 
implemented in hw will stay in the soft token.

if you want acceleration for symmetric crypto and digests you must 
use T2 or SCA-6000 (which is significantly slower than n2cp that is shipped 
with Niagara2).

-- 
Jan Pechanec


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Jan Pechanec
On Tue, 22 Jul 2008, Jan Pechanec wrote:

   in OpenSolaris, there is a project that mechanisms that are not 
implemented in hw will stay in the soft token.

of course, I meant will stay in OpenSSL

-- 
Jan Pechanec


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Christopher Ivory
I see what you mean, however, when I get the processor info with the command
uname -a it returns:

   SunOS t5200tx 5.10 Generic_120011-14 sun4v sparc SUNW,SPARC-Enterprise-T5220

I was working under the impression that this is a T2. Was I misinformed?

-Chris

PS - Thanks for your continued help!


Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Christopher Ivory
If it helps, I ran the cryptoadm and got the following results:

User-level providers:
=

Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Mechanisms:
CKM_DES_CBC
CKM_DES_ECB
CKM_DES3_CBC
CKM_DES3_ECB
CKM_AES_CBC
CKM_AES_ECB
CKM_RC4
Mechanisms:
CKM_DSA
CKM_RSA_X_509
CKM_RSA_PKCS

Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
Mechanisms:
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES_ECB
CKM_DES_KEY_GEN
CKM_DES_MAC_GENERAL
CKM_DES_MAC
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_DES3_ECB
CKM_DES3_KEY_GEN
CKM_AES_CBC
CKM_AES_CBC_PAD
CKM_AES_ECB
CKM_AES_KEY_GEN
CKM_BLOWFISH_CBC
CKM_BLOWFISH_KEY_GEN
CKM_SHA_1
CKM_SHA_1_HMAC
CKM_SHA_1_HMAC_GENERAL
CKM_SHA256
CKM_SHA256_HMAC
CKM_SHA256_HMAC_GENERAL
CKM_SHA384
CKM_SHA384_HMAC
CKM_SHA384_HMAC_GENERAL
CKM_SHA512
CKM_SHA512_HMAC
CKM_SHA512_HMAC_GENERAL
CKM_SSL3_SHA1_MAC
CKM_MD5
CKM_MD5_HMAC
CKM_MD5_HMAC_GENERAL
CKM_SSL3_MD5_MAC
CKM_RC4
CKM_RC4_KEY_GEN
CKM_DSA
CKM_DSA_SHA1
CKM_DSA_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_X_509
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
CKM_DH_PKCS_KEY_PAIR_GEN
CKM_DH_PKCS_DERIVE
CKM_MD5_KEY_DERIVATION
CKM_SHA1_KEY_DERIVATION
CKM_SHA256_KEY_DERIVATION
CKM_SHA384_KEY_DERIVATION
CKM_SHA512_KEY_DERIVATION
CKM_PBE_SHA1_RC4_128
CKM_PKCS5_PBKD2
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_TLS_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_TLS_MASTER_KEY_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_TLS_MASTER_KEY_DERIVE_DH
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_TLS_PRF

Kernel software providers:
==
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes256: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
arcfour2048: CKM_RC4
blowfish448: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
sha2:
CKM_SHA256,CKM_SHA256_HMAC,CKM_SHA256_HMAC_GENERAL,CKM_SHA384,CKM_SHA384_HMAC,CKM_SHA384_HMAC_GENERAL,CKM_SHA512,CKM_SHA512_HMAC,CKM_SHA512_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa:
CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
swrand: No mechanisms presented.

Kernel hardware providers:
==
n2cp/0:
CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,CKM_DES3_ECB,CKM_AES_CBC,CKM_AES_ECB,CKM_AES_CTR,CKM_RC4,CKM_MD5,CKM_SHA_1,CKM_SHA256,CKM_MD5_HMAC,CKM_SHA_1_HMAC,CKM_SHA256_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SHA_1_HMAC_GENERAL,CKM_SHA256_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS
n2rng/0: No mechanisms presented.







Re: Disabling the PKCS #11 on Solaris 10

2008-07-22 Thread Jan Pechanec
On Tue, 22 Jul 2008, Christopher Ivory wrote:

I see what you mean, however, when I get the processor info with the command
uname -a it returns:

   SunOS t5200tx 5.10 Generic_120011-14 sun4v sparc SUNW,SPARC-Enterprise-T5220

I was working under the impression that this is a T2. Was I misinformed?

no, it's T2. You mentioned earlier that you had T1.

it stays in soft token, I vaguely remember a bug there.

check with kstat -m n2cp before and after. If the counters don't 
change it stays in the soft token. You can also try other mechs, AES, for 
example. BTW you should use -elapsed with the -engine options; if it goes 
to the hw then the final numbers would be wrong without that option.

for Solaris specific crypto stuff I suggest to use 
[EMAIL PROTECTED]

J.


-Chris

PS - Thanks for your conitnued help!

On Tue, Jul 22, 2008 at 2:22 PM, Jan Pechanec [EMAIL PROTECTED] wrote:

 On Tue, 22 Jul 2008, Jan Pechanec wrote:

in OpenSolaris, there is a project that mechanisms that are not
 implemented in hw will stay in the soft token.

 of course, I meant will stay in OpenSSL

 --
 Jan Pechanec
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]



-- 
Jan Pechanec