Hi,

It's Friday and I'd like to share a small success story using OpenSSL to sign a document using the CrypTech Alpha board rev3 and a Debian Stretch system.

One takeaway is that it takes close to five minutes to generate an RSA3072 key and 6.5s to hash (SHA256) and sign a 2.1 MiB document with that key. I'm using environment.sh from Rob's excellent [0] to set a few things up.

--8<---------------cut here---------------start------------->8---
$ curl -s -A "" -x socks4a://127.0.0.1:9050/ -O http://171.25.193.9:443/tor/status-vote/current/consensus
$ wc consensus
  39387  224654 2173744 consensus
$ . environment.sh
$ time pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label my3072 --key-type rsa:3072
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
  label:      my3072
  ID:         01
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
Public Key Object; RSA 3072 bits
  label:      my3072
  ID:         01
  Usage:      encrypt, verify, wrap

real    4m49.997s
user    0m0.032s
sys     0m0.028s
$ time openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_my3072 -out consensus.sig consensus
engine "pkcs11" set.
No private keys found.
Missing CKA_ALWAYS_AUTHENTICATE attribute

real    0m6.517s
user    0m0.076s
sys     0m0.028s
$ time openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -verify label_my3072 -signature consensus.sig consensus
engine "pkcs11" set.
No public keys found.
Verified OK

real    0m2.422s
user    0m0.040s
sys     0m0.056s
--8<---------------cut here---------------end--------------->8---

The only change I had to make was to the name of the Debian package looked at in environment.sh to determine where openssl should find pkcs11.so. Debian Stretch seems to support both openssl-1.0.2 and openssl-1.1 so there was some head-scratching before openssl was happy.

--8<---------------cut here---------------start------------->8---
diff --git a/environment.sh b/environment.sh index 078b5a6..bc08498 100644 --- a/environment.sh +++ b/environment.sh
@@ -17,7 +17,7 @@ export OPENSSL_CONF=`pwd`/openssl.conf # Where to find the engine module this week (its name changes with # architecture, OpenSSL version, and phase of the moon). -export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'` +export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl1.1 | egrep '/(engine_)?pkcs11[.]so$'` # If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC # pkcs11-spy.so debugging tool, which we will splice between OpenSSL
--8<---------------cut here---------------end--------------->8---

[0] https://wiki.cryptech.is/wiki/GitRepositories/user/sra/openssl-engine

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
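Review bot: the `+export ENGINE_MODULE=` line swaps one hard-coded package name for another, so the script now breaks on hosts that only have `libengine-pkcs11-openssl` (the 1.0.2 package) installed, which is exactly the version skew the comment above the line warns about. Since Stretch ships both OpenSSL 1.0.2 and 1.1, consider querying both package names, e.g. `dpkg -L libengine-pkcs11-openssl1.1 libengine-pkcs11-openssl 2>/dev/null | egrep '/(engine_)?pkcs11[.]so$'`, or choosing the package from `openssl version`. In either form the assignment should also fail loudly when `egrep` matches nothing, because an empty `ENGINE_MODULE` is only discovered later as a confusing engine-load error from openssl.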