I think I figured out my problem but I'd like someone to confirm for me that
this seems like a reasonable conclusion. I've been wondering whether or not
I had properly initiated the PKCS11 chip for OpenSSL because I wasn't seeing
much improvement in processing time. I'm trying to sign using the following
seciton of code:
EVP_MD_CTX_init( &ctx );
EVP_SignInit_ex( &ctx, EVP_sha1(), NULL );
/*update*/
EVP_SignUpdate( &ctx, signedData, dataLength);
/*Finalize*/
signatureLength = EVP_PKEY_size( pkey );
signatureData = (unsigned char *) calloc( signatureLength,
sizeof( unsigned char ) );
EVP_SignFinal( &ctx, signatureData, &signatureLength, pkey);
EVP_MD_CTX_cleanup( &ctx );
I decided to test the speeds of the processor for OpenSSL with SHA-1. When I
ran the speed tests without the pkcs11 initialized ("speed sha1"), I
recieved the following:
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
sha1 1927.00k 6624.70k 15229.53k 29638.31k
40211.80k
When I ran the same test with the pkcs chip initialized ("speed sha1 -engine
pkcs11") the results were:
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes
sha1 408.02k 1508.91k 5448.41k 15804.53k
34058.17k
This leads me to believe that while the pkcs11 might not improve the
performance of SHA-1. Would this be a fair assessment, or am I missing
something?
-C
On Tue, Jul 22, 2008 at 9:44 AM, Christopher Ivory <[EMAIL PROTECTED]>
wrote:
> I'm afraid I don't quite follow.
>
> I'm compiling my code with the command lines below:
> gcc -Wall -ggdb -DDEBUG LoadDataFromFile.c -c LoadDataFromFile.o
> gcc -Wall -ggdb -DDEBUG WriteDataToFile.c -c WriteDataToFile.o
> gcc -Wall -ggdb -DDEBUG sign.c -c sign.o
> gcc -I /usr/sfw/include -L /usr/sfw/lib -lcrypto LoadDataFromFile.o
> WriteDataToFile.o sign.o -o sign
>
> Does this initialize the PKCS11 engine? Or do I need to implement it inside
> sign.c? If so, how? And if I am already initializing it, how do I stop?
>
> Thanks for all your help so far. I'm new to OpenSSL and the PKCS11 and I'm
> trying to pick up on a project where someone else left off.
>
> -Chris
>
>
> On Tue, Jul 22, 2008 at 9:26 AM, Jan Pechanec <[EMAIL PROTECTED]>
> wrote:
>
>> On Tue, 22 Jul 2008, Christopher Ivory wrote:
>>
>> >Jan,
>> >
>> >Thanks for the information! How can I explicitly initialize the PKCS11
>> >engine when writing in C? I've looked at examples, but I think I'm
>> missing a
>> >step because when I verify or sign using OpenSSL, I'm seeing no
>> improvement
>> >in performance.
>>
>> see how openssl does that in apps/ subdirectory in the OpenSSL
>> tarball. You can see what is going on by trussing your app with
>> -u"libcrypto::" and -u"libpkcs11::". J.
>>
>> --
>> Jan Pechanec
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager [EMAIL PROTECTED]
>>
>
>
