The OpenSSL demos/sign subdirectory contains a simple demo program (sign.c) that signs and verifies a short message using RSA.

The modifications required in order to offload the RSA operations to the accelerator are fairly simple. At the start of main, the following is required to instruct OpenSSL to leverage the PKCS11 engine:

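  /* Needs #include <openssl/engine.h> (and <stdlib.h> for exit) at the top of sign.c */
  ENGINE *e;

  ENGINE_load_builtin_engines();           /* register the engines bundled with OpenSSL */
  e = ENGINE_by_id("pkcs11");              /* look up the PKCS11 engine */
  if(!e) exit(1);                          /* engine not available */
  if(!ENGINE_set_default_RSA(e)) exit(1);  /* make it the default for RSA; stop if that fails */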

[For reference, the modified application can be found here]

It's also necessary to build against the version of OpenSSL that ships with Solaris:

cc -fast -I /usr/sfw/include -L /usr/sfw/lib -lcrypto sign.c -o sign.out

You can check that the HW accelerators were utilized via kstat:

kstat -m ncp | grep rsa

If you check the counters before running the test:

 kstat -m ncp | grep rsa
	rsaprivate                      33003
	rsapublic                       5

and after running the test:

  kstat -m ncp | grep rsa
	rsaprivate                      33004
	rsapublic                       6

it is apparent that both the sign and verify operations were offloaded to the HW accelerators.
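The before/after comparison can be scripted so that a silent fallback to software RSA is caught automatically. The following is an added example, not part of the original post: the function names rsa_delta and offload_ok are hypothetical, and the two snapshots are copied from the output shown above. Because the ncp counters are system-wide, the check requires "at least" the expected increase rather than an exact match.

```sh
#!/bin/sh
# Compare two `kstat -m ncp | grep rsa` snapshots and confirm the RSA
# counters moved. Sample snapshots below are the values shown in the post.

# rsa_delta BEFORE AFTER COUNTER
# Prints (after - before) for COUNTER, summing the counter if it appears on
# several lines. Exits 2 if the counter is missing from either snapshot.
rsa_delta() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v name="$3" '
        $0 == "---"            { second = 1; next }
        $1 == name && !second  { before += $2; fb = 1 }
        $1 == name && second   { after  += $2; fa = 1 }
        END { if (!fb || !fa) exit 2; print after - before }'
}

# offload_ok BEFORE AFTER MIN_PRIVATE MIN_PUBLIC
# Succeeds only if rsaprivate and rsapublic each grew by at least the
# expected number of operations (sign = private, verify = public).
offload_ok() {
    priv=$(rsa_delta "$1" "$2" rsaprivate) || return 2
    pub=$(rsa_delta "$1" "$2" rsapublic)   || return 2
    echo "rsaprivate +$priv, rsapublic +$pub"
    [ "$priv" -ge "$3" ] && [ "$pub" -ge "$4" ]
}

# Snapshots taken from the kstat output in the post.
BEFORE='	rsaprivate                      33003
	rsapublic                       5'
AFTER='	rsaprivate                      33004
	rsapublic                       6'

# On a live system the snapshots would be captured around the test run:
#   BEFORE=$(kstat -m ncp | grep rsa); ./sign.out; AFTER=$(kstat -m ncp | grep rsa)

# sign.out performs one sign and one verify, so expect at least +1 each.
if offload_ok "$BEFORE" "$AFTER" 1 1; then
    echo "RSA operations were offloaded"
else
    echo "no counter movement: RSA ran in software or ncp is absent"
fi
```

A non-zero result from offload_ok means either the counters did not move (status 1) or the ncp RSA counters were not present in the snapshot at all (status 2).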

Basically, as long as you are using the EVP_ functions, rather than using the low-level OpenSSL functions directly, it is a simple matter to modify an application to use the accelerators.

Comments:

Any chance of Sun-specific additions going back into OpenSSL? If so, when?

Posted by UX-admin on October 11, 2007 at 04:07 AM PDT #

Some details can be found here:
http://blogs.sun.com/chichang1/entry/how_to_integrate_pkcs11_engine

Posted by Lawrence Spracklen on October 11, 2007 at 11:41 AM PDT #


This blog copyright 2008 by sprack