[Bug 794793] New: Review Request: openssl-ibmpkcs11 - An openssl PKCS#11 engine

bugzilla at redhat.com bugzilla at redhat.com
Fri Feb 17 16:44:20 UTC 2012



https://bugzilla.redhat.com/show_bug.cgi?id=794793

           Summary: Review Request: openssl-ibmpkcs11 - An openssl PKCS#11
                    engine
           Product: Fedora
           Version: rawhide
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: medium
          Priority: medium
         Component: Package Review
        AssignedTo: nobody at fedoraproject.org
        ReportedBy: key at linux.vnet.ibm.com
         QAContact: extras-qa at fedoraproject.org
                CC: notting at redhat.com,
                    package-review at lists.fedoraproject.org
    Classification: Fedora


Spec URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11.spec
SRPM URL: http://kyoder.users.sourceforge.net/openssl-ibmpkcs11-1.0.0-0.src.rpm
Description: This package contains a shared object OpenSSL dynamic engine for
use with a PKCS#11 implementation such as openCryptoki.

This package provides a library that will bridge the gap between a PKCS#11
implementation, which provides support for storage of keys and certificates and
cryptographic hardware support, and the openssl libcrypto library.

Testing:
1. Install openCryptoki:
# rpm -ivh opencryptoki-2.3.3-2.fc15.i686.rpm opencryptoki-libs-2.3.3-2.fc15.i686.rpm opencryptoki-swtok-2.3.3-2.fc15.i686.rpm

2. Configure openCryptoki:
# /etc/init.d/pkcsslotd start
[root@localhost ~]# pkcsconf -t
Token #0 Info:
 Label: IBM OS PKCS#11                  
 Manufacturer: IBM Corp.                       
 Model: IBM SoftTok     
 Serial Number: 123             
 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 4-8
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 10:01:00 AM
[root@localhost ~]# pkcsconf -I -c 0
Enter the SO PIN:                                  # (default is 87654321)
Enter a unique token label: kentinit
[root@localhost ~]# pkcsconf -P -c 0
Enter the SO PIN: 
Enter the new SO PIN: 
Re-enter the new SO PIN: 
[root@localhost ~]# pkcsconf -u -c 0
Enter the SO PIN: 
Enter the new user PIN: 
Re-enter the new user PIN: 
[root@localhost ~]# pkcsconf -t
Token #0 Info:
 Label: kentinit                        
 Manufacturer: IBM Corp.                       
 Model: IBM SoftTok     
 Serial Number: 123             
 Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
 Sessions: -1/-1
 R/W Sessions: -1/-1
 PIN Length: 4-8
 Public Memory: 0xFFFFFFFF/0xFFFFFFFF
 Private Memory: 0xFFFFFFFF/0xFFFFFFFF
 Hardware Version: 1.0
 Firmware Version: 1.0
 Time: 10:01:44 AM

3. Point openssl at the new engine:
[root@localhost ~]# openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -t
(aesni) Intel AES-NI engine (no-aesni)
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(ibmpkcs11) PKCS#11 hardware engine support
     [ available ]

4. Run an openssl speed test using the engine:
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl engine -c
(aesni) Intel AES-NI engine (no-aesni)
(dynamic) Dynamic engine loading support
(ibmpkcs11) PKCS#11 hardware engine support
 [RSA, RAND, DES-ECB, DES-CBC, DES-EDE3, DES-EDE3-CBC, AES-128-ECB, AES-128-CBC, AES-192-ECB, AES-192-CBC, AES-256-ECB, AES-256-CBC, MD5, SHA1, RSA-SHA1, hmacWithSHA1]
[root@localhost ~]# OPENSSL_CONF=/usr/share/doc/openssl-ibmpkcs11-1.0.0/openssl.cnf.sample openssl speed -engine ibmpkcs11 -evp des-ecb
engine "ibmpkcs11" set.
Doing des-ecb for 3s on 16 size blocks: 3601074 des-ecb's in 2.97s
Doing des-ecb for 3s on 64 size blocks: 1724899 des-ecb's in 2.97s
Doing des-ecb for 3s on 256 size blocks: 545990 des-ecb's in 2.90s
Doing des-ecb for 3s on 1024 size blocks: 156847 des-ecb's in 2.97s
Doing des-ecb for 3s on 8192 size blocks: 19434 des-ecb's in 2.97s
OpenSSL 1.0.0e-fips 6 Sep 2011
built on: Wed Sep  7 18:44:05 UTC 2011
options:bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-ecb          19399.73k    37169.54k    48197.74k    54077.89k    53603.81k
[root@localhost ~]#

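Added example, not part of the original report or of the package: a POSIX shell check that decodes the `Flags:` value printed by `pkcsconf -t` in step 2 and fails while the token still reports `SO_PIN_TO_BE_CHANGED` or `USER_PIN_TO_BE_CHANGED`, that is, before the default PINs have been replaced. The function names are hypothetical; the bit values are the CKF_* token flags from the PKCS#11 specification, and the two sample values are the ones shown in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Bit values are the CKF_*
# token flags defined by the PKCS#11 specification.

# Print the first hex "Flags:" value found on stdin, e.g. 0x880045.
token_flags() {
    sed -n 's/^[[:space:]]*Flags:[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Print the names of the flag bits set in $1, space separated.
decode_flags() {
    names=""
    for pair in 0x1:RNG 0x2:WRITE_PROTECTED 0x4:LOGIN_REQUIRED \
        0x8:USER_PIN_INITIALIZED 0x40:CLOCK_ON_TOKEN 0x400:TOKEN_INITIALIZED \
        0x40000:USER_PIN_LOCKED 0x80000:USER_PIN_TO_BE_CHANGED \
        0x400000:SO_PIN_LOCKED 0x800000:SO_PIN_TO_BE_CHANGED
    do
        if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then
            names="$names ${pair#*:}"
        fi
    done
    echo "${names# }"
}

# Succeed only when the token is initialised with a user PIN and no PIN is
# still marked for change or locked; otherwise print why and return 1.
token_ready() {
    [ -n "$1" ] || { echo "not ready: no Flags value found"; return 1; }
    required=0x40C      # TOKEN_INITIALIZED | USER_PIN_INITIALIZED | LOGIN_REQUIRED
    forbidden=0xCC0000  # SO/USER_PIN_TO_BE_CHANGED | SO/USER_PIN_LOCKED
    missing=$(( $required & ~$1 ))
    bad=$(( $1 & $forbidden ))
    if [ "$missing" -eq 0 ] && [ "$bad" -eq 0 ]; then
        echo "ready"; return 0
    fi
    echo "not ready: missing=[$(decode_flags "$missing")] set=[$(decode_flags "$bad")]"
    return 1
}

# The two Flags lines from the pkcsconf -t output in the report above.
BEFORE_INIT=' Flags: 0x880045'
AFTER_INIT=' Flags: 0x44D'
for sample in "$BEFORE_INIT" "$AFTER_INIT"; do
    flags=$(printf '%s\n' "$sample" | token_flags)
    echo "$flags ($(decode_flags "$flags")): $(token_ready "$flags")"
done
```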