[Cryptech Tech] I sign
Linus Nordberg
linus at nordberg.se
Fri Apr 13 15:23:21 UTC 2018
Hi,
It's Friday and I'd like to share a small success story using OpenSSL to
sign a document using the CrypTech Alpha board rev3 and a Debian Stretch
system.
One takeaway is that it takes close to five minutes to generate an
RSA3072 key and 6.5s to hash (SHA256) and sign a 2.1 MiB document with
that key.
I'm using environment.sh from Rob's excellent [0] to set a few things up.
--8<---------------cut here---------------start------------->8---
$ curl -s -A "" -x socks4a://127.0.0.1:9050/ -O http://171.25.193.9:443/tor/status-vote/current/consensus
$ wc consensus
39387 224654 2173744 consensus
$ . environment.sh
$ time pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label my3072 --key-type rsa:3072
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
label: my3072
ID: 01
Usage: decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
Public Key Object; RSA 3072 bits
label: my3072
ID: 01
Usage: encrypt, verify, wrap
real 4m49.997s
user 0m0.032s
sys 0m0.028s
$ time openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -sign label_my3072 -out consensus.sig consensus
engine "pkcs11" set.
No private keys found.
Missing CKA_ALWAYS_AUTHENTICATE attribute
real 0m6.517s
user 0m0.076s
sys 0m0.028s
$ time openssl dgst -sha256 -keyform ENGINE -engine pkcs11 -verify label_my3072 -signature consensus.sig consensus
engine "pkcs11" set.
No public keys found.
Verified OK
real 0m2.422s
user 0m0.040s
sys 0m0.056s
--8<---------------cut here---------------end--------------->8---
The only change I had to make was to the name of the Debian package
looked at in environment.sh to determine where openssl should find
pkcs11.so. Debian Stretch seems to support both openssl-1.0.2 and
openssl-1.1, so there was some head scratching before openssl was happy.
--8<---------------cut here---------------start------------->8---
diff --git a/environment.sh b/environment.sh
index 078b5a6..bc08498 100644
--- a/environment.sh
+++ b/environment.sh
@@ -17,7 +17,7 @@ export OPENSSL_CONF=`pwd`/openssl.conf
# Where to find the engine module this week (its name changes with
# architecture, OpenSSL version, and phase of the moon).
-export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'`
+export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl1.1 | egrep '/(engine_)?pkcs11[.]so$'`
# If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC
# pkcs11-spy.so debugging tool, which we will splice between OpenSSL
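Review bot: the package name is now hard-coded to libengine-pkcs11-openssl1.1, so on a host that only has libengine-pkcs11-openssl installed (the situation the comment above says this line exists to cope with) `dpkg -L` prints an error and ENGINE_MODULE ends up empty, with no indication until openssl fails to load the engine. Consider querying each package in turn and keeping the first match, e.g. `for p in libengine-pkcs11-openssl1.1 libengine-pkcs11-openssl; do dpkg -L "$p" 2>/dev/null; done | egrep '/(engine_)?pkcs11[.]so$' | head -n 1`, and failing loudly if the result is empty, since the 1.0.2 and 1.1 engine modules are not interchangeable with the other openssl binary.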
--8<---------------cut here---------------end--------------->8---
[0] https://wiki.cryptech.is/wiki/GitRepositories/user/sra/openssl-engine
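The round trip from the post, rewritten as an added example that is not part of the original message or of the CrypTech project: keypair generation on the token, SHA256 signing through the pkcs11 engine, and one extra step the post does not show, exporting the token's public key so the signature can be checked on any host with plain OpenSSL and no PKCS#11 engine at all. It assumes PKCS11_MODULE and PKCS11_PIN are set the way environment.sh sets them, that pkcs11-tool and the OpenSSL pkcs11 engine are installed, and that this OpenSC version writes the public key as SubjectPublicKeyInfo DER (older versions may not; that assumption is marked in the code).

```shell
#!/bin/sh
# Added example, not code from the original post or from CrypTech.
# Assumes PKCS11_MODULE and PKCS11_PIN are exported (as environment.sh
# does) and that pkcs11-tool and the OpenSSL pkcs11 engine are installed.
set -eu

KEY_ID=1
KEY_LABEL=my3072

# Generate the RSA-3072 key pair on the token. On the Alpha board this
# is the slow step (close to five minutes in the post).
token_keygen() {
    pkcs11-tool --module "${PKCS11_MODULE}" --login --pin "${PKCS11_PIN}" \
        --keypairgen --id "${KEY_ID}" --label "${KEY_LABEL}" --key-type rsa:3072
}

# Hash with SHA-256 and sign inside the token; the private key never
# leaves the device. Usage: token_sign <document> <signature-out>
token_sign() {
    openssl dgst -sha256 -keyform ENGINE -engine pkcs11 \
        -sign "label_${KEY_LABEL}" -out "$2" "$1"
}

# Export the public half as DER and convert it to PEM.
# Assumption: this OpenSC version writes SubjectPublicKeyInfo DER, which is
# what "openssl rsa -pubin -inform DER" expects; older OpenSC releases may
# write a bare PKCS#1 RSAPublicKey instead. Usage: token_export_pubkey <pem-out>
token_export_pubkey() {
    tmp=$(mktemp)
    pkcs11-tool --module "${PKCS11_MODULE}" --read-object --type pubkey \
        --id "${KEY_ID}" -o "$tmp"
    openssl rsa -pubin -inform DER -in "$tmp" -out "$1"
    rm -f "$tmp"
}

# Verify a detached signature with software OpenSSL only (no engine, no
# token). Returns 0 and prints "Verified OK" on success; returns non-zero
# if either the document or the signature has been altered.
# Usage: verify_detached <pubkey.pem> <document> <signature>
verify_detached() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2"
}

# Full round trip against a real token, run as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    token_keygen
    token_sign consensus consensus.sig
    token_export_pubkey my3072.pub.pem
    verify_detached my3072.pub.pem consensus consensus.sig
fi
```

The verify step is the one worth separating out: once the public key is in PEM form the signature can be checked on a machine that has never seen the board, which is also the cheap way to confirm that a signature really came from the token key rather than from some software key the engine silently fell back to.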