By sprack on Sep 13, 2007
In the OpenSSL demos/sign subdirectory there is a simple demo program (sign.c) that signs and verifies a short message using RSA.
The modifications required in order to offload the RSA operations to the accelerator are fairly simple. At the start of main, the following is required to instruct OpenSSL to leverage the PKCS11 engine:
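/* needs #include <openssl/engine.h> */
ENGINE *e;
ENGINE_load_builtin_engines();  /* register the engines built into libcrypto */
e = ENGINE_by_id("pkcs11");     /* look up the PKCS11 engine */
if(!e) exit(1);                 /* engine not available */
ENGINE_set_default_RSA(e);      /* make it the default for RSA operations */
[For reference, the modified application can be found here]
It's also necessary to use the version of OpenSSL that ships with Solaris: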
cc -fast -I /usr/sfw/include -L /usr/sfw/lib -lcrypto sign.c -o sign.out
You can check that the HW accelerators were utilized via kstat:
kstat -m ncp | grep rsa
If you check the counters before running the test:
kstat -m ncp | grep rsa
rsaprivate 33003
rsapublic 5
and after running the test:
kstat -m ncp | grep rsa
rsaprivate 33004
rsapublic 6
it is apparent that both the sign and verify operations were offloaded to the HW accelerators.
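The before/after comparison above can be scripted so that a silent fallback to software RSA is caught automatically. This is an added example, not part of the original post; the function names kstat_sum and rsa_offloaded are hypothetical, and the sample snapshots are constructed from the counter values shown above.

```shell
#!/bin/sh
# Added example: compare two `kstat -m ncp | grep rsa` snapshots.

# Sum one named counter from kstat-style "name value" lines on stdin.
# Summing covers systems that report more than one ncp instance.
kstat_sum() {
    awk -v name="$1" '$1 == name { total += $2 } END { print total + 0 }'
}

# $1 = snapshot taken before the test, $2 = snapshot taken after.
# Prints the deltas and succeeds only if both RSA counters advanced.
rsa_offloaded() {
    priv_before=$(printf '%s\n' "$1" | kstat_sum rsaprivate)
    priv_after=$(printf '%s\n' "$2" | kstat_sum rsaprivate)
    pub_before=$(printf '%s\n' "$1" | kstat_sum rsapublic)
    pub_after=$(printf '%s\n' "$2" | kstat_sum rsapublic)
    priv_delta=$((priv_after - priv_before))
    pub_delta=$((pub_after - pub_before))
    echo "rsaprivate +$priv_delta rsapublic +$pub_delta"
    [ "$priv_delta" -gt 0 ] && [ "$pub_delta" -gt 0 ]
}

# Constructed snapshots using the counter values from the post.
SAMPLE_BEFORE='rsaprivate 33003
rsapublic 5'
SAMPLE_AFTER='rsaprivate 33004
rsapublic 6'

# Demonstration on the constructed data.
rsa_offloaded "$SAMPLE_BEFORE" "$SAMPLE_AFTER"

# On a live system (same commands as in the post):
#   before=$(kstat -m ncp | grep rsa)
#   ./sign.out
#   after=$(kstat -m ncp | grep rsa)
#   rsa_offloaded "$before" "$after" || echo "RSA was not offloaded" >&2
```

The ncp counters are system-wide, so run the check on an otherwise idle machine; other processes using the accelerator will also advance them.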
Basically, as long as you are using the EVP_ functions, rather than using the low-level OpenSSL functions directly, it is a simple matter to modify an application to use the accelerators.