On 08/31/2009 11:07 PM, Nelson B Bolyard wrote:
> On 2009-08-31 14:49 PDT, Klaus Heinrich Kiwi wrote:
>> Is it possible/feasible to configure NSS to use an external PKCS#11
>> provider and run the test suite to check if everything is running fine?
>
> Yes, certainly. First, tell us
> 1) what crypto functions you expect to offload to the external PKCS#11
> module,

openCryptoki is a generic API that can support multiple hardware types,
so essentially every mechanism supported by PKCS#11 v2.01.
In my specific case (for my specific token type):
* CKM_RSA_* and CKM_DSA_* mechanisms (generate key pair, encrypt,
  decrypt, wrap, unwrap, verify..)
* CKM_DES[3]* mechanisms (generate keys, encrypt, decrypt, wrap, unwrap)
* CKM_SHA*, CKM_MD2* and CKM_MD5* mechanisms (digest)
* CKM_AES* mechanisms (encrypt, decrypt, wrap, unwrap, sign, verify...)
* CKM_SSL3* mechanisms

> 2) what PKCS#11 "mechanisms" are supported by the module

answered above

> 3) Does the module store certificates and private keys?

yes

> 4) Is the module willing to input and output unwrapped symmetric key values?

yes, but we'd also like to test the wrapped-key case (for another token
type)

> Then we can tell you what to do.

Thanks for the help!

>> Are there any tests like 'openssl speed' for NSS?
>
> what does that program do?

It's a simple way to do a speed (benchmark) test covering most algorithms
in openssl. In my case, I can specify the engine to use (-engine ibmca)
and compare it to the native (software) results.

-Klaus
--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto