Skip to content

Instantly share code, notes, and snippets.

@jpmens

jpmens/log.md Secret

Created September 27, 2022 11:12
Show Gist options
  • Save jpmens/9101978adab09cf39acb7b3301abca3a to your computer and use it in GitHub Desktop.
Save jpmens/9101978adab09cf39acb7b3301abca3a to your computer and use it in GitHub Desktop.
SoftHSMv2, SQLite3 backed, with 1000 keys in it.

softhsm 2.6.1 (commit ac70dc398b236e4522101930e790008936489e2d) with sqlite backend

% ./configure --with-objectstore-backend-db --prefix=/usr/local/softhsmv2

uname -m = x86_64
uname -r = 4.18.0-277.el8.x86_64
uname -s = Linux
uname -v = #1 SMP Wed Feb 3 20:35:19 UTC 2021
% cat $OPENSSL_CONF
openssl.cnf
openssl_conf = openssl_init

# JPM

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so
init = 0
PIN = 1234

% cat $SOFTHSM_CONF
directories.tokendir = /usr/local/softhsmv2/var/lib/softhsm/tokens/
objectstore.backend = db
objectstore.umask = 0077

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL

# If the library should reset the state on fork
library.reset_on_fork = false
% /usr/local/softhsmv2/bin/softhsm2-util --init-token --slot 0 --label jptest
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 229861393

% l /usr/local/softhsmv2/var/lib/softhsm/tokens/8fbb4ca5-06a7-2790-81c6-83840db36811/
total 40
-rw-------. 1 root root 40960 Sep 27 10:14 sqlite3.db

% pkcs11-tool --module /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so -l -k --key-type EC:prime256v1 --label jp01.de-ksk --id 10001 --pin 1234
Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-ksk
  ID:         010001
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104ab06f428af26b2855f8f3cf44d24660b5f603bba9cc20fc0e84df9db5571aeb54811299ed4013063f0ea8d6d2cf80e3ec9765d6b16c6b822f0179838f4e480a3
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-ksk
  ID:         010001
  Usage:      encrypt, verify, wrap, derive
  Access:     local
  
% time dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KSK jp01.de
Kjp01.de.+013+42450

real    0m0.078s
user    0m0.031s
sys     0m0.017s

% dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.012
Signatures per second:                 333.333
Runtime in seconds:                      0.066

create lots of keys

% for n in $(seq 1 1000); do time pkcs11-tool --module /usr/local/softhsmv2/lib/softhsm/libsofthsm2.so -l -k --key-type EC:prime256v1 --label jp01.de-$n-ksk --id 200$n --pin 1234; done

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-1-ksk
  ID:         2001
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441043c3e436cea00d7074d37540dcd57218bde835189e9760f96339cac09039a9918$63b0e6ea496bda0f1f0870abe95c041c2149dc2f0d974f15c231c1c19e865b3
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-1-ksk
  ID:         2001
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m0.358s
user    0m0.037s
sys     0m0.035s

...

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-554-ksk
  ID:         200554
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410424545c078f6d75c46243d284a8b9e8d930aac2cd4146b7f9bf3c083208ab1496eb05c35480940321dd3909762d4ca40371711d43764b70c91dd452b8db65bda8
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-554-ksk
  ID:         200554
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m1.092s
user    0m0.766s
sys     0m0.056s

...

Using slot 0 with a present token (0xdb36811)
Key pair generated:
Private Key Object; EC
  label:      jp01.de-1000-ksk
  ID:         02001000
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f5aca558cc8d18f433aa0ccd1812d8257f5c4444486a30a5617f56ad1fb6f5dfaa44244f3168d43a71bfcd7e11c58eb8466b8382abbb17bf1e3d8bac73bdc4cd
  EC_PARAMS:  06082a8648ce3d030107
  label:      jp01.de-1000-ksk
  ID:         02001000
  Usage:      encrypt, verify, wrap, derive
  Access:     local

real    0m1.455s
user    0m1.094s
sys     0m0.059s


% l /usr/local/softhsmv2/var/lib/softhsm/tokens/8fbb4ca5-06a7-2790-81c6-83840db36811/
total 1096
-rw-------. 1 root root 1122304 Sep 27 10:34 sqlite3.db

% mv Kjp01.de.+013+42450.* old/

% time dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KS
K jp01.de
Kjp01.de.+013+42450

real    3m36.381s
user    3m8.400s
sys     0m6.344s

% dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.013
Signatures per second:                 307.692
Runtime in seconds:                    228.086

% strace -o str.keyfromlabel dnssec-keyfromlabel -E pkcs11 -a 13 -l "token=jptest;object=jp01.de-ksk" -f KSK jp01.de
Kjp01.de.+013+42450

% wc -l str.keyfromlabel
1876123 str.keyfromlabel

% grep -c ENOENT str.keyfromlabel
428717

% grep  ENOENT str.keyfromlabel  | tail -6
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-journal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)
stat("/usr/local/softhsmv2/var/lib/softhsm/tokens//8fbb4ca5-06a7-2790-81c6-83840db36811/sqlite3.db-wal", 0x7ffc6db57170) = -1 ENOENT (No such file or directory)


% grep -c stat str.keyfromlabel
655138

% strace -o str.signzone dnssec-signzone -E pkcs11 -t -z -S -o jp01.de jp01.de
Fetching jp01.de/ECDSAP256SHA256/42450 (KSK) from key repository.
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 0 active, 0 stand-by, 0 revoked
jp01.de.signed
Signatures generated:                        4
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.017
Signatures per second:                 235.294
Runtime in seconds:                    299.037

% wc -l str.signzone
1876286 str.signzone

% grep -c ENOENT str.signzone
428726
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment