Menu
▾
▴
Re: [SignServer-develop] HSM slow
|
From: Markus K. <ma...@pr...> - 2014-06-04 08:16:58
|
On 2014-05-29 21:35, Antoine Louiset wrote:
> Hi Markus !
>
> It works now. Thanks a lot, when the keys are already generated, the
> signatures are immediate.
>
> The key generation is quite long and it seems that it depends to the
> number of keys present in the HSM. In the case of PKCS11Cryptotoken, the
> key generation is done by Cesecore.
>
> Do you know if I could accelerate this process ? Do you know if keys are
> reload systematically just for generation ? Could the shared library
> responsible of that ?
I made a quick look through the code, see below some of the noteworthy
methods called. The only think I discovered that would cause the time to
increase with an increased number of keys is in
P11KeyStore.engineSetEntry where it iterates over existing keys to check
that the new key alias does not already exist. Not sure if this could be
the reason though. I could also have missed something.
---
cesecore.PKCS11CryptoToken.generateKeyPair(keySpec,alias)
-> cesecore.KeyStoreTools.generateKeyPair(keySpec, alias);
KeyPairGenerator.getInstance(algorithm, this.providerName)
kpg.initialize(spec);
-> generateKeyPair(kpg, keyEntryName, sigAlg);
KeyPair keyPair = kpg.generateKeyPair()
-> setKeyEntry(keyEntryName, keyPair.getPrivate(),chain);
KeyStore.setKeyEntry(alias, key, null, chain);
-> keyStoreSpi.engineSetKeyEntry(alias,key,password,chain);
-> P11KeyStore.engineSetEntry(alias, entry, PasswordProt);
Iterates over existing aliases.
-> storePkey(alias, pke)
-> storeChain(alias, X509Certificate[]);
---
Let me know if you make some more progress.
Cheers,
Markus
>
> Thanks !
>
>
> Antoine
>
> Le 29/04/2014 11:48, Antoine Louiset a écrit :
>> Call activation method of the cryptotoken
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
