Re: [SignServer-develop] HSM slow

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Markus,

To close this discussion, you were right and I can not change it because 
it is a Java Security Class.

Have a nice day !

Antoine

Le 04/06/2014 10:16, Markus Kilås a écrit :
> On 2014-05-29 21:35, Antoine Louiset wrote:
>> Hi Markus !
>>
>> It works now. Thanks a lot, when the keys are already generated, the
>> signatures are immediate.
>>
>> The key generation is quite long and it seems that it depends to the
>> number of keys present in the HSM. In the case of PKCS11Cryptotoken, the
>> key generation is done by Cesecore.
>>
>> Do you know if I could accelerate this process ? Do you know if keys are
>> reload systematically just for generation ? Could the shared library
>> responsible of that ?
> I made a quick look through the code, see below some of the noteworthy
> methods called. The only think I discovered that would cause the time to
> increase with an increased number of keys is in
> P11KeyStore.engineSetEntry where it iterates over existing keys to check
> that the new key alias does not already exist. Not sure if this could be
> the reason though. I could also have missed something.
>
> ---
> cesecore.PKCS11CryptoToken.generateKeyPair(keySpec,alias)
>    -> cesecore.KeyStoreTools.generateKeyPair(keySpec, alias);
>      KeyPairGenerator.getInstance(algorithm, this.providerName)
>      kpg.initialize(spec);
>      -> generateKeyPair(kpg, keyEntryName, sigAlg);
>        KeyPair keyPair = kpg.generateKeyPair()
>        -> setKeyEntry(keyEntryName, keyPair.getPrivate(),chain);
>          KeyStore.setKeyEntry(alias, key, null, chain);
>             -> keyStoreSpi.engineSetKeyEntry(alias,key,password,chain);
>              -> P11KeyStore.engineSetEntry(alias, entry, PasswordProt);
>              Iterates over existing aliases.
>              -> storePkey(alias, pke)
>                -> storeChain(alias, X509Certificate[]);
> ---
>
> Let me know if you make some more progress.
>
>
> Cheers,
> Markus
>
>> Thanks !
>>
>>
>> Antoine
>>
>> Le 29/04/2014 11:48, Antoine Louiset a écrit :
>>> Call activation method of the cryptotoken
>
>