APPENDIX C

Building PKCS#11 Applications for Use With the Sun Crypto Accelerator 1000 Board

This appendix describes how to build customized PKCS#11 applications to be used with the board.

The Sun Crypto Accelerator 1000 is registered in the Solaris Cryptographic Framework as a hardware provider, so the board can be administered with the standard system commands. Refer to the Solaris Cryptographic Services section in the Solaris 10 System Administration Guide: Security Services.

The Solaris Cryptographic Framework provides a PKCS#11 interface. The Sun Crypto Accelerator 1000 is registered with two PKCS#11 slots. The first slot supports the CKM_DES_CBC and CKM_DES3_CBC mechanisms and the second supports the CKM_DSA, CKM_RSA_PKCS, and CKM_RSA_X_509 mechanisms. Advanced users can develop PKCS#11 applications that use this interface to access the Sun Crypto Accelerator 1000 slots and take advantage of hardware acceleration.

The following table summarizes the PKCS#11 mechanisms and the corresponding key ranges:


TABLE C-1   PKCS#11 Mechanisms and Key Ranges

Mechanism        Key Ranges
---------------  ----------------
CKM_DES_CBC      8 bytes
CKM_DES3_CBC     24 bytes
CKM_DSA          512 - 1024 bits
CKM_RSA_PKCS     256 - 2048 bits
CKM_RSA_X_509    256 - 2048 bits


The sample PKCS#11 source code given below prints out the PKCS#11 slots in the system. The following is the sample output from this program; 3 slots were detected.

The slots with dca/0 are from the Sun Crypto Accelerator 1000.

There are two ways to use the Sun Crypto Accelerator 1000 through the PKCS#11 interface. The first is to use the Sun Metaslot. The Sun Metaslot will use the board for the mechanisms it supports and use its own internal implementations for other mechanisms. The Sun Metaslot also supports load balancing, failover, and so on. For more details, please refer to the Sun Metaslot documentation.

The second is to use the Sun Crypto Accelerator 1000 slots directly. In this case, the application is limited to the five mechanisms listed above.
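As an added example (not code from the original appendix or from Sun), the following C program shows how an application that uses the board slots directly can choose the slot for a given mechanism by querying C_GetMechanismInfo and checking the CKF_HW flag and the key-size range from Table C-1, instead of hard-coding slot numbers. It compiles stand-alone against constructed slot data; fake_get_info, pick and select_hw_slot are assumed names, and on a Solaris system the real C_GetMechanismInfo from libpkcs11 can be passed to select_hw_slot unchanged.

```c
#include <stddef.h>
/* Minimal PKCS#11 types and constants (values from pkcs11t.h) so this file compiles
 * stand-alone; on Solaris include <security/cryptoki.h> instead of these lines. */
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_MECHANISM_TYPE, CK_FLAGS;
typedef struct { CK_ULONG ulMinKeySize, ulMaxKeySize; CK_FLAGS flags; } CK_MECHANISM_INFO;
enum { CKR_OK = 0x00, CKR_MECHANISM_INVALID = 0x70, CKF_HW = 0x01 };
enum { CKM_RSA_PKCS = 0x001, CKM_RSA_X_509 = 0x003, CKM_DSA = 0x011,
       CKM_DES_CBC = 0x122, CKM_DES3_CBC = 0x133 };
/* Same signature as the library's C_GetMechanismInfo, so on Solaris the real
 * function can be passed in unchanged. */
typedef CK_RV (*mech_info_fn)(CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO *);
/* Return the first slot that reports the mechanism, flags it as hardware (CKF_HW, so
 * a software implementation is never chosen by mistake) and whose key range covers
 * key_size. key_size is in the mechanism's own unit: bytes for DES/DES3, bits for
 * RSA/DSA, exactly as in Table C-1. Returns -1 when no slot qualifies. */
long select_hw_slot(mech_info_fn get_info, const CK_SLOT_ID *slots, size_t n,
                    CK_MECHANISM_TYPE mech, CK_ULONG key_size)
{
    size_t i;
    for (i = 0; i < n; i++) {
        CK_MECHANISM_INFO mi;
        if (get_info(slots[i], mech, &mi) != CKR_OK) continue; /* slot lacks mechanism */
        if (!(mi.flags & CKF_HW)) continue;
        if (key_size < mi.ulMinKeySize || key_size > mi.ulMaxKeySize) continue;
        return (long)slots[i];
    }
    return -1;
}
/* Constructed stand-in for C_GetMechanismInfo: board slots 1 and 2 carry the
 * mechanisms and ranges of Table C-1; slot 0 is an assumed software-only slot. */
static CK_RV fake_get_info(CK_SLOT_ID slot, CK_MECHANISM_TYPE mech, CK_MECHANISM_INFO *mi)
{
    static const struct { CK_SLOT_ID s; CK_MECHANISM_TYPE m; CK_ULONG lo, hi, f; } t[] = {
        { 1, CKM_DES_CBC, 8, 8, CKF_HW },        { 1, CKM_DES3_CBC, 24, 24, CKF_HW },
        { 2, CKM_DSA, 512, 1024, CKF_HW },       { 2, CKM_RSA_PKCS, 256, 2048, CKF_HW },
        { 2, CKM_RSA_X_509, 256, 2048, CKF_HW }, { 0, CKM_RSA_PKCS, 512, 4096, 0 },
    };
    size_t i;
    for (i = 0; i < sizeof t / sizeof t[0]; i++)
        if (t[i].s == slot && t[i].m == mech) {
            mi->ulMinKeySize = t[i].lo; mi->ulMaxKeySize = t[i].hi; mi->flags = t[i].f;
            return CKR_OK;
        }
    return CKR_MECHANISM_INVALID;
}
/* Wrapper over the constructed slot list {0, 1, 2}, as C_GetSlotList would return it. */
long pick(CK_MECHANISM_TYPE mech, CK_ULONG key_size)
{
    static const CK_SLOT_ID slots[] = { 0, 1, 2 };
    return select_hw_slot(fake_get_info, slots, 3, mech, key_size);
}
```

A request that no board slot can serve (for example a 4096-bit RSA key, which only the software slot covers) yields -1 rather than a later CKR_MECHANISM_INVALID or CKR_KEY_SIZE_RANGE from the board.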

The following provides a sample of PKCS#11 source code.


CODE EXAMPLE C-1 Sample PKCS#11 source code
#include <stdio.h>
#include <stdlib.h>
#include <security/cryptoki.h>

int
main(int argc, char **argv)
{
	CK_RV			rv;
	CK_ULONG		i;
	CK_SLOT_ID_PTR		pSlotList;
	CK_SLOT_INFO		slotInfo;
	CK_ULONG		ulSlotCount;

	rv = C_Initialize(NULL_PTR);
	if (rv != CKR_OK) {
		printf("C_Initialize failed with code 0x%lx\n", (unsigned long)rv);
		exit(1);
	}

	/* First call with a NULL list: only the number of slots is returned. */
	rv = C_GetSlotList(CK_TRUE, NULL_PTR, &ulSlotCount);
	if (rv != CKR_OK) {
		printf("C_GetSlotList failed with code 0x%lx\n", (unsigned long)rv);
		C_Finalize(NULL_PTR);
		exit(1);
	}

	if (ulSlotCount == 0) {
		printf("No PKCS#11 slots found.\n");
		C_Finalize(NULL_PTR);
		exit(1);
	}

	pSlotList = (CK_SLOT_ID_PTR) malloc(ulSlotCount * sizeof (CK_SLOT_ID));
	if (pSlotList == NULL) {
		printf("System out of memory.\n");
		C_Finalize(NULL_PTR);
		exit(1);
	}

	/* Second call fills in the IDs of the slots that have a token present. */
	rv = C_GetSlotList(CK_TRUE, pSlotList, &ulSlotCount);
	if (rv != CKR_OK) {
		printf("C_GetSlotList failed with code 0x%lx\n", (unsigned long)rv);
		free(pSlotList);
		C_Finalize(NULL_PTR);
		exit(1);
	}

	printf("%lu slots were detected\n", (unsigned long)ulSlotCount);

	for (i = 0; i < ulSlotCount; i++) {
		rv = C_GetSlotInfo(pSlotList[i], &slotInfo);
		if (rv != CKR_OK) {
			printf("%lu. Could not get Slot Info\n", (unsigned long)i);
		} else {
			/*
			 * slotDescription is a 64-byte, space-padded field that
			 * is not NUL terminated, so bound the width when printing.
			 */
			printf("Slot: %lu\tDescription: %.64s\n",
			    (unsigned long)pSlotList[i], slotInfo.slotDescription);
		}
	}

	free(pSlotList);
	C_Finalize(NULL_PTR);
	return (0);
}

This code can be compiled using the following command on a Solaris 10 system.


cc -o test test.c -lpkcs11

The pkcs11 libraries are /usr/lib/libpkcs11.so (32-bit mode) and /usr/lib/sparcv9/libpkcs11.so (64-bit mode).