Examples

Before using BoringSSL to call KAE, install KAE, compile BoringSSL, and select a calling method. This section provides two examples.

Prerequisites

Install KAE by referring to Installation Using Source Code.

Compile and install KAEOpensslEngine. The BoringSSL source code path is required.
sh build.sh engine_boringssl /opt/boringssl

Installing BoringSSL

  1. Download the BoringSSL source package, copy the source package to a custom path (for example, /opt/boringssl), and decompress the package.
  2. Compile and install it.
    By default, BoringSSL is compiled in debug mode. To compile BoringSSL in release mode, add -DCMAKE_BUILD_TYPE=Release.
    cmake -DCMAKE_BUILD_TYPE=Release  -B build -DBUILD_SHARED_LIBS=1
    make -C build -j
    cd build
    make install
  3. Check whether the installation is successful.
    After the installation using make install is complete, the install directory is generated in the BoringSSL source code path. Check the files in the install directory.
    ll /opt/boringssl/install/
    
    The installation is successful if the following information is displayed:
    total 16
    drwxr-xr-x. 3 root root 4096 Apr  8 11:41 bin
    drwxr-xr-x. 3 root root 4096 Apr  8 09:14 include
    drwxr-xr-x. 3 root root 4096 Apr  8 09:14 lib
    drwxr-xr-x. 2 root root 4096 Apr  8 09:14 lib64

Method 1: Calling APIs in Service Code

Prerequisites: The KAE header file and dynamic library need to be linked during service code compilation.
  • Header file: /usr/local/boringssl/include/kae_bssl.h
  • Dynamic library: /usr/local/boringssl/lib/engines-1.1/kae_bssl.so

Example

For details, refer to the testsuit_rsa.cpp file. This file provides the sample code for calling KAE through the ENGINE_init_kae and ENGINE_free_kae interfaces. The file path is KAEOpensslEngine/test/bssl_test/src/rsa/. Procedure:

  1. Set the lookup paths for the KAE and BoringSSL dynamic libraries.
    export LD_LIBRARY_PATH=/usr/local/boringssl/lib/engines-1.1:/opt/boringssl/install/lib64
  2. Go to the Makefile file path and open the Makefile script.
    cd KAE/KAEOpensslEngine/test/bssl_test/src
    vi Makefile
  3. Press i to enter the insert mode, and set -I in line 26 to the BoringSSL header file path and -L in line 28 to the BoringSSL dynamic library path.

    Press Esc, type :wq!, and press Enter to save the file and exit.

  4. Go to the test script path and run build.sh. The script will automatically compile the testsuit_rsa.cpp file.
    cd ../
    sh build.sh
  5. Run the test case.
    cd src
    ./kaedemo

Method 2: Modifying the BoringSSL Source Code

Prerequisites: The KAE header file and dynamic library need to be linked during service code compilation.
  • bssl_add_kae_support.patch provided by KAE applies only to BoringSSL 0.20250311.0. If BoringSSL of another version is used, modify the patch and then apply it. The modification points are described in detail in the patch, which requires only minor effort. (Plus signs (+) in the patch file indicate new content, and minus signs (-) indicate content to be deleted. You can refer to the context to locate the modifications.)
  • Header file: /usr/local/boringssl/include/kae_bssl.h
  • Dynamic library: /usr/local/boringssl/lib/engines-1.1/kae_bssl.so

  1. Download the BoringSSL source code again.
  2. Copy bssl_add_kae_support.patch to the new BoringSSL source code directory. The path to the patch is KAEOpensslEngine/patch/bssl_add_kae_support.patch.
  3. Run the cd command to go to the BoringSSL source code directory.
  4. Apply the bssl_add_kae_support.patch file.
    patch -Np1 < ../bssl_add_kae_support.patch
  5. Build BoringSSL source code with -DENABLE_KAE=ON.
    cmake -DENABLE_KAE=ON -DCMAKE_BUILD_TYPE=Release  -B build -DBUILD_SHARED_LIBS=1
  6. Perform compilation and installation.
    make -C build -j
    cd build
    make install

Example

After BoringSSL is compiled and installed, run the bssl command to perform a performance test. The command is in the install/bin directory of BoringSSL source code. Table 1 describes the parameters of the bssl command.
Table 1 bssl command description

  Parameter   Description
  -filter     Selects an algorithm.
  -timeout    Specifies the test item running time.

The following describes how to use bssl speed to perform performance tests. Compare the signature performance results of bssl with and without KAE.

  • Without KAE: BoringSSL before the patch is applied
    1. Set the path to the KAE and BoringSSL dynamic libraries.
      export LD_LIBRARY_PATH=/opt/boringssl/install/lib64
    2. Go to the bssl command path and run the test command.
      cd /opt/boringssl/install/bin
      ./bssl speed -filter RSA -timeout 6
      Command output:
      Did 4823 RSA 2048 signing operations in 6019561us (801.2 ops/sec)
      Did 202000 RSA 2048 verify (same key) operations in 6010664us (33606.9 ops/sec)
      Did 173000 RSA 2048 verify (fresh key) operations in 6005633us (28806.3 ops/sec)
      Did 28148 RSA 2048 private key parse operations in 6000050us (4691.3 ops/sec)
      Did 1650 RSA 3072 signing operations in 6006562us (274.7 ops/sec)
      Did 95000 RSA 3072 verify (same key) operations in 6010544us (15805.6 ops/sec)
      Did 85000 RSA 3072 verify (fresh key) operations in 6022383us (14114.0 ops/sec)
      Did 14204 RSA 3072 private key parse operations in 6050679us (2347.5 ops/sec)
      Did 750 RSA 4096 signing operations in 6039070us (124.2 ops/sec)
      Did 54808 RSA 4096 verify (same key) operations in 6075612us (9021.0 ops/sec)
      Did 49600 RSA 4096 verify (fresh key) operations in 6001654us (8264.4 ops/sec)
      Did 10004 RSA 4096 private key parse operations in 6073923us (1647.0 ops/sec)

      This run uses the RSA implementation of BoringSSL before the patch is applied. The RSA 2048 signing performance is 801.2 ops/sec, the RSA 3072 signing performance is 274.7 ops/sec, and the RSA 4096 signing performance is 124.2 ops/sec.

  • With KAE: BoringSSL after the patch is applied
    1. Set the path to the KAE and BoringSSL (with the patch applied) dynamic libraries.
      export LD_LIBRARY_PATH=/usr/local/boringssl/lib/engines-1.1:/opt/patch/boringssl/install/lib64
    2. Go to the bssl command path and run the test command.
      cd /opt/patch/boringssl/install/bin
      ./bssl speed -filter RSA -timeout 6
      Command output:
      Did 19536 RSA 2048 signing operations in 6020015us (3245.2 ops/sec)
      Did 202000 RSA 2048 verify (same key) operations in 6022999us (33538.1 ops/sec)
      Did 171250 RSA 2048 verify (fresh key) operations in 6020358us (28445.2 ops/sec)
      Did 32760 RSA 2048 private key parse operations in 6083206us (5385.3 ops/sec)
      Did 7215 RSA 3072 signing operations in 6035497us (1195.4 ops/sec)
      Did 95000 RSA 3072 verify (same key) operations in 6013634us (15797.4 ops/sec)
      Did 85625 RSA 3072 verify (fresh key) operations in 6033388us (14191.9 ops/sec)
      Did 14410 RSA 3072 private key parse operations in 6108017us (2359.2 ops/sec)
      Did 3268 RSA 4096 signing operations in 6030206us (541.9 ops/sec)
      Did 54303 RSA 4096 verify (same key) operations in 6016396us (9025.8 ops/sec)
      Did 49749 RSA 4096 verify (fresh key) operations in 6018416us (8266.1 ops/sec)
      Did 9072 RSA 4096 private key parse operations in 6080936us (1491.9 ops/sec)

      After the patch is applied to BoringSSL, the RSA 2048 signing performance is 3245.2 ops/sec, the RSA 3072 signing performance is 1195.4 ops/sec, and the RSA 4096 signing performance is 541.9 ops/sec. The RSA signing performance is significantly improved.
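
The comparison above can be scripted so that every operation line is checked, not only the signing lines. The following is an added example, not part of KAE or BoringSSL: it parses two saved bssl speed outputs and prints the with-KAE to without-KAE ratio per operation. The function names, the file names without_kae.txt and with_kae.txt, and the temporary directory are assumptions; the sample lines are a subset of the command output shown on this page.

```shell
#!/bin/sh
# Added example (not part of KAE or BoringSSL): compare two saved
# `bssl speed` outputs and report the with-KAE / without-KAE ratio.

# speedup BASELINE_FILE KAE_FILE
# Prints one tab-separated line per operation found in both files:
#   <operation> <baseline ops/sec> <KAE ops/sec> <ratio>
speedup() {
    awk '
        # Matches: Did 4823 RSA 2048 signing operations in 6019561us (801.2 ops/sec)
        /^ *Did [0-9]+ .* operations in [0-9]+us \(/ {
            line = $0
            sub(/^ *Did [0-9]+ /, "", line)            # drop the operation count
            op = line;   sub(/ operations in .*/, "", op)
            rate = line; sub(/.*\(/, "", rate); sub(/ ops\/sec\).*/, "", rate)
            if (FILENAME == ARGV[1]) { base[op] = rate; order[++n] = op }
            else                     { kae[op] = rate }
        }
        END {
            for (i = 1; i <= n; i++) {
                op = order[i]
                if (!(op in kae) || base[op] + 0 == 0) continue   # skip unmatched rows
                printf "%s\t%s\t%s\t%.2f\n", op, base[op], kae[op], kae[op] / base[op]
            }
        }
    ' "$1" "$2"
}

# write_samples DIR: writes a subset of the command output shown on this page.
# The file names are assumptions made for this example.
write_samples() {
    cat > "$1/without_kae.txt" <<'EOF'
Did 4823 RSA 2048 signing operations in 6019561us (801.2 ops/sec)
Did 202000 RSA 2048 verify (same key) operations in 6010664us (33606.9 ops/sec)
Did 750 RSA 4096 signing operations in 6039070us (124.2 ops/sec)
EOF
    cat > "$1/with_kae.txt" <<'EOF'
Did 19536 RSA 2048 signing operations in 6020015us (3245.2 ops/sec)
Did 202000 RSA 2048 verify (same key) operations in 6022999us (33538.1 ops/sec)
Did 3268 RSA 4096 signing operations in 6030206us (541.9 ops/sec)
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
speedup "$demo_dir/without_kae.txt" "$demo_dir/with_kae.txt"
rm -rf "$demo_dir"
```

To use it on real runs, redirect each ./bssl speed invocation to a file and pass the two files to speedup, baseline first.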