Add different certificate signature algorithms to benchmarks #4080

Merged
merged 16 commits into from
Jul 25, 2023
1 change: 1 addition & 0 deletions bindings/rust/bench/.gitignore
@@ -0,0 +1 @@
*.pem
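Review bot: `*.pem` covers the generated keys and certificates, but `openssl x509 -CAcreateserial` in `certs/generate_certs.sh` also writes a `ca-cert.srl` file into each `certs/<family><bits>/` directory, and that file is neither ignored here nor removed by the script's cleanup step; either add `*.srl` to this ignore list or delete `ca-cert.srl` alongside `ca-key.pem` in the script.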
4 changes: 2 additions & 2 deletions bindings/rust/bench/README.md
@@ -4,7 +4,7 @@ We use to Criterion.rs to benchmark s2n-tls against two commonly used TLS librar

## Setup

Setup is easy! Just have OpenSSL installed and generate Rust bindings for s2n-tls using `bindings/rust/generate.sh`.
Setup is easy! Just have OpenSSL installed, generate Rust bindings for s2n-tls using `../generate.sh`, and generate certs using `certs/generate_certs.sh`.

## Running benchmarks

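Review bot: The new Setup sentence should say that generating certs is now mandatory rather than one more item in the list: the checked-in `certs/*.pem` files are deleted in this PR and `*.pem` is gitignored, so the benches cannot load any certificate until `certs/generate_certs.sh` has been run. Something like "The benches will not run until the certs have been generated" after the existing sentence makes that explicit.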
@@ -20,7 +20,7 @@ To remove external factors, we use custom IO with our benchmarks, bypassing the

### Certificate generation

All certs are stored in `certs/` and can be regenerated using `certs/generate_certs.sh`. There is one root cert that directly signs the server and client certs that are used in benchmarking. Currently, we use ECDSA with `secp384r1`.
There is one root cert that directly signs the server and client certs that are used in benchmarking. We currently bench RSA and ECDSA certs.

### Negotiation parameters

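Review bot: The replaced sentence dropped the information about where the certs live, and the new layout is more structured than the old one: one directory per key family and size under `certs/` (`ec384/`, `rsa2048/`, `rsa3072/`, `rsa4096/`, matching the `cert-gen` calls at the end of `generate_certs.sh`), each holding its own root CA plus server and client certs. "We currently bench RSA and ECDSA certs" could name the sizes, e.g. "We currently bench RSA 2048, 3072 and 4096 and ECDSA P-384 certs, each generated into its own directory under `certs/` by `certs/generate_certs.sh`".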
49 changes: 30 additions & 19 deletions bindings/rust/bench/benches/handshake.rs
@@ -2,10 +2,12 @@
// SPDX-License-Identifier: Apache-2.0

use bench::{
CryptoConfig,
CipherSuite, CryptoConfig,
ECGroup::{self, *},
HandshakeType::{self, *},
OpenSslHarness, RustlsHarness, S2NHarness, TlsBenchHarness,
OpenSslHarness, RustlsHarness, S2NHarness,
SigType::{self, *},
TlsBenchHarness,
};
use criterion::{
criterion_group, criterion_main, measurement::WallTime, BatchSize, BenchmarkGroup, Criterion,
@@ -17,15 +19,13 @@ pub fn bench_handshake_params(c: &mut Criterion) {
bench_group: &mut BenchmarkGroup<WallTime>,
handshake_type: HandshakeType,
ec_group: ECGroup,
sig_type: SigType,
) {
bench_group.bench_function(type_name::<T>(), |b| {
b.iter_batched_ref(
|| {
T::new(
CryptoConfig {
cipher_suite: Default::default(),
ec_group,
},
CryptoConfig::new(CipherSuite::default(), ec_group, sig_type),
handshake_type,
)
.unwrap()
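Review bot: The `.unwrap()` on `T::new(...)` at the end of this hunk now runs once per handshake type, EC group and signature type combination, so a panic here (most likely a missing or unreadable cert directory for one `sig_type`) names neither the harness nor the combination that failed. Consider `.expect(&format!("{} {:?} {:?} {:?}", type_name::<T>(), handshake_type, ec_group, sig_type))`, or returning the error from the setup closure, so the failing cert set is identifiable from the panic message.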
@@ -40,19 +40,30 @@ pub fn bench_handshake_params(c: &mut Criterion) {

for handshake_type in [ServerAuth, MutualAuth] {
for ec_group in [SECP256R1, X25519] {
let mut bench_group =
c.benchmark_group(format!("handshake-{:?}-{:?}", handshake_type, ec_group));
bench_handshake_for_library::<S2NHarness>(&mut bench_group, handshake_type, ec_group);
bench_handshake_for_library::<RustlsHarness>(
&mut bench_group,
handshake_type,
ec_group,
);
bench_handshake_for_library::<OpenSslHarness>(
&mut bench_group,
handshake_type,
ec_group,
);
for sig_type in [Rsa2048, Rsa3072, Rsa4096, Ec384] {
let mut bench_group = c.benchmark_group(format!(
"handshake-{:?}-{:?}-{:?}",
handshake_type, ec_group, sig_type
));
bench_handshake_for_library::<S2NHarness>(
&mut bench_group,
handshake_type,
ec_group,
sig_type,
);
bench_handshake_for_library::<RustlsHarness>(
&mut bench_group,
handshake_type,
ec_group,
sig_type,
);
bench_handshake_for_library::<OpenSslHarness>(
&mut bench_group,
handshake_type,
ec_group,
sig_type,
);
}
}
}
}
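Review bot: The list `[Rsa2048, Rsa3072, Rsa4096, Ec384]` on the new inner loop has to stay in sync with the `cert-gen ec 384` / `cert-gen rsa 2048` / `cert-gen rsa 3072` / `cert-gen rsa 4096` calls at the bottom of `certs/generate_certs.sh`; a comment on that line pointing at the script, or a single shared list of sig types that both the benches and the cert lookup consume, would keep the two from drifting apart when a new algorithm is added. Style only: the three `bench_handshake_for_library::<...>` calls differ solely in the harness type, so a small macro over the harness list would halve this hunk.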
10 changes: 4 additions & 6 deletions bindings/rust/bench/benches/throughput.rs
@@ -3,7 +3,8 @@

use bench::{
CipherSuite::{self, *},
CryptoConfig, OpenSslHarness, RustlsHarness, S2NHarness, TlsBenchHarness,
CryptoConfig, ECGroup, HandshakeType, OpenSslHarness, RustlsHarness, S2NHarness, SigType,
TlsBenchHarness,
};
use criterion::{
criterion_group, criterion_main, measurement::WallTime, BatchSize, BenchmarkGroup, Criterion,
@@ -24,11 +25,8 @@ pub fn bench_throughput_cipher_suite(c: &mut Criterion) {
b.iter_batched_ref(
|| {
let mut harness = T::new(
CryptoConfig {
cipher_suite,
ec_group: Default::default(),
},
Default::default(),
CryptoConfig::new(cipher_suite, ECGroup::default(), SigType::default()),
HandshakeType::default(),
)
.unwrap();
harness.handshake().unwrap();
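Review bot: `SigType::default()` in the new `CryptoConfig::new(...)` call silently decides which certificate the throughput benches load, and nothing in this file or in the benchmark group name records which one that is. Because the handshake happens in the setup closure (`harness.handshake().unwrap()` above) the choice does not enter the measured region, but a comment stating the default sig type next to this line, or naming it explicitly instead of relying on `Default`, keeps the throughput results reproducible if the default is changed later.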
22 changes: 0 additions & 22 deletions bindings/rust/bench/certs/ca-cert.pem

This file was deleted.

22 changes: 0 additions & 22 deletions bindings/rust/bench/certs/client-cert.pem

This file was deleted.

44 changes: 0 additions & 44 deletions bindings/rust/bench/certs/client-fullchain.pem

This file was deleted.

6 changes: 0 additions & 6 deletions bindings/rust/bench/certs/client-key.pem

This file was deleted.

67 changes: 45 additions & 22 deletions bindings/rust/bench/certs/generate_certs.sh
@@ -6,36 +6,59 @@
# immediately bail if any command fails
set -e

# go to directory script is located in
pushd "$(dirname "$0")"

echo "generating CA private key and certificate"
openssl req -nodes -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 65536 -config config/ca.cnf
# Generates certs with given algorithms and bits in $1$2/, ex. ec384/
# $1: rsa or ec
# $2: number of bits
cert-gen () {
echo -e "\n----- generating certs for $1$2 -----\n"

# secp384r1 is an arbitrarily chosen curve that is supported by the default
# security policy in s2n-tls.
# https://github.com/aws/s2n-tls/blob/main/docs/USAGE-GUIDE.md#chart-security-policy-version-to-supported-curvesgroups
echo "generating server private key and CSR"
openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server-key.pem -out server.csr -config config/server.cnf
key_family=$1
key_size=$2

echo "generating client private key and CSR"
openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout client-key.pem -out client.csr -config config/client.cnf
# set openssl argument name
if [[ $key_family == rsa ]]; then
local argname=rsa_keygen_bits:
elif [[ $key_family == ec ]]; then
local argname=ec_paramgen_curve:P-
fi

echo "generating server certificate and signing it"
openssl x509 -days 65536 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extensions req_ext -extfile config/server.cnf
# make directory for certs
mkdir -p $key_family$key_size
cd $key_family$key_size

echo "generating client certificate and signing it"
openssl x509 -days 65536 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extensions req_ext -extfile config/client.cnf
echo "generating CA private key and certificate"
openssl req -new -nodes -x509 -newkey $key_family -pkeyopt $argname$key_size -keyout ca-key.pem -out ca-cert.pem -days 65536 -config ../config/ca.cnf

echo "verifying generated certificates"
openssl verify -CAfile ca-cert.pem server-cert.pem
openssl verify -CAfile ca-cert.pem client-cert.pem
echo "generating server private key and CSR"
openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout server-key.pem -out server.csr -config ../config/server.cnf

cat server-cert.pem ca-cert.pem > server-fullchain.pem
cat client-cert.pem ca-cert.pem > client-fullchain.pem
echo "generating client private key and CSR"
openssl req -new -nodes -newkey $key_family -pkeyopt $argname$key_size -keyout client-key.pem -out client.csr -config ../config/client.cnf

echo "cleaning up temporary files"
rm server.csr
rm client.csr
rm ca-key.pem
echo "generating server certificate and signing it"
openssl x509 -days 65536 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extensions req_ext -extfile ../config/server.cnf

echo "generating client certificate and signing it"
openssl x509 -days 65536 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extensions req_ext -extfile ../config/client.cnf

echo "verifying generated certificates"
openssl verify -CAfile ca-cert.pem server-cert.pem
openssl verify -CAfile ca-cert.pem client-cert.pem

echo "cleaning up temporary files"
rm server.csr
rm client.csr
rm ca-key.pem

cd ..
}

cert-gen ec 384
cert-gen rsa 2048
cert-gen rsa 3072
cert-gen rsa 4096

Contributor @maddeleine Jul 21, 2023

It might be time to add a clean function in this script that deletes all the generated pems. I'm thinking something like:

./generate_certs.sh clean

Do you think that would be useful? Otherwise the PR lgtm.

Contributor Author


I think it wouldn't hurt, and the control flow is fairly easy to understand; just added it.

popd
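Review bot: The `if [[ $key_family == rsa ]] ... elif [[ $key_family == ec ]]` block in `cert-gen` has no `else`, so a call with any other family (or a typo such as `cert-gen rsa2048`) leaves `argname` empty and every `openssl req` line receives `-pkeyopt $key_size`, e.g. `-pkeyopt 384`, which fails with an openssl option error rather than a message naming the bad argument; add `else echo "unknown key family: $key_family" >&2; return 1; fi` and declare `local argname` once before the `if`. Two smaller points in the same function: `-CAcreateserial` writes `ca-cert.srl` into each `$key_family$key_size/` directory and the cleanup block (`rm server.csr`, `rm client.csr`, `rm ca-key.pem`) does not remove it, so it should be added there and to the `clean` sub-command discussed above; and `mkdir -p $key_family$key_size` / `cd $key_family$key_size` are unquoted, harmless with the fixed arguments used at the bottom of the script but worth quoting for consistency with `"$(dirname "$0")"` at the top.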
22 changes: 0 additions & 22 deletions bindings/rust/bench/certs/server-cert.pem

This file was deleted.

44 changes: 0 additions & 44 deletions bindings/rust/bench/certs/server-fullchain.pem

This file was deleted.

6 changes: 0 additions & 6 deletions bindings/rust/bench/certs/server-key.pem

This file was deleted.
