OpenSSL - check on what engine is a function called and if hardware is really used?

Question

First of all, I'm a beginner in the OpenSSL world. I apologize in advance for any basic, barbaric errors.

Consider a flow:

1. Initialize OpenSSL with engine using hardware (let's call it EngineHW).
2. Call an OpenSSL function, e.g. X509_sign.

How to check if the function called was performed on the hardware?

How to verify the EngineHW function was called? What if the function is not defined by EngineHW - will OpenSSL fallback to any default engine it has?

The question is related to asserting quality - since I've got the hardware to do crypto for me, I consider using software a regression (at least for the important functions).

Answer 1

Not sure what the purpose of this is. Are you testing that OpenSSL works or are you testing your own code? It seems you want to do regression testing of OpenSSL and HSM?

However, if you want to test if X509_sign works then remove all software/disk based keys from the test system and check if you can sign something. If you get a valid signature you can be sure it comes from your HSM. If you get null back, it is not. OpenSSL doesn't fallback to a different sign function and even if it did, it can't sign since it needs a key to sign. Hope that answered your question.