I cannot find a good explanation of what the ENGINE in OpenSSL is. It is used in functions like EVP_PKEY_CTX_new.

I am using EVP_PKEY_CTX_new just before I encrypt/decrypt something using EVP_PKEY_encrypt and EVP_PKEY_decrypt, but do I really need to specify the ENGINE parameter when calling EVP_PKEY_CTX_new? Everywhere I look inside OpenSSL the parameter is specified as NULL.

So my question is: what is the ENGINE in OpenSSL, what is it used for, and what difference does it make when it is not specified?
The engine is the hardware or software implementation used for performing cryptographic operations. The default engine ID is openssl and uses the built-in functions of OpenSSL.

Assume we have a hardware device with a super fast implementation of AES. Now when we use AES encryption we can set the engine to that hardware device (instead of NULL), which means that the operations are now computed by the hardware device instead of the default OpenSSL software layer.
This is explained in Section 4.6 of the Network Security with OpenSSL book:

OpenSSL has built-in support for cryptographic acceleration. Using the ENGINE object type, an application can get a reference to a changeable, underlying representation, most often a hardware device. (...) The general idea is simple: we retrieve an object representing the type of hardware we wish to utilize, then we tell OpenSSL to use the device we chose. Example 4-17 shows a small code example of how we would perform this operation.
#include <stdio.h>
#include <openssl/engine.h>

int main(void)
{
    ENGINE *e;

    /* Look up the CryptoSwift engine by its string id and make it the
     * default implementation for all cryptographic methods. */
    if (!(e = ENGINE_by_id("cswift")))
        fprintf(stderr, "Error finding specified ENGINE\n");
    else if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
        fprintf(stderr, "Error using ENGINE\n");
    else
        fprintf(stderr, "Engine successfully enabled\n");
    return 0;
}
The function call ENGINE_by_id will look up an implementation from the built-in methods available and return an ENGINE object. The single argument to this function should be the string identifier of the underlying implementation we wish to use. (...) The ENGINE object that we receive from the lookup should be used in the call to ENGINE_set_default to allow cryptographic functions to utilize the capabilities of the specific ENGINE. The second parameter allows us to specify constraints on what we allow the engine to implement. (...)

NOTE: cswift is "used for CryptoSwift acceleration hardware."