Regarding engine implementation for RSA and AES

Matt Caswell matt at
Tue Mar 17 10:44:40 UTC 2020

On 17/03/2020 07:42, Mahendra SP wrote:
> Hi,
> We are looking at implementing an engine for RSA and AES.
> For AES, looking at the documentation, understand that engine will get
> invoked only if the application or SSL library invokes EVP based calls
> rather than native AES calls. Is this correct ?


Note that the low-level AES API will be deprecated in the forthcoming
OpenSSL 3.0.

> For RSA, is it mandatory to use EVP for using engine ?

No. You can hook in using RSA_METHOD or EVP_PKEY_METHOD.

The RSA low-level APIs (including RSA_METHOD) will also be deprecated in
the forthcoming OpenSSL 3.0.

> Is it a must to use latest openssl version for engine ? Reason for this
> question is, looking at 1.1.X code, all the calls are modified to EVP in
> SSL library when compared to previous versions. As understanding is,
> engine works with EVP, wanted to know if we need to use latest version.

Engines have been around for a long time. Not sure how well they worked
in conjunction with libssl in previous versions. But in any case the
only supported version at the moment is OpenSSL 1.1.1. All other
versions are EOL.

Note that Engines themselves are also being deprecated in OpenSSL 3.0.
They are being replaced by the new provider interface. Depending on the
the time frame that you want this functionality you might be better off
writing a provider (OpenSSL 3.0 is scheduled for release in Q4 this year).


More information about the openssl-users mailing list