OpenSSL provider replacement for ENGINE_load_private_key

Tomas Mraz tomas at
Mon Dec 13 10:15:18 UTC 2021

On Sun, 2021-12-12 at 00:39 +0200, Graham Leggett via openssl-users
> Hi all,
> The ENGINE API is deprecated in favour of the new Provider API.
> What is the provider equivalent function that replaces
> ENGINE_load_private_key()?

One option would be for a provider to provide provider-storemgmt
implementation to load a key from its special URI. You'd then use
OSSL_STORE from the application to load a private key from that special

Another, rather simplistic, approach would be to use the
EVP_PKEY_fromdata() function. In that case you'd have to know what the
key algorithm are you using. You'd then use EVP_PKEY_CTX_new_from_name
with query properties to include "provider=your_provider" and the
params used with EVP_PKEY_fromdata() would contain just the special id
parameter that the provider would use to identify the private key from
the device.

> Regards,
> Graham

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list