Engine vs provider questions

Matt Caswell matt at openssl.org
Tue Sep 26 07:58:34 UTC 2023



On 26/09/2023 02:29, Kamal Joshi wrote:
> Hi Team,
> 
> I have a few queries related to the Provider concept in the OpenSSL 3.1.x 
> version.
> 
> As the OpenSSL version is coming up with the Provider implementation and the 
> Engine API is deprecated, below are the queries.
> 1. Is it possible to still use the Engine API, and will it work with OpenSSL 
> 3.1.x?

Yes. The old API still works and can be used. This is intended for 
porting of older applications developed against previous versions of 
OpenSSL, so that they continue to work.

You will probably see deprecation warnings when compiling your code, and 
it is likely that in some future version of OpenSSL the deprecated APIs 
will be removed.

You are strongly encouraged not to use Engines for new code.


> 2. If not, can someone help in replacing the engine with a provider 
> implementation, with some basic example or minimum set of implementation?

There's a "toy" provider implemented here:

https://github.com/provider-corner/vigenere


> 
> I am working on this on Linux (OpenBMC environment) which is then open 
> source to the community. As OpenSSL provides command line support in 
> Linux for testing different speed tests using hardware engines, 
> similarly is there any such command line utility or commands for provider?

The "openssl speed" app works with providers.

> 
> Also like in Engine, we change openssl.conf file for invoking the engine 
> at runtime. Do we need to change the configuration file for the provider 
> as well to load at runtime?

You can load providers either programmatically or via a config file. The 
"Provider Configuration" section of the man page describes how to do this:

https://www.openssl.org/docs/man3.1/man5/config.html

Here's a minimal config file that automatically loads the default and 
legacy providers:

https://github.com/openssl/openssl/blob/master/test/default-and-legacy.cnf


> Our project is at a very scratch level and we are starting with OpenSSL 
> 3.1.x, so we need to understand the provider implementation. Any pointer or 
> input will be highly helpful to us.
> 
> Regards,
> Kamal Joshi
> 
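
A configuration along the lines the reply describes, as an added example that is not part of the original message or the OpenSSL sources: it loads the default provider together with a third-party provider from the config file, with the engine-era section it replaces shown commented out. The provider name `hwaccel`, the engine id `hwengine` and both module paths are hypothetical.

```ini
# Constructed example; "hwaccel", "hwengine" and the .so paths are hypothetical.
openssl_conf = openssl_init

[openssl_init]
# Engine-era loading (deprecated API), kept commented out for comparison:
# engines = engine_sect
providers = provider_sect
alg_section = evp_properties

# [engine_sect]
# hwengine = hwengine_sect
#
# [hwengine_sect]
# engine_id = hwengine
# dynamic_path = /usr/lib/engines-3/hwengine.so
# default_algorithms = ALL
# init = 1

[provider_sect]
# Once any provider is activated explicitly, the default provider is no
# longer loaded implicitly, so it has to be listed here as well.
default = default_sect
hwaccel = hwaccel_sect

[default_sect]
activate = 1

[hwaccel_sect]
# "module" can be omitted when the file is named after the section and sits
# in the MODULESDIR reported by `openssl version -m`.
module = /usr/lib/ossl-modules/hwaccel.so
activate = 1

[evp_properties]
# Rough counterpart of the engine's default_algorithms: prefer hwaccel where
# it offers an algorithm, otherwise fall back to another loaded provider.
# Assumes the provider tags its algorithms with the property provider=hwaccel.
default_properties = ?provider=hwaccel
```

Point `OPENSSL_CONF` at the file and run `openssl list -providers` to confirm both providers are reported as active before running `openssl speed`.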

