On 26/09/2023 02:29, Kamal Joshi wrote:
> Hi Team,
> I have a few queries related to the Provider concept in the OpenSSL
> 3.1.x version.
> As the OpenSSL version is coming up with the Provider implementation
> and the Engine APIs are deprecated, below are the queries.
> 1. Is it possible to still use the Engine API and will it work with
> OpenSSL 3.1.x?

Yes. The old API still works and can be used. This is intended for
porting of older applications developed against previous versions of
OpenSSL, so that they continue to work.
You will probably see deprecation warnings when compiling your code, and
it is likely that in some future version of OpenSSL the deprecated APIs
will be removed.
You are strongly encouraged not to use Engines for new code.

> 2. If not, can someone help in replacing the engine with a provider
> implementation with some basic example or minimum set of implementation?

There's a "toy" provider implemented here:
https://github.com/provider-corner/vigenere

> I am working on this on Linux (OpenBMC environment) which is then open
> source to the community. As OpenSSL provides command line support in
> Linux for testing different speed tests using hardware engines,
> similarly is there any such command line utility or commands for
> providers?

The "openssl speed" app works with providers.

> Also, like in Engine, we change the openssl.conf file for invoking the
> engine at runtime. Do we need to change the configuration file for the
> provider as well to load at runtime?

You can load providers either programmatically or via a config file. The
"Provider Configuration" section of the man page describes how to do this:
https://www.openssl.org/docs/man3.1/man5/config.html
Here's a minimal config file that automatically loads the default and
legacy providers:
https://github.com/openssl/openssl/blob/master/test/default-and-legacy.cnf

> Our project is at a very scratch level and we are starting with OpenSSL
> 3.1.x, so we need to understand the provider implementation. Any pointer
> or input will be highly helpful to us.
> Regards,
> Kamal Joshi
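
The config-file route described in the reply, sketched as an added example that is not part of the original e-mail or of the OpenSSL sources. It follows the "Provider Configuration" layout from config(5); the section names, the provider name "vigenere" and the module path are assumptions chosen for illustration.

```ini
# Constructed example: an openssl.cnf that loads providers at start-up.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Each key is a provider name; each value names the section that
# configures it. The section names here are arbitrary.
default = default_sect
legacy = legacy_sect
vigenere = vigenere_sect

[default_sect]
# Once any provider is activated from the config file, the default
# provider is no longer loaded implicitly. Leaving this section out
# would remove the standard algorithms from the default library context.
activate = 1

[legacy_sect]
# Only needed if the application still depends on legacy algorithms.
activate = 1

[vigenere_sect]
# Third-party provider (assumed here to be the toy provider linked in
# the reply). "module" points at the shared object to load.
# Placeholder path: replace with the real install location, and keep
# that location writable only by a trusted account, because the module
# is loaded into every process that reads this file.
module = /path/to/vigenere.so
activate = 1
```

Point the OPENSSL_CONF environment variable at this file and run `openssl list -providers` to confirm which providers were actually activated.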