- The default "openssl" ENGINE is always chosen when performing crypto
- operations unless you specify otherwise. You must actively tell the
- openssl utility commands to use anything else through a new command line
- switch called "-engine". Also, if you want to use the ENGINE support in
- your own code to do something similar, you must likewise explicitly
- select the ENGINE implementation you want.
-
- Depending on the type of hardware, system, and configuration, "settings"
- may need to be applied to an ENGINE for it to function as expected/hoped.
- The recommended way of doing this is for the application to support
- ENGINE "control commands" so that each ENGINE implementation can provide
- whatever configuration primitives it might require and the application
- can allow the user/admin (and thus the hardware vendor's support desk
- also) to provide any such input directly to the ENGINE implementation.
- This way, applications do not need to know anything specific to any
- device, they only need to provide the means to carry such user/admin
- input through to the ENGINE in question. Ie. this connects *you* (and
- your helpdesk) to the specific ENGINE implementation (and device), and
- allows application authors to not get buried in hassle supporting
- arbitrary devices they know (and care) nothing about.
-
- A new "openssl" utility, "openssl engine", has been added in that allows
- for testing and examination of ENGINE implementations. Basic usage
- instructions are available by specifying the "-?" command line switch.
-
- DYNAMIC ENGINES
- ===============
-
- The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
- implementations that aren't pre-compiled and linked into OpenSSL-based
- applications. This could be because existing compiled-in implementations
- have known problems and you wish to use a newer version with an existing
- application. It could equally be because the application (or OpenSSL
- library) you are using simply doesn't have support for the ENGINE you
- wish to use, and the ENGINE provider (eg. hardware vendor) is providing
- you with a self-contained implementation in the form of a shared-library.
- The other use-case for "dynamic" is with applications that wish to
- maintain the smallest foot-print possible and so do not link in various
- ENGINE implementations from OpenSSL, but instead leaves you to provide
- them, if you want them, in the form of "dynamic"-loadable
- shared-libraries. It should be possible for hardware vendors to provide
- their own shared-libraries to support arbitrary hardware to work with
- applications based on OpenSSL 0.9.7 or later. If you're using an
- application based on 0.9.7 (or later) and the support you desire is only
- announced for versions later than the one you need, ask the vendor to
- backport their ENGINE to the version you need.
-
- How does "dynamic" work?
- ------------------------
- The dynamic ENGINE has a special flag in its implementation such that
- every time application code asks for the 'dynamic' ENGINE, it in fact
- gets its own copy of it. As such, multi-threaded code (or code that
- multiplexes multiple uses of 'dynamic' in a single application in any
- way at all) does not get confused by 'dynamic' being used to do many
- independant things. Other ENGINEs typically don't do this so there is
- only ever 1 ENGINE structure of its type (and reference counts are used
- to keep order). The dynamic ENGINE itself provides absolutely no
- cryptographic functionality, and any attempt to "initialise" the ENGINE
- automatically fails. All it does provide are a few "control commands"
- that can be used to control how it will load an external ENGINE
- implementation from a shared-library. To see these control commands,
- use the command-line;
-
- openssl engine -vvvv dynamic
-
- The "SO_PATH" control command should be used to identify the
- shared-library that contains the ENGINE implementation, and "NO_VCHECK"
- might possibly be useful if there is a minor version conflict and you
- (or a vendor helpdesk) is convinced you can safely ignore it.
- "ENGINE_ID" is probably only needed if a shared-library implements
- multiple ENGINEs, but if you know the engine id you expect to be using,
- it doesn't hurt to specify it (and this provides a sanity check if
- nothing else). "LIST_ADD" is only required if you actually wish the
- loaded ENGINE to be discoverable by application code later on using the
- ENGINE's "id". For most applications, this isn't necessary - but some
- application authors may have nifty reasons for using it. The "LOAD"
- command is the only one that takes no parameters and is the command
- that uses the settings from any previous commands to actually *load*
- the shared-library ENGINE implementation. If this command succeeds, the
- (copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
- that has been loaded from the shared-library. As such, any control
- commands supported by the loaded ENGINE could then be executed as per
- normal. Eg. if ENGINE "foo" is implemented in the shared-library
- "libfoo.so" and it supports some special control command "CMD_FOO", the
- following code would load and use it (NB: obviously this code has no
- error checking);
-
- ENGINE *e = ENGINE_by_id("dynamic");
- ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
- ENGINE_ctrl_cmd_string(e, "ENGINE_ID", "foo", 0);
- ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
- ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
-
- For testing, the "openssl engine" utility can be useful for this sort
- of thing. For example the above code excerpt would achieve much the
- same result as;
-
- openssl engine dynamic \
- -pre SO_PATH:/lib/libfoo.so \
- -pre ENGINE_ID:foo \
- -pre LOAD \
- -pre "CMD_FOO:some input data"
-
- Or to simply see the list of commands supported by the "foo" ENGINE;
-
- openssl engine -vvvv dynamic \
- -pre SO_PATH:/lib/libfoo.so \
- -pre ENGINE_ID:foo \
- -pre LOAD
-
- Applications that support the ENGINE API and more specifically, the
- "control commands" mechanism, will provide some way for you to pass
- such commands through to ENGINEs. As such, you would select "dynamic"
- as the ENGINE to use, and the parameters/commands you pass would
- control the *actual* ENGINE used. Each command is actually a name-value
- pair and the value can sometimes be omitted (eg. the "LOAD" command).
- Whilst the syntax demonstrated in "openssl engine" uses a colon to
- separate the command name from the value, applications may provide
- their own syntax for making that separation (eg. a win32 registry
- key-value pair may be used by some applications). The reason for the
- "-pre" syntax in the "openssl engine" utility is that some commands
- might be issued to an ENGINE *after* it has been initialised for use.
- Eg. if an ENGINE implementation requires a smart-card to be inserted
- during intialisation (or a PIN to be typed, or whatever), there may be
- a control command you can issue afterwards to "forget" the smart-card
- so that additional initialisation is no longer possible. In
- applications such as web-servers, where potentially volatile code may
- run on the same host system, this may provide some arguable security
- value. In such a case, the command would be passed to the ENGINE after
- it has been initialised for use, and so the "-post" switch would be
- used instead. Applications may provide a different syntax for
- supporting this distinction, and some may simply not provide it at all
- ("-pre" is almost always what you're after, in reality).