
Methods

BoringSSL can call KAE in either of the following ways: (1) calling the KAE APIs from the service code, or (2) modifying the BoringSSL source code by applying a patch. This section describes the principles of both methods in detail.

BoringSSL's engine mechanism has no dynamic engine loading, so KAE cannot be loaded by setting environment variables such as OPENSSL_ENGINES as it can with OpenSSL. Therefore, KAE provides the APIs ENGINE_init_kae and ENGINE_free_kae for external calling, and the two methods below are offered for BoringSSL to use KAE.

Method 1: Calling APIs in Service Code

This method does not require BoringSSL recompilation, but you may need to modify the existing BoringSSL service code.

KAE support in the RSA private key encryption and decryption APIs is as follows:
  • RSA_new(): KAE cannot be used.
  • RSA_new_method(): KAE can be used by passing the KAE engine as the input parameter.
Before encryption, call ENGINE_init_kae to initialize KAE and pass the returned engine as the input parameter of RSA_new_method. The RSA object then calls KAE for private-key and public-key encryption. After the task is complete, call ENGINE_free_kae to release the KAE resources. Figure 1 shows the principle.
Figure 1 BoringSSL calling KAE through APIs

Method 2: Modifying BoringSSL Source Code and Applying a Patch

Modify the BoringSSL source code by applying a patch so that BoringSSL's RSA algorithm uses KAE for encryption and decryption by default. bssl_add_kae_support.patch is provided for BoringSSL 0.20250311.0. Because of source code differences, the patch is not compatible with other BoringSSL versions. If you use another BoringSSL version, adapt the patch to that version's source code, which requires minor modification effort.

This method requires no changes to the existing service code. However, the patched BoringSSL then has a hard dependency on the KAE dynamic library.

KAE support in the RSA private key encryption and decryption APIs is as follows:
  • RSA_new(): KAE is used by default.
  • RSA_new_method(): KAE can be used by passing the KAE engine as the input parameter.