
Methods

BoringSSL can use KAE in one of two ways: call the KAE APIs from your service code, or apply the KAE patch to the BoringSSL source.

Unlike OpenSSL, the engine mechanism of BoringSSL cannot load KAE by setting an environment variable such as OPENSSL_ENGINES. KAE therefore exports two external interfaces, ENGINE_init_kae and ENGINE_free_kae, and BoringSSL can use KAE through either of the two methods described below.

Method 1: Calling APIs in Service Code

This method does not require BoringSSL to be recompiled, but you may need to modify the existing service code that calls BoringSSL.

KAE support in the RSA private key encryption and decryption interfaces is as follows:
  • RSA_new(): KAE cannot be used; the key is handled by BoringSSL's software implementation.
  • RSA_new_method(): KAE can be used by passing the ENGINE returned by ENGINE_init_kae as the input parameter.
Before encryption, call ENGINE_init_kae to obtain the KAE engine and pass it as the input parameter of RSA_new_method. KAE then performs the private key encryption and public key encryption operations on that key. After the task is complete, release the RSA objects created with the engine and then call ENGINE_free_kae to release the KAE resources. Figure 1 shows the principle.
Figure 1 BoringSSL calling KAE through APIs

Method 2: Modifying BoringSSL Source Code and Applying a Patch

Apply the provided patch to the BoringSSL source code so that BoringSSL's RSA implementation uses KAE by default for encryption and decryption. The patch bssl_add_kae_support.patch is provided for BoringSSL 0.20250311.0. Because of source code differences, it does not apply to other BoringSSL versions; if you use another version, adapt the patch to that source tree. The required changes are minor.

This method requires no changes to existing service code. However, the patched BoringSSL depends directly on the KAE dynamic library, which must be present wherever that BoringSSL build is deployed.

KAE support in the RSA private key encryption and decryption interfaces is as follows:
  • RSA_new(): KAE is used by default.
  • RSA_new_method(): KAE can be used by passing the ENGINE returned by ENGINE_init_kae as the input parameter.