The OpenSSL library provides a rich and extensible interface for dealing with cryptographic tokens and dedicated accelerators through the engine API.
The vast majority of the cryptography library should already be able to transparently deal with engine supplied EVP_PKEY instances and OpenSSL already has functions for setting the default engines for various operations, therefore the implementation could be minimal.
The main difficulty would be deciding how an engine interface would look—a separate backend wouldn't make much sense and so there would be a decision between making a backend independent engine interface or a openssl-specific interface.
At the very least I think it would be useful to add some of the ENGINE_ functions to the CFFI bindings so that modules could piggy-back off of cryptography's cffi bindings to provide the functionality.
The OpenSSL library provides a rich and extensible interface for dealing with cryptographic tokens and dedicated accelerators through the engine API.
The vast majority of the cryptography library should already be able to transparently deal with engine supplied
EVP_PKEYinstances and OpenSSL already has functions for setting the default engines for various operations, therefore the implementation could be minimal.The main difficulty would be deciding how an engine interface would look—a separate backend wouldn't make much sense and so there would be a decision between making a backend independent engine interface or a openssl-specific interface.
At the very least I think it would be useful to add some of the
ENGINE_functions to the CFFI bindings so that modules could piggy-back off of cryptography's cffi bindings to provide the functionality.