Reputation: 96
My system includes a Hardware Security Module (HSM), which imports symmetric/asymmetric keys into its internal memory, then provides a key index to outside users for future use (encrypt/decrypt).
I'm now writing an OpenSSL engine for this HSM, which is expected to be invoked via the OpenSSL EVP APIs by applications.
What is the proper way for application-level code (in C) to call the encryption service (e.g. encrypt something with a user's password stored in the HSM) via the EVP API functions, providing just the key index as a parameter rather than the key itself?
I know the EVP and Engine APIs provide some "control functions" for developers, but they seem to be meant for command-line arguments. I wonder whether it is proper to use them for passing a key index in library usage.
Update:
I'm now trying to use the ctrl function in EVP_CIPHER to import the key into the HSM.
I wonder which is better: doing it in the "init_ex" step (calling ctrl in EVP_CIPHER->init), or in the "do_cipher" step (using EVP_CIPHER_CTX_set_app_data to pass the key to app_data before do_cipher, then calling ctrl in do_cipher)?
Upvotes: 1
Views: 392
Reputation: 96
Finally I decided to use the cipher_data in EVP_CIPHER_CTX to store everything related to the key index, because I found that there is no difference between app_data and cipher_data if I do all initialization and encryption/decryption with my own implementation rather than OpenSSL's built-in methods.
Upvotes: 0
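The pattern the answer settles on, as an added example that is not code from the question or the answer: the engine's per-context block (the analogue of cipher_data in EVP_CIPHER_CTX) holds only a key index, the application hands that index over through a ctrl-style call, and do_cipher dispatches to the HSM by index, so key bytes never appear in application memory. OpenSSL is not linked here; EVP_CIPHER_CTX and the HSM are minimal stand-ins so the file compiles stand-alone, the ctrl command number, the struct and function names, and the sample key are all constructed, and the XOR transform is a placeholder for whatever the real HSM runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HSM_KEY_SLOTS 4
#define HSM_KEY_LEN   16

/* --- Simulated HSM: key bytes live here and are never returned to callers. --- */
static uint8_t hsm_keys[HSM_KEY_SLOTS][HSM_KEY_LEN];
static int     hsm_slot_used[HSM_KEY_SLOTS];

/* Import key material; returns the index the application uses from now on. */
int hsm_import_key(const uint8_t *key, size_t len)
{
    if (len != HSM_KEY_LEN) return -1;
    for (int i = 0; i < HSM_KEY_SLOTS; i++) {
        if (!hsm_slot_used[i]) {
            memcpy(hsm_keys[i], key, len);
            hsm_slot_used[i] = 1;
            return i;
        }
    }
    return -1; /* no free slot */
}

/* Placeholder transform (XOR with the stored key) standing in for the HSM's
 * real algorithm; what matters is that it is selected by index only. */
int hsm_cipher(int idx, uint8_t *out, const uint8_t *in, size_t len)
{
    if (idx < 0 || idx >= HSM_KEY_SLOTS || !hsm_slot_used[idx]) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ hsm_keys[idx][i % HSM_KEY_LEN];
    return 1;
}

/* --- Engine side: per-context state kept where cipher_data would be. --- */
#define HSM_CTRL_SET_KEY_INDEX 0x1001  /* hypothetical custom ctrl command */

typedef struct {
    int key_index;   /* HSM handle; -1 until the application sets it */
} hsm_cipher_data;

/* Minimal stand-in for EVP_CIPHER_CTX: cipher_data is the engine's private
 * block (OpenSSL sizes it from the cipher's ctx_size); nothing else is modelled. */
typedef struct {
    hsm_cipher_data cipher_data;
    int encrypt;
} evp_ctx_stub;

/* init_ex: no key material arrives here, so only reset the handle. */
int hsm_init(evp_ctx_stub *ctx, int enc)
{
    ctx->cipher_data.key_index = -1;
    ctx->encrypt = enc;
    return 1;
}

/* ctrl: same shape as EVP_CIPHER_CTX_ctrl(ctx, type, arg, ptr). The index is
 * checked against the HSM before it is stored. */
int hsm_ctrl(evp_ctx_stub *ctx, int type, int arg, void *ptr)
{
    (void)ptr;
    if (type != HSM_CTRL_SET_KEY_INDEX) return -1;  /* unsupported command */
    if (arg < 0 || arg >= HSM_KEY_SLOTS || !hsm_slot_used[arg]) return 0;
    ctx->cipher_data.key_index = arg;
    return 1;
}

/* do_cipher: read the handle from cipher_data and let the HSM do the work. */
int hsm_do_cipher(evp_ctx_stub *ctx, uint8_t *out, const uint8_t *in, size_t len)
{
    if (ctx->cipher_data.key_index < 0) return 0;  /* ctrl was never called */
    return hsm_cipher(ctx->cipher_data.key_index, out, in, len);
}

/* Application view: encrypt and decrypt a constructed message holding only an
 * index. Returns 1 when the round trip reproduces the plaintext. */
int hsm_roundtrip_demo(void)
{
    static const uint8_t sample_key[HSM_KEY_LEN] = "0123456789abcdef"; /* constructed */
    const char *msg = "key handle, not key bytes";
    uint8_t ct[64], pt[64];
    size_t n = strlen(msg);
    evp_ctx_stub enc, dec;

    int idx = hsm_import_key(sample_key, HSM_KEY_LEN);
    if (idx < 0) return 0;
    hsm_init(&enc, 1);
    hsm_init(&dec, 0);
    if (hsm_ctrl(&enc, HSM_CTRL_SET_KEY_INDEX, idx, NULL) != 1) return 0;
    if (hsm_ctrl(&dec, HSM_CTRL_SET_KEY_INDEX, idx, NULL) != 1) return 0;
    if (!hsm_do_cipher(&enc, ct, (const uint8_t *)msg, n)) return 0;
    if (!hsm_do_cipher(&dec, pt, ct, n)) return 0;
    return memcmp(pt, msg, n) == 0;
}

int main(void)
{
    printf("round trip %s\n", hsm_roundtrip_demo() ? "ok" : "failed");
    return 0;
}
```

Because the index is validated in the ctrl step and the handle starts at -1, a context whose ctrl call was skipped or rejected fails closed in do_cipher instead of silently running with an unset key; with a real engine the same checks belong in the ctrl and do_cipher callbacks registered on the EVP_CIPHER.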