For whatever reason RSA blinding was disabled for the IBMCA engine. One possible reason is that setting up the blinding factors also requires a mod-expo operation, and this operation does not get offloaded to libica unless a Montgomery context for the public key (modulus) was set up before.
No longer disable blinding, but make sure that Montgomery contexts for the public and private keys are cached, like it is done without an engine. That way the mod-expo operation used for setting up the blinding context is also offloaded via ibmca_mod_exp().
Note: Due to a bug in OpenSSL code, the offloading of the mod-expo for the blinding setup currently does not work for private decrypt operations, but only for private encrypt (signature create) operations. Once that bug is fixed in OpenSSL, it will also work for private decrypt operations without an additional change in the IBMCA engine.
Related OpenSSL issue: https://github.com/openssl/openssl/issues/20579
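
As an added illustration (not part of this commit, and not IBMCA or OpenSSL code), textbook RSA blinding in Python shows why the blinding setup costs a mod-expo of its own, separate from the private-key operation. `CountingModExp` is a hypothetical stand-in for an engine's mod-exp hook, and the key is a constructed toy key.

```python
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

class CountingModExp:
    """Hypothetical stand-in for an engine's mod-exp hook; counts calls."""
    def __init__(self):
        self.calls = 0

    def __call__(self, base, exp, mod):
        self.calls += 1
        return pow(base, exp, mod)

def make_blinding(n, e, mod_exp):
    """Blinding setup: random r coprime to n, returns (r^e mod n, r^-1 mod n)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return mod_exp(r, e, n), pow(r, -1, n)   # the setup mod-expo

def private_op_blinded(m, d, n, blinding, mod_exp):
    """Compute m^d mod n without ever exponentiating m itself."""
    a, a_inv = blinding
    blinded = (m * a) % n                    # m * r^e
    s_blinded = mod_exp(blinded, d, n)       # (m * r^e)^d = m^d * r
    return (s_blinded * a_inv) % n           # strip r

def demo(m=0x1234567890ABCDEF):
    """Return (result matches unblinded m^d, setup mod-exp calls, total calls)."""
    hook = CountingModExp()
    blinding = make_blinding(N, E, hook)
    setup_calls = hook.calls
    sig = private_op_blinded(m, D, N, blinding, hook)
    return sig == pow(m, D, N), setup_calls, hook.calls

if __name__ == "__main__":
    print(demo())
```

The exponentiation with the private exponent only ever sees the randomized value, and the setup step is a second mod-expo that has to go through the same hook to be offloaded.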