Hello Reinier,
around five years back I was looking for such an implementation
as an alternative to the rather limited CAPI engine, mostly
because the C(rypto)API does not support ECC.
The only thing I found at that time was https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html
and I do not know how it evolved since then.
So I am very pleased to see that meanwhile there is a way of using
core features of Windows CAPI Next Generation (CNG) from OpenSSL.
Many thanks to RTI for providing this as open-source development
under the Apache license.
I currently do not have the time for a closer look or even trying
it out, but this looks very good and well documented.
In particular, https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html
gives a nice example of how to use the Windows cert & key store.
Porting this to the new OpenSSL crypto provider interface will
likely lift the limitation regarding RSA-PSS support, which is lacking
just due to the engine interface.
Cheers,
David
Hi,
For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, you may want to check out this new OpenSSL CNG Engine project on GitHub: https://github.com/rticommunity/openssl-cng-engine . The associated User's Manual is on ReadTheDocs: https://openssl-cng-engine.readthedocs.io/en/latest/index.html .
The project implements the majority of the EVP interface, to leverage the BCrypt crypto implementations, as well as a subset of the STORE interface, for integration with the Windows Certificate and Keystore(s), via the NCrypt and Cert APIs. It has been tested with 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released under the Apache-2.0 license.
Any feedback is welcome, please send it to me or open an issue on GitHub.
Best regards,
Reinier