Hi Selva,
On Fri, Jul 2, 2021 at 10:49 AM Selva Nair <selva.nair@xxxxxxxxx> wrote:
Hi,On Thu, Jul 1, 2021 at 1:49 PM Reinier Torenbeek <reinier.torenbeek@xxxxxxxxx> wrote:Hi,For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, you may want to check out this new OpenSSL CNG Engine project on GitHub: https://github.com/rticommunity/openssl-cng-engine . The associated User's Manual is on ReadTheDocs: https://openssl-cng-engine.readthedocs.io/en/latest/index.html .The project implements the majority of the EVP interface, to leverage the BCrypt crypto implementations, as well as a subset of the STORE interface, for integration with the Windows Certificate and Keystore(s), via the NCrypt and Cert APIs. It has been tested with 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released under the Apache-2.0 license.Any feedback is welcome, please send it to me or open an issue on GitHub.This is great, but limiting RSA signature to RSA-PKCS#1 v 1.5 is a major limitation. It doesn't have to be that way as the OpenSSL engine interface does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.
Yes I agree the lack of support for RSA-PSS is significant. There is a discussion (which includes you, I see ) around the root cause of that here: https://github.com/openssl/openssl/issues/7341 , among other places.
It is not clear to me what you mean with "the OpenSSL engine interface does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.". Can you elaborate (here or on the GitHub issue)?
Thanks,
Reinier
Selva