Hello Reinier,

around five years back I was looking for such an implementation as an alternative to the rather limited CAPI engine, mostly because the C(rypto) API does not support ECC. The only thing I found at that time was https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and I do not know how it has evolved since then. So I am very pleased to see that meanwhile there is a way of using core features of Windows CAPI Next Generation (CNG) from OpenSSL.
Many thanks to RTI for providing this as open-source development under the Apache license. I currently do not have the time for a closer look or even for trying it out, but this looks very good and well documented. In particular, https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html gives a nice example of how to use the Windows cert & key store. Porting this to the new OpenSSL crypto provider interface will likely lift the limitation regarding RSA-PSS support, which is lacking only due to the engine interface.

Cheers,
David

On 01.07.21 19:49, Reinier Torenbeek wrote:
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1,
> you may want to check out this new OpenSSL CNG Engine project on
> GitHub: https://github.com/rticommunity/openssl-cng-engine . The
> associated User's Manual is on
> ReadTheDocs: https://openssl-cng-engine.readthedocs.io/en/latest/index.html .
>
> The project implements the majority of the EVP interface, to leverage
> the BCrypt crypto implementations, as well as a subset of the STORE
> interface, for integration with the Windows Certificate and
> Keystore(s), via the NCrypt and Cert APIs. It has been tested with
> 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released
> under the Apache-2.0 license.
>
> Any feedback is welcome, please send it to me or open an issue on GitHub.
>
> Best regards,
> Reinier
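For readers who want to try the announced engine from the OpenSSL 1.1.1 command line, the following is an added illustration of the generic OpenSSL 1.1.1 configuration mechanism for loading a dynamic engine; it is not taken from the project's documentation or code, and it is the mechanism Reinier's message refers to only in so far as any third-party 1.1.1 engine is loaded this way. The engine id `engine-ncrypt` and the DLL path are assumptions and have to be replaced with the values from the project's User's Manual; the section names (`openssl_init`, `engine_section`, `cng_engine`) are arbitrary labels, while `engines`, `engine_id`, `dynamic_path`, `default_algorithms` and `init` are the directives OpenSSL 1.1.1's engine config module actually understands.

```ini
# Added example configuration, not from the openssl-cng-engine project.
# Point OPENSSL_CONF at this file (or merge the sections into the
# existing openssl.cnf) before running the openssl CLI.

openssl_conf = openssl_init

[openssl_init]
# Hands the engine list to OpenSSL's engine configuration module.
engines = engine_section

[engine_section]
# Label on the left is free text; the right side names the section below.
cng = cng_engine

[cng_engine]
# ASSUMPTION: engine id and DLL location; take the real values from the
# project's User's Manual.
engine_id = engine-ncrypt
dynamic_path = C:\Program Files\openssl-cng-engine\engine-ncrypt.dll
# Make the engine the default implementation for every algorithm it offers.
default_algorithms = ALL
# Initialise the engine immediately rather than on first use.
init = 1
```

With `OPENSSL_CONF` set, `openssl engine -t -c engine-ncrypt` (again using the assumed id) reports whether the engine loaded and which algorithms it claims; that listing is the quickest way to check the point David raises, namely whether ECDSA/ECDH are actually offered, and, since RSA-PSS is not a separate engine-selectable algorithm in 1.1.1, why that limitation has to wait for the provider port.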