Re: OpenSSL CNG engine on GitHub

2021-07-02 Thread Reinier Torenbeek
Hello David,

Thanks for checking this out and your positive feedback. I was not able to
find any substantial solution for this either. I do wonder why that is?
Possibly, Windows users are not as interested in a cross platform solution
like OpenSSL provides and they are fine with using the Windows APIs
directly -- that is just speculation though.

Best regards,
Reinier

On Fri, Jul 2, 2021 at 6:56 AM David von Oheimb wrote:

> Hello Reinier,
>
> around five years back I was looking for such an implementation as an
> alternative to the rather limited CAPI engine, mostly because the
> C(rypto )API does not support ECC.
> The only thing I found at that time was
> https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and I
> do not know how it evolved since then.
> So I am very pleased to see that meanwhile there is a way of using core
> features of Windows CAPI Next Generation (CNG) from OpenSSL.
>
> Many thanks to RTI for providing this as open-source development under the
> Apache license.
> I currently do not have the time for a closer look or even trying it out,
> but this looks very good and well documented.
> In particular,
> https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html
> gives a nice example of how to use the Windows cert & key store.
> Porting this to the new OpenSSL crypto provider interface will likely lift
> the limitation regarding RSA-PSS support, which lacks just due to the
> engine interface.
>
> Cheers,
>
> David
>
>
> On 01.07.21 19:49, Reinier Torenbeek wrote:
>
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, you
> may want to check out this new OpenSSL CNG Engine project on GitHub:
> https://github.com/rticommunity/openssl-cng-engine . The associated
> User's Manual is on ReadTheDocs:
> https://openssl-cng-engine.readthedocs.io/en/latest/index.html .
>
> The project implements the majority of the EVP interface, to leverage the
> BCrypt crypto implementations, as well as a subset of the STORE interface,
> for integration with the Windows Certificate and Keystore(s), via the
> NCrypt and Cert APIs. It has been tested with 1.1.1k on Windows 10, with
> Visual Studio 2017 and 2019. It is released under the Apache-2.0 license.
>
> Any feedback is welcome, please send it to me or open an issue on GitHub.
>
> Best regards,
> Reinier
>
>


Re: OpenSSL CNG engine on GitHub

2021-07-02 Thread David von Oheimb
Hello Reinier,

around five years back I was looking for such an implementation as an
alternative to the rather limited CAPI engine, mostly because the
C(rypto )API does not support ECC.
The only thing I found at that time was
https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and
I do not know how it evolved since then.
So I am very pleased to see that meanwhile there is a way of using core
features of Windows CAPI Next Generation (CNG) from OpenSSL.

Many thanks to RTI for providing this as open-source development under
the Apache license.
I currently do not have the time for a closer look or even trying it
out, but this looks very good and well documented.
In particular,
https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html
gives a nice example of how to use the Windows cert & key store.
Porting this to the new OpenSSL crypto provider interface will likely
lift the limitation regarding RSA-PSS support, which lacks just due to
the engine interface.

Cheers,

    David


On 01.07.21 19:49, Reinier Torenbeek wrote:
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1,
> you may want to check out this new OpenSSL CNG Engine project on
> GitHub: https://github.com/rticommunity/openssl-cng-engine . The
> associated User's Manual is on
> ReadTheDocs: https://openssl-cng-engine.readthedocs.io/en/latest/index.html
> .
>
> The project implements the majority of the EVP interface, to leverage
> the BCrypt crypto implementations, as well as a subset of the STORE
> interface, for integration with the Windows Certificate and
> Keystore(s), via the NCrypt and Cert APIs. It has been tested with
> 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released
> under the Apache-2.0 license.
>
> Any feedback is welcome, please send it to me or open an issue on GitHub.
>
> Best regards,
> Reinier