OpenSSL CNG engine on GitHub

David von Oheimb dev at ddvo.net
Fri Jul 2 09:56:05 UTC 2021


Hello Reinier,

around five years back I was looking for such an implementation as an
alternative to the rather limited CAPI engine, mostly because the
C(rypto )API does not support ECC.
The only thing I found at that time was
https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and
I do not know how it evolved since then.
So I am very pleased to see that meanwhile there is a way of using core
features of Windows CAPI Next Generation (CNG) from OpenSSL.

Many thanks to RTI for providing this as open-source development under
the Apache license.
I currently do not have the time for a closer look or even trying it
out, but this looks very good and well documented.
In particular,
https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html
gives a nice example of how to use the Windows cert & key store.
Porting this to the new OpenSSL crypto provider interface will likely
lift the limitation regarding RSA-PSS support, which is lacking just due to
the engine interface.

Cheers,

    David


On 01.07.21 19:49, Reinier Torenbeek wrote:
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1,
> you may want to check out this new OpenSSL CNG Engine project on
> GitHub: https://github.com/rticommunity/openssl-cng-engine . The
> associated User's Manual is on
> ReadTheDocs: https://openssl-cng-engine.readthedocs.io/en/latest/index.html
> .
>
> The project implements the majority of the EVP interface, to leverage
> the BCrypt crypto implementations, as well as a subset of the STORE
> interface, for integration with the Windows Certificate and
> Keystore(s), via the NCrypt and Cert APIs. It has been tested with
> 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released
> under the Apache-2.0 license.
>
> Any feedback is welcome, please send it to me or open an issue on GitHub.
>
> Best regards,
> Reinier