OpenSSL CNG engine on GitHub

Reinier Torenbeek reinier.torenbeek at gmail.com
Fri Jul 2 12:59:30 UTC 2021


Hello David,

Thanks for checking this out and your positive feedback. I was not able to
find any substantial solution for this either. I do wonder why that is?
Possibly, Windows users are not as interested in a cross platform solution
like OpenSSL provides and they are fine with using the Windows APIs
directly -- that is just speculation though.

Best regards,
Reinier

On Fri, Jul 2, 2021 at 6:56 AM David von Oheimb <dev at ddvo.net> wrote:

> Hello Reinier,
>
> Around five years back I was looking for such an implementation as an
> alternative to the rather limited CAPI engine, mostly because the
> C(rypto)API does not support ECC.
> The only thing I found at that time was
> https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and I
> do not know how it evolved since then.
> So I am very pleased to see that meanwhile there is a way of using core
> features of Windows CAPI Next Generation (CNG) from OpenSSL.
>
> Many thanks to RTI for providing this as open-source development under the
> Apache license.
> I currently do not have the time for a closer look or even trying it out,
> but this looks very good and well documented.
> In particular,
> https://openssl-cng-engine.readthedocs.io/en/latest/using/openssl_commands.html
> gives a nice example of how to use the Windows cert & key store.
> Porting this to the new OpenSSL crypto provider interface will likely lift
> the limitation regarding RSA-PSS support, which is lacking just due to the
> engine interface.
>
> Cheers,
>
>     David
>
>
> On 01.07.21 19:49, Reinier Torenbeek wrote:
>
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, you
> may want to check out this new OpenSSL CNG Engine project on GitHub:
> https://github.com/rticommunity/openssl-cng-engine . The associated
> User's Manual is on ReadTheDocs:
> https://openssl-cng-engine.readthedocs.io/en/latest/index.html .
>
> The project implements the majority of the EVP interface, to leverage the
> BCrypt crypto implementations, as well as a subset of the STORE interface,
> for integration with the Windows Certificate and Keystore(s), via the
> NCrypt and Cert APIs. It has been tested with 1.1.1k on Windows 10, with
> Visual Studio 2017 and 2019. It is released under the Apache-2.0 license.
>
> Any feedback is welcome, please send it to me or open an issue on GitHub.
>
> Best regards,
> Reinier
>
>