Hi, I took the CAPI engine and extended it to give preference to NCrypt, otherwise to revert to Crypto API. Implemented for RSA so far (no DSA or ECC support though BoringSSL have done some ECC work for Windows I could look at). Tested with RSA, on CNG and on Crypto API based systems. I tried to make unintrusive changes in CAPI:
a) Extended CAPI_KEY struct to include NCrypt handle support.
b) capi_get_pkey - NCrypt support for reading an RSA public key blob and extracting algorithm ids.
c) capi_rsa_sign - NCrypt support. Easier for NCrypt, just one call as NCrypt signature is big endian.
d) capi_get_key_CNG: new function that prefers to acquire a CNG style handle via CryptAcquireCertificatePrivateKey.
e) capi_get_key_cert: Invokes capi_get_key_CNG(). If that fails reverts to original code to acquire a Crypto handle.

[Note: NCrypt calls are only invoked if CryptAcquireCertificatePrivateKey returned an NCrypt handle which can never happen on Windows XP or Windows Server 2003. So no need to wrap NCrypt calls in GetModuleHandle/GetProcAddress helper code aka BoringSSL style].

Apologies for my ignorance but what's the process for submitting code to OpenSSL for consideration?

Matt
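Item (b) above depends on the CNG RSA public key blob layout (BCRYPT_RSAPUBLIC_BLOB): a 24-byte BCRYPT_RSAKEY_BLOB header followed by the public exponent and the modulus, both big endian. The bounds-checked parser below is an added example, not part of the original post or of the patch it describes; `rsa_pub_view`, `parse_cng_rsa_public` and the sample blob are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#define RSAPUBLIC_MAGIC 0x31415352u /* BCRYPT_RSAPUBLIC_MAGIC, "RSA1" */
#define RSA_HDR_LEN 24u             /* BCRYPT_RSAKEY_BLOB: six 32-bit fields */

/* Hypothetical view type: pointers into the caller's blob, big-endian bytes. */
struct rsa_pub_view {
    uint32_t bits;
    const uint8_t *exp; size_t exp_len;
    const uint8_t *mod; size_t mod_len;
};

/* Header fields are little endian on Windows; read them portably. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills *out, or -1 if the blob is malformed or truncated. */
int parse_cng_rsa_public(const uint8_t *blob, size_t len, struct rsa_pub_view *out)
{
    if (blob == NULL || out == NULL || len < RSA_HDR_LEN) return -1;
    if (rd_le32(blob) != RSAPUBLIC_MAGIC) return -1;   /* Magic */
    uint32_t bits = rd_le32(blob + 4);                 /* BitLength */
    size_t cb_exp = rd_le32(blob + 8);                 /* cbPublicExp */
    size_t cb_mod = rd_le32(blob + 12);                /* cbModulus */
    /* cbPrime1/cbPrime2 (offsets 16, 20) are not needed for a public key. */
    size_t room = len - RSA_HDR_LEN;
    if (cb_exp == 0 || cb_mod == 0) return -1;
    if (cb_exp > room || cb_mod > room - cb_exp) return -1; /* overflow-safe */
    if (bits == 0 || bits > (uint64_t)cb_mod * 8) return -1;
    out->bits = bits;
    out->exp = blob + RSA_HDR_LEN;          out->exp_len = cb_exp;
    out->mod = blob + RSA_HDR_LEN + cb_exp; out->mod_len = cb_mod;
    return 0;
}

/* Constructed sample (not a real key): 64-bit modulus, exponent 65537. */
static const uint8_t sample_blob[] = {
    0x52, 0x53, 0x41, 0x31,  0x40, 0, 0, 0,  3, 0, 0, 0,  8, 0, 0, 0,
    0, 0, 0, 0,  0, 0, 0, 0,  0x01, 0x00, 0x01,
    0xC1, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x09
};
int main(void)
{
    struct rsa_pub_view v;
    return parse_cng_rsa_public(sample_blob, sizeof sample_blob, &v);
}
```

Because the exponent and modulus are already big endian, the two byte ranges can be handed to a big-number constructor as they are, with no byte reversal.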