
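I am writing code that creates a certificate in the certificate store, and I am using CNG. Well, not really writing it, rather adapting an example from MSDN. My code compiles and it creates keys for some algorithms, but none of those keys can be used to create a certificate. For most of them it says "Unknown cryptographic algorithm".

Here is the part of my code that tries all available algorithms and creates a key and a certificate for each one: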

    NCRYPT_PROV_HANDLE ncrypt_prov;
    err = NCryptOpenStorageProvider(
          &ncrypt_prov
        , NULL // provider name - use default
        , 0    // flags - none exist as of 2019
        ); RAISE_ERRCODE(err);

    NCRYPT_KEY_HANDLE key;

    for (const auto* algo : algos)
    {
        std::cout << "trying ";
        std::wcout << algo << std::endl;
        err = NCryptCreatePersistedKey(
              ncrypt_prov
            , &key
            , algo
            , NULL // create ephemeral key
            , 0 // legacy key spec param
            , 0 // flags
            );
        if (err != ERROR_SUCCESS)
        {
            std::cout << "when creating a key: ";
            print_error(err);
            continue;
        }
        PCCERT_CONTEXT cert = CertCreateSelfSignCertificate(
              key
            , &subject_name
            , 0
            , NULL
            , NULL
            , NULL
            , NULL
            , NULL
            );
        if (cert == 0)
        {
            auto err = GetLastError();
            std::cout << "when crafting a certificate: ";
            print_error(err);
            continue;
        }

        std::cout << "certificate created with algo ";
        std::wcout << algo << std::endl; // algo is a wide string, so print it via wcout
    }

I got the list of algorithms from here.

Here is the error output for all the algorithms tried:

trying 3DES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying 3DES_112
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying AES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying AES-CMAC
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying AES-GMAC
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying CAPI_KDF
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying DES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying DESX
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying DH
when crafting a certificate: Errcode 32
Details: The request is not supported.

trying DSA
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDH_P256
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDH_P384
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDH_P521
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDSA_P256
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDSA_P384
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying ECDSA_P521
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying MD2
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying MD4
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying MD5
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying RC2
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying RC4
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying RNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying DUALECRNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying FIPS186DSARNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying RSA
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying RSA_SIGN
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying SHA1
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying SHA256
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying SHA384
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying SHA512
when creating a key: Errcode 80090029
Details: The requested operation is not supported.

trying SP800_108_CTR_HMAC
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying SP800_56A_CONCAT
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying PBKDF2
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

Maybe I am just misusing the new API? With the old wincrypt32 it worked fine.
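
Added example, not part of the original question: a small Python triage script that groups the posted output by the call that failed and by the winerror.h name of the code, which makes the three failure classes visible at a glance. It assumes `print_error` prints the code in hexadecimal; `triage`, `NAMES`, `ENTRY` and `SAMPLE` are names made up for this example, and `SAMPLE` is an excerpt of the output above.

```python
import re
from collections import defaultdict

# winerror.h names for the four codes in the output (assumption: "Errcode" is hex).
NAMES = {0x80090029: "NTE_NOT_SUPPORTED", 0x8009000B: "NTE_BAD_KEY_STATE",
         0x80091002: "CRYPT_E_UNKNOWN_ALGO", 0x32: "ERROR_NOT_SUPPORTED"}

ENTRY = re.compile(
    r"^trying (?P<algo>\S+)[ \t]*\n"
    r"when (?P<stage>creating a key|crafting a certificate): "
    r"Errcode (?P<code>[0-9A-Fa-f]+)[ \t]*$", re.MULTILINE)

def triage(log):
    """Group algorithm names by (call that failed, symbolic error name)."""
    groups = defaultdict(list)
    for m in ENTRY.finditer(log):
        code = int(m.group("code"), 16)
        call = ("NCryptCreatePersistedKey" if m.group("stage") == "creating a key"
                else "CertCreateSelfSignCertificate")
        groups[(call, NAMES.get(code, f"0x{code:08X}"))].append(m.group("algo"))
    return dict(groups)

# Excerpt of the output in the question: one or two entries per distinct result.
SAMPLE = """\
trying AES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.

trying DH
when crafting a certificate: Errcode 32
Details: The request is not supported.

trying ECDSA_P256
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying RSA
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.

trying SHA256
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
"""

if __name__ == "__main__":
    for (call, name), algos in sorted(triage(SAMPLE).items()):
        print(f"{call:30} {name:21} {', '.join(algos)}")
```

Run over the full output, the `NTE_BAD_KEY_STATE` group is DSA, ECDH_*, ECDSA_* and RSA. Microsoft's documentation for `NCryptCreatePersistedKey` states that a key created this way cannot be used until `NCryptFinalizeKey` has been called on it.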
