@@ -336,6 +336,9 @@ type WinCertStoreOptions struct {
336336 // - certStoreCreateNewFlag: Create new store if it doesn't exist
337337 // - certStoreOpenExistingFlag: Only open existing stores
338338 StoreFlags uint32
339+
340+ // IgnoreNoCNG can be set in order to ignore a not found CNG key when a CAPI key exists.
341+ IgnoreNoCNG bool
339342}
340343
341344// WinCertStore is a CertStorage implementation for the Windows Certificate Store.
@@ -350,6 +353,7 @@ type WinCertStore struct {
350353 stores map [string ]* storeHandle
351354 keyAccessFlags uintptr
352355 storeFlags uint32
356+ ignoreNoCNG bool
353357
354358 mu sync.Mutex
355359}
@@ -376,6 +380,7 @@ func DefaultWinCertStoreOptions(provider, container string, issuers, intermediat
376380 LegacyKey : legacyKey ,
377381 CurrentUser : false ,
378382 StoreFlags : 0 ,
383+ IgnoreNoCNG : false ,
379384 }
380385}
381386
@@ -443,6 +448,7 @@ func OpenWinCertStoreWithOptions(opts WinCertStoreOptions) (*WinCertStore, error
443448 container : opts .Container ,
444449 stores : make (map [string ]* storeHandle ),
445450 storeFlags : opts .StoreFlags ,
451+ ignoreNoCNG : opts .IgnoreNoCNG ,
446452 }
447453
448454 // Deep copy the issuer slices to prevent external modification
@@ -1366,6 +1372,11 @@ func keyMetadata(kh uintptr, store *WinCertStore) (*Key, error) {
13661372 if err != nil {
13671373 return nil , err
13681374 }
1375+
1376+ if ! store .ignoreNoCNG && uc == "" {
1377+ // key is not CNG backed, but store was opened with ignoreNoCNG=false
1378+ return nil , errors .New ("CNG key was empty" )
1379+ }
13691380 }
13701381
13711382 alg , err := getPropertyStr (kh , nCryptAlgorithmGroupProperty )
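Review bot: The guard added to keyMetadata does not enforce what the IgnoreNoCNG comment promises: with ignoreNoCNG set it skips the error for an empty `uc` unconditionally, whereas the option is documented as ignoring a missing CNG key "when a CAPI key exists", and nothing in the hunk establishes that a CAPI key does. Either the doc comment in the first hunk should match the code, e.g. `// IgnoreNoCNG makes keyMetadata proceed instead of failing when the key has no CNG unique container name (presumably a CAPI-only key).`, or the check should confirm the legacy key before continuing. The error is also anonymous, so callers cannot tell "no CNG key" apart from other metadata failures when deciding whether to opt in; a sentinel `var ErrNoCNGKey = errors.New("CNG key was empty")` returned as `return nil, ErrNoCNGKey` would let them use errors.Is. I cannot see where `uc` comes from or what consumes it past this point, so whether an empty value is safe downstream is unverified here. Both the enclosing if block and keyMetadata itself start outside the hunk.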