From fed4342a52828816ed78ba56014d9508e13322ec Mon Sep 17 00:00:00 2001
From: Boris Djurdjevic
Date: Fri, 19 Sep 2025 09:47:14 +0200
Subject: [PATCH 1/2] Do not return error if CAPI SW key is found but CNG is not locatable

Signed-off-by: Boris Djurdjevic
---
 certtostore_windows.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/certtostore_windows.go b/certtostore_windows.go
index e6a7be8..8d537a6 100644
--- a/certtostore_windows.go
+++ b/certtostore_windows.go
@@ -1745,9 +1745,6 @@ func softwareKeyContainers(uniqueID string, storeDomain uint32) (string, string,
 if err != nil {
 return "", "", fmt.Errorf("unable to locate CNG key: %v", err)
 }
- if cng == "" {
- return "", "", errors.New("CNG key was empty")
- }
 default:
 return "", "", fmt.Errorf("unexpected key type %q", keyType)
 }

From 27407d7f99ace6c6e13ef2d3a94516e83ce9af0a Mon Sep 17 00:00:00 2001
From: Boris Djurdjevic
Date: Wed, 29 Oct 2025 14:06:40 +0100
Subject: [PATCH 2/2] Add option to ignore a not found CNG key

---
 certtostore_windows.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/certtostore_windows.go b/certtostore_windows.go
index 8d537a6..ffb1037 100644
--- a/certtostore_windows.go
+++ b/certtostore_windows.go
@@ -335,6 +335,9 @@ type WinCertStoreOptions struct {
 // - certStoreCreateNewFlag: Create new store if it doesn't exist
 // - certStoreOpenExistingFlag: Only open existing stores
 StoreFlags uint32
+
+ // IgnoreNoCNG can be set in order to ignore a not found CNG key when a CAPI key exists.
+ IgnoreNoCNG bool
 }
 
 // WinCertStore is a CertStorage implementation for the Windows Certificate Store.
@@ -349,6 +352,7 @@ type WinCertStore struct {
 stores map[string]*storeHandle
 keyAccessFlags uintptr
 storeFlags uint32
+ ignoreNoCNG bool
 mu sync.Mutex
 }
 
@@ -375,6 +379,7 @@ func DefaultWinCertStoreOptions(provider, container string, issuers, intermediat
 LegacyKey: legacyKey,
 CurrentUser: false,
 StoreFlags: 0,
+ IgnoreNoCNG: false,
 }
 }
 
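Review bot: The doc comment added for `IgnoreNoCNG` in WinCertStoreOptions says that a missing CNG key is ignored but not what the caller gets back, and since this flag disables a check that otherwise fails the lookup, the consequence belongs on the field. Judging from the keyMetadata hunk, where an empty `uc` is passed through when the flag is set, the returned Key appears to carry no CNG container, so CNG-specific operations on it would presumably fail later rather than at lookup time. I would write `// IgnoreNoCNG, when true, returns a CAPI (legacy) software key even if its CNG key container cannot be located instead of failing the lookup; the returned Key then has no CNG container, so CNG-specific operations on it may fail. Defaults to false.` The WinCertStoreOptions struct begins before this hunk.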
@@ -442,6 +447,7 @@ func OpenWinCertStoreWithOptions(opts WinCertStoreOptions) (*WinCertStore, error
 container: opts.Container,
 stores: make(map[string]*storeHandle),
 storeFlags: opts.StoreFlags,
+ ignoreNoCNG: opts.IgnoreNoCNG,
 }
 
 // Deep copy the issuer slices to prevent external modification
@@ -1369,6 +1375,11 @@ func keyMetadata(kh uintptr, store *WinCertStore) (*Key, error) {
 if err != nil {
 return nil, err
 }
+
+ if !store.ignoreNoCNG && uc == "" {
+ // key is not CNG backed, but store was opened with ignoreNoCNG=false
+ return nil, errors.New("CNG key was empty")
+ }
 }
 alg, err := getPropertyStr(kh, nCryptAlgorithmGroupProperty)
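Review bot: The new `!store.ignoreNoCNG && uc == ""` check in keyMetadata returns a fresh `errors.New("CNG key was empty")`, so a caller that wants to retry with IgnoreNoCNG set (the case the option exists for) cannot tell this failure from the other errors keyMetadata returns except by comparing message text. Declaring a package-level sentinel, `var ErrNoCNGKey = errors.New("CNG key was empty")`, and returning `return nil, ErrNoCNGKey` (or `fmt.Errorf("key metadata: %w", ErrNoCNGKey)` for context) lets callers use `errors.Is`. When the flag is set, the empty uc now flows on into the rest of the function; if it is later used to build a key-container path or handed to an NCrypt call, that empty value should be handled explicitly, which I cannot verify here because keyMetadata's body begins before this hunk and continues past it.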