It's tricky one. Formally there is no reason to link everything with ncrypt.lib. Well, of course in static build ncrypt.lib needs to be there for every .exe that pulls in e_cng.obj. But in shared build cng.dll would be the only one that needs to be linked with it. MSC has solution for that, and it's #pragma comment(lib,"ncrypt") that can be added directly to e_cng.c. And it's going to work out in both static and dynamic builds. [The pragma is tolerated by mingw compilers, but does nothing.] Another argument against adding it as above is that people still seem to be asking about compiling for legacy version, and there is no ncrypt.lib there. Even in such case above mentioned #pragma would do the trick, because it can be conditional...

I think it can be argued that crypt32.lib shouldn't be there with the argument that only capi.dll needs it as well, no? I was pondering another variant, to add language in build.info to specify extra external libraries to be used with specific programs or shared libraries. Would it be worth it? Maybe. For now, though, I'll use the pragma, thanks for pointing it out.

I think it can be argued that crypt32.lib shouldn't be there

I think so, yes. But there is difference. crypt32.lib is present in legacy SDKs, while ncrypt.lib is not. This is kind of the real concern. Having library on command line you don't link with has no side effects (on Windows), but lib-file needs to be present if you refer to in on command line irregardless. In other words it's availability of ncrypt.lib file in user's SDK that is concern.

MSDN says include ncrypt.h and I don't see no ncrypt.h. Well, nothing prevents wincrypt.h from including ncrypt.h, but then question would be if all SDKs do that... Maybe they all do, did you verify?

I have verified that wincrypt.h includes ncrypt.h indeed. The reason I do this is the lines following, where I detect if ncrypt is present or not.

I have verified that wincrypt.h includes ncrypt.h indeed.

Question was if all of them do. But of course one can always say that if wincrypt.h doesn't include ncrypt.h, then we don't compile it. It would be appropriate to mention this in more verbose comment...

I'd suggest a little bit more verbose comment...

Sure.

I didn't follow the code thoroughly, but question is if CP_UTF8 would be more appropriate. Underlying question is if in can contain non-ASCII characters. Trouble is that CP_ACP can wipe some of them. I'd say that CP_UTF8 should be always preferred unless there is recognized reason to use CP_ACP.

I used CP_ACP because e_capi.c does so. I was wondering, though, if that was the right choice. What can we expect from the command prompt these days?

I used CP_ACP because e_capi.c does so.

It doesn't mean that it's right :-) I mean it surely needs an overhaul too.

What can we expect from the command prompt these days?

Command line options are UTF8-ised, and so should be console input. I'll double-check... And I'll have a look at e_capi.c. One can also put it this way. Let's aim for CP_UTF8, because it's the only one that should work, and fix remaining code paths. As opposite to trying to see what happens to work right now... Just to clarify, go for CP_UTF8 :-)

I hear ya

Passing NULL to pcbResult at this point causes NCryptExportKey to fail with 0x800706F4 in my test case. Passing &size resolves that problem.

As far as I have seen, NCryptEncrypt will use the public key from the key handle instead of the private key, so NCryptDecrypt needs to be used here to perform the RSA operation with the private key.

NCryptDecrypt however probably can't be configured to add padding before the RSA operation with the private key as required here (RSA private enrypt) as it's designed to be used for decryption with the private key but not for signing/encryption and therefore removes the padding after the RSA operation (RSA private decrypt) instead of adding it before.
For that reason, NCryptDecrypt can only be used with RSA_NO_PADDING here, as with that RSA private encrypt and RSA private decrypt result in the same operation.

When OpenSSL uses RSA signing with PSS padding, this method is called with RSA_NO_PADDING as the padding has already be applied to the buffer before, so that is no problem in that case.

Client certificate authentication with TLS 1.2+ works in my test case, when NCryptDecrypt with RSA_NO_PADDING is used here (See #12859).

Please tell me if I am wrong.

Yes, it is true that from my testing that when using TLSv1.3, the NCryptDecrypt should be used instead of NCryptEncrypt with the NCRYPT_NO_PADDING_FLAG as the padding of the buffer.