diff --git a/releases.json b/releases.json
index eb568253b3..537b181451 100644
--- a/releases.json
+++ b/releases.json
@@ -269,6 +269,7 @@
       "aws-c-cal"
     ],
     "versions": [
+      "0.9.13-1",
       "0.9.10-1"
     ]
   },
diff --git a/subprojects/aws-c-cal.wrap b/subprojects/aws-c-cal.wrap
index 25b2fe2e8a..b1fc9fb2b5 100644
--- a/subprojects/aws-c-cal.wrap
+++ b/subprojects/aws-c-cal.wrap
@@ -1,8 +1,8 @@
 [wrap-file]
-directory = aws-c-cal-0.9.10
-source_url = https://github.com/awslabs/aws-c-cal/archive/refs/tags/v0.9.10.tar.gz
-source_filename = aws-c-cal-0.9.10.tar.gz
-source_hash = a41b389e942fadd599a6a0f692b75480d663f1e702c0301177f00f365e0c9b94
+directory = aws-c-cal-0.9.13
+source_url = https://github.com/awslabs/aws-c-cal/archive/refs/tags/v0.9.13.tar.gz
+source_filename = aws-c-cal-0.9.13.tar.gz
+source_hash = 80b7c6087b0af461b4483e4c9483aea2e0dac5d9fb2289b057159ea6032409e1
 patch_directory = aws-c-cal
 
 [provide]
diff --git a/subprojects/packagefiles/aws-c-cal/meson.build b/subprojects/packagefiles/aws-c-cal/meson.build
index 7e90b047d8..06becf1f61 100644
--- a/subprojects/packagefiles/aws-c-cal/meson.build
+++ b/subprojects/packagefiles/aws-c-cal/meson.build
@@ -1,7 +1,7 @@
 project(
   'aws-c-cal',
   'c',
-  version: '0.9.10',
+  version: '0.9.13',
   meson_version: '>=0.63.0',
   license: 'Apache-2.0',
 )
@@ -11,34 +11,61 @@ fs = import('fs')
 pkg = import('pkgconfig')
 
 tests_opt = get_option('tests').disable_auto_if(meson.is_subproject())
-ed25519_everywhere = get_option('ed25519_everywhere')
 
-public_c_args = ['-DAWS_CAL_USE_IMPORT_EXPORT=1']
+# aws-c-cal doesn't use openssl on windows or darwin, on those platforms it uses the native crypto libraries
+# as it's required for compliance with platform policies. On linux and emscripten openssl is used.
+may_have_openssl = host_machine.system() in ['linux', 'emscripten']
+is_windows = host_machine.system() == 'windows'
+is_darwin = host_machine.system() == 'darwin'
+
+byo_crypto = get_option('byo_crypto')
+ed25519_everywhere = get_option('ed25519_everywhere').disable_auto_if(
+  not may_have_openssl,
+)
+
 c_args = ['-DAWS_CAL_EXPORTS=1']
 
+public_c_args = []
+if (
+  get_option('default_library') == 'shared'
+  and host_machine.system() == 'windows'
+) or host_machine.system() != 'windows'
+  public_c_args += ['-DAWS_CAL_USE_IMPORT_EXPORT=1']
+endif
+
 if host_machine.system() == 'windows' and host_machine.cpu_family() in [
   'x86',
   'aarch64',
 ]
-  error('unsupported architecture: only x86_64 Windows is supported')
+  error('unsupported architecture: only x86_64 is supported on Windows')
 endif
 
 aws_c_common_dep = dependency('aws-c-common')
 libcrypto_dep = dependency(
-  'libcrypto',
+  'openssl',
   version: '>=1.1',
+  required: not byo_crypto.allowed(),
 )
+
 ncrypt = cc.find_library(
   'ncrypt',
-  required: host_machine.system() == 'windows',
+  required: false,
 )
 
 foundation = dependency(
   'appleframeworks',
   modules: ['Security', 'CoreFoundation'],
-  required: host_machine.system() == 'darwin',
+  required: false,
 )
 
+if is_windows
+  byo_crypto = byo_crypto.disable_auto_if(ncrypt.found())
+endif
+
+if is_darwin
+  byo_crypto = byo_crypto.disable_auto_if(foundation.found())
+endif
+
 src = files(
   'source/cal.c',
   'source/der.c',
@@ -52,45 +79,49 @@ src = files(
   'source/symmetric_cipher.c',
 )
 
-if ed25519_everywhere or host_machine.system() == 'linux'
+if byo_crypto.allowed()
+  c_args += ['-DBYO_CRYPTO=1']
+endif
+
+if libcrypto_dep.found()
   src += files('source/shared/ed25519.c', 'source/shared/lccrypto_common.c')
-  c_args = ['-DAWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE']
+  c_args += ['-DAWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE']
 else
-  src += files('source/shared/ed25519_noop.c')
+  src += files('source/ed25519.c', 'source/shared/ed25519_noop.c')
 endif
 
-if host_machine.system() in ['cygwin', 'windows']
-  src += files(
-    'source/windows/bcrypt_aes.c',
-    'source/windows/bcrypt_ecc.c',
-    'source/windows/bcrypt_hash.c',
-    'source/windows/bcrypt_hmac.c',
-    'source/windows/bcrypt_platform_init.c',
-    'source/windows/bcrypt_rsa.c',
-  )
-elif host_machine.system() == 'darwin'
-  src += files(
-    'source/darwin/commoncrypto_aes.c',
-    'source/darwin/commoncrypto_hmac.c',
-    'source/darwin/commoncrypto_md5.c',
-    'source/darwin/commoncrypto_platform_init.c',
-    'source/darwin/commoncrypto_sha1.c',
-    'source/darwin/commoncrypto_sha256.c',
-    'source/darwin/commoncrypto_sha512.c',
-    'source/darwin/securityframework_ecc.c',
-    'source/darwin/securityframework_rsa.c',
-  )
-elif host_machine.system() == 'linux'
-  src += files(
-    'source/unix/openssl_aes.c',
-    'source/unix/openssl_platform_init.c',
-    'source/unix/openssl_rsa.c',
-    'source/unix/opensslcrypto_ecc.c',
-    'source/unix/opensslcrypto_hash.c',
-    'source/unix/opensslcrypto_hmac.c',
-  )
-else
-  error('Unsupported platform: ' + host_machine.system())
+if not byo_crypto.allowed()
+  if host_machine.system() in ['cygwin', 'windows']
+    src += files(
+      'source/windows/bcrypt_aes.c',
+      'source/windows/bcrypt_ecc.c',
+      'source/windows/bcrypt_hash.c',
+      'source/windows/bcrypt_hmac.c',
+      'source/windows/bcrypt_platform_init.c',
+      'source/windows/bcrypt_rsa.c',
+    )
+  elif host_machine.system() == 'darwin'
+    src += files(
+      'source/darwin/commoncrypto_aes.c',
+      'source/darwin/commoncrypto_hmac.c',
+      'source/darwin/commoncrypto_md5.c',
+      'source/darwin/commoncrypto_platform_init.c',
+      'source/darwin/commoncrypto_sha1.c',
+      'source/darwin/commoncrypto_sha256.c',
+      'source/darwin/commoncrypto_sha512.c',
+      'source/darwin/securityframework_ecc.c',
+      'source/darwin/securityframework_rsa.c',
+    )
+  elif host_machine.system() in ['linux', 'emscripten']
+    src += files(
+      'source/unix/openssl_aes.c',
+      'source/unix/openssl_platform_init.c',
+      'source/unix/openssl_rsa.c',
+      'source/unix/opensslcrypto_ecc.c',
+      'source/unix/opensslcrypto_hash.c',
+      'source/unix/opensslcrypto_hmac.c',
+    )
+  endif
 endif
 
 inc = include_directories('include')
@@ -101,7 +132,9 @@ libaws_c_cal = library(
   c_args: c_args + public_c_args,
   dependencies: [aws_c_common_dep, libcrypto_dep, ncrypt, foundation],
   include_directories: inc,
+  install: true,
   version: meson.project_version(),
+  gnu_symbol_visibility: 'hidden',
 )
 
 aws_c_cal_dep = declare_dependency(
diff --git a/subprojects/packagefiles/aws-c-cal/meson_options.txt b/subprojects/packagefiles/aws-c-cal/meson_options.txt
index cbbf2acd4f..ded9958c9c 100644
--- a/subprojects/packagefiles/aws-c-cal/meson_options.txt
+++ b/subprojects/packagefiles/aws-c-cal/meson_options.txt
@@ -6,7 +6,13 @@ option(
 
 option(
     'ed25519_everywhere',
-    type: 'boolean',
-    value: false,
+    type: 'feature',
     description: 'Experimental feature to support ED25519 keygen on platforms that do not support it in os libs (i.e. win/mac)',
 )
+
+option(
+    'byo_crypto',
+    type: 'feature',
+    value: 'disabled',
+    description: 'Set this if you want to provide your own cryptography implementation. This will cause the defaults to not be compiled.',
+)
diff --git a/subprojects/packagefiles/aws-c-cal/tests.txt b/subprojects/packagefiles/aws-c-cal/tests.txt
index d0276300e4..3df651859f 100644
--- a/subprojects/packagefiles/aws-c-cal/tests.txt
+++ b/subprojects/packagefiles/aws-c-cal/tests.txt
@@ -1,4 +1,3 @@
-
 sha256_nist_test_case_1
 sha256_nist_test_case_2
 sha256_nist_test_case_3
@@ -86,6 +85,7 @@ ecdsa_signature_encode_helper_roundtrip
 ecdsa_export_sec1_roundtrip
 ecdsa_export_pkcs8_roundtrip
 ecdsa_export_spki_roundtrip
+ecdsa_signature_decode_helper
 rsa_encryption_roundtrip_pkcs1_from_user
 rsa_encryption_roundtrip_oaep_sha256_from_user
 rsa_encryption_roundtrip_oaep_sha512_from_user