openca / libpki

Easy-to-use high-level library for PKI-enabled applications

The LibPKI Project

Introduction

The LibPKI Project aims to provide an easy-to-use PKI library for developing PKI-enabled applications. The library provides the developer with all the functionality needed to manage all major cryptographic data structures and associated procedures, from generation to validation.

Ultimately, the LibPKI Project lets developers implement complex cryptographic operations with a few simple function calls through a high-level cryptographic API.

You can find more information about this project and many more at our website: The OpenCA Labs and Projects.

Building the library and tools

LibPKI uses standard autoconf & automake tools for the configuration, compiling, and installation of the library and the associated SDK. To see all the different options available for compilation, you can use the following command:

$ ./configure --help

A typical set of options is as follows:

$ ./configure --prefix=/opt/crypto --with-openssl-prefix=/opt/crypto \
      --enable-extra-checks --enable-composite --disable-ldap

Although we try to support as many platforms as we can, there might be some options specific to your system that we are not aware of. Please report any compilation issues through the GitHub interface or by sending an e-mail to madwolf -at- openca -dot- org.

Adding support for Quantum-Safe algorithms

LibPKI supports the use of the OQS library through the OpenSSL-OQS wrapper from the Open Quantum Safe project (OQS). Specifically, LibPKI currently supports the OpenSSL-OQS 1.1.1x branch with the appropriate patches to provide hash-n-sign functionality (not provided via the vanilla OQS project).

To ease the compilation of the LibPKI library and the dependencies for Quantum-Safe algorithms, you can download the repository:

Once downloaded, go to the libpki-pqc project's directory and use the build.sh script (or the build-debug.sh script) to build and install all dependencies (except the development tools themselves).

Here's an example usage for building a debug version of the libraries:

  $ ./build.sh /opt/libpki-pqc

The script provides some help in building, patching, and installing all the needed libraries and dependencies. Specifically, it completes the following actions:

The specific patching that we do for the OpenSSL wrapper enables:

You can review the patched code in the config-n-patch/ossl-replace/20230525/ directory of the repository and in the GitHub repository.

Hybrid Keys and Certificates (Composite Crypto)

LibPKI supports the use of Composite Cryptography to enable hybrid signature schemes. Specifically, LibPKI supports both the generic version of Composite Crypto, which allows combining any number of algorithms, and the explicit version of Composite Crypto, which identifies well-known combinations with specific OIDs used in both public keys' and signatures' identifiers.

For example, to compose an RSA key and a Falcon key, you can use the following commands and the generic version of Composite Crypto:

  $ pki-tool genkey -algor RSA -sec_bits 112 -out rsa.key
  $ pki-tool genkey -algor Falcon -sec_bits 128 -out falcon512.key
  $ pki-tool genkey -algor Composite -addkey rsa.key -addkey falcon512.key \
      -out composite_rsa_falcon.key

The generated key is saved in the composite_rsa_falcon.key file and stores both the RSA and Falcon512 keys (public and private).

To generate an explicit combination, instead, you first generate the individual keys and then put them together in a single explicit Composite Key:

  $ pki-tool genkey -algor ED25519 -out ed25519.key
  $ pki-tool genkey -algor Falcon -sec_bits 128 -out falcon512.key
  $ pki-tool genkey -algor FALCON-ED25519 -addkey falcon512.key \
      -addkey ed25519.key -out explicit_falcon_ed25519.key

In this case, the generated key is saved in the explicit_falcon_ed25519.key file that stores both the Falcon and Ed25519 keys (both private and public).

Acknowledgments:

This project has been supported by the following entities:

We also want to thank all the contributors that have been submitting issues, pull requests, and patches for the library - thank you!