Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
January 26, 2018 10:42
August 15, 2023 19:32
January 7, 2021 18:21

The LibPKI Project


The LibPKI Project is aimed to provide an easy-to-use PKI library for PKI enabled application development. The library provides the developer with all the needed functionalities to manage all major cryptographic data structures and associated prcedures, from generation to validation.

Ultimately, the LibPKI Project enables developers with the possibility to implement complex cryptographic operations with a few simple function calls by implementing an high-level cryptographic API.

You can find more inforamtion about this project and many more at our website: The OpenCA Labs and Projects.

Building the library and tools

LibPKI uses standard autoconf & automake tools for the configuration, compiling, and installation of the library and the associated SDK. To see all the different options available for compilation, you can use the following command:

$ ./configure --help

A typical set of options is as follows:

$ ./configure --prefix=/opt/crypto --with-openssl-prefix=/opt/crypto \
      --enable-extra-checks --enable-composite --disable-ldap

Although we try to support as many platforms as we can, there might be some options that are specific for your system that we might not be aware of. Please report the possible compilation issues through the GitHub interface or by sending an e-mail at madwolf -at- openca -dot- org.

Adding support for Quantum-Safe algorithms

LibPKI supports the use of the OQS library through the OpenSSL-OQS wrapper from the Open Quantum Safe project: The Open Quantum Safe project (OQS). Specifically, LibPKI currently supports the OpenSSL-OQS 1.1.1x branch with the appropriate patches to provide hash-n-sign functionality (not provided via the vanilla OQS project).

To ease the compilation of the LibPKI library and the dependencies for Quantum-Safe algorithms, you can download the repository:

Once downloaded, go in the libpki-pqc project's directory and use the script (or the ```) to build and install all dependencies (but the development tools themselves).

Here's an example usage for building a debug version of the libraries:

  $ ./ /opt/libpki-pqc

The script provides some help in building, patching, and installing all the needed libraries and dependencies. Specifically, it completes the following actions:

The specific patching that we do for the OpenSSL wrapper enables:

  • The use of hash-n-sign paradigm with all PQC algorithms
  • Allows the generation/use of RSA keys smaller than 512 bits

You can review the patched code in the config-n-patch/ossl-replace/20230525/ directory of the repository and in the GitHub repository.

Hybrid Keys and Certificates (Composite Crypto)

LibPKI supports the use of Composite Cryptography to enable hybrid signature schemes. Specifically, LibPKI supports both the generic version of Composite Crypto that allows to combine any number of algorithms and the explicit version of Composite Crypto that identifies well-known combinations with specific OIDs used in both public keys' and signatures' identifiers.

For example, to compose an RSA key and a Falcon key, you can use the following commands and the generic version of Composite Crypto:

  $ pki-tool genkey -algor RSA -sec_bits 112 -out rsa.key
  $ pki-tool genkey -algor Falcon -sec_bits 128 -out falcon512.key
  $ pki-tool genkey -algor Composite -addkey rsa.key -addkey falcon512.key \
      -out composite_rsa_falcon.key

The generated key is saved in composite_rsa_falcon.key file and stores both the RSA and Falcon512 keys (public and private).

To generate an explicit combination, instead, you first generate the individual keys and then put them together in a single explicit Composite Key:

  $ pki-tool genkey -algor ED25519 -out ed25519.key
  $ pki-tool genkey -algor Falcon -sec_bits 128 -out falcon512.key
  $ pki-tool genkey -algor FALCON-ED25519 -addkey falcon512.key \
      -addkey falcon512.key -out composite_rsa_falcon.key

In this case, the generated key is saved in the explicit_falcon_ed25519.key file that stores both the Falcon and Ed25519 keys (both private and public).


The this project has been supported by the following entities:

  • OpenCA Laboratories ( Jan 2007 - Now ). This software has been released and supported by the OpenCA Labs and its projects related to PKIs. The software will continuosly be updated and used for several other projects including, but not limited to, OpenCA OCSP responder, OpenCA PKI Next Generation, and OpenCA PRQP Server.

  • CableLabs Television Laboratories (Jan 2019 - Now). The CableLabs organization has been supporting the LibPKI project and its evolution (especially the integration of innovative features such as the support for Composite Cryptography and Quantum-Safe algorithms).

  • U.S. Department of Homeland Security (Jan 2007 - Mar 2009). This software results from a research program in the Institute for Security Technology Studies at Dartmouth College, supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security.

We also want to thank all the contributors that have been submitting issues, pull requests, and patches for the library - thank you!