[openssl-users] Certification Path Building / non-hierarchical PKI

Michael Wojcik Michael.Wojcik at microfocus.com
Sun Mar 29 15:08:38 UTC 2015

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Salz, Rich
> Sent: Sunday, March 29, 2015 09:31
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Certification Path Building / non-hierarchical PKI
> > Are there any plans or patches for such a feature?
> We have no plans for this.

It should be relatively straightforward to implement a non-hierarchical X.509 PKI in an OpenSSL-based application using the certificate verification callback, though.  The necessary graph algorithms are well-known and I believe there are existing open-source implementations (or it could be done in some language other than C that's more amenable to graph processing). It's not trivial, but between the RFC and a basic understanding of graph processing it's pretty clear what needs to be done.

A larger concern is probably the processing time for checking certification paths; as the RFC points out, this kind of graph-path processing grows quickly with the size of the graph.

Michael Wojcik
Technology Specialist, Micro Focus
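
Added example, not part of the original message: a sketch of the graph search the reply refers to, enumerating loop-free candidate paths from an end-entity certificate to a trust anchor in a cross-certified mesh. Certificates are modelled as constructed (issuer, subject) name pairs with no keys or signatures, and `build_paths` and `full_mesh` are hypothetical names; each candidate path would still need full validation afterwards.

```python
from collections import defaultdict, namedtuple
from itertools import permutations

# Simplified stand-in for an X.509 certificate: names only, no keys,
# signatures, validity dates or constraints (assumption for this sketch).
Cert = namedtuple("Cert", "issuer subject")

def build_paths(target, pool, trust_anchors, max_len=8):
    """Return every loop-free chain from target up to a cert issued by an anchor."""
    by_subject = defaultdict(list)
    for cert in pool:
        by_subject[cert.subject].append(cert)
    paths = []

    def extend(path, seen):
        tip = path[-1]
        if tip.issuer in trust_anchors:
            paths.append(list(path))      # complete candidate path
            return
        if len(path) >= max_len:          # bound the search depth
            return
        for cand in by_subject.get(tip.issuer, ()):
            if cand.subject in seen:      # loop: this name is already on the path
                continue
            extend(path + [cand], seen | {cand.subject})

    extend([target], {target.subject})
    return paths

def full_mesh(n):
    """Constructed test PKI: n CAs that all cross-certify each other."""
    cas = [f"CA{i}" for i in range(n)]
    pool = [Cert(a, b) for a, b in permutations(cas, 2)]
    return Cert(cas[-1], "EE"), pool      # end entity issued by the last CA

if __name__ == "__main__":
    # Candidate-path count as the mesh grows, with CA0 as the only trust anchor.
    for n in range(3, 8):
        target, pool = full_mesh(n)
        found = build_paths(target, pool, {"CA0"})
        print(f"{n} CAs, {len(pool)} cross-certs -> {len(found)} candidate paths")
```

The counts grow faster than the number of cross-certificates, which is the processing-time concern raised in the message.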
