A library implementing the Simple Public Key Infrastructure

libspki a library for operations on SPKI certificates, ACL:s, and access and authorization decisions. The library is work in progress, it's not terribly useful yet. Some of the design:

About SPKI

SPKI is a way to think about certificates that makes a lot more sense then the popular X.500 and X.509 standards. The emphasis is on authorization, delegation and capabilities, rather than on names. See RFC 2693 and Carl Ellison's SPKI page for more informaton.

Current status

As of 2003-03-10, the code is reasonably solid, and the most important things are implemented. Parsing of keys, certificates and ACL:s. Verification and creation of signatures. The "5-tuple reduction" machinery is in place. There are some basic tools for creating certificates. There are no special key generation tools, but you can use lsh's. It's fairly small, about 7000 lines of C.

The interfaces, both for the library and the command line tools, are functional but subject to change and improvements. There's unfortunately not much documentation, the README file provides an introduction, after that you have to read the source.

Related projects

There are two other SPKI implementations I'm aware of: Intel's CDSA, which is a pretty big and does a lot more than just SPKI, and JSDSI, a Java library by Sameer Ajmani.

The first application that will use libspki is LSH, my ssh-2 implementation. I've planned adding real spki support for years, as a good way both for delegating restricted access, and for certifying hostkeys (which is usually the weakest link in all use of ssh).

libspki uses the Nettle cryptographic library for the few cryptographic operations that are needed. Nettle, in turn, uses GMP, the GNU bignum library, for calculations.

Source code

The CVS repository is located at cvs.lysator.liu.se. Beware that the build system is not perfect, in particular it expects to find Nettle as "../nettle" from both source and build trees, the same way things are arranged if you check out all the complete lsh source code. The easiest way to try it out is to use
cvs -d :pserver:anonymous@cvs.lysator.liu.se:/cvsroot/lsh co lsh
cd lsh
make bootstrap
The important parts here are the src/nettle and src/spki subdirectories.