OpenSSL development.

This page gives details of some of the extensive OpenSSL development I've carried out over the years.

I have been a core OpenSSL developer since the project started in 1999.

OpenSSL FIPS 140-2 validation.

I am currently working with the OpenSSL Software Foundation on a number of projects including continued development of 2.0 FIPS module validation. For more details please see the OpenSSL Website or contact OSF directly.

X509V3 support.

One of my initial tasks was to add X509v3 certificate extension support. SSLeay had only minimal understanding of some simple Netscape extensions and did not recognise extensions such as basicConstraints.

I added a complete extension handling framework and added support for many of the more common extensions.

Later I modified the OpenSSL verify code to respect the extension values during chain verification.

PKCS#12 code.

I wrote one of the first open source PKCS#12 implementations some years ago. This was initially a patch to SSLeay and was later merged into the OpenSSL core code in version 0.9.3. It is being continuously developed. More details are in my PKCS#12 FAQ.

PKCS#8 and PKCS#5 code.

I added code to handle PKCS#8 format private keys. This supports both the old PBE1 standards of PKCS#5 v1.5 and the newer PBE2 standards of PKCS#5 v2.0. The test vectors on RSA site were generated using my OpenSSL code.

S/MIME code.

Although SSLeay had some PKCS#7 functionality already it was rather broken. I fixed the existing code, wrote a high level S/MIME library on top of it and wrote the smime utility program. OpenSSL's S/MIME code has passed the S/MIME compatibility test, as documented on the S/MIME interoperability centre.

ASN1 rewrite.

This was one of my largest projects to date and took several months to complete. The ASN1 code in OpenSSL 0.9.6 and earlier was becoming increasingly difficult to maintain. Adding new modules was very time consuming and error prone, for example the PKCS#12 ASN1 code took over two weeks to write and considerably longer to debug. There were many bugs in the code which were difficult to fix. Very few people understood the code and those that did wished they hadn't.

Therefore during OpenSSL 0.9.7 development I completely rewrote the OpenSSL ASN1 code. I reimplemented almost all the ASN1 modules for OpenSSL and added new table based encoders and decoders. The new code is vastly easier to use, indeed several people have written new ASN1 modules just by examining the existing rewritten ones. For comparison the reimplemented PKCS#12 ASN1 code took under and hour to write.

The new code is capable of being extended further to support I/O based decoders and encoders (in fact 0.9.8 has initial support for I/O based encoders) and additional interpreters such as general ASN1 print routines and file based field entry.

OCSP code.

Although the initial OCSP code was based on a patch by Tom Titchener I have extensively rewritten the code to support the new ASN1, to provide a friendlier API and add a command line OCSP utility. OpenSSLs OCSP was one of the versions used for interoperability testing of  RFC2560.

Documentation.

I have written some or all of the manual pages for several sections of OpenSSL including, S/MIME, PKCS#7, PKCS#12, PEM, BIO, ASN1, X509.

Future Projects.

There are several possible future projects, such as S/MIME v3 support, full streaming ASN1, PKCS#12 updates etc. etc.

If you are interested in funding or discussing possible future OpenSSL or related PKI projects please email me details on my contact page