OpenSSL Conference

Building Excellent ASN.1 Tooling
2025-10-08, Belvedere II / Community, Contribution & the Future

Heimdal has an ASN.1 compiler and library that can fully encode/decode a certificate, including all its extensions, in one codec invocation. It does this by leveraging the RFC 5912 object sets, parameters, and constraints on PKIX. Showcasing Heimdal's ASN.1 tooling might help OpenSSL develop its own (or borrow Heimdal's) so that it can a) use ASN.1 modules as-is rather than relying on error-prone manual translation to OpenSSL's macros for defining ASN.1 types, and b) make automatic use of RFCs 5911 and 5912 to simplify the use of ASN.1 in OpenSSL.

For example, Heimdal can decode a certificate and print it as JSON, with all the certificate's extensions fully decoded, in two invocations: one to decode a DER-encoded certificate, and one to encode the result as JSON.
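The object-set idea from the two paragraphs above, as an added example that is not Heimdal's or OpenSSL's code: a minimal DER walker in which a table keyed by extension OID (one entry, basicConstraints) plays the role of the RFC 5912 information object set, so a single decode pass opens extnValue, and a dict-to-JSON step mirrors the second invocation. The sample DER bytes are constructed by hand; an extension whose OID is not in the table is left as opaque hex, which is exactly the gap that hand-written decoding otherwise has to fill.

```python
import json
# Constructed example, not Heimdal's code: a tiny DER walker plus an "object set" table
# (extension OID -> decoder) so one decode pass opens extnValue rather than leaving it opaque.
def der_tlv(buf, pos=0):  # parse one DER TLV at pos -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_oid(contents):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_basic_constraints(contents):
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    _, body, _ = der_tlv(contents)
    out, pos = {"cA": False}, 0
    while pos < len(body):
        tag, v, pos = der_tlv(body, pos)
        if tag == 0x01:
            out["cA"] = v != b"\x00"
        elif tag == 0x02:
            out["pathLenConstraint"] = int.from_bytes(v, "big", signed=True)
    return out

# The object set (RFC 5912 writes it as an information object set; here a dict with one entry).
EXTENSION_SET = {"2.5.29.19": ("basicConstraints", decode_basic_constraints)}

def decode_extension(der):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    _, body, _ = der_tlv(der)
    tag, v, pos = der_tlv(body)
    ext = {"extnID": der_oid(v), "critical": False}
    tag, v, pos = der_tlv(body, pos)
    if tag == 0x01:  # critical is only encoded when it differs from its DEFAULT
        ext["critical"] = v != b"\x00"
        tag, v, pos = der_tlv(body, pos)
    name, decoder = EXTENSION_SET.get(ext["extnID"], (None, None))
    ext["extnValue"] = {name: decoder(v)} if decoder else v.hex()  # opaque when the OID is unknown
    return ext

def extension_json(der):  # second step of the page's two-step flow: decoded structure -> JSON
    return json.dumps(decode_extension(der))

BASIC_CONSTRAINTS_DER = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # constructed: critical, cA TRUE, pathLen 0
SKI_DER = bytes.fromhex("300c0603551d0e04050403aabbcc")  # constructed subjectKeyIdentifier: not in the set, stays opaque
```

Adding a second entry to EXTENSION_SET is all it takes to make the SKI value decode too, which is the per-OID dispatch that a compiled object set provides for the whole of PKIX.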

OpenSSL has ASN.1 modules that are manually translated from the actual ASN.1 into uses of C macros. This translation is error-prone and slows down adoption of new modules. OpenSSL also loses all the constraints and parameterization from RFCs 5911 and 5912, which means a great deal of that has to be hand-coded rather than generated by tooling.

I argue that OpenSSL should develop its own ASN.1 tooling, or find suitable open source tooling. I will present Heimdal's ASN.1 tooling, its capabilities, and its internals, and propose the incorporation of it into OpenSSL, or perhaps a rewrite.

I've worked with or on Kerberos for about 28 years, and I've worked on Heimdal for about 15 years. I'm a Sun Microsystems, Inc. alumnus, and have worked for banks and hedge funds as a consultant and employee. I am also an erstwhile jq and Heimdal maintainer.