{"id":39030744,"url":"https://github.com/remiblancher/post-quantum-pki","last_synced_at":"2026-01-27T17:13:08.316Z","repository":{"id":331635478,"uuid":"1117090971","full_name":"remiblancher/post-quantum-pki","owner":"remiblancher","description":"Quantum-Safe X.509 PKI with PQC \u0026 Hybrid Certificates in Go","archived":false,"fork":false,"pushed_at":"2026-01-17T16:16:44.000Z","size":12329,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-18T02:06:43.753Z","etag":null,"topics":["certificate-authority","certificates","circl","composite-certificates","crypto-agility","cryptography","golang","hybrid-certificates","ml-dsa","ml-kem","nist","pkcs11","pki","post-quantum-cryptography","pqc","qpki","quantum-safe","slh-dsa","tls","x509"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/remiblancher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-15T20:22:57.000Z","updated_at":"2026-01-17T16:16:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/remiblancher/post-quantum-pki","commit_stats":null,"previous_names":["remiblancher/post-quantum-pki"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/remiblancher/post-quantum-pki","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/remiblancher%2Fpost-quantum-pki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/remiblancher%2Fpost-quantum-pki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/remiblancher%2Fpost-quantum-pki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/remiblancher%2Fpost-quantum-pki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/remiblancher","download_url":"https://codeload.github.com/remiblancher/post-quantum-pki/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/remiblancher%2Fpost-quantum-pki/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28632781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T04:47:28.174Z","status":"ssl_error","status_checked_at":"2026-01-21T04:47:22.943Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","certificates","circl","composite-certificates","crypto-agility","cryptography","golang","hybrid-certificates","ml-dsa","ml-kem","nist","pkcs11","pki","post-quantum-cryptography","pqc","qpki","quantum-safe","slh-dsa","tls","x509"],"created_at":"2026-01-17T17:38:31.160Z","updated_at":"2026-01-27T17:13:08.309Z","avatar_url":"https://github.com/remiblancher.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# QPKI\n\n**Quantum-Safe X.509 PKI in Go**\n\n[![CI](https://github.com/remiblancher/post-quantum-pki/actions/workflows/ci.yml/badge.svg)](https://github.com/remiblancher/post-quantum-pki/actions/workflows/ci.yml)\n[![codecov](https://codecov.io/gh/remiblancher/post-quantum-pki/branch/main/graph/badge.svg)](https://codecov.io/gh/remiblancher/post-quantum-pki)\n[![Go Report Card](https://goreportcard.com/badge/github.com/remiblancher/post-quantum-pki)](https://goreportcard.com/report/github.com/remiblancher/post-quantum-pki)\n[![Go Reference](https://pkg.go.dev/badge/github.com/remiblancher/post-quantum-pki.svg)](https://pkg.go.dev/github.com/remiblancher/post-quantum-pki)\n[![Release](https://img.shields.io/github/v/release/remiblancher/post-quantum-pki)](https://github.com/remiblancher/post-quantum-pki/releases)\n[![Dependabot](https://img.shields.io/badge/Dependabot-enabled-brightgreen?logo=dependabot)](https://github.com/remiblancher/post-quantum-pki/network/updates)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\nA quantum-safe Public Key Infrastructure (PKI) toolkit to help organizations prepare and migrate to post-quantum cryptography (PQC) with interoperable, standards-compliant certificates.\n\n\u003e **For education and prototyping** — Learn PKI concepts, experiment with PQC migration, and test crypto-agility. See [Post-Quantum PKI Lab](https://github.com/remiblancher/post-quantum-pki-lab) for step-by-step tutorials.\n\n## Features\n\n- **State-of-the-art X.509 certificates** (RFC 5280 compliant)\n- **Post-Quantum Cryptography (PQC)** support via ML-DSA, SLH-DSA and ML-KEM\n- **CSR generation** for all algorithms including RFC 9883 ML-KEM attestation\n- **Catalyst certificates** (ITU-T X.509 Section 9.8) - dual keys via extensions\n- **Composite certificates** (IETF draft-13, **DRAFT**) - dual keys bound together\n- **Hybrid certificates** (classical + PQC via combined or separate modes)\n- **CMS Signatures \u0026 Encryption** (RFC 5652) - sign and encrypt with PQC\n- **Crypto-agility** - seamless migration between algorithms (ECDSA → ML-DSA)\n- **Profiles** (certificate templates) - define certificate policies in YAML\n- **Credentials** - group certificates with coupled lifecycle\n- **HSM support** via PKCS#11\n- **Cross-validated** with external implementations (OpenSSL, BouncyCastle)\n- **CLI-first** - simple, scriptable, no database required\n- **PQC via [Cloudflare CIRCL](https://github.com/cloudflare/circl)** — FIPS 203/204/205 implementations, NIST test vectors validated\n- **Pure Go by default** - CGO optional (only for HSM/PKCS#11)\n\n## Supported Algorithms\n\n### Classical\n| Algorithm | Security | Notes |\n|-----------|----------|-------|\n| ECDSA (P-256, P-384, P-521) | ~128/192/256-bit | NIST curves, P-384 recommended |\n| EdDSA (Ed25519) | ~128-bit | Fast, constant-time |\n| RSA (2048, 4096) | ~112/140-bit | Legacy compatibility |\n\n*EC keys support both ECDSA (signature) and ECDH (key agreement) depending on certificate keyUsage.*\n\n### Post-Quantum\n| Algorithm | Security | Notes |\n|-----------|----------|-------|\n| ML-DSA-44/65/87 | NIST Level 1/3/5 | FIPS 204, lattice-based |\n| SLH-DSA-128/192/256 | NIST Level 1/3/5 | FIPS 205, hash-based |\n| ML-KEM-512/768/1024 | NIST Level 1/3/5 | FIPS 203, key encapsulation |\n\n*Classical security levels reflect resistance to classical attacks only. Post-quantum algorithms are designed to remain secure against quantum adversaries.*\n\n## Installation\n\n### Download pre-built binaries (recommended)\n\nDownload the latest release for your platform from [GitHub Releases](https://github.com/remiblancher/post-quantum-pki/releases/latest).\n\n**Linux / macOS:**\n```bash\n# Download (replace VERSION, OS, and ARCH as needed)\ncurl -LO https://github.com/remiblancher/post-quantum-pki/releases/latest/download/qpki_VERSION_OS_ARCH.tar.gz\n\n# Extract\ntar -xzf qpki_*.tar.gz\n\n# Install\nsudo mv qpki /usr/local/bin/\n\n# Verify\nqpki --version\n```\n\n**Available platforms:**\n| OS | Architecture | File |\n|----|--------------|------|\n| Linux | amd64 | `qpki_VERSION_linux_amd64.tar.gz` |\n| Linux | arm64 | `qpki_VERSION_linux_arm64.tar.gz` |\n| macOS | Intel | `qpki_VERSION_darwin_amd64.tar.gz` |\n| macOS | Apple Silicon | `qpki_VERSION_darwin_arm64.tar.gz` |\n| macOS | Universal | `qpki_VERSION_darwin_all.tar.gz` |\n| Windows | amd64 | `qpki_VERSION_windows_amd64.zip` |\n\n**Linux packages:**\n```bash\n# Debian/Ubuntu\nsudo dpkg -i qpki_VERSION_linux_amd64.deb\n\n# RHEL/Fedora\nsudo rpm -i qpki_VERSION_linux_amd64.rpm\n```\n\n### Install via Homebrew (macOS)\n\n```bash\nbrew tap remiblancher/qpki\nbrew install qpki\n```\n\n### Verify release signatures\n\nAll releases are signed with GPG. To verify:\n\n```bash\n# Import public key\ngpg --keyserver keyserver.ubuntu.com --recv-keys 39CD0BF9647E3F56\n\n# Download checksums and signature\ncurl -LO https://github.com/remiblancher/post-quantum-pki/releases/download/vX.Y.Z/checksums.txt\ncurl -LO https://github.com/remiblancher/post-quantum-pki/releases/download/vX.Y.Z/checksums.txt.sig\n\n# Verify signature\ngpg --verify checksums.txt.sig checksums.txt\n```\n\n### Build from source\n\nRequires Go 1.25 or later.\n\n```bash\n# Clone and build\ngit clone https://github.com/remiblancher/post-quantum-pki.git\ncd pki\ngo build -o qpki ./cmd/qpki\n\n# Or install directly to GOPATH/bin\ngo install github.com/remiblancher/post-quantum-pki/cmd/qpki@latest\n```\n\n### Verify installation\n\n```bash\nqpki version\nqpki --help\n```\n\n## Requirements\n\n- **Go 1.25** or later (only for building from source)\n- No CGO required for standard usage\n- CGO required only for HSM/PKCS#11 support (optional)\n- No external dependencies (OpenSSL not required)\n\n## Dependencies\n\nThis project uses minimal, well-maintained dependencies:\n\n| Dependency | Version | Purpose |\n|------------|---------|---------|\n| [cloudflare/circl](https://github.com/cloudflare/circl) | v1.6.2 | Post-quantum cryptography (ML-DSA, ML-KEM, SLH-DSA) |\n| [spf13/cobra](https://github.com/spf13/cobra) | v1.10.2 | CLI framework |\n| [miekg/pkcs11](https://github.com/miekg/pkcs11) | v1.1.2 | HSM/PKCS#11 support (optional, requires CGO) |\n\n### PQC Implementation\n\nPost-quantum algorithms are provided by **Cloudflare's CIRCL** library:\n- **ML-DSA** (FIPS 204) - Digital signatures (Dilithium)\n- **SLH-DSA** (FIPS 205) - Hash-based digital signatures (SPHINCS+)\n- **ML-KEM** (FIPS 203) - Key encapsulation (Kyber)\n\nCIRCL is tested against official NIST test vectors. We rely on their implementation rather than re-implementing PQC algorithms.\n\n## Quick Start\n\n### Initialize a Root CA\n\n```bash\n# Create a CA with ECDSA P-384 (recommended)\nqpki ca init --profile ec/root-ca --ca-dir ./root-ca --var cn=\"My Root CA\"\n# → root-ca/{ca.crt, private/ca.key, certs/, crl/, index.txt, serial}\n\n# Create a hybrid CA (ECDSA + ML-DSA, ITU-T X.509 Section 9.8)\nqpki ca init --profile hybrid/catalyst/root-ca --ca-dir ./hybrid-ca --var cn=\"Hybrid Root CA\"\n\n# Create a pure PQC CA (ML-DSA-87)\nqpki ca init --profile ml/root-ca --ca-dir ./pqc-ca --var cn=\"PQC Root CA\"\n```\n\n### Create a Subordinate CA\n\n```bash\n# Create a subordinate/issuing CA signed by the root\nqpki ca init --profile ec/issuing-ca --ca-dir ./issuing-ca \\\n  --parent ./root-ca --var cn=\"Issuing CA\"\n```\n\nThis creates a complete CA structure with:\n- `ca.crt` - Subordinate CA certificate\n- `chain.crt` - Full certificate chain (sub CA + root)\n- `private/ca.key` - Subordinate CA private key\n\n### Generate Keys\n\nGenerate private key files. The public key is mathematically derived from the private key and can be extracted using `qpki key pub`.\n\n```bash\n# Generate an ECDSA key\nqpki key gen --algorithm ecdsa-p256 --out key.pem\n\n# Generate an ML-DSA-65 (PQC lattice-based) key\nqpki key gen --algorithm ml-dsa-65 --out ml-dsa-key.pem\n\n# Generate an SLH-DSA-128f (PQC hash-based) key\nqpki key gen --algorithm slh-dsa-128f --out slh-dsa-key.pem\n\n# Generate with passphrase protection\nqpki key gen --algorithm ecdsa-p384 --out key.pem --passphrase mysecret\n\n# Extract public key from private key\nqpki key pub --key key.pem --out key.pub\n```\n\n### Generate Certificate Signing Requests\n\nWhen using `--keyout`, the private key is generated alongside the CSR. Use `--key` to create a CSR from an existing key.\n\n```bash\n# Generate NEW key pair + CSR\nqpki csr gen --algorithm ecdsa-p256 --keyout server.key --cn server.example.com --out server.csr\n\n# CSR from EXISTING key (no key generation)\nqpki csr gen --key existing.key --cn server.example.com --out server.csr\n\n# PQC CSR (ML-DSA)\nqpki csr gen --algorithm ml-dsa-65 --keyout mldsa.key --cn alice@example.com --out mldsa.csr\n\n# ML-KEM CSR with RFC 9883 attestation\nqpki csr gen --algorithm ml-kem-768 --keyout kem.key --cn alice@example.com \\\n    --attest-cert sign.crt --attest-key sign.key --out kem.csr\n\n# Hybrid CSR (ECDSA + ML-DSA dual signatures)\nqpki csr gen --algorithm ecdsa-p256 --keyout classical.key \\\n    --hybrid ml-dsa-65 --hybrid-keyout pqc.key --cn example.com --out hybrid.csr\n```\n\n### Issue Certificates\n\nCertificates are always issued from a CSR (Certificate Signing Request).\nFor direct issuance with key generation, use `qpki credential enroll` instead.\n\n```bash\n# From classical CSR with variables\nqpki cert issue --ca-dir ./myca --profile ec/tls-server \\\n  --csr server.csr --out server.crt \\\n  --var cn=api.example.com \\\n  --var dns_names=api.example.com,api-v2.example.com\n\n# Using a variables file\nqpki cert issue --ca-dir ./myca --profile ec/tls-server \\\n  --csr server.csr --var-file vars.yaml\n\n# From PQC signature CSR (ML-DSA, SLH-DSA)\nqpki cert issue --ca-dir ./myca --profile ml/tls-server-sign \\\n  --csr mldsa.csr --out server.crt \\\n  --var cn=pqc.example.com\n\n# From ML-KEM CSR (requires RFC 9883 attestation for verification)\nqpki cert issue --ca-dir ./myca --profile ml-kem/client \\\n  --csr kem.csr --out kem.crt \\\n  --attest-cert sign.crt --var cn=client@example.com\n\n# From Hybrid CSR (classical + PQC dual signatures)\nqpki cert issue --ca-dir ./myca --profile hybrid/catalyst/tls-server \\\n  --csr hybrid.csr --out server.crt \\\n  --var cn=hybrid.example.com\n```\n\n### Inspect \u0026 Verify\n\n```bash\n# Show certificate details\nqpki inspect certificate.crt\n\n# Show key information\nqpki inspect private-key.pem\n\n# Verify certificate chain\nqpki cert verify server.crt --ca ./myca/ca.crt\n\n# Verify with CRL revocation check\nqpki cert verify server.crt --ca ./myca/ca.crt --crl ./myca/crl/ca.crl\n\n# List all issued certificates\nqpki cert list --ca-dir ./myca\n\n# List only valid certificates\nqpki cert list --ca-dir ./myca --status valid\n```\n\n### Sign \u0026 Encrypt with CMS\n\n```bash\n# Sign a document (detached signature)\nqpki cms sign --data doc.pdf --cert signer.crt --key signer.key --out doc.p7s\n\n# Verify signature\nqpki cms verify doc.p7s --data doc.pdf --ca ca.crt\n\n# Encrypt for recipient (supports ECDH, RSA, ML-KEM)\nqpki cms encrypt --recipient bob.crt --in secret.txt --out secret.p7m\n\n# Decrypt\nqpki cms decrypt --key bob.key --in secret.p7m --out secret.txt\n```\n\n### Revocation\n\n```bash\n# Revoke a certificate by serial number\nqpki cert revoke 02 --ca-dir ./myca --reason superseded\n\n# Revoke and generate new CRL\nqpki cert revoke 02 --ca-dir ./myca --gen-crl\n\n# Generate/update CRL\nqpki crl gen --ca-dir ./myca --days 30\n```\n\n## Profiles (Certificate Templates)\n\nProfiles are YAML files that define how certificates are issued. **1 profile = 1 certificate type**.\n\nQPKI includes **50+ built-in profiles** covering common use cases. All examples in this README use these built-in profiles for simplicity.\n\n```bash\n# List all built-in profiles\nqpki profile list\n\n# View profile details\nqpki profile info hybrid/catalyst/tls-server\n\n# Export a profile to customize it\nqpki profile export ec/tls-server ./my-tls-server.yaml\n\n# Export all profiles for reference\nqpki profile export --all ./templates/\n```\n\nYou can also create custom profiles from scratch. See [docs/PROFILES.md](docs/PROFILES.md) for the full YAML specification.\n\n**Profile Categories:**\n\n| Category | Description |\n|----------|-------------|\n| `ec/*` | ECDSA profiles (modern classical) |\n| `rsa/*` | RSA profiles (legacy compatibility) |\n| `ml/*` | ML-DSA and ML-KEM (post-quantum) |\n| `slh/*` | SLH-DSA (hash-based post-quantum) |\n| `hybrid/catalyst/*` | Catalyst dual-key (ITU-T X.509 9.8) |\n| `hybrid/composite/*` | IETF composite signatures |\n\n**Example Profile (catalyst mode):**\n\n```yaml\nname: hybrid/catalyst/tls-server\nmode: catalyst\nalgorithms:\n  - ecdsa-p256\n  - ml-dsa-65\nvalidity: 365d\nextensions:\n  keyUsage:\n    values: [digitalSignature]\n  extKeyUsage:\n    values: [serverAuth]\n```\n\nSee [docs/PROFILES.md](docs/PROFILES.md) for details.\n\n## Credentials\n\nA credential is a managed bundle of **private key(s) + certificate(s)** with coupled lifecycle management (enrollment, renewal, revocation).\n\n`credential enroll` generates everything in one command:\n\n```bash\nqpki credential enroll --ca-dir ./myca --profile ec/tls-client --var cn=Alice\n# → credentials/\u003cid\u003e/{credential.meta.json, certificates.pem, private-keys.pem}\n```\n\n**Why use credentials?**\n- **Coupled lifecycle**: Renew or revoke all certificates at once\n- **Multi-certificate**: Use multiple `--profile` flags for crypto-agility (classical + PQC)\n\n```bash\n# Create credential with multiple profiles (crypto-agility)\nqpki credential enroll --ca-dir ./myca --profile ec/client --profile ml/client --var cn=Alice\n\n# Create credential with custom ID\nqpki credential enroll --ca-dir ./myca --profile hybrid/catalyst/tls-client --var cn=Alice --id alice-prod\n```\n\nManage credential lifecycle:\n\n```bash\n# List credentials\nqpki credential list\n\n# Show credential details\nqpki credential info alice-20250115-abc123\n\n# Renew all certificates in a credential\nqpki credential rotate alice-20250115-abc123\n\n# Renew with crypto migration (add/change profiles)\nqpki credential rotate alice-20250115-abc123 --profile ec/client --profile ml/client\n\n# Revoke all certificates in a credential\nqpki credential revoke alice-20250115-abc123 --reason keyCompromise\n```\n\nSee [docs/CREDENTIALS.md](docs/CREDENTIALS.md) for details.\n\n## Directory Structure\n\n### CA Directory (`--ca-dir`, default: `./ca`)\n\n```\nca/\n├── ca.crt           # CA certificate (PEM)\n├── chain.crt        # Certificate chain (subordinate CA only)\n├── private/\n│   └── ca.key       # CA private key (PEM, optionally encrypted)\n├── certs/           # Issued certificates by serial\n│   ├── 01.crt\n│   └── 02.crt\n├── crl/\n│   ├── ca.crl       # Current CRL (PEM)\n│   └── ca.crl.der   # Current CRL (DER)\n├── profiles/        # Certificate templates\n│   ├── classic.yaml\n│   ├── hybrid-catalyst.yaml\n│   └── ...\n├── index.txt        # Certificate database\n├── serial           # Next serial number\n└── crlnumber        # Next CRL number\n```\n\n### Credentials Directory (`--cred-dir`, default: `./credentials`)\n\n```\ncredentials/\n└── \u003ccredential-id\u003e/\n    ├── credential.meta.json  # Metadata (status, profiles, validity)\n    ├── certificates.pem      # Certificate(s) (PEM)\n    └── private-keys.pem      # Private key(s) (PEM, optionally encrypted)\n```\n\nCredentials are stored separately from the CA, enabling End Entity (EE) autonomy.\n\n## Development\n\n```bash\n# Run tests\nmake test\n\n# Run tests with coverage\nmake coverage\n\n# Lint code\nmake lint\n\n# Build binary\nmake build\n```\n\n## Interoperability \u0026 Compatibility\n\nThis project focuses on **real-world Post-Quantum PKI interoperability**.\nAll artifacts are designed to be compatible with standard PKI tooling and are **cross-tested with external implementations**.\n\n### Standards Compliance\n\n| Standard | Description | Status |\n|----------|-------------|--------|\n| RFC 5280 | X.509 Certificates and CRL | 🟢 |\n| RFC 2986 | PKCS#10 CSR | 🟢 |\n| RFC 9883 | ML-KEM CSR Attestation | 🟢 |\n| RFC 6960 | OCSP | 🟢 |\n| RFC 3161 | TSA Timestamping | 🟢 |\n| RFC 5652 | CMS Signed Data | 🟢 |\n| RFC 8419 | EdDSA in CMS | 🟢 |\n| RFC 9814 | SLH-DSA in CMS | 🟢 |\n| RFC 9882 | ML-DSA in CMS | 🟢 |\n| FIPS 203 | ML-KEM | 🟢 |\n| FIPS 204 | ML-DSA | 🟢 |\n| FIPS 205 | SLH-DSA | 🟢 |\n| ITU-T X.509 9.8 | Catalyst (dual-key extensions) | 🟢 |\n| IETF draft-13 | Composite Signatures | 🟢 |\n\n### Interoperability Matrix\n\nArtifacts are validated using **OpenSSL 3.6+** and **BouncyCastle 1.83+**.\n\n#### Certificates\n\n| Type | QPKI | OpenSSL | BouncyCastle |\n|------|------|---------|--------------|\n| Classical (ECDSA/RSA) | 🟢 | 🟢 verify | 🟢 verify |\n| PQC (ML-DSA, SLH-DSA) | 🟢 | 🟢 verify | 🟢 verify |\n| Catalyst Hybrid | 🟢 both sigs | 🟢 ECDSA only | 🟢 both sigs |\n| Composite (IETF) | 🟢 both sigs | 🔴 | 🟡 parse only* |\n\n#### CSR (Certificate Signing Requests)\n\n| Type | QPKI | OpenSSL | BouncyCastle |\n|------|------|---------|--------------|\n| Classical | 🟢 | 🟢 verify | 🟢 verify |\n| PQC (ML-DSA) | 🟢 | 🟢 verify | 🟢 verify |\n| ML-KEM (RFC 9883) | 🟢 | 🟢 parse | 🟢 verify |\n| Hybrid | 🟢 | 🟢 primary | 🟢 both sigs |\n\n#### CRL (Certificate Revocation Lists)\n\n| Type | QPKI | OpenSSL | BouncyCastle |\n|------|------|---------|--------------|\n| Classical | 🟢 | 🟢 verify | 🟢 verify |\n| PQC (ML-DSA, SLH-DSA) | 🟢 | 🟢 verify | 🟢 verify |\n| Catalyst Hybrid | 🟢 both sigs | 🟢 ECDSA only | 🟢 both sigs |\n| Composite (IETF) | 🟢 both sigs | 🔴 | 🟡 parse only* |\n\n#### OCSP, TSA, CMS\n\n| Artifact | QPKI | OpenSSL | BouncyCastle |\n|----------|------|---------|--------------|\n| OCSP Response | 🟢 | 🟢 verify | 🟢 verify |\n| TSA Timestamp | 🟢 | 🟢 verify | 🟢 verify |\n| CMS Signed Data | 🟢 | 🟢 verify | 🟢 verify |\n| CMS Enveloped (ML-KEM) | 🟢 | 🟢 decrypt | 🟢 decrypt |\n\n### Known Limitations\n\n| Feature | Status | Notes |\n|---------|--------|-------|\n| Composite signatures | 🟡 Partial | BC 1.83 uses draft-07 OIDs, we use IETF draft-13 |\n| OpenSSL Catalyst | 🟡 Partial | Only ECDSA signature verified, PQC ignored |\n| HSM support (PKCS#11) | 🟢 | Tested with SoftHSM; hardware HSM not yet validated |\n\n*\\*Composite: BC 1.83 implements draft-07 (Entrust OIDs `2.16.840.1.114027.80.8.1.x`), our implementation uses draft-13 (IETF standard OIDs `1.3.6.1.5.5.7.6.x`). Certificates parse correctly but signature verification requires OID migration in BC.*\n\n### Running Cross-Tests\n\n```bash\nmake crosstest          # All (OpenSSL + BouncyCastle)\nmake crosstest-openssl  # OpenSSL only\nmake crosstest-bc       # BouncyCastle only (requires Java 17+)\n```\n\n\u003e OpenSSL and BouncyCastle are used **for interoperability validation only**.\n\u003e This project does **not embed nor depend on** these libraries.\n\nSee [docs/dev/TESTING.md](docs/dev/TESTING.md) for details on the testing strategy.\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [CA.md](docs/CA.md) | CA initialization, certificates, CRL management |\n| [KEYS.md](docs/KEYS.md) | Key generation and CSR operations |\n| [CREDENTIALS.md](docs/CREDENTIALS.md) | Credential management (enroll, rotate, revoke) |\n| [PROFILES.md](docs/PROFILES.md) | Certificate profile configuration |\n| [CONCEPTS.md](docs/CONCEPTS.md) | PQC, hybrid certificates (Catalyst, Composite) |\n| [CRYPTO-AGILITY.md](docs/CRYPTO-AGILITY.md) | Algorithm migration guide (EC → Catalyst → ML-DSA) |\n| [CMS.md](docs/CMS.md) | CMS signatures and encryption |\n| [HSM.md](docs/HSM.md) | HSM/PKCS#11 integration |\n| [TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md) | Common errors and solutions |\n| [GLOSSARY.md](docs/GLOSSARY.md) | PKI and PQC terminology |\n\n### Developer Documentation\n\n| Document | Description |\n|----------|-------------|\n| [CONTRIBUTING.md](docs/dev/CONTRIBUTING.md) | Contributing guidelines and development workflow |\n| [TESTING.md](docs/dev/TESTING.md) | Testing strategy and local execution |\n| [INTEROPERABILITY.md](docs/dev/INTEROPERABILITY.md) | Cross-validation matrix (OpenSSL, BouncyCastle) |\n\n## About\n\nDeveloped and maintained by **Remi Blancher**, cryptography and PKI specialist with 20+ years of experience in cryptographic infrastructures and post-quantum migration.\n\nFor questions, feedback, or professional inquiries:\n- Email: remi.blancher@proton.me\n- LinkedIn: linkedin.com/in/remiblancher\n\n## License\n\nApache License 2.0 - See [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fremiblancher%2Fpost-quantum-pki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fremiblancher%2Fpost-quantum-pki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fremiblancher%2Fpost-quantum-pki/lists"}