Download OpenPACE

You can download the latest release of OpenPACE on Github. Older releases are still available on Sourceforge.

If you plan to make contribution, you can clone our git repository to later make a pull request on Github:

git clone

Alternatively, the current developement version is available as zip file or as precompiled Windows 32 bit binaries and 64 bit binaries.

Compiling and Installing OpenPACE

Setting up a development environment using Vagrant

The easiest way to setup a development or test environment is to use Vagrant 7 with VirtualBox 8. OpenPACE comes with a Vagrantfile which lets you setup a working environment with just one command. To create a Ubuntu based virtual machine, install all dependencies and compile OpenPACE, run the following command in the OpenPACE directory:

vagrant up

You then need to vagrant ssh in order to access the VM. The openpace folder is shared between the host and the VM so any changes you make on the host are immediately visible in the VM and vice versa.

Compiling on Linux, Unix and similar

OpenPACE uses the GNU Build System to compile and install. If you are unfamiliar with it, please have a look at INSTALL. If you can not find it, you are probably working bleeding edge in the repository. Run the following command in openpace to get the missing standard auxiliary files:

autoreconf --verbose --install

To configure (./configure --help lists possible options), build and install OpenPACE now do the following:

make install

OpenPACE depends on the OpenSSL 4 library. Since PACE uses CMAC and the Brainpool curves, OpenSSL is required with version 1.0.2 or later.

Furthermore, additional object identifiers from BSI TR-03110 1 are required. You have two options to get them to work:

  1. Let OpenPACE load the object identifiers at runtime

  2. Patch OpenSSL to include the identifiers

The first option allows you to install an unchanged version of OpenSSL to your system. However, performance will be slightly worse and there are some limitations. For example, you won’t be able to use the new NIDs as labels in a switch statement and you need to make sure to call EAC_init() first. For patching OpenSSL we provide bsi_objects.txt. You can configure OpenPACE with --enable-openssl-install, which will automatically download, patch, build and install OpenSSL if needed.

The language bindings for Python, Java, … are currently disabled by default. You need to explicitely configure OpenPACE to install them by using --enable-python, --enable-java, … This requires SWIG to be installed along with the language’s toolchain to build the bindings.

Compiling for Windows

Cross-Compiling for Windows on Linux

Our Makefile includes scripts for cross compilation for Windows on Debian wheezy:

test -x configure || autoreconf --verbose --install
./configure --enable-openssl-install
make win

gendef 6 should be installed to generate the library definitions. On successfull compilation, the Windows binaries can be found in openpace-1.1.2_win32. For customization you may pass the following make variables:

Make Variable





cross compiler



root directory of the cross compiler containing the lib and include folders

Compiling with Visual Studio

A quick and dirty way without wasting too much time on setting up the development environment would be to compile the library by hand in the Visual Studio Tools ‣ Developer Command Prompt with installed OpenSSL Windows binaries 9:

  - cd src
  - cl /I%OPENSSL_DIR%\include /I. /DX509DIR=\"/\" /DCVCDIR=\"/\" %CL_OPTIONS% %OPENSSL_1_1_0_FLAGS% /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
  - lib /out:libeacMT.lib ws2_32.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
  - cl /I%OPENSSL_DIR%\include /I. libeacMT.lib %OPENSSL_DIR%\lib\VC\static\%LIBCRYPTO% user32.lib advapi32.lib crypt32.lib gdi32.lib %CL_OPTIONS% %OPENSSL_1_1_0_FLAGS% eactest.c vc.c ssl_compat.c
  # The following has already been performed by make (see above)
  # gengetopt.exe --include-getopt --file-name=cvc-print-cmdline --input=cvc-print.ggo
  - cl /I%OPENSSL_DIR%\include /I. libeacMT.lib %OPENSSL_DIR%\lib\VC\static\%LIBCRYPTO% user32.lib advapi32.lib crypt32.lib gdi32.lib %CL_OPTIONS% %OPENSSL_1_1_0_FLAGS% cvc-print.c read_file.c cvc-print-cmdline.c vc.c
  # The following has already been performed by make (see above)
  # gengetopt.exe --include-getopt --file-name=cvc-create-cmdline --input= cvc-create.ggo
  - cl /I%OPENSSL_DIR%\include /I. libeacMT.lib %OPENSSL_DIR%\lib\VC\static\%LIBCRYPTO% user32.lib advapi32.lib crypt32.lib gdi32.lib %CL_OPTIONS% %OPENSSL_1_1_0_FLAGS% cvc-create.c read_file.c cvc-create-cmdline.c vc.c
  - cd ..

The setup of the environment variables can be found in our Windows CI script which includes all steps of this procedure.

Compiling the Python Bindings

Again, without further ado, we compile the bindings with the Developer Command prompt with installed Python 5:

  - swig -python -outdir . -I.. eac.i
  - cl /I%OPENSSL_DIR%\include /I%PYTHON_INCLUDE% /I..\..\src %CL_OPTIONS% %OPENSSL_1_1_0_FLAGS% /c eac_wrap.c ..\..\src\ssl_compat.c ..\..\src\vc.c
  - link /out:_eac.pyd /dll eac_wrap.obj ssl_compat.obj vc.obj %PYTHON_LIB% ..\..\src\libeacMT.lib %OPENSSL_DIR%\lib\VC\static\%LIBCRYPTO% user32.lib advapi32.lib crypt32.lib gdi32.lib
  - cd ..\..

The setup of the environment variables can be found in our Windows CI script which includes all steps of this procedure.

Compiling for Android

Our Makefile includes scripts for cross compilation for Android on Debian wheezy:

test -x configure || autoreconf --verbose --install
./configure --enable-openssl-install
make android

Make Variable





target Architecture



cross compiler



location of the NDK script for creating the toolchain

On successfull compilation, the Android binaries can be found in openpace-1.1.2_$ANDROID_ARCH-linux-androideabi.

Compiling for Javascript

Technically the process for getting OpenPACE into Javascript is similar to cross compiling. With Emscripten 2 the library is compiled into LLVM bytecode and then translated into Javascript. Use the following command:

test -x configure || autoreconf --verbose --install
./configure --enable-openssl-install
make emscripten

Make Variable





root directory of emscripten containing the system/include/libc

On successfull compilation, the compiled bitcode files can be found in openpace-1.1.2_js. You can run our testsuite completely in Javascript or in your browser:

nodejs openpace-1.1.2_js/bin/eactest.js
firefox openpace-1.1.2_js/eactest.html


Javascript cryptography is considered harmful 3. You may want to think twice before using the Javascript version of OpenPACE.