All,
J.G. Van Dyke and Associates (VDA), a Wang Government Services Company, has
delivered Version 1.6 of the S/MIME Freeware Library (SFL) source code and
Application Programming Interface (API). The SFL source code files are
freely available to everyone from the Fortezza Developer's S/MIME Page
<http://www.armadillo.huntsville.al.us/software/smime>.
The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications.
It also implements portions of the RFC 2633 Message Specification and
RFC 2632 Certificate Handling document. When used in conjunction with
the Crypto++ freeware library, the SFL implements the RFC 2631
Diffie-Hellman (D-H) Key Agreement Method specification. It has been
successfully tested using the MS Windows NT/95/98 and Solaris 2.7 operating
systems. Further enhancements, ports and testing of the SFL are still in
process. Further releases of the SFL will be provided as significant
capabilities are added.
The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS
objects using: S/MIME v3 mandatory-to-implement algorithms (DSA, E-S D-H,
3DES)
provided by the Crypto++ 3.1 library; RSA suite of algorithms provided by
the
RSA BSAFE v4.2 and Crypto++ 3.1 libraries; and Fortezza suite of algorithms
provided by the Fortezza Crypto Card. The SFL uses the VDA-enhanced SNACC
v1.3
ASN.1 C++ Library to encode/decode objects. The v1.6 SFL release includes:
SFL
High-level library; Free (a.k.a. Crypto++) Crypto Token Interface Library
(CTIL);
BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL (still being tested);
VDA-
enhanced GNU SNACC v1.3 rev 0.07 ASN.1 Compiler and C++ Library; test
utilities;
test drivers and test data. All CTILs were tested as Dynamically Linked
Libraries (DLL) using MS Windows. The Fortezza, BSAFE and Crypto++ CTILs
were
tested with the respective security libraries as shared objects using
Solaris 2.7.
The SFL has been successfully used to exchange signedData and envelopedData
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01 and
Netscape Communicator 4.X S/MIME v2 products. Signed messages have been
exchanged with the RSA S/MAIL, WorldTalk and Entrust S/MIME v2 products.
The SFL has also been used to perform S/MIME v3 interoperability testing
with
Microsoft that exercised the majority of the features specified by RFCs
2630,
2631 and 2634. This testing included the RSA, mandatory S/MIME V3 and
Fortezza
suites of algorithms. We have also performed limited S/MIME v3 testing with
Baltimore and Entrust.
The following enhancements are included in the v1.6 SFL release (compared
with
the v1.5 release):
1) We used the SFL to successfully process all of the SFL-supported sample
data included in the S/MIME WG "Examples of S/MIME Messages" document. We
also used the SFL to construct sample data (such as signed receipts) to be
added to the document. We automated this SFL testing (through the use of
test drivers and configuration files) so that it can be easily repeated and
modified by us or independently by a third party. We developed sample
objects that illustrate each feature in the Examples document that the SFL
supports. This self-contained environment uses the specified certificates
(DSA, RSA, and DH) in the login as described in the document. This
directory resides in "./smimeR1.6/test/specMatrix.d/CMS_Examples.d"; the
binaries are named as in the document (e.g. 5.4.bin, etc.). The config
files used to generate these examples are in the "config.d" subdirectory.
The certificate build config files are in the "certs.d/config.d"
subdirectory.
2) We successfully completed RFC 2634 signed receipt interoperability
testing between the SFL and
Microsoft. We added a check to the SFL to ensure that the application
always includes in the receiptRequest attribute a receiptsTo e-mail address
to which the signed receipt is to be sent.
3) We verified that the SFL can produce and process the SFL-supported
features documented in the S/MIME v3 interoperability matrices created by
Jim Schaad. We automated this SFL testing so that it can be easily repeated
and modified by us or independently by a third party. We have developed
sample objects that illustrate each feature in the matrix that the SFL
supports. We updated the Interop.xls document (contained in the
"./smimeR1.6/test/specMatrix.d" subdirectories) to indicate the testing
performed using the SFL. Within this document, each feature row contains a
reference to a binary file in the "CMS_Examples.d" directory that
demonstrates that feature if applicable. These additional file names are
preceded by the name "ExInterop..." to distinguish them from the
"examples-03.txt" example binaries.
4) Fixed a number of bugs in the SFL and test drivers found during the
aforementioned interoperability testing. Features improved in the SFL
include: proper SignedData and SignerInfo version numbers;
creating/processing encrypted messages without a User Key Material (UKM);
added SubjectKeyIdentifier (SKI) processing in SignedData and EnvelopedData
(Originator only, the RecipientInfos automatically use SKI for Fortezza/SPEX
CTILs); and EnvelopedData unprotectedAttrs from the test config file. We
also corrected the following bugs in the test driver/configuration files
used to create X.509 Certificates for SFL testing: corrected inconsistent
UTC and General Time Dates; included dates past 1999; corrected object
identifiers (OID) for algorithms; and regenerated certificates to include
unsigned integers.
5) List template processing has been fixed to use the same "CSM_ListC"
template from the common libCert DLL. The old convention required a new
name for this list class in each DLL; the new convention uses the same
CSM_ListC template class from libCert. This forces the compiler to build
the logic for the actual class lists uniquely in the new DLL (see references
to CSM_ListC in the SFL for an example). This simplifies the list logic in
support libraries and any new user libraries interested in using the list
template.
6) CertificateBuilder utility has been improved in functionality and tested
more thoroughly. This utility can view, edit, and create certificates
(including extensions) as well as generate a variety of public/private keys
for processing by the SFL. A new command line CertificateBuilderCL has been
created (it does not yet allow the building of keys, private or public).
The command line utility has not yet been tested on Unix.
7) Tested SFL with the C++ version of the SNACC ASN.1 library enhanced to
support PrintableString, TeletexString, NumericString, IA5String,
VisibileString, BMPString, UniversalString and UTF8String character string
types. We added an optional function to SNACC to convert ASN.1 OCTET
STRINGs to single- or multi-byte character strings (as appropriate).
8) Developed new test code and configuration files to implement test cases;
and
9) Performed regression testing to ensure that aforementioned enhancements
did
not break existing SFL functionality.
We are still in the process of enhancing and testing the SFL. Future
releases
will include: completion of PKCS #11 CTIL testing; SPEX/ CTIL
encrypt/decrypt/ESDH capabilities; finish CertificateBuilder command line
utility; enhancing CertificateBuilder to support creation of Attribute
Certificates; modify PKCS #12 code in test utilities to provide
interoperable key
storage; add MIME support for test drivers; add "Certificate Management
Messages over CMS" ASN.1 encode/decode functions; add enhanced test
routines;
bug fixes; support for other crypto APIs (possible); and support for other
operating systems.
The SFL is developed to maximize portability to 32-bit operating
systems. In addition to testing on MS Windows and Solaris 2.7, we plan to
port
the SFL to the following operating systems: Linux, HP/UX 11, IBM AIX 3.2
(possibly), SCO 5.0 (possibly) and Macintosh (possibly).
The following SFL files are available from the Fortezza Developer's S/MIME
Page:
1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API,
Software Test Description, Implementers Guide, Overview Briefing and Public
License.
2) snacc1_6VDA.zip: Zip file containing SNACC v1.3 rev 0.07 ASN.1 Compiler
and
C++ Library source code compilable for Unix and MS Windows NT/95/98/2000
that has been
enhanced by VDA to implement the Distinguished Encoding Rules and to support
multiple-byte character strings. Project files and makefiles are included.
This file includes a sample test project demonstrating the use of the SNACC
classes.
3) smimeR16.zip: Zip file containing all SFL source code including:
SFL Hi-Level source code; VDA-enhanced SNACC-generated ASN.1 source
code; project files. This file also contains test driver source code,
sample CMS/ESS test data and test X.509 Certificates. This file also
includes test utilities to create X.509 Certificates that each include
a D-H, DSA or RSA public key. SNACC release and debug libraries
are compiled for MS Windows NT/95/98/2000. MS Windows NT/95/98/2000
project files and Unix makefiles are included for the SNACC code and
Crypto++.
4) smR16CTI.zip: Source code for the following CTILs: Test (no crypto),
Crypto++, BSAFE, Fortezza, SPEX/ and PKCS #11. The Win95/98/NT/2000
projects are
also included. (NOTE: The Free (a.k.a. Crypto++) CTIL includes
VDA-developed
source code to use the RSA public key algorithm implemented within the
external
Crypto++ library. As with all of the external crypto token libraries, the
Crypto++ library is not distributed as part of the SFL source code.
To use the Crypto++ library with the SFL, the application developer must
independently obtain the Crypto++ library from the Crypto++ Web Page
<http://www.eskimo.com/~weidai/cryptlib.html> and then compile it with
the VDA-developed Crypto++ CTIL source code. The RSA public key
algorithm is covered by U.S. Patent 4,405,829 "Cryptographic Communication
System and Method". Within the U.S., users of the RSA public key algorithm
provided by the external Crypto++ library must obtain a license from RSA
granting them permission to use the RSA algorithm.)
5) csmime.mdl contains SFL Class diagrams created using Microsoft
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
<http://www.rational.com/uml/resources/practice_uml/index.jtmpl>.
Not all classes are documented in the MDL file at this time.
All source code for the SFL is being provided at no cost and with no
financial limitations regarding its use and distribution.
Organizations can use the SFL without paying any royalties or
licensing fees. VDA is developing the SFL under contract to the U.S.
Government. The U.S. Government is furnishing the SFL source code at no
cost to the vendor subject to the conditions of the "SFL Public
License" available from the VDA SFL Page and Fortezza Developer's
S/MIME Page.
On 14 January 2000, the U.S. Department of Commerce, Bureau of
Export Administration published a new regulation implementing an update to
the U.S. Government's encryption export policy
<http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with the
revisions to the Export Administration Regulations (EAR) of 14 Jan 2000,
the downloading of the SFL source code is not password controlled.
The SFL is composed of a high-level library that performs generic CMS
and ESS processing independent of the crypto algorithms used to
protect a specific object. The SFL high-level library makes calls to
an algorithm-independent CTIL API. The underlying, external crypto
token libraries are not distributed as part of the SFL
source code. The application developer must independently obtain these
libraries and then link them with the SFL. For example, the SFL uses
the freeware Crypto++ library to obtain 3DES, D-H and DSA. To use
the SFL with Crypto++ the vendor must download the Crypto++ freeware
library from the Crypto++ Web Page and then compile it with the
VDA-developed Crypto++ CTIL source code.
The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>. The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc. Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.
All comments regarding the SFL source code and documents are welcome.
We recommend that comments should be sent to the imc-sfl mail list.
We will respond to all messages on that list.
============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john(_dot_)pawling(_at_)wang(_dot_)com
============================================