Wang Government Services, Inc. (WGSI), A Getronics Company, has delivered
Version 1.7 of the S/MIME Freeware Library (SFL) source code and
Application Programming Interface (API). The SFL source code files are
freely available to everyone from the Fortezza Developer's S/MIME Page

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications.
It also implements portions of the RFC 2633 Message Specification and
RFC 2632 Certificate Handling document. When used in conjunction with
the Crypto++ freeware library, the SFL implements the RFC 2631
Diffie-Hellman (D-H) Key Agreement Method specification. It has been
successfully tested using the MS Windows NT/95/98 and Solaris 2.7 operating
systems. Further enhancements, ports and testing of the SFL are still in
process. Further releases of the SFL will be provided as significant
capabilities are added.

The SFL has been successfully used to sign, verify, encrypt and decrypt
objects using: S/MIME v3 mandatory-to-implement algorithms (DSA, E-S D-H,
provided by the Crypto++ 3.1 library; RSA suite of algorithms provided by
RSA BSAFE v4.2 and Crypto++ 3.1 libraries; and Fortezza suite of algorithms
provided by the Fortezza Crypto Card. The SFL uses the v1.3 Enhanced SNACC
ASN.1 Library to encode/decode objects. The v1.7 SFL release includes: SFL
level library; Free (a.k.a. Crypto++) Crypto Token Interface Library (CTIL);
BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL (still being tested);
v1.3 Enhanced SNACC ASN.1 Compiler and Library; test utilities; test drivers
and test data. All CTILs were tested as Dynamically Linked Libraries (DLL)
using MS Windows. The Fortezza, BSAFE and Crypto++ CTILs were tested with
the respective security libraries as shared objects using Solaris 2.7.

The SFL has been successfully used to exchange signedData and envelopedData
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01 and
Netscape Communicator 4.X S/MIME v2 products. Signed messages have been
exchanged with the RSA S/MAIL, WorldTalk and Entrust S/MIME v2 products.
The SFL has also been used to perform S/MIME v3 interoperability testing with
Microsoft that exercised the majority of the features specified by RFCs
2631 and 2634. This testing included the RSA, mandatory S/MIME V3 and
suites of algorithms. We used the SFL to successfully process all of the
SFL-supported sample data included in the S/MIME WG "Examples of S/MIME
document. We have also performed limited S/MIME v3 testing with Baltimore

The following enhancements are included in the v1.7 SFL release (compared
to the v1.6 release):
1) Tested using new, consolidated SNACC library and other common libraries
shared with the v1.3 Access Control Library (ACL) and v1.71 Certificate
Management Library (CML).
2) Re-configured directory structure for SFL source code files so that it is
consistent with the ACL and CML.
3) Corrected bugs in SPEX/ CTIL. Successfully used SPEX/ CTIL to provide
RSA key management and DES using the Spyrus SPEX/ Library v1.52b Release 7b,
Spyrus Lynks Card and X.509 v3 Certificates created by the Spyrus S2CA. We
also tested SHA1-with-RSA signature creation/verification using the Lynks
Card. We also tested the Fortezza algorithm suite using a Fortezza Card.
4) Corrected several bugs reported by customers.
5) Performed regression testing to ensure that aforementioned enhancements
did not break existing SFL functionality.

We are still in the process of enhancing and testing the SFL. Future
releases will include: completion of PKCS #11 CTIL testing; SPEX/ CTIL
encrypt/decrypt/ESDH capabilities; finish CertificateBuilder command line
utility; enhancing CertificateBuilder to support creation of Attribute
Certificates; modify PKCS #12 code in test utilities to provide
storage; add MIME support for test drivers; add "Certificate Management
Messages over CMS" ASN.1 encode/decode functions; add enhanced test
bug fixes; support for other crypto APIs (possible); and support for other

The SFL is developed to maximize portability to 32-bit operating
systems. In addition to testing on MS Windows and Solaris 2.7, we plan to port
the SFL to the following operating systems: Linux, HP/UX 11, IBM AIX 3.2
(possibly), SCO 5.0 (possibly) and Macintosh (possibly).

The following SFL files are available from the Fortezza Developer's S/MIME Page:
1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API,
Software Test Description, Implementers Guide, Overview Briefing and Public
License.
2) snacc13rn.tar.gz: Zip file containing v1.3 Enhanced SNACC ASN.1 Compiler and
Library source code compilable for Unix and MS Windows NT/95/98/2000 that has been
enhanced by WGSI to implement the Distinguished Encoding Rules. Project files
and makefiles are included. This file includes a sample test project
demonstrating the use of the SNACC classes.
3) smimeR1.7.tar.gz: Zip file containing all SFL source code including:
SFL Hi-Level source code; Enhanced SNACC-generated ASN.1 source
code; project files. This file also contains test driver source code,
sample CMS/ESS test data and test X.509 Certificates. This file also
includes test utilities to create X.509 Certificates that each include
a D-H, DSA or RSA public key. SNACC release and debug libraries
are compiled for MS Windows NT/95/98/2000. MS Windows NT/95/98/2000
project files and Unix makefiles are included for the SNACC code and
4) smCTIR1.7.tar.gz: Source code for the following CTILs: Test (no crypto),
Crypto++, BSAFE, Fortezza, SPEX/ and PKCS #11. The Win95/98/NT/2000
also included. (NOTE: The Free (a.k.a. Crypto++) CTIL includes
source code to use the RSA public key algorithm implemented within the
Crypto++ library. As with all of the external crypto token libraries, the
Crypto++ library is not distributed as part of the SFL source code.
To use the Crypto++ library with the SFL, the application developer must
independently obtain the Crypto++ library from the Crypto++ Web Page
<http://www.eskimo.com/~weidai/cryptlib.html> and then compile it with
the WGSI-developed Crypto++ CTIL source code. The RSA public key
algorithm is covered by U.S. Patent 4,405,829 "Cryptographic Communication
System and Method". Within the U.S., users of the RSA public key algorithm
provided by the external Crypto++ library must obtain a license from RSA
granting them permission to use the RSA algorithm.)
5) csmime.mdl contains SFL Class diagrams created using Microsoft
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
Not all classes are documented in the MDL file at this time.

All source code for the SFL is being provided at no cost and with no
financial limitations regarding its use and distribution.
Organizations can use the SFL without paying any royalties or
licensing fees. WGSI is developing the SFL under contract to the U.S.
Government. The U.S. Government is furnishing the SFL source code at no
cost to the vendor subject to the conditions of the "SFL Public
License" available from the Fortezza Developer's S/MIME Page.

On 14 January 2000, the U.S. Department of Commerce, Bureau of
Export Administration published a new regulation implementing an update to
the U.S. Government's encryption export policy
<http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with the
revisions to the Export Administration Regulations (EAR) of 14 Jan 2000,
the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS
and ESS processing independent of the crypto algorithms used to
protect a specific object. The SFL high-level library makes calls to
an algorithm-independent CTIL API. The underlying, external crypto
token libraries are not distributed as part of the SFL
source code. The application developer must independently obtain these
libraries and then link them with the SFL. For example, the SFL uses
the freeware Crypto++ library to obtain 3DES, D-H and DSA. To use
the SFL with Crypto++ the vendor must download the Crypto++ freeware
library from the Crypto++ Web Page and then compile it with the
WGSI-developed Crypto++ CTIL source code.

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>. The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc. Subscription
information for the imc-sfl mailing list is at the IMC web site

All comments regarding the SFL source code and documents are welcome. This
SFL release announcement was sent to several mail lists, but please send all
messages regarding the SFL to the imc-sfl mail list ONLY. Please do not
send messages regarding the SFL to any of the IETF mail lists. We will
respond to all messages sent to the imc-sfl mail list.

John Pawling, john(_dot_)pawling(_at_)wang(_dot_)com
Wang Government Services, Inc.,
A Getronics Company