ietf-smime

v1.9 S/MIME Freeware Library Now Available

2001-02-16 14:20:41
All,

Getronics Government Solutions has delivered Version 1.9 of the 
S/MIME Freeware Library (SFL) source code.  The SFL source code files 
are freely available to everyone from the Getronics Government 
Solutions web site at <http://www.getronicsgov.com/hot/sfl_home.htm>.    

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message 
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications. 
It also implements portions of the RFC 2633 Message Specification and 
RFC 2632 Certificate Handling document.  When used in conjunction with
the Crypto++ v4.1 freeware library, the SFL implements the RFC 2631 
Diffie-Hellman (D-H) Key Agreement Method specification.  It has been 
successfully tested using the MS Windows NT/95/98/2000, Linux and Solaris 
2.7 operating systems.  Further enhancements, ports and testing of the SFL
are still in process.  Further releases of the SFL will be provided as
significant capabilities are added.

The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS objects using: S/MIME v3 mandatory-to-implement algorithms (DSA,
E-S D-H, 3DES) provided by the Crypto++ v4.1 library; RSA suite of
algorithms provided by the RSA BSAFE v4.2 and Crypto++ v4.1 libraries; and
Fortezza suite of algorithms provided by the Fortezza Crypto Card.  The
v1.9 SFL uses the v1.3 R5 Enhanced SNACC ASN.1 Library to encode/decode
objects.  The v1.9 SFL release includes: SFL High-level library; Free
(a.k.a. Crypto++) Crypto Token Interface Library (CTIL); BSAFE CTIL;
Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL; v1.3 R5 Enhanced SNACC ASN.1
Compiler and Library; test utilities; test drivers; and test data.  All
CTILs were tested as Dynamically Linked Libraries (DLL) using MS Windows.
The Fortezza, BSAFE and Crypto++ CTILs were tested with the respective
security libraries as shared objects using Linux and Solaris 2.7.


The SFL has been successfully used to exchange signedData and envelopedData 
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01, 
Netscape Communicator 4.X and Entrust S/MIME v2 products.  Signed messages 
have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2 products. 

The SFL has also been used to perform S/MIME v3 interoperability testing
with Microsoft that exercised the majority of the features specified by
RFCs 2630, 2631 and 2634.  This testing included the RSA, mandatory S/MIME
V3 and Fortezza suites of algorithms.  We used the SFL to successfully
process all of the SFL-supported sample data included in the S/MIME WG
"Examples of S/MIME Messages" document.  We also used the SFL to generate
S/MIME v3 sample messages that were included in the "Examples" document.
We have also performed limited S/MIME v3 testing with Baltimore.  

The following enhancements are included in the v1.9 SFL and CTIL releases
(compared with the v1.8 releases):

1) Tested using common v1.3 R5 Enhanced SNACC ASN.1 Library, v1.9 CTILs 
and LIBCERT libraries shared with the v1.5 Access Control Library (ACL) 
and v1.9 Certificate Management Library (CML).

2) Added freeware implementation of the Advanced Encryption Standard (AES)
algorithm (in addition to SHA-1) to the Common Class inherited by all CTILs.


3) Enhanced PKCS #11 CTIL so that it can be used with any PKCS #11-compliant
DLL/shared library.

4) Successfully tested PKCS #11 CTIL with Litronic Maestro v1.0 library
(using Fortezza Card).  Successfully performed interop testing between
Fortezza CTIL and PKCS #11 CTIL.

5) Successfully tested PKCS #11 CTIL with the GemPlus PKCS #11 library (DLL)
using a GemPlus Smart Card (to provide RSA); and Free3 CTIL with the
Crypto++ library (to provide 3DES).  Successfully performed interop testing
between this configuration and Free3 CTIL.

6) We developed and tested a hybrid CTIL that inherits the PKCS #11 and
Free3 CTILs.  This allows the application to access both CTILs using a
single login.  We tested the hybrid CTIL to use: PKCS #11 CTIL with the
GemPlus DLL using a GemPlus Smart Card (to provide RSA); and Free3 CTIL
with the Crypto++ library (to provide 3DES).  Note that we did not modify
the PKCS #11 and Free3 CTILs to support this work.

7) Successfully tested PKCS #11 CTIL with the DataKey PKCS #11 library (DLL)
using a DataKey Smart Card (to provide RSA); and Free3 CTIL with the
Crypto++ library (to provide 3DES).  Successfully performed interop testing
between this configuration and Free3 CTIL.

8) Successfully tested SFL with SPEX/ CTIL, Spyrus SPEX/ 2 Library, and
Lynks Cards, including using RSA and Triple-DES.

9) Enhanced common CTIL functionality to accept no parameters and to provide
hash, content, encrypt/decrypt, signature verification services.

10) Tested Free3 CTIL with Crypto++ v4.1.

11) Enhanced SFL test utilities to create/process MIME headings using
Mozilla MIME library.

12) Enhanced ReportTool to completely process PKCS #12 file and provide
decrypted contents.

13) Developed code to generate RSA key material using the Crypto++ library. 

14) Enhanced CertificateBuilder to create PKCS #12 files including DSA
private keys and related data.

15) Converted all source code to use CVS configuration management system.

16) Corrected bugs in SFL: incorrect E-S D-H object identifier (OID);
ESSSecurityLabel build/process code; Party A information field used
with D-H; envelopedData keyTransportRecipientInfo version; and NULL
parameter incorrectly omitted when RSA OID is present.

17) Corrected bugs in Fortezza and SPEX/ CTILs (3DES initialization vector
ASN.1 encoded improperly).

18) Resolved compiler warnings in SFL and CTILs.

19) Performed regression testing to ensure that aforementioned enhancements
did not break existing SFL functionality.

20) Successfully linked (using Windows) the v1.9 SFL, v1.3 R5 SNACC and v1.9
CML.

We also delivered the v1.9 SFL Application Programming Interface (API)
and v1.9 SDD API documents.  We also delivered the v1.0 SMP Components
Setup Manual that describes the component installation procedures for the
v1.9 SFL, v1.9 CML, and v1.3 R5 Enhanced SNACC libraries.

We are still in the process of enhancing and testing the SFL.  Future 
releases will include: additional PKCS #11 CTIL testing; finish 
CertificateBuilder command line utility; enhancing 
CertificateBuilder to support creation of Attribute Certificates; 
add "Certificate Management Messages over CMS" ASN.1 encode/decode 
functions; add enhanced test routines; bug fixes; support for other 
crypto APIs (possible); and support for other operating systems. 

The SFL is developed to maximize portability to 32-bit operating 
systems.  In addition to testing on MS Windows, Linux and Solaris 2.7, 
we plan to port the SFL to the following operating systems: HP/UX 11, IBM
AIX 3.2 (possibly), SCO 5.0 (possibly) and Macintosh (possibly).

The following SFL files are available from <http://www.GetronicsGov.com/>:

1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL 
API, Software Test Description, Implementers Guide, Overview Briefing and 
Public License.     

2) smimeR1.9.tar.gz:  Source code, MS Windows NT/95/98/2000 project files
and Unix makefiles for SFL Hi-Level library.

3) snacc13r5rn.tar.gz (source code and binaries available from Getronics 
Enhanced SNACC web page: <http://www.getronicsgov.com/hot/snacc_home.htm>): 
Source code, MS Windows NT/95/98/2000 project files and Unix makefiles for
v1.3 R5 Enhanced SNACC ASN.1 Compiler and Library.  Source code is
compilable for Linux, Solaris 2.7 and MS Windows NT/95/98/2000 that has 
been enhanced by GGS to implement the Distinguished Encoding Rules.  This
file includes a sample test project demonstrating the use of the SNACC
classes.  

4) smCTIR1.9.tar.gz:  Source code, MS Windows NT/95/98/2000 project files
and Unix makefiles for the following CTILs: Test (no crypto), Crypto++,
BSAFE, Fortezza, SPEX/ and PKCS #11.

5) smLibCR1.9.tar.gz: Source code, MS Windows NT/95/98/2000 project files
and Unix makefiles for the LIBCERT library that provides ASN.1 and
certificate processing services used by the SFL, ACL and CML.

6) smTest1.9.tar.gz: Source code, MS Windows NT/95/98/2000 project files and
Unix makefiles for test drivers used to test the SFL.  This file also
includes sample CMS/ESS test data and test X.509 Certificates.  This file
also includes test utilities to create X.509 Certificates that each include
a D-H, DSA or RSA public key.

7) csmime.mdl contains SFL Class diagrams created using Microsoft 
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
<http://www.rational.com/uml/resources/practice_uml/index.jtmpl>.
Not all classes are documented in the MDL file at this time.

All source code for the SFL is being provided at no cost and with no 
financial limitations regarding its use and distribution. 
Organizations can use the SFL without paying any royalties or 
licensing fees.  Getronics is developing the SFL under contract to the U.S. 
Government.  The U.S. Government is furnishing the SFL source code at 
no cost to the vendor subject to the conditions of the "SFL Public 
License".

On 14 January 2000, the U.S. Department of Commerce, Bureau of 
Export Administration published a new regulation implementing an update 
to the U.S. Government's encryption export policy 
<http://www.bxa.doc.gov/Encryption/Default.htm>.  In accordance with 
the revisions to the Export Administration Regulations (EAR) of 14 Jan 
2000, the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS 
and ESS processing independent of the crypto algorithms used to 
protect a specific object.  The SFL high-level library makes calls to 
an algorithm-independent CTIL API.  The underlying, external crypto
token libraries are not distributed as part of the SFL 
source code. The application developer must independently obtain these 
libraries and then link them with the SFL.  For example, the SFL can be 
used with the freeware Crypto++ library to obtain 3DES, D-H, RSA and 
DSA. To use the SFL with Crypto++ the vendor must download the Crypto++ 
freeware library from the Crypto++ Web Page 
<http://www.eskimo.com/~weidai/cryptlib.html>
and then compile it with the GGS-developed Crypto++ CTIL source code.  
 
The National Institute of Standards and Technology (NIST) is providing 
test S/MIME messages (created by Getronics) at 
<http://csrc.nist.gov/pki/testing/x509paths.html>.  
Getronics used the SFL to successfully process the NIST test data.

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>.  The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc.  Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.

All comments regarding the SFL source code and documents are welcome.  
This SFL release announcement was sent to several mail lists, but 
please send all messages regarding the SFL to the imc-sfl mail list 
ONLY.  Please do not send messages regarding the SFL to any of the IETF 
mail lists.  We will respond to all messages sent to the imc-sfl mail 
list.

============================================
John Pawling, John(_dot_)Pawling(_at_)GetronicsGov(_dot_)com
Getronics Government Solutions, LLC
============================================ 

