All,
Getronics Government Solutions has delivered a set of patch files
(Patch A) that fix bugs (see below) in the v2.0.1 S/MIME Freeware
Library (SFL) source code. The SFL source code files are freely
available at <http://www.getronicsgov.com/hot/sfl_home.htm>.
The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications.
It also implements portions of the RFC 2633 Message Specification and
RFC 2632 Certificate Handling document. When used in conjunction with
the Crypto++ freeware library, the SFL implements the RFC 2631
Diffie-Hellman (D-H) Key Agreement Method specification. It has been
successfully tested using the Microsoft (MS) Windows NT/98/2000/XP, Linux
and Sun Solaris 2.8 operating systems. Further enhancements, ports and
testing of the SFL are still in process. Further releases of the SFL
will be provided as significant capabilities are added.
The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the
Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE 6.0
Crypto-C and Crypto++ libraries; and Fortezza suite of algorithms provided
by the Fortezza Crypto Card. The v2.0.1 (Patch A) SFL uses the v1.3 R10
Enhanced SNACC (eSNACC) ASN.1 C++ Library to encode/decode objects.
The v2.0.1 SFL release includes: SFL High-level library; Free
(a.k.a. Crypto++) Crypto Token Interface Library (CTIL); BSAFE CTIL;
Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL; Microsoft CAPI v2.0 CTIL;
test utilities; test drivers; and test data. All CTILs were tested as
Dynamically Linked Libraries (DLL) using MS Windows. The Fortezza, BSAFE
and Crypto++ CTILs were tested with the respective security libraries as
shared objects using Linux and Solaris 2.8.
The SFL has been successfully used to exchange signedData and envelopedData
messages with the MS Internet Explorer Outlook Express v4.01, Netscape
Communicator 4.X, Entrust and Baltimore S/MIME products. Signed messages
have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2 products.
The SFL has also been used to perform S/MIME v3 interoperability testing
with
Microsoft that exercised the majority of the features specified by RFCs
2630, 2631 and 2634. This testing included the RSA, DSA, E-S D-H, 3DES, SHA
and Fortezza algorithms. We used the SFL to successfully process the
SFL-supported sample data included in the S/MIME WG "Examples of S/MIME
Messages" document. We also used the SFL to generate S/MIME v3 sample
messages that were included in the "Examples" document.
The use of the v2.0.1 SFL is described in the v2.0 SFL Application
Programming Interface (API) and v2.0 SDD documents. The v2.0 SMP
Components Setup Manual that describes the component installation
procedures for the v2.0.1 SFL, v2.0.1 Certificate Management Library (CML),
and v1.3 R10 eSNACC libraries. The use of the v2.0.1 CTIL API is
described in the v2.0 CTIL API document.
Patch A includes the following enhancements (compared to v2.0.1 SFL
and CTIL releases):
1) v2.0.1 (Patch A) SFL was tested using v1.3 R10 eSNACC ASN.1 C++ library
that fixed a bug in the code that implements the SET OF sorting as part
of the Distinguished Encoding Rules (DER). The eSNACC DER bug was
causing the SFL to report signature verification problems when attempting
to verify valid signed S/MIME messages.
2) v2.0.1 (Patch A) SFL was tested using v1.3 R10 eSNACC ASN.1 C++ library
that also includes a bug fix that resulted in a significant decrease in the
time required to decode objects greater than 1MB in size. For example, this
eSNACC bug fix resulted in a 300-fold improvement in the SFL decryption of
objects that are greater than 1MB in size.
3) Fixed bugs in Microsoft CAPI CTIL code that handles the use of two
RSA certificates (and corresponding private keys) that include the same
subject name, but are distinguished by the keyUsage extension (one for
signature, one for encryption).
4) The SFL timing routine was updated in the sm_EDTImingTest.cpp test
utility to time variable loop counter of messages of variable content
size. This test now handles ASN.1 Encode, Decode, Encrypt and Decrypt
tests (./SMIME/testsrc/util/sm_EDTImingTest.cpp).
5) SFL and Microsoft CAPI CTIL were updated to fix minor memory leaks
and other minor bugs.
6) Corrected bug in CertNameToStr (sm_capi.cpp) to process names
longer than 100 characters.
7) Improved CertificateBuilder by adding a separate certificatePolicies
extension creation menu item.
8) The demonstration program in ./SMIME/testutil/testTripleWrap has
been updated to demonstrate multiple certificate loads into
RecipientInfos for encryption. This program also demonstrates the
Microsoft CAPI CTIL initialization and usage.
We are still in the process of enhancing and testing the SFL. Future
releases may include: additional PKCS #11 CTIL testing; finish
CertificateBuilder command line utility; enhancing
CertificateBuilder to support creation of Attribute Certificates;
add "Certificate Management Messages over CMS" ASN.1 encode/decode
functions; add enhanced test routines; bug fixes; support for other
crypto APIs; and support for other operating systems.
The SFL is developed to maximize portability to 32-bit operating
systems. In addition to testing on MS Windows, Linux and Solaris 2.8,
we may port the SFL to other operating systems.
The following SFL files are available from
<http://www.getronicsgov.com/hot/sfl_lib.htm>:
1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL
API, Software Test Description, Implementers Guide, Overview Briefing
and Public License.
2) smimeR2.0.1.tar.gz: Source code, MS Windows project files and
Unix makefiles for SFL Hi-Level library.
3) snacc13r10rn.tar.gz (source code and binaries available from Getronics
eSNACC web page: <http://www.getronicsgov.com/hot/snacc_home.htm>):
Source code, MS Windows project files and Unix makefiles for
v1.3 R10 eSNACC ASN.1 Compiler and Library that has been enhanced by
Getronics to implement the Distinguished Encoding Rules. Source code is
compilable for Linux, Solaris 2.8 and MS Windows NT/98/2000/XP. This
file includes a sample test project demonstrating the use of the eSNACC
classes.
4) smCTIR2.0.1.tar.gz: Source code, MS Windows project files and
Unix makefiles for the following CTILs: Test (no crypto), Crypto++, BSAFE,
Fortezza, SPEX/, PKCS #11 and MS CAPI v2.0. The CTIL source code includes
PKCS #12 software developed by the OpenSSL Project for use in the OpenSSL
Toolkit <http://www.openssl.org/>
5) sm_CTIL_MGR_R2.0.1.tar.gz: Source code, MS Windows project files and
Unix makefiles for the CTILManager library that provides CTIL-related
processing services used by the SFL, ACL and CML.
6) smTest2.0.1.tar.gz: Source code, MS Windows project files and
Unix makefiles for test drivers used to test the SFL. This file includes
sample CMS/ESS test data and test X.509 Certificates. It also includes
the CertificateBuilder utility that can be used to create X.509
Certificates.
7) sfl_v2.0.1_Patch_A.zip: Contains patch files that include aforementioned
enhancements to v2.0.1 SFL, Microsoft CAPI CTIL, CertificateBuilder.
All source code for the SFL is being provided at no cost and with no
financial limitations regarding its use and distribution.
Organizations can use the SFL without paying any royalties or
licensing fees. Getronics is developing the SFL under contract to
the U.S. Government. The U.S. Government is furnishing the SFL
source code at no cost to the vendor subject to the conditions of
the "SFL Public License".
On 14 January 2000, the U.S. Department of Commerce, Bureau of
Export Administration published a new regulation implementing an update
to the U.S. Government's encryption export policy
<http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with
the revisions to the Export Administration Regulations (EAR) of 14 Jan
2000, the downloading of the SFL source code is not password controlled.
The SFL is composed of a high-level library that performs generic CMS
and ESS processing independent of the crypto algorithms used to
protect a specific object. The SFL high-level library makes calls to
an algorithm-independent CTIL API. The underlying, external crypto
token libraries are not distributed as part of the SFL
source code. The application developer must independently obtain these
libraries and then link them with the SFL.
The SFL uses the CML and eSNACC ASN.1 Library to encode/decode
certificates, ACs, CRLs and components thereof. The CML is freely
available at: <http://www.getronicsgov.com/hot/cml_home.htm>.
The SFL has been successfully tested in conjunction with the Access
Control Library (ACL) that is freely available to everyone from:
<http://www.getronicsgov.com/hot/acl_home.htm>.
The National Institute of Standards and Technology (NIST) is providing
test S/MIME messages (created by Getronics) at
<http://csrc.nist.gov/pki/testing/x509paths.html>.
Getronics used the SFL to successfully process the NIST test data.
NIST is using the SFL and CML as part of the NIST S/MIME Test
Facility (NSMTF) that they are planning to host (see
<http://csrc.ncsl.nist.gov/pki/smime/>). Vendors will be able to use
the NSMTF to help determine if their products comply with the
IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile.
The SFL has been integrated into many applications to provide CMS/ESS
security services. For example, the SFL was integrated into a security
plug-in for a commercial e-mail application that enabled the
application to meet the Bridge Certification Authority Demonstration
Phase II requirements including implementing ESS features such as
security labels.
The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>. The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc. Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.
All comments regarding the SFL source code and documents are welcome.
This SFL release announcement was sent to several mail lists, but
please send all messages regarding the SFL to the imc-sfl mail list
ONLY. Please do not send messages regarding the SFL to any of the IETF
mail lists. We will respond to all messages sent to the imc-sfl mail
list.
============================================
John Pawling, John(_dot_)Pawling(_at_)GetronicsGov(_dot_)com
Getronics Government Solutions, LLC
============================================