From owner-imc-cml Fri Feb 18 11:38:04 2000
From: "Pawling, John"
To: "'imc-cml@imc.org'"
Subject: CML Mail List/CML Plans/ASN.1 Bug
Date: Fri, 18 Feb 2000 14:41:18 -0500
Message-ID: <33BD629222C0D211B6DB0060085ACF31965A0A@wfhqex03.wang.com>

All,

The Internet Mail Consortium (IMC) has established a CML web page and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. To subscribe to the mailing list, send a message to imc-cml-request@imc.org with the single word "subscribe" in the body of the message.

We fixed a bug in the VDA-developed code (sm_BigIntegerStr.cpp) that processes large ASN.1 INTEGERs used in conjunction with the C++ version of the SNACC library. ASN.1 INTEGER values of one byte in length were being improperly processed. This bug only impacts the use of the C++ version of the SNACC library. It does not impact the use of the C version. In conjunction with the v1.5 S/MIME Freeware Library, we delivered a new SNACC zip file that includes the bug fix. The new SNACC zip file is available from http://www.armadillo.huntsville.al.us./software/smime/.

We are currently enhancing the C and C++ versions of the SNACC library to support BMP, Universal and UTF-8 strings (in addition to Printable and Teletex strings).
We are adding an optional function that can be used to convert ASN.1 OCTET STRINGs to single- and multi-byte character strings. This is needed to support the RFC 2459 PKIX requirements. The SNACC library will decode an object as it always has. If the app/library needs the ASN.1 OCTET STRINGs converted to character strings, then it will call an additional SNACC function/class to perform the conversion. The SNACC enhancement is being made to minimize the impact to existing code that uses SNACC. If an app/library does not need the ASN.1 OCTET STRINGs converted, then it will not call the conversion function/classes and will use the SNACC-generated structures/classes as always.

We plan to deliver a new CML (v1.7) in early March. The v1.7 CML will include minor bug fixes and a new function that validates generic signed data (ASN.1 encoded using the X.509 SIGNED macro). The v1.7 CML will use the enhanced SNACC library to support BMP, Universal and UTF-8 strings (in addition to Printable and Teletex strings).

The v1.7 CML will also be enhanced so that it can work as a server or shared process serving multiple applications. Session information will be enhanced to include: list of trusted root certificates; method of revocation checking; address and parameters needed to contact an external LDAP server; and other configuration file parameters. Steve Koehler, Secure Computing Corporation, is contributing these enhancements. These enhancements will be backward compatible. They will be implemented using optional parameters.

We will inform everyone when the v1.7 CML and enhanced SNACC libraries are available.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

From owner-imc-cml Wed Feb 23 10:11:29 2000
From: "MCMAINS,ALEX (HP-Boise,ex1)"
To: "'imc-cml@imc.org'"
Subject: certificate encodings and the CML
Date: Wed, 23 Feb 2000 11:15:29 -0700
Message-ID: <973751E29EE0D211976800A0C9F446FE015DBDA9@xboi05.boi.hp.com>

Hi,

I am relatively new to cryptography and certificates so forgive me if these are dumb questions. I have been trying to use the CML to add certificates to the database. I've written a small program that reads a file into a buffer (using the same method as is done in the CML_Tool source) and then calls CM_DatabaseAdd(ulong, ASN1_Data, long) passing the buffer as the second parameter.

I am using CMLv1.6, CPLv1.3.1, and SNACCv1.5 under NT 4.0 w/ MS C++ 6.0. My questions/problems are the following:

1) I get a CM_ASN_ERROR when I try to import a PKCS#7 Verisign certificate. I get an NT access violation when I try to import any of the certificates in the CM_Tool directory. I can, however, insert certificates from the Updated V3 Cert Test Data (from the CML website).

Can I not import certificates in PKCS#7 format?
If not, why not since this seems to be the default format for many certs?

What format is the test data in?

Maybe this is out of scope, but what is the difference between X.509v3 and the so called PKCS#7 format of certificates from say Verisign? I thought all (new) certificates were in X.509v3 format. What does this have to do with PKCS#7?

2) In the Updated V3 Cert Test Data directory, each certificate has a corresponding text file that shows its decoding. Is the source code that generated these files available? Is it separate from the CML itself or just part of some test suite? I grep'ed through the directories and could not find it. Perhaps I was looking in the wrong place.

Thank you.

-- Alex McMains

From owner-imc-cml Wed Feb 23 10:31:38 2000
From: "McPherson, Clyde"
To: "'MCMAINS,ALEX (HP-Boise,ex1)'", "'imc-cml@imc.org'"
Subject: RE: certificate encodings and the CML
Date: Wed, 23 Feb 2000 13:35:15 -0500
Message-ID: <33BD629222C0D211B6DB0060085ACF31614E8C@wfhqex03.wang.com>

You will probably need to pull the certs out of the pkcs7 format first, and then the certs could be added to the CML. You could do the extraction via the SFL by getting the Certificates out of the Certificates section of the Signed Data.
See csm_msgtoverify.cpp

-Tex

-----Original Message-----
From: MCMAINS,ALEX (HP-Boise,ex1) [mailto:alex_mcmains@hp.com]
Sent: Wednesday, February 23, 2000 1:15 PM
To: 'imc-cml@imc.org'
Subject: certificate encodings and the CML

Hi,

I am relatively new to cryptography and certificates so forgive me if these are dumb questions. I have been trying to use the CML to add certificates to the database. I've written a small program that reads a file into a buffer (using the same method as is done in the CML_Tool source) and then calls CM_DatabaseAdd(ulong, ASN1_Data, long) passing the buffer as the second parameter.

I am using CMLv1.6, CPLv1.3.1, and SNACCv1.5 under NT 4.0 w/ MS C++ 6.0. My questions/problems are the following:

1) I get a CM_ASN_ERROR when I try to import a PKCS#7 Verisign certificate. I get an NT access violation when I try to import any of the certificates in the CM_Tool directory. I can, however, insert certificates from the Updated V3 Cert Test Data (from the CML website).

Can I not import certificates in PKCS#7 format?

If not, why not since this seems to be the default format for many certs?

What format is the test data in?

Maybe this is out of scope, but what is the difference between X.509v3 and the so called PKCS#7 format of certificates from say Verisign? I thought all (new) certificates were in X.509v3 format. What does this have to do with PKCS#7?

2) In the Updated V3 Cert Test Data directory, each certificate has a corresponding text file that shows its decoding. Is the source code that generated these files available? Is it separate from the CML itself or just part of some test suite? I grep'ed through the directories and could not find it. Perhaps I was looking in the wrong place.

Thank you.
-- Alex McMains

From owner-imc-cml Thu Feb 24 10:37:54 2000
From: "MCMAINS,ALEX (HP-Boise,ex1)"
To: "'McPherson, Clyde'", "MCMAINS,ALEX (HP-Boise,ex1)", "'imc-cml@imc.org'"
Subject: RE: certificate encodings and the CML
Date: Thu, 24 Feb 2000 10:41:59 -0800
Message-ID: <973751E29EE0D211976800A0C9F446FE015DBDAA@xboi05.boi.hp.com>

Tex,

Thanks for the response. I couldn't find a file anywhere named csm_msgtoverify.cpp, but I did notice that there is an SFL class with this name. However, if I use the CSM_Buffer constructor that contains my PKCS#7 certificate file with the CSM_MsgToVerify class, I get an abnormal program termination.
This is a look at the code I was using:

#include "sm_api.h"

char filename[] = "E:\\mypkcs7file.p7c";

int main()
{
    // Read the whole PKCS#7 file into an SFL buffer
    CSM_Buffer * buffer = new CSM_Buffer(filename);

    // Causes an "exception breakpoint" to be reached
    CSM_MsgToVerify * mtv = new CSM_MsgToVerify(buffer);

    return 0;
}

-- Alex McMains

> -----Original Message-----
> From: McPherson, Clyde [mailto:Clyde.McPherson@wang.com]
> Sent: Wednesday, February 23, 2000 11:35 AM
> To: 'MCMAINS,ALEX (HP-Boise,ex1)'; 'imc-cml@imc.org'
> Subject: RE: certificate encodings and the CML
>
> You will probably need to pull the certs out of the pkcs7 format first, and
> then the certs could be added to the CML. You could do the extraction via
> the SFL by getting the Certificates out of the Certificates section of the
> Signed Data. See csm_msgtoverify.cpp
>
> -Tex
>
> -----Original Message-----
> From: MCMAINS,ALEX (HP-Boise,ex1) [mailto:alex_mcmains@hp.com]
> Sent: Wednesday, February 23, 2000 1:15 PM
> To: 'imc-cml@imc.org'
> Subject: certificate encodings and the CML
>
> Hi,
>
> I am relatively new to cryptography and certificates so forgive me if these
> are dumb questions. I have been trying to use the CML to add certificates
> to the database. I've written a small program that reads a file into a
> buffer (using the same method as is done in the CML_Tool source) and then
> calls CM_DatabaseAdd(ulong, ASN1_Data, long) passing the buffer as the
> second parameter.
>
> I am using CMLv1.6, CPLv1.3.1, and SNACCv1.5 under NT 4.0 w/ MS C++ 6.0. My
> questions/problems are the following:
>
> 1) I get a CM_ASN_ERROR when I try to import a PKCS#7 Verisign certificate.
> I get an NT access violation when I try to import any of the certificates in
> the CM_Tool directory. I can, however, insert certificates from the Updated
> V3 Cert Test Data (from the CML website).
>
> Can I not import certificates in PKCS#7 format?
>
> If not, why not since this seems to be the default format for many certs?
>
> What format is the test data in?
>
> Maybe this is out of scope, but what is the difference between X.509v3 and
> the so called PKCS#7 format of certificates from say Verisign? I thought
> all (new) certificates were in X.509v3 format. What does this have to do
> with PKCS#7?
>
> 2) In the Updated V3 Cert Test Data directory, each certificate has a
> corresponding text file that shows its decoding. Is the source code that
> generated these files available? Is it separate from the CML itself or just
> part of some test suite? I grep'ed through the directories and could not
> find it. Perhaps I was looking in the wrong place.
>
> Thank you.
>
> -- Alex McMains

From owner-imc-cml Tue Feb 29 09:41:15 2000
From: "Pawling, John"
To: "'MCMAINS,ALEX (HP-Boise,ex1)'", "'imc-cml@imc.org'"
Subject: RE: certificate encodings and the CML
Date: Tue, 29 Feb 2000 12:40:41 -0500
Message-ID: <33BD629222C0D211B6DB0060085ACF31965A9C@wfhqex03.wang.com>

Alex,

From your messages sent to the imc-sfl list and to us directly, I know that you have been able to successfully use the S/MIME Freeware Library (SFL) to ASN.1 decode a PKCS#7 object and extract the encapsulated X.509 certificate. Only X.509 certificates can be imported into the CML database. The CML does not accept PKCS#7-encapsulated X.509 certificates.
PKCS#7 is one of many methods for distributing certificates. Other methods include: IETF PKIX Certificate Management Protocol; MISSI Management Protocol; loading certs on a physical media; etc.

In summary, the SFL can be used to build/process PKCS#7 and IETF S/MIME v3 objects, and the CML can be used to process/validate X.509 certificates.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

> -----Original Message-----
> From: McPherson, Clyde [mailto:Clyde.McPherson@wang.com]
> Sent: Wednesday, February 23, 2000 11:35 AM
> To: 'MCMAINS,ALEX (HP-Boise,ex1)'; 'imc-cml@imc.org'
> Subject: RE: certificate encodings and the CML
>
> You will probably need to pull the certs out of the pkcs7 format first, and
> then the certs could be added to the CML. You could do the extraction via
> the SFL by getting the Certificates out of the Certificates section of the
> Signed Data. See csm_msgtoverify.cpp
>
> -Tex
>
> -----Original Message-----
> From: MCMAINS,ALEX (HP-Boise,ex1) [mailto:alex_mcmains@hp.com]
> Sent: Wednesday, February 23, 2000 1:15 PM
> To: 'imc-cml@imc.org'
> Subject: certificate encodings and the CML
>
> Hi,
>
> I am relatively new to cryptography and certificates so forgive me if these
> are dumb questions. I have been trying to use the CML to add certificates
> to the database. I've written a small program that reads a file into a
> buffer (using the same method as is done in the CML_Tool source) and then
> calls CM_DatabaseAdd(ulong, ASN1_Data, long) passing the buffer as the
> second parameter.
>
> I am using CMLv1.6, CPLv1.3.1, and SNACCv1.5 under NT 4.0 w/ MS C++ 6.0. My
> questions/problems are the following:
>
> 1) I get a CM_ASN_ERROR when I try to import a PKCS#7 Verisign certificate.
> I get an NT access violation when I try to import any of the certificates in
> the CM_Tool directory. I can, however, insert certificates from the Updated
> V3 Cert Test Data (from the CML website).
>
> Can I not import certificates in PKCS#7 format?
>
> If not, why not since this seems to be the default format for many certs?
>
> What format is the test data in?
>
> Maybe this is out of scope, but what is the difference between X.509v3 and
> the so called PKCS#7 format of certificates from say Verisign? I thought
> all (new) certificates were in X.509v3 format. What does this have to do
> with PKCS#7?
>
> 2) In the Updated V3 Cert Test Data directory, each certificate has a
> corresponding text file that shows its decoding. Is the source code that
> generated these files available? Is it separate from the CML itself or just
> part of some test suite? I grep'ed through the directories and could not
> find it. Perhaps I was looking in the wrong place.
>
> Thank you.
>
> -- Alex McMains

From owner-imc-cml Wed Mar 8 11:02:59 2000
From: "Pawling, John"
To: "'Frederic_Felten@lotus.com'", imc-cml@imc.org
Subject: OCSP Plans for CML
Date: Wed, 8 Mar 2000 14:03:08 -0500
Message-ID: <33BD629222C0D211B6DB0060085ACF31965B45@wfhqex03.wang.com>

All,

RFC 2560 defines the X.509 Internet Public Key Infrastructure (PKIX) Online Certificate Status Protocol (OCSP).
OCSP is used to determine if a certificate has been revoked by the issuer. Please see RFC 2560 for more details.

The current (v1.6) Certificate Management Library (CML) determines if a certificate has been revoked by the issuer by checking the appropriate Certificate Revocation Lists (CRL) as specified in the 1997 X.509 Recommendation. Several people have asked if there are plans to enhance the CML to perform an OCSP revocation check of a certificate in addition to checking the appropriate CRLs.

The current plans are to add a capability to the CML to make calls to an existing OCSP library. This is similar to the strategy used by the CML to provide LDAP retrieval services. The CML makes calls to the Netscape-developed freeware LDAP library. The optimal solution would be to identify a freeware OCSP library which could be distributed along with the CML (as with the Netscape freeware LDAP library). If a freeware OCSP library is not available, then we would at least like to use a standard OCSP application programming interface. Does anybody know of any freeware OCSP implementations or of a standard OCSP API?

Adding OCSP is one of many planned enhancements to the CML. Currently, it does not have a high priority, so it will probably be several months before we begin working on this enhancement.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

From owner-imc-cml Mon Mar 20 21:55:01 2000
From: Ambarish Malpani
To: "'imc-cml@imc.org'", "'john.pawling@wang.com'"
Cc: "Paul Hoffman (E-mail)"
Subject: RE: OCSP Plans for CML
Date: Mon, 20 Mar 2000 21:54:59 -0800
Message-ID: <27FF4FAEA8CDD211B97E00902745CBE2B410BF@seine.valicert.com>

Hi John,

You had posted about the desire to OCSP enable CML and asked whether there was a freeware OCSP library.

The best I can offer you is our toolkit which is available for no charge. Would that work for you?

Please let me know,
Regards,
Ambarish

P.S. The library is written in C/C++ and available as a DLL on both NT and Solaris.

---------------------------------------------------------------------
Ambarish Malpani
Architect                         650.567.5457
ValiCert, Inc.                    ambarish@valicert.com
1215 Terra Bella Ave.
http://www.valicert.com
Mountain View, CA 94043-1833

From owner-imc-cml Tue Mar 21 08:00:46 2000
From: "Pawling, John"
To: "'Ambarish Malpani'", "'imc-cml@imc.org'"
Cc: "Paul Hoffman (E-mail)"
Subject: RE: OCSP Plans for CML
Date: Tue, 21 Mar 2000 11:02:04 -0500
Message-ID: <33BD629222C0D211B6DB0060085ACF31965BF6@wfhqex01.wangfed.com>

Ambarish,

Thank you very much for your reply and your generous offer. I believe that your offer is worthy of consideration. You stated "our toolkit which is available for no charge". Does this mean that there is no cost and no financial limitations regarding its use and distribution? Does this mean that companies can use it in their commercial products without paying any royalties or licensing fees? Are there any limits on the distribution of the library? Is there a license that states these facts? Is the source code provided?

Thanks again,
-John

-----Original Message-----
From: Ambarish Malpani [mailto:ambarish@valicert.com]
Sent: Tuesday, March 21, 2000 12:55 AM
To: 'imc-cml@imc.org'; 'john.pawling@wang.com'
Cc: Paul Hoffman (E-mail)
Subject: RE: OCSP Plans for CML

Hi John,

You had posted about the desire to OCSP enable CML and asked whether there was a freeware OCSP library.

The best I can offer you is our toolkit which is available for no charge. Would that work for you?

Please let me know,
Regards,
Ambarish

P.S. The library is written in C/C++ and available as a DLL on both NT and Solaris.

---------------------------------------------------------------------
Ambarish Malpani
Architect                         650.567.5457
ValiCert, Inc.                    ambarish@valicert.com
1215 Terra Bella Ave.
http://www.valicert.com
Mountain View, CA 94043-1833

From owner-imc-cml Tue Mar 21 11:47:46 2000
From: Ambarish Malpani
To: "'Pawling, John'", "'imc-cml@imc.org'"
Subject: RE: OCSP Plans for CML
Date: Tue, 21 Mar 2000 11:47:43 -0800
Message-ID: <27FF4FAEA8CDD211B97E00902745CBE2B410CE@seine.valicert.com>

Hi John,

Here are the responses to your questions:

no cost to distribution: yes.
no financial limitations regarding distribution: yes. Licensee needs own RSA or other crypto.
Companies can use it in their product w/out license fees: yes.
Any limits to distribution of library: No, ValiCert does not place any.
Is source code provided: No.
Any restrictions: only that interoperability w/ our products & service not be removed.

Hope this helps,

Please let me know how you want to go ahead (and maybe we can take it off the list).

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                         650.567.5457
ValiCert, Inc.                    ambarish@valicert.com
1215 Terra Bella Ave.
http://www.valicert.com
Mountain View, CA 94043-1833

> -----Original Message-----
> From: Pawling, John [mailto:John.Pawling@wang.com]
> Sent: Tuesday, March 21, 2000 8:02 AM
> To: 'Ambarish Malpani'; 'imc-cml@imc.org'
> Cc: Paul Hoffman (E-mail)
> Subject: RE: OCSP Plans for CML
>
> Ambarish,
>
> Thank you very much for your reply and your generous offer. I believe that
> your offer is worthy of consideration. You stated "our toolkit which is
> available for no charge". Does this mean that there is no cost and no
> financial limitations regarding its use and distribution? Does this mean
> that companies can use it in their commercial products without paying any
> royalties or licensing fees? Are there any limits on the distribution of
> the library? Is there a license that states these facts? Is the source
> code provided?
>
> Thanks again,
> -John
>
> -----Original Message-----
> From: Ambarish Malpani [mailto:ambarish@valicert.com]
> Sent: Tuesday, March 21, 2000 12:55 AM
> To: 'imc-cml@imc.org'; 'john.pawling@wang.com'
> Cc: Paul Hoffman (E-mail)
> Subject: RE: OCSP Plans for CML
>
> Hi John,
> You had posted about the desire to OCSP enable CML and asked
> whether there was a freeware OCSP library.
>
> The best I can offer you is our toolkit which is available for no
> charge. Would that work for you?
>
> Please let me know,
> Regards,
> Ambarish
>
> P.S. The library is written in C/C++ and available as a DLL on
> both NT and Solaris.
>
> ---------------------------------------------------------------------
> Ambarish Malpani
> Architect                         650.567.5457
> ValiCert, Inc.                    ambarish@valicert.com
> 1215 Terra Bella Ave.
> http://www.valicert.com
> Mountain View, CA 94043-1833

From owner-imc-cml Wed Apr 12 13:19:46 2000
From: "Pawling, John"
To: imc-cml@imc.org
Subject: v1.7 Certificate Management Library & Mail List
Date: Wed, 12 Apr 2000 16:22:55 -0400
Message-ID: <33BD629222C0D211B6DB0060085ACF31965D5D@wfhqex01.wangfed.com>

All,

J. G. Van Dyke and Associates (VDA), a Wang Government Services Company, has delivered the freeware Version 1.7 Certificate Management Library (CML) software and Application Programming Interface (API). An enhanced version of the SNACC ASN.1 C library has been delivered with the v1.7 CML. The v1.7 CML and enhanced SNACC source code is available from the Fortezza Developer's CML Page.

The CML implements the 1997 X.509 certification path processing rules and meets SDN.706 requirements. It (optionally) provides local cache management functions and (optionally) obtains data objects using LDAP v2. It can (optionally) be used in conjunction with the v1.31 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using Digital Signature Algorithm (DSA) and RSA.
The v1.7 CML includes the following enhancements (compared with the v1.6 CML release):

1) Tested with the SNACC C++ library, Crypto Token Interface Libraries (CTIL) and LibCert Dynamically Linked Libraries (DLL) delivered with the v1.6 S/MIME Freeware Library (SFL) available from the Fortezza Developer's S/MIME Page.

2) Enhanced CML API and software to add function to validate generic signed data (using SIGNED macro).

3) Added functionality to set LDAP settings, trusted certificates, and a validated public key cache on a per session basis.

4) Fixed uninitialized pointer problem on Extended Key Usage extensions, and the freeing of the Extended Key Usage extension.

5) Fixed memory leak in freeing of an EncObject_LL.

6) Fixed memory leak in asn-any.c (line 175).

7) Fixed memory leaks in CMU_GetDistPts().

8) Added the UID attribute to SNACC library.

9) Enhanced the CMU_FilterRemoteCertsList() function to perform certificate filtering after LDAP retrieval.

10) Enhanced the setting of the CRL/ARL type in the CML provided callback function, and set correctly the location flag in the CML provided callback.

11) Corrected the CRL Issuing Distribution Point processing logic.

12) Enhanced CML to automatically search the directory using LDAP for a current certificate or CRL when the local CRL or Certificate has expired, if the application has specified "search until found".

13) Tested CML with C and C++ versions of SNACC ASN.1 library that have been enhanced to support PrintableString, TeletexString, NumericString, IA5String, VisibleString, BMPString, UniversalString and UTF8String character string types. An optional function was added to SNACC to convert ASN.1 OCTET STRINGs to single- or multi-byte character strings (as appropriate). The C version of the enhanced SNACC library is included in the CML17sr.tar.Z file. The C++ version of the enhanced SNACC library is available with the SFL.
The following v1.7 CML files are available from the Fortezza Developer's CML Page:

CMLv17win.zip: Windows DLLs
CML17so.tar.Z: Solaris Libraries
CML17sr.tar.Z: Source for CML and SNACC C library, includes Windows project files
CMv1_7api.doc, CMv1_7api.pdf: MS Word and Adobe PDF versions of v1.7 CML API document
cml17data.zip: test certs used to test the CML
readme.txt: Instructions for installing and using the CML

VDA welcomes all feedback regarding the CML software and documents. If bugs are reported, then VDA will investigate each reported bug and, if required, will produce a patch or an updated release of the software to repair the bug.

All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. VDA is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML software is not subject to U.S. Government encryption export regulations, so it is freely available to everyone.

The v1.7 CML uses the VDA-enhanced SNACC v1.3 ASN.1 Library to encode/decode objects. VDA has successfully tested the v1.7 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.6 SFL. Source code for the VDA-developed CTILs is available from the Fortezza Developer's S/MIME Page. The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source.

The v1.7 CML can be used in conjunction with the v1.31 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains.
The CML17sr.tar.Z file includes the CPDL source code and public license. provides more information regarding the CPDL.

Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added.

The Internet Mail Consortium (IMC) has established a CML web page. The IMC has also established a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and provide a means for CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

From owner-imc-cml Mon Apr 24 08:34:47 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: v1.7 CML Patch Files
Date: Mon, 24 Apr 2000 11:38:38 -0400
Message-ID: <33BD629222C0D211B6DB0060085ACF31965E13@wfhqex01.wangfed.com>

All,

Several bugs have been reported in the freeware v1.7 Certificate Management Library (CML) (also known as CMAPI). We strongly recommend that the patch files (described below) should be immediately incorporated into your local version of the CML.
Much thanks to Steve Koehler, Secure Computing Corporation, for reporting these bugs. We encourage all feedback related to the CML software.

We made the changes in the CML baseline software as described below and successfully tested the corrected software. The corrected CML source code files are stored in the cmapi_157patch.tar.Z file available from the Fortezza Developer's CML Page. We do not plan to deliver a new release of the CML solely to fix this bug.

We added the following text to the CML Problem Report File available in the "cmapi_157patch.tar.Z" zip file:

=====================================================================
CML PROBLEM REPORT FILE
21 April 2000

This file documents errors in the freeware v1.7 Certificate Management Library (CML) (a.k.a. CMAPI) that have not yet been included in a new release of the CML.
======================================================================

Problem Report #1

File(s) Affected: CM_RetrieveKey.c
Date Reported: 18 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: The v1.7 CML CMU_Get_DistPts() function was corrupting the heap.
Platform(s) affected: All
Resolution: Fixed bugs. See new CMU_Get_DistPts() function in CM_RetrieveKey.c file.
Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

Problem Report #2

File(s) Affected: CM_store.c
Date Reported: 20 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: The v1.7 CML CMU_AddCertToDB() function was improperly saving user certs in the local CML database.
Platform(s) affected: All
Resolution: See new CMU_AddCertToDB() function in CM_store.c file.
We added the following code:

    if (dec_cert && dec_cert->exts && dec_cert->exts->basicCons &&
        dec_cert->exts->basicCons->value &&
        ((Basic_cons_struct *)dec_cert->exts->basicCons->value)->cA_flag == TRUE)
    {
        /* This certificate is an issuer certificate, so it's OK to store
           it in the database. */
    }
    else if (dec_cert && (0 == strcmp (dec_cert->subject, dec_cert->issuer)))
    {
        /* It's also OK to store any self-issued certificate. */
    }
    else
    {
        return CM_NO_ERROR;
    }

Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

Problem Report #3

File(s) Affected: CM_Sigcheck.c
Date Reported: 20 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: The v1.7 CML CM_Sigcheck.c clean_up routine had a memory leak.
Platform(s) affected: All
Resolution: Fixed bug. See new clean_up code in CM_Sigcheck.c file. Here's the replacement code (note the missing if):

    clean_up:
        if ( decr_data )
            free( decr_data );
        if ( decrAlg )
            B_DestroyAlgorithmObject( &decrAlg );
        if ( publicKeyObj )
            B_DestroyKeyObject( &publicKeyObj );
        return(err);

Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

Problem Report #4

File(s) Affected: CM_infc.c
Date Reported: 20 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: Steve stated the following concern: "I'm concerned about how the trusted certs list is handled in CM_CreateSessionExt. In my original code, the trusted keys are added to the cache by the call to CM_DatabaseAdd. In the new code, the keys are added separately with a call to CMU_AddKeyToCache. This seems unnecessary, and possibly dangerous. I say dangerous, because CM_DatabaseAdd checks to see that the trusted certificate is self-signed, and that the signature verifies.
By adding the key directly from CM_CreateSessionExt, these checks are avoided."
Platform(s) affected: All
Resolution: We agreed with Steve's concerns and made his recommended changes. See new code in CM_infc.c file.
Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

Problem Report #5

File(s) Affected: CM_infc.c
Date Reported: 20 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: The v1.7 CML CMU_VerifyCRLSig() function was not properly initializing the sig_value to NULL. This could cause problems in the memory freeing code. It's possible that in certain error conditions, a garbage value will be freed.
Platform(s) affected: All
Resolution: Fixed bug. See new CMU_VerifyCRLSig() function in CM_infc.c file.
Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

Problem Report #6

File(s) Affected: CM_RetrieveKey.c
Date Reported: 20 April 2000
Reporter: Steve Koehler, Secure Computing Corporation
Problem Description: There were several memory leaks in the CMU_CPLBuildPath() function.
Platform(s) affected: All
Resolution: Fixed bugs. See new CMU_CPLBuildPath() function in CM_RetrieveKey.c file.
Baseline Source Code Fixed and Tested: 20 April 2000
Patch Files: Available in cmapi_157patch.tar.Z from .

======================================================================

For more information, contact:

============================================
John Pawling, Director - Systems Engineering
J.G.
Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

From owner-imc-cml Tue May 2 08:45:59 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: 4/28/00 v1.7 CML Patch File
Date: Tue, 2 May 2000 11:50:35 -0400
Message-ID: <33BD629222C0D211B6DB0060085ACF31965EB5@wfhqex01.wangfed.com>

All,

A bug has been reported in the freeware v1.7 Certificate Management Library (CML) (also known as CMAPI). We strongly recommend that the patch file (described below) should be immediately incorporated into your local version of the CML. Much thanks to John Nord for reporting this bug. We encourage all feedback related to the CML.

We made the change in the CML baseline source code as described below and successfully tested the corrected software. The corrected CML source code file is stored in the CM_RetrieveKey.c file available from the Fortezza Developer's CML Page. We do not plan to deliver a new release of the CML solely to fix this bug.
We added the following text to the CML Problem Report File available from the Fortezza Developer's CML Page:

=====================================================================

Problem Report #7

File(s) Affected: CM_RetrieveKey.c
Date Reported: 26 April 2000
Reporter: John Nord
Problem Description: John reported a problem in the CMU_CPLBuildPath() function when trying to verify a certification path for which none of the required certificates are present in the CML database (except the end user certificate). At line 449, the pointer to subject->asn1cert is copied. At line 456, the copied pointer is freed, and subject->asn1cert then points to an invalid memory location. Later in the function (since the certificate path is not found in the database), the invalid subject->asn1cert pointer gets freed (in a call to CMU_FreeDownCertTree()).
Platform(s) affected: All
Resolution: We made John's recommended fix to the CMU_CPLBuildPath() function as follows: We added line 457 indicated by "NEW-->". With this line added, the correct error information is provided.

        /* get length of the asn1 item */
        errCode = AsnGetLength(subject->asn1cert, &partialPath.asn1cert.num);
        if (errCode != CM_NO_ERROR)
            return (errCode);
449     partialPath.asn1cert.data = subject->asn1cert;
        partialPath.next = NULL;
        pCertPath = NULL;

        /* Path not yet complete -- finish building... */
        rv = cplInfo->beginPathDev(&cpl_session, cpl_subject, &sessInfo, &partialPath,
                                   0, NULL, 0, NULL, NULL);
456     CM_Free (partialPath.asn1cert.data);
NEW-->  subject->asn1cert = NULL;
        if(rv != 0)
            return (short)rv;

Baseline Source Code Fixed and Tested: 28 April 2000
Patch Files: Available in CM_RetrieveKey.c from .

============================================
John Pawling, Director - Systems Engineering
J.G.
Van Dyke & Associates, Inc; a Wang Government Services Company
john.pawling@wang.com
============================================

From owner-imc-cml Fri Jul 14 14:03:10 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: v1.71 Certificate Management Library Now Available
Date: Fri, 14 Jul 2000 17:01:32 -0400
Message-ID: <4B0D36365AD3D2118FF40060972A16C0016D013D@wfhqex01.wangfed.com>

All,

Wang Government Services, Inc. (WGSI), A Getronics Company, has delivered the Version 1.71 Certificate Management Library (CML). The v1.71 CML is freely available to everyone from the Fortezza Developers CML Page.

The v1.71 CML is described in the v1.7 CML Application Programming Interface (API) document. It implements the 1997 X.509 certification path processing rules. It meets the majority of RFC 2459 and SDN.706 requirements. It (optionally) provides local cache management functions and (optionally) obtains data objects using LDAP. It can (optionally) be used in conjunction with the v1.31 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using the Digital Signature Algorithm (DSA) and RSA.
Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added.

The following v1.71 CML files are available:

CMLv171win.zip: MS Windows Dynamically Linked Libraries (DLL)
CML171so.tar.Z: Sun Solaris Libraries
CML171sr.tar.Z: Source, including Windows project files

The aforementioned files and the v1.7 CML API document (CMv1_7api.doc, CMv1_7api.pdf), test certs (cml171data.zip) and readme.txt files are stored on the Fortezza Developers CML Page.

The v1.71 CML includes the following enhancements (compared with the v1.7 CML release):

1) Tested with the SNACC, Crypto Token Interface Libraries (CTIL) and LibCert DLL delivered with the v1.7 S/MIME Freeware Library (SFL) available from Fortezza Developer's S/MIME Page.

2) Re-configured directory structure for CML source code files so that it is consistent with the SFL and Access Control Library (ACL).

3) Diffie-Hellman logic in CM_RetrieveKey and CM_DecodeCert cleaned up.

4) Corrected several bugs reported by customers.

5) Performed regression testing to ensure that aforementioned enhancements did not break existing CML functionality.

WGSI welcomes all feedback regarding the CML software and documents. If bugs are reported, then we will investigate each reported bug and, if required, will produce a patch or an updated release of the software to repair the bug.

All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. WGSI is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML software is not subject to U.S.
Government encryption export regulations, so it is freely available to everyone.

The v1.71 CML uses the WGSI v1.3 Enhanced SNACC ASN.1 Library to encode/decode objects. WGSI has successfully tested the v1.71 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.7 SFL. Source code for the WGSI-developed CTILs is available from the Fortezza Developer's S/MIME Page. The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source.

The v1.71 CML can be used in conjunction with the v1.31 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains. The CML171sr.tar.Z file includes the CPDL source code and public license. provides more information regarding the CPDL.

The Internet Mail Consortium (IMC) has established a CML web page and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above.

All comments regarding the CML source code and documents are welcome. This CML release announcement was sent to several mail lists, but please send all messages regarding the CML to the imc-cml mail list ONLY. Please do not send messages regarding the CML to any of the IETF mail lists. We will respond to all messages sent to the imc-cml mail list.
============================================
John Pawling, john.pawling@wang.com
Wang Government Services, Inc., A Getronics Company
============================================

From owner-imc-cml Thu Jul 20 09:59:33 2000
From: Alon Barak
To: "'imc-sfl@imc.org'", "'imc-cml@imc.org'"
Subject: CML ver1.71 compile errors
Date: Thu, 20 Jul 2000 20:01:36 +0200

I tried to upgrade my application to: SFL v1.7, SNACC v1.3R2, Crypto++ v3.1, all taken from http://www.armadillo.huntsville.al.us./software/smime/, & CML v1.71 taken from http://www.armadillo.huntsville.al.us./software/certmgmt/index.html.

The problem is that I cannot compile 'cml_1.71' since I have the following compile errors:

(1)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(93) : error C2061: syntax error : identifier 'OtherName'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(3946) : error C2061: syntax error : identifier 'OtherName'
(and some more errors because of the two above).
(2)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2046) : error C2039: 'utf8StringCid' : is not a member of 'DirectoryString'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2053) : error C2039: 'utf8String' : is not a member of 'DirectoryString'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2083) : error C2039: 'bmpString' : is not a member of 'DirectoryString'

All can be found in: ...\snacc13rn\c++-examples\vdatestDLL\vdatest_asn.h

    class BOBTest_API DirectoryString: public AsnType
    {
    public:
        enum ChoiceIdEnum
        {
            teletexStringCid = 0,
            printableStringCid = 1,
            universalStringCid = 2,
            utf8StringCid = 3,
            bmpStringCid = 4
        };
        enum ChoiceIdEnum choiceId;
        union
        {
            TeletexString *teletexString;
            PrintableString *printableString;
            UniversalString *universalString;
        };
        ...

(3)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2086) : error C2227: left of '->cvt_StrtoLDAP' must point to class/struct/union

SO...WHAT IS WRONG WITH MY UPGRADE SETTINGS ???

Thanks in advance
Alon Barak
Vanguard Security Technologies Ltd.
Tel: 972-4-9891311 (Ext. 221); Fax: 972-4-9891322
mailto:Alon@vguard.com

From owner-imc-cml Thu Jul 20 11:40:20 2000
From: "Pawling, John"
To: "imc-cml@imc.org (E-mail)"
Subject: FW: CML ver1.71 compile errors
Date: Thu, 20 Jul 2000 14:42:18 -0400
Message-ID: <4B0D36365AD3D2118FF40060972A16C0016D0194@wfhqex01.wangfed.com>

-----Original Message-----
From: Clyde.McPherson@Wang.com
Sent: Thursday, July 20, 2000 2:11 PM
To: Alon Barak
Cc: Colestock, Robert; Pawling, John
Subject: RE: CML ver1.71 compile errors

Alon:

Are you using the supplied projects? Actually, OtherName is defined in sm_x509cmn.h, which is referenced by sm_apiCert.h, which is part of the libcert shared library. This reference should be in the cmdec_cpp project settings->c++ settings->preprocessor in include references as "..\..\SMPDist\SFL\include" (without the quotes); you should also see a Define of _USRDLL.

You will notice that all projects have been modified to reference the SMPDist directory structure. Each project should have a SMP Dist subproject, that builds the SMP Distribution directory structure for you. The order of building should be SNACC, followed by the SFL, followed by the CML.

Hope this helps, and if you have any other problems, please contact me.

Thanks
Tex

-----Original Message-----
From: Alon Barak [mailto:alon@vguard.com]
Sent: Thursday, July 20, 2000 11:02 AM
To: 'imc-sfl@imc.org'; 'imc-cml@imc.org'
Subject: CML ver1.71 compile errors

I tried to upgrade my application to: SFL v1.7, SNACC v1.3R2, Crypto++ v3.1, all taken from http://www.armadillo.huntsville.al.us./software/smime/, & CML v1.71 taken from http://www.armadillo.huntsville.al.us./software/certmgmt/index.html.
The problem is that I cannot compile 'cml_1.71' since I have the following compile errors:

(1)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(93) : error C2061: syntax error : identifier 'OtherName'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(3946) : error C2061: syntax error : identifier 'OtherName'
(and some more errors because of the two above).

(2)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2046) : error C2039: 'utf8StringCid' : is not a member of 'DirectoryString'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2053) : error C2039: 'utf8String' : is not a member of 'DirectoryString'
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2083) : error C2039: 'bmpString' : is not a member of 'DirectoryString'

All can be found in: ...\snacc13rn\c++-examples\vdatestDLL\vdatest_asn.h

    class BOBTest_API DirectoryString: public AsnType
    {
    public:
        enum ChoiceIdEnum
        {
            teletexStringCid = 0,
            printableStringCid = 1,
            universalStringCid = 2,
            utf8StringCid = 3,
            bmpStringCid = 4
        };
        enum ChoiceIdEnum choiceId;
        union
        {
            TeletexString *teletexString;
            PrintableString *printableString;
            UniversalString *universalString;
        };
        ...

(3)
...\cml_1.71\cmdec_cpp\src\X_DecodeCert.cpp(2086) : error C2227: left of '->cvt_StrtoLDAP' must point to class/struct/union

SO...WHAT IS WRONG WITH MY UPGRADE SETTINGS ???

Thanks in advance
Alon Barak
Vanguard Security Technologies Ltd.
Tel: 972-4-9891311 (Ext. 221); Fax: 972-4-9891322
mailto:Alon@vguard.com

From owner-imc-cml Sun Jul 23 07:23:24 2000
From: Alon Barak
To: "'Clyde.McPherson@wang.com'", "'imc-sfl@imc.org'", "'imc-cml@imc.org'"
Subject: SFLv1.7 + RSA build errors
Date: Sun, 23 Jul 2000 17:25:41 +0200

Hi Tex

I'm using MSVC 6 on a WinNT OS with: SFL v1.7, SNACC v1.3R2, Crypto++ v3.1, CML v1.71 (all downloaded 3 days ago).

The problem is that I'm adding RSA capabilities to our APP & I'm new in the RSA area, so...:

1) I created the "cryptlib.lib" as always BUT I couldn't understand what creates the ../../SMPDist/Algs/crypto++3.1/debug/cryptlib.lib since THERE IS NO ...SMP_SFL_Dist\SMP_SFL_Dist.dsp IN THE Crypto++3.1.

2) I couldn't understand what creates the bsafe42.lib and what creates the ../../SMPDist/Algs/bsafe42/Library/lib/bsafe42.lib

3) I use the "rsaref2.tar" & "bsafeeay.tar.gz" as the RSA sources but I (& the compiler) can't find the "stdlibrf.h". Where can I get it from?

4) Do I need anything else to use the Crypto++3.1 RSA capabilities?

Thanks in advance
Alon Barak
Vanguard Security Technologies Ltd.
Tel: 972-4-9891311 (Ext.
221); Fax: 972-4-9891322
mailto:Alon@vguard.com

From owner-imc-cml Wed Aug 2 06:58:27 2000
From: Nissim Ofek
To: "'imc-cml@imc.org'"
Cc: Alon Barak
Subject: Problem with the method CM_RequestEncCertPath
Date: Wed, 2 Aug 2000 17:02:43 +0200

Hello,

I have a problem when using CM_RequestEncCertPath when giving it a certificate whose issuer does not exist in the database. The exact scenario that happened was:

1. local session was created
2. I added a cert which is not self signed to it
3. CM_RequestEncCertPath was called to retrieve that cert path, the bounds were set to CM_SEARCH_LOCAL

in the CM_RequestEncCertPath method:
  3.1 subject_tree is allocated with a first element containing the cert blob that was passed
  3.2 this subject_tree is passed on to the method CMU_CPLBuildPath

in the CMU_CPLBuildPath method:
  3.2.1 the path is not found, so we reach the lines:

            if (sub != NULL)
                CMU_FreeDownCertTree(sessionID, &sub);

        while sub points to the first element in the subject_tree that was passed
  3.2.2 this first element is freed, but this is not notified to the subject_tree in any way
  3.2.3 the method returns CM_NO_PATH_FOUND

back to CM_RequestEncCertPath:
  3.3 goto errExit
  3.4 performing these lines:

            if(subject_tree != 0)
            {
                CMU_FreeDownCertTree(sessionID, &subject_tree); /* from this entry on down the list */
            }

        As said, subject_tree is not null, exactly as it was sent. Now it points to an area that was freed. Now the method CMU_FreeDownCertTree crashes.

I have a suggestion about fixing it and ask if it is OK. At the method CMU_CPLBuildPath I inserted the red line:

        /* initialize BeginPathDevelopment variables */
        subject = *pathTree;
        *pathTree = NULL;                      /* <-- the inserted line */
        cpl_subject = subject->cert->subject;
        partialPath.cert = subject->cert;

If the method finds the path, the pathTree is already readdressed to it, and when the path cannot be found, the pathTree will point to NULL.

Nissim Ofek, Vanguard Security Technologies
Tel. 972-4-9891311 (Ext. 122), Fax. 972-4-9891322
mailto:nissim@vguard.com

From owner-imc-cml Fri Aug 11 09:03:06 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: v1.7.1 CML Bug Fixes
Date: Fri, 11 Aug 2000 12:01:31 -0400
Message-ID: <4B0D36365AD3D2118FF40060972A16C0016D029D@wfhqex01.wangfed.com>

CML Customers,

Two bugs have been reported in the freeware v1.71 Certificate Management Library (CML) (also known as CMAPI). We strongly recommend that the modified code (described below) should be immediately incorporated into your local version of the CML. Much thanks to Rich Nicholas and Nissim Ofek for reporting these bugs. We encourage all feedback related to the CML.
We made the changes in the CML baseline source code as described below and successfully tested the corrected software. We do not plan to deliver a new release of the CML solely to fix these bugs.

We added the following text to the CML Problem Report File available from the Fortezza Developer's CML Page:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This file documents errors in the freeware v1.71 Certificate Management Library (CML) (a.k.a. CMAPI) that have not yet been included in a new release of the CML.

======================================================================

Problem Report #1

File(s) Affected: CM_ReqOps.c
Date Reported: 14 July 2000
Reported By: Rich Nicholas, Wang Government Services
Problem Description: Rich reported a bug in CM_RequestCerts() in that on local retrievals from the data base, the cert list returned from CMU_BuildCertListFmObject() would not be filtered. Under certain conditions, this caused an error to occur in the CM_RetrieveKey() function.
Platform(s) affected: All
Resolution: Fixed bug. See new CMU_BuildCertListFmObject() function in CM_ReqOps.c file.
Baseline Source Code Fixed and Tested: 14 July 2000
Patch File: The corrected CML source code file is stored in the CM_ReqOps.c file available from: .

======================================================================

Problem Report #2

File(s) Affected: CM_RetrieveKey.c
Reported By: Nissim Ofek
Date Reported: 2 August 2000
Problem Description: The CM_RetrieveKey() function calls CMU_CPLBuildPath(). In the case that CMU_CPLBuildPath() returns an error when cplInfo->doPathDev() fails (returns 40013), then CM_RetrieveKey was attempting to free the cert list that had already been freed.
Platform(s) affected: All
Resolution: We corrected CM_RetrieveKey.c so that in the case when CMU_CPLBuildPath returns an error, the code no longer attempts to free the cert list.
In CM_RetrieveKey.c, line number 434, we added:

        *pathTree = NULL;

For a code fragment view, this is:

        else
        {
            if (searchFlag == CM_SEARCH_UNTIL_FOUND)
                sessInfo.boundsMask = RAM_LOC | CLIENT_LOC | SERVER_LOC | DSA_LOC;
            else /* CM_SEARCH_BOTH */
                sessInfo.boundsMask = RAM_LOC | CLIENT_LOC | SERVER_LOC | DSA_LOC | SEARCH_ALL;
        }

        /* initialize BeginPathDevelopment variables */
        subject = *pathTree;
        *pathTree = NULL;

Baseline Source Code Fixed and Tested: 8 August 2000
Patch File: The corrected CML source code file will soon be stored in the CM_RetrieveKey.c file available from: .

For more information, contact:

============================================
John Pawling, john.pawling@wang.com
Wang Government Services, Inc., A Getronics Company
============================================

From owner-imc-cml Tue Sep 5 10:42:17 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: 5 Sep 00 v1.7.1 CML Bug Fix
Date: Tue, 5 Sep 2000 13:43:16 -0400
Message-ID: <4B0D36365AD3D2118FF40060972A16C0016D03FC@wfhqex01.wangfed.com>

CML Customers,

A significant bug has been reported in the freeware v1.71 Certificate Management Library (CML) (also known as CMAPI). We strongly recommend that the modified code (described below) should be immediately incorporated into your local version of the CML. Much thanks to Kevin Vlasich for reporting this bug. We encourage all feedback related to the CML.
We made the change in the CML baseline source code as described below and successfully tested the corrected software. We do not plan to deliver a new release of the CML solely to fix this bug. We added the following text to the CML Problem Report File available from the Fortezza Developer's CML Page (see below):

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This file documents errors in the freeware v1.71 Certificate Management Library (CML) (a.k.a. CMAPI) that have not yet been included in a new release of the CML.

======================================================================

Problem Report #3

File(s) Affected: CM_ReqOps.c
Date Reported: 22 August 2000
Reported By: Kevin Vlasich, Secure Computing Corporation
Problem Description: When doing a CM_RequestCerts() call with boundsFlag = CM_SEARCH_BOTH, LDAP is never searched if the certificate can't be found in the local database.
Platform(s) affected: All
Resolution: We modified line 1931 of CM_ReqOps.c:

    OLD: if((err == CM_NOT_FOUND) && (typeMask & CLIENT_LOC))
                                      ^^^^^^^^^^^^^^^^^^^^^^^
    NEW: if ( (err == CM_NOT_FOUND) && !(locMask & DSA_LOC) )

Baseline Source Code Fixed and Tested: 24 August 2000
Patch File: Soon to be available in CM_ReqOps.c from .
For more information, contact:

============================================
John Pawling, john.pawling@wang.com
Wang Government Services, Inc., A Getronics Company
============================================

From owner-imc-cml Fri Sep 15 06:44:11 2000
From: eboudreault@motus.com
Subject: Problems
To: imc-cml@imc.org
Date: Fri, 15 Sep 2000 09:46:34 -0400

Hello everybody!!

I'm new with your Certificate Management software library v1.7. I have already downloaded cml171sr.tar.Z and cml171win.zip and I have problems compiling the unzipped files. That's what I get when I try to compile the main project (CM_Tool):

-----------------------------------------------------------------------------------------------------------------
--------------------Configuration: cpdlib - Win32 Memory Check--------------------
Compiling...
CertCache.cpp
CertsRec.cpp
CMAPIInterface.cpp
cpl.cpp
PathCache.cpp
PathDev.cpp
PathRec.cpp
stristr.cpp
utils.cpp
Generating Code...
Linking...
   Creating library MemCheck/cpdlib_md.lib and object MemCheck/cpdlib_md.exp
cpdlib_md.exp : warning LNK4070: /OUT:cpdlib.dll directive in .EXP differs from output filename "MemCheck/cpdlib_md.dll"; ignoring directive
Copying DLL to system32 directory...
E:\CM_Library\cpl>copy MemCheck\cpdlib_md.dll C:\WINNT\system32
        1 fichier(s) copi'(s).
--------------------Configuration: cmapi_dll - Win32 Memory Check--------------------
Compiling resources...
Compiling...
CM_cache.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_cpl.cpp
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_db.c
CM_Free.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_globals.c
CM_infc.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_ldap.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_Mgr.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_ReqOps.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_RetrieveKey.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_Sigcheck.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
CM_store.c
includes\CM_internal.h(31) : fatal error C1083: Cannot open include file: 'ldap.h': No such file or directory
fortezza.c
E:\CM_Library\cmapi\src\fortezza.c(154) : warning C4244: '=' : conversion from 'int ' to 'short ', possible loss of data
E:\CM_Library\cmapi\src\fortezza.c(185) : warning C4189: 'dummy' : local variable is initialized but not referenced
Error executing cl.exe.

CM_Tool_d.exe - 10 error(s), 3 warning(s)
-----------------------------------------------------------------------------------------------------------------

What's the correct way to compile it?
Thanks

**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc  G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Fri Sep 15 06:59:20 2000
Message-ID: <1345B59AC3C5D211975E00A0C99DAC7A01B67561@exch-msg-6>
From: "Nord, John D Contractor/NCCIM"
To: "'eboudreault@motus.com'", imc-cml@imc.org
Subject: RE: Problems
Date: Fri, 15 Sep 2000 09:02:17 -0500

Eric,

"ldap.h" is the LDAP API header. You can get an LDAP library from the Netscape LDAP SDK web page (http://developer.netscape.com/tech/directory/downloads.html). After getting the LDAP SDK, put the path to the "ldap.h" header in your project include search path.

John

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Friday, September 15, 2000 8:47 AM
To: imc-cml@imc.org
Subject: Problems
From owner-imc-cml Mon Sep 18 12:37:46 2000
From: eboudreault@motus.com
Subject: UTF-8
To: imc-cml@imc.org
Date: Mon, 18 Sep 2000 15:40:26 -0400

Hello!!!

I think I've found a bug in the file "asn-tag.h". Here is the line with that bug:

.....
    typedef enum
    {
        NO_TAG_CODE = 0,
        BOOLEAN_TAG_CODE = 1,
        INTEGER_TAG_CODE,
        BITSTRING_TAG_CODE,
        OCTETSTRING_TAG_CODE,
        NULLTYPE_TAG_CODE,
        OID_TAG_CODE,
        OD_TAG_CODE,
        EXTERNAL_TAG_CODE,
        REAL_TAG_CODE,
        ENUM_TAG_CODE,
        UTF8STRING_TAG_CODE,      /* no initializer, so this is 11 */
        SEQ_TAG_CODE = 16,
        SET_TAG_CODE,
        NUMERICSTRING_TAG_CODE,
        PRINTABLESTRING_TAG_CODE,
        TELETEXSTRING_TAG_CODE,
        VIDEOTEXSTRING_TAG_CODE,
        IA5STRING_TAG_CODE,
        UTCTIME_TAG_CODE,
        GENERALIZEDTIME_TAG_CODE,
        GRAPHICSTRING_TAG_CODE,
        VISIBLESTRING_TAG_CODE,
        GENERALSTRING_TAG_CODE,
        UNIVERSALSTRING_TAG_CODE = 28,
        BMPSTRING_TAG_CODE = 30
    } BER_UNIV_CODE;
.....

The bug is that the UTF8STRING_TAG_CODE is supposed to be 12 (11 now) as mentioned in the specification (rfc2459) and in the file asn-usefulVDA.h.

What do you think about that???? And what can I do to correct that bug (if the bug exists)????

Thanks!!

Eric Boudreault

From owner-imc-cml Tue Sep 19 07:22:46 2000
Message-ID: <4B0D36365AD3D2118FF40060972A16C0019B1455@wfhqex01.wangfed.com>
From: "Pawling, John"
To: imc-cml@imc.org, imc-snacc@imc.org
Subject: FW: UTF-8
Date: Tue, 19 Sep 2000 10:25:58 -0400
All,

The attached message documents a bug in the v1.3 R3 Enhanced SNACC C library. It does not impact the SNACC C++ library.

============================================
John Pawling, john.pawling@wang.com
Wang Government Services, Inc., A Getronics Company
============================================

-----Original Message-----
From: Colestock, Robert
Sent: Tuesday, September 19, 2000 10:21 AM
To: 'eboudreault@motus.com'
Cc: Pawling, John; McPherson, Clyde
Subject: RE: UTF-8

Eric:

I believe you are correct, the 11th position in the enum array sets the wrong tag. This has been fixed in the next SNACC baseline. For you, simply add "=12" to the UTF8 tag value and re-build the SNACC "C" library:

    UTF8STRING_TAG_CODE,

CHANGE TO

    UTF8STRING_TAG_CODE=12,

Bob Colestock
VDA

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Monday, September 18, 2000 3:40 PM
To: imc-cml@imc.org
Subject: UTF-8
From owner-imc-cml Tue Sep 19 08:17:48 2000
From: eboudreault@motus.com
Subject: Re: FW: UTF-8
To: "Pawling, John"
Cc: imc-cml@imc.org, imc-snacc@imc.org, owner-imc-cml@mail.imc.org
Date: Tue, 19 Sep 2000 11:20:31 -0400

Why is UTF-8 not included in the file asn-tag.h???

-----------------------------------------------------------
......
    typedef enum BER_UNIV_CODE
    {
        NO_TAG_CODE = 0,
        BOOLEAN_TAG_CODE = 1,
        INTEGER_TAG_CODE,
        BITSTRING_TAG_CODE,
        OCTETSTRING_TAG_CODE,
        NULLTYPE_TAG_CODE,
        OID_TAG_CODE,
        OD_TAG_CODE,
        EXTERNAL_TAG_CODE,
        REAL_TAG_CODE,
        ENUM_TAG_CODE,
        SEQ_TAG_CODE = 16,
        SET_TAG_CODE,
        NUMERICSTRING_TAG_CODE,
        PRINTABLESTRING_TAG_CODE,
        TELETEXSTRING_TAG_CODE,
        VIDEOTEXSTRING_TAG_CODE,
        IA5STRING_TAG_CODE,
        UTCTIME_TAG_CODE,
        GENERALIZEDTIME_TAG_CODE,
        GRAPHICSTRING_TAG_CODE,
        VISIBLESTRING_TAG_CODE,
    #ifndef VDADER_RULES
        GENERALSTRING_TAG_CODE
    #else
        GENERALSTRING_TAG_CODE,
        UNIVERSALSTRING_TAG_CODE = 28,
        BMPSTRING_TAG_CODE = 30
    #endif
    } BER_UNIV_CODE;
........
-----------------------------------------------------------

Why does this not impact the SNACC C++ library?????

Eric Boudreault

-----Original Message-----
From: "Pawling, John" (sent by owner-imc-cml@mail.imc.org), 19/09/00 10:25
Subject: FW: UTF-8
From owner-imc-cml Tue Sep 19 09:35:23 2000
Message-ID: <57B5672B24E6D2118165006008A5925969E6FA@wfhqex06.wangfed.com>
From: "Colestock, Robert"
To: "'eboudreault@motus.com'"
Cc: "'imc-cml@imc.org'", "'imc-snacc@imc.org'", "'owner-imc-cml@mail.imc.org'"
Subject: RE: FW: UTF-8
Date: Tue, 19 Sep 2000 12:38:31 -0400

Eric:

The C++ DER rules were implemented separately from the "C" DER rules (added later from freeware sources). The SNACC compiler changes necessary to implement the rules had to be compromised to reflect the different approaches. The short answer is that this reference does not affect the C++ tag encode/decode operations (the C++ reference to the tag is in ./specs/asn-usefulVDA.asn1).
Bob Colestock
VDA

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Tuesday, September 19, 2000 11:21 AM
To: Pawling, John
Cc: imc-cml@imc.org; imc-snacc@imc.org; owner-imc-cml@mail.imc.org
Subject: Re: FW: UTF-8
From owner-imc-cml Thu Sep 21 07:48:16 2000
From: eboudreault@motus.com
Subject: Data base
To: imc-cml@imc.org
Date: Thu, 21 Sep 2000 10:51:07 -0400

Hi,

I started to execute CM_Tool.exe, and the only thing I've tried is to insert a certificate into the DB. My question is how the file cert.db is structured. The first goal of that is to understand how you insert a certificate into this DB. The second goal is to understand what happens in the file cert.db when I retrieve a certificate. I have a general idea of what happens, but I can't trace it in the file. Can you help me to understand it???? (How an empty DB, a DB with one element, and a DB with one element retrieved are structured.)

Thanks!!!
Eric Boudreault

From owner-imc-cml Thu Sep 21 09:11:39 2000
Message-ID: <4B0D36365AD3D2118FF40060972A16C0019B1495@wfhqex01.wangfed.com>
From: "Pawling, John"
To: imc-cml@imc.org
Subject: FW: Data base
Date: Thu, 21 Sep 2000 12:15:22 -0400

-----Original Message-----
From: McPherson, Clyde
Sent: Thursday, September 21, 2000 11:57 AM
To: eboudreault@motus.com
Cc: Pawling, John; Nicholas, Richard
Subject: RE: Data base

Eric:

The CML uses as its data base the GNU gdb data base, and is structured according to the gdb structures. As far as data being written to the data base, there are basically 2 main types of data: Certificate Revocation Lists and Certificates, which are stored in 2 separate data base files. Each entry that is stored in the data base is made up of 2 parts, the template, and the data itself (the raw CRL or CERT).
The templates are used so that the CML can search on items that are relevant to the CRL or CERT, and then be able to pull out the raw CRL or CERT from the data base. As far as tracing what each function does, you may want to build under the debug option, and trace through the CM_store.c functions as well as the CM_db.c functions. If you are not familiar with the GNU based gdb data base, you may want to first download the full release of gdb (www.gnu.org) and trace through the routines in a more "relaxed" manner.

Thanks
Tex

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Thursday, September 21, 2000 10:51 AM
To: imc-cml@imc.org
Subject: Data base
From owner-imc-cml Mon Oct 2 07:16:05 2000
Message-ID: <802467A7827ED411B5F600508B732D3C0BBF1B@vguard.com>
From: Nissim Ofek
To: "'imc-cml@imc.org'"
Subject: some questions
Date: Mon, 2 Oct 2000 17:20:02 +0200

Hello,

I have some questions about CML 1.71.

1. Sometimes I want the cache to be stored in the files immediately. How can I do it without closing and opening my sessions? (DBFlush does not do it; it is performed only at the file itself.)

2. About the trust special sign. If a trusted cert is removed from the db, it is still treated as trusted (it is not deleted from the cache), so unless you close all the sessions that were opened when the cert was still trusted and open them again, it will act like a trusted cert. Is that on purpose?

3. When a cert is retrieved, its info is converted into a template and this template is searched.
The trust special sign is serialized also into this template and the result is that the same cert with different trust signs are treated as different certs. You can add the same cert as trusted and not trusted cert. Is that on purpose?

Nissim Ofek, Vanguard Security Technologies
Tel. 972-4-9891311 (Ext. 122), Fax. 972-4-9891322
mailto:nissim@vguard.com

From owner-imc-cml Mon Oct 2 09:33:40 2000
From: "McPherson, Clyde"
To: Nissim Ofek, "'imc-cml@imc.org'"
Subject: RE: some questions
Date: Mon, 2 Oct 2000 12:36:57 -0400

-----Original Message-----
From: Nissim Ofek [mailto:nissim@vguard.com]
Sent: Monday, October 02, 2000 11:20 AM
To: 'imc-cml@imc.org'
Subject: some questions

Hello,

I have some questions about CML 1.71.

1. Sometimes I want the cache to be stored in the files immediately. How can I do it without closing and opening my sessions? (DBFlush does not do it, it is performed only at the file itself.)

You currently cannot do this. To be safe all sessions must be closed.

2. About the trust special sign. If a trusted cert is removed from the db, it is still treated as trusted (it is not deleted from the cache), so unless you close all the sessions that were opened when the cert was still trusted and open them again it will act like a trusted cert. Is that on purpose?
Yes it is, it will be treated as a trusted cert for as long as time to live hasn't expired, or the validity dates are okay.

3. When a cert is retrieved, its info is converted into a template and this template is searched. The trust special sign is serialized also into this template and the result is that the same cert with different trust signs are treated as different certs. You can add the same cert as trusted and not trusted cert. Is that on purpose?

Yes it is.

From owner-imc-cml Mon Oct 2 10:58:45 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: DB files
Date: Mon, 2 Oct 2000 14:02:34 -0400

Hello,

I just want to know what kind of DB the certs.db and crl.db files are. Homemade or ...? What is its structure?
Thanks

From owner-imc-cml Mon Oct 2 11:55:31 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: UTF-8
Date: Mon, 2 Oct 2000 14:59:17 -0400

I think that in "short cvt_DirectoryName(char **cm_name, DirectoryString *x_name)" in the file X_DecodeCert.cpp we have a problem in this part of the code. Here is the code now:
/******************************************************/
........
    else if (x_name->choiceId == DirectoryString::utf8StringCid)
    {
        VDAGeneralString GenString;
        char *LDAPString = NULL;
        wchar_t *wPchar;
        UTF8String A;

        /* Get the Wide Character */
        wPchar = *x_name->utf8String;
        /* Get the UTF-8 Encoding */
        wPchar = A.GetWChar();
        /* Convert the string to LDAP and return to caller */
        GenString.cvt_StrtoLDAP(wPchar, &LDAPString);
        delete wPchar;
        /* Copy back for caller */
        *cm_name = LDAPString;
    }
........
/******************************************************/

And here is the code that I think works:

/******************************************************/
........
    else if (x_name->choiceId == DirectoryString::utf8StringCid)
    {
        VDAGeneralString GenString;
        char *LDAPString = NULL;
        wchar_t *wPchar;

        /* Get the Wide Character */
        wPchar = (*x_name->utf8String).GetWChar();
        /* Convert the string to LDAP and return to caller */
        GenString.cvt_StrtoLDAP(wPchar, &LDAPString);
        free(wPchar);
        /* Copy back for caller */
        *cm_name = LDAPString;
    }
........
/******************************************************/

I have another question. Do you know if the decoding code for UTF-8 strings works correctly? It's just because I try to decode a certificate with the OU and O of the subject and the issuer in UTF-8 format, and I don't know if it's decoded correctly. You can find the certificate that I try to decode in the attachment.
Thanks

(See attached file: Certificat_Client1.cer)

From owner-imc-cml Tue Oct 3 05:19:50 2000
From: "McPherson, Clyde"
To: eboudreault@motus.com, imc-cml@imc.org
Subject: RE: DB files
Date: Tue, 3 Oct 2000 08:23:13 -0400

The data base used by the CML is a version of the GNU gdb database.

-Tex

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Monday, October 02, 2000 2:03 PM
To: imc-cml@imc.org
Subject: DB files

Hello,

I just want to know what kind of DB the certs.db and crl.db files are. Homemade or ...? What is its structure?
Thanks

From owner-imc-cml Tue Oct 3 06:11:59 2000
From: "McPherson, Clyde"
To: eboudreault@motus.com, imc-cml@imc.org
Subject: RE: UTF-8
Date: Tue, 3 Oct 2000 09:15:21 -0400

Eric:

Thanks for the bug fix for the DirectoryString. I have tried to decode your attached certificate, but it looks like your Subject and Issuer Organizational Name and Organizational Unit Name have a bad tag and sequence in the encoded cert.

Thanks
Tex

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Monday, October 02, 2000 2:59 PM
To: imc-cml@imc.org
Subject: UTF-8

I think that in "short cvt_DirectoryName(char **cm_name, DirectoryString *x_name)" in the file X_DecodeCert.cpp we have a problem in this part of the code.
From owner-imc-cml Thu Oct 12 10:22:27 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: v1.8 Certificate Management Library Now Available
Date: Thu, 12 Oct 2000 13:22:51 -0400

All,

Getronics Government Solutions (GGS) (formerly Wang Government Services) has delivered the Version 1.8 Certificate Management Library (CML). The v1.8 CML is freely available to everyone from the Fortezza Developers CML Page. The v1.8 CML is described in the v1.8 CML Application Programming Interface (API) document. It implements the 1997 X.509 certification path processing rules and SDN.706. It meets the majority of the IETF PKIX RFC 2459 Certificate/CRL Profile requirements.
It (optionally) provides local cache management functions and (optionally) obtains data objects using the Lightweight Directory Access Protocol (LDAP). It can (optionally) be used in conjunction with the v1.31 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using the Digital Signature Algorithm (DSA) and RSA. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added.

The following v1.8 CML files are available:

CMLv18win.zip: MS Windows Dynamically Linked Libraries (DLL)
CML18so.tar.Z: Sun Solaris Libraries
CML18li.tar.Z: Linux Libraries
CML18sr.tar.Z: Source, including Windows project files

The aforementioned files and the v1.8 CML API document (CMv1_8api.doc, CMv1_8api.pdf), test certs (CML18data.zip) and readme.txt files are stored on the Fortezza Developers CML Page.

The v1.8 CML includes the following enhancements (compared with the v1.71 CML release):

1) Fixed all bugs reported by customers.

2) Tested for MS Windows, Solaris 2.7 and Linux. On Linux and MS Windows, we tested the CML with the following crypto capabilities: internal calls to the internal SHA-1/DSA code; internal calls to the RSAREF library; and using the Crypto++ Crypto Token Interface Libraries (CTIL) with the Crypto++ v3.2 library.

3) Tested using the common v1.3 R4 Enhanced SNACC ASN.1 C Library, v1.8 CTILs and LIBCERT libraries shared with the v1.8 S/MIME Freeware Library (SFL) and v1.4 Access Control Library (ACL). The common, shared libraries are available from the Fortezza Developer's S/MIME Page.

4) Enhanced to process all recognized certificate and CRL extensions, regardless of criticality.
5) Implemented SDN.706 sigOrKMPrivileges and commPrivileges subordination checks.

6) Corrected processing of v2 subject and issuer unique identifiers. v1.71 CML incorrectly processed them as if they were key identifiers instead of distinguished name (DN) qualifiers.

7) Corrected cache/database code so that it stores distribution point CRLs under a separate entry in the cache/database that is identical to the entry from which the CRL was retrieved.

8) Added name constraints processing for name forms specified in RFC 2459: rfc822Names, DNS Names and Uniform Resource Identifiers (URI). directoryName is already supported.

9) Added support for NULL subject DNs. (NOTE: Certs with a NULL subject DN will not be stored in the CML database.)

10) Added support for the RFC 2459 Authority Information Access (AIA) extension. This includes enhancing the CML to retrieve and check a CRL identified in an AIA extension by an LDAP address in the URI field.

11) Enhanced CRL retrieval processing. This includes identification of Authority Revocation Lists (ARL) vice CRLs and using the application-provided distribution points information in the CM_RequestCRLs function. This includes enhancing the CML to automatically search the directory for a current CRL when the current date is later than the nextUpdate field in a local CRL. This also includes enhancing the CML to retrieve and check a CRL identified in a CRLDistributionPoint (CRLDP) extension by an LDAP address in the URI field. This also includes the ability to process multiple URI fields in the CRLDP (especially to handle the case in which the initial URI field indicates a null server name (LDAP:///...)).

12) Added support for certificate policy qualifiers as described in RFC 2459.

13) Removed the C++ SNACC conversion shared library (cmdec_cpp) (the v1.8 CML makes use of the C SNACC ASN.1 Library, but not the C++ SNACC ASN.1 Library).

14) Added the CTIL interface shared library (cmctil).
15) Incorporated calls (IFDEFed) to the BSAFE v5 library submitted by Secure Computing Corporation.

16) Enhanced CMTool to execute performance testing and memory leak testing.

17) Performed regression testing to ensure that the aforementioned enhancements did not break existing CML functionality.

We welcome all feedback regarding the CML software and documents. If bugs are reported, then we will investigate each reported bug and, if required, will produce a patch or an updated release of the software to repair the bug.

All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. GGS is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML software is not subject to U.S. Government encryption export regulations, so it is freely available to everyone.

The v1.8 CML uses the GGS v1.3 R4 Enhanced SNACC ASN.1 Library to encode/decode objects. GGS has successfully tested the v1.8 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.8 SFL. Source code for the GGS-developed CTILs is available from the Fortezza Developer's S/MIME Page. The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source.

The v1.8 CML can be used in conjunction with the v1.31 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains. The CML18sr.tar.Z file includes the CPDL source code and public license. provides more information regarding the CPDL.
The Internet Mail Consortium (IMC) has established a CML web page and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above.

All comments regarding the CML source code and documents are welcome. This CML release announcement was sent to several mail lists, but please send all messages regarding the CML to the imc-cml mail list ONLY. Please do not send messages regarding the CML to any of the IETF mail lists. We will respond to all messages sent to the imc-cml mail list.

===========================================
John Pawling, john.pawling@getronicsgov.com
Getronics Government Solutions, LLC
===========================================

From owner-imc-cml Fri Oct 13 12:04:24 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: Decryption with pbeWithMD5AndDES_CBC
Date: Fri, 13 Oct 2000 15:08:48 -0400

Hello,

I have two questions.
First: I want to know why you don't use the CryptoPP::CBCDecryptor in the function CSM_Buffer* CSM_Free3::DecryptPrivateKey(char *pszPassword, CSM_Buffer *pEncryptedPrivateKeyInfo) in the file sm_free3.cpp? This is because one of the if statements in that function specifies "pbeWithMD5AndDES_CBC".

Second: In the function CSM_Buffer* CSM_Free3::GeneratePBEKey(CSM_Buffer *pbufSalt, int nIterCount, char *pszPassword), do you use a standard algorithm? If so, can you tell me where I can find this standard?

Part of the function:

CSM_Buffer* CSM_Free3::DecryptPrivateKey(char *pszPassword, CSM_Buffer *pEncryptedPrivateKeyInfo)
{
    ......
    else if (snaccEncryptedX.encryptionAlgorithm->algorithm == pbeWithMD5AndDES_CBC)
    {
        // DESDecryption *pDESDecryption;
        // generate the key using the salt, the iteration count, and the password
        SME(pK = GeneratePBEKey(&bufSalt, nIterCount, pszPassword));
        // create our cipher
        pDESDecryption = new DESDecryption((const unsigned char*)pK->Access());
        // create cbc object
        cbc_decryption = new CBCPaddedDecryptor(*pDESDecryption, (const unsigned char *)pK->Access() + 8);
        blocksize = SM_FREE_3DES_BLOCKSIZE;
    }
    ......
}

Thanks

From owner-imc-cml Mon Oct 16 07:19:25 2000
From: "Colestock, Robert"
To: "'eboudreault@motus.com'", "'imc-cml@imc.org'"
Cc: "Pawling, John"
Subject: RE: Decryption with pbeWithMD5AndDES_CBC
Date: Mon, 16 Oct 2000 10:23:53 -0400

Eric:

FIRST: The original author of this logic intended to follow the PKCS-8 standard for password protected private keys. I have not looked at "CryptoPP::CBCDecryptor", but I would assume it does not perform the padding as specified (vs. our use of "CryptoPP::CBCPaddedDecryptor"). I do not understand your reference/issue with "pbeWithMD5AndDES_CBC".

SECOND: It should follow the PKCS-8 standard for key generation (from the RSA folks, www.rsa.com).

Bob Colestock
VDA.
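Bob's reply above points at PKCS #8; for the pbeWithMD5AndDES_CBC branch in Eric's snippet, PKCS #8 hands the password-based encryption to PKCS #5, where that algorithm identifier means PBES1 with PBKDF1 key derivation (MD5 iterated over password || salt, 16 bytes out, of which the first 8 are the DES key and the next 8 the CBC IV). The block below is an added example, not SFL or CML code: it parses a DER PBEParameter (salt and iteration count) and derives the key and IV the way PKCS #5 describes; the sample parameters, the password value and the function names are constructed for illustration.

```python
"""Added example (not SFL/CML project code): PBES1 key/IV derivation for
pbeWithMD5AndDES-CBC as specified in PKCS #5 v1.5 / RFC 2898 (PBKDF1 with MD5),
plus a minimal DER parser for the PBEParameter that carries salt and count.
Standard library only; all sample values are constructed."""
import hashlib
from typing import Tuple


def parse_pbe_parameter(der: bytes) -> Tuple[bytes, int]:
    """Parse PBEParameter ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER }.

    Only short-form DER lengths (< 128 bytes) are handled, which is all this
    structure ever needs. Anything malformed raises ValueError instead of
    silently producing a key from garbage.
    """
    def tlv(buf: bytes, pos: int, expected_tag: int) -> Tuple[bytes, int]:
        if pos + 2 > len(buf) or buf[pos] != expected_tag:
            raise ValueError("unexpected tag at offset %d" % pos)
        length = buf[pos + 1]
        if length >= 0x80:
            raise ValueError("long-form length not supported")
        start, end = pos + 2, pos + 2 + length
        if end > len(buf):
            raise ValueError("length runs past end of buffer")
        return buf[start:end], end

    body, end = tlv(der, 0, 0x30)              # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after PBEParameter")
    salt, pos = tlv(body, 0, 0x04)             # OCTET STRING salt
    count_bytes, pos = tlv(body, pos, 0x02)    # INTEGER iterationCount
    if pos != len(body):
        raise ValueError("trailing bytes inside PBEParameter")
    if len(salt) != 8:                         # PBES1 fixes the salt at 8 octets
        raise ValueError("PBES1 salt must be exactly 8 bytes")
    if not count_bytes or count_bytes[0] & 0x80:
        raise ValueError("iterationCount must be a positive INTEGER")
    count = int.from_bytes(count_bytes, "big")
    if count < 1:
        raise ValueError("iterationCount must be >= 1")
    return salt, count


def pbkdf1_md5(password: bytes, salt: bytes, count: int, dk_len: int = 16) -> bytes:
    """PBKDF1: T1 = MD5(P || S), Ti = MD5(Ti-1); DK = first dk_len bytes of Tc."""
    if dk_len > 16:
        raise ValueError("derived key too long for MD5-based PBKDF1")
    t = hashlib.md5(password + salt).digest()
    for _ in range(count - 1):
        t = hashlib.md5(t).digest()
    return t[:dk_len]


def pbe_md5_des_key_iv(password: bytes, pbe_param_der: bytes) -> Tuple[bytes, int, bytes, bytes]:
    """Return (salt, count, key, iv) for pbeWithMD5AndDES-CBC.

    PBES1 derives 16 bytes and splits them: bytes 0..7 are the DES key and
    bytes 8..15 are the CBC IV. DES ignores the key parity bits, so no parity
    adjustment is needed before handing the key to the cipher.
    """
    salt, count = parse_pbe_parameter(pbe_param_der)
    dk = pbkdf1_md5(password, salt, count, 16)
    return salt, count, dk[:8], dk[8:]


# Constructed sample PBEParameter: salt 01..08, iterationCount 2000 (0x07D0).
SAMPLE_PBE_PARAM = bytes.fromhex("300e" "0408" "0102030405060708" "0202" "07d0")

if __name__ == "__main__":
    salt, count, key, iv = pbe_md5_des_key_iv(b"Client1", SAMPLE_PBE_PARAM)
    print("salt=%s count=%d key=%s iv=%s" % (salt.hex(), count, key.hex(), iv.hex()))
```

The key/IV halves returned here are what the SFL snippet reads at pK->Access() and pK->Access() + 8; MD5-based PBKDF1 with single DES is legacy strength and belongs only in code that must read existing PKCS #8 files.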
-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Friday, October 13, 2000 3:09 PM
To: imc-cml@imc.org
Subject: Decryption with pbeWithMD5AndDES_CBC

From owner-imc-cml Tue Oct 17 06:12:06 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: void CSM_Free3::SetPassword(char *pszPassword) AND char* CSM_Free3::GetPassword()
Date: Tue, 17 Oct 2000 09:17:05 -0400

Hi,

I have a problem using set and get password. This is an example of what I try to do:

    CSM_Free3 *pFree = NULL;
    /////////////////////////////////////////////////////////////
    // generate a new FREE CTI class
    if ((pFree = new CSM_Free3(id_dsa)) == NULL)
        throw -1;
    pFree->SetPassword("Client1");
    ......
    char *cPassword = pFree->GetPassword();
    ......

The result in cPassword is 0x00. ??????
Can you explain to me what's wrong with my example and how to use the functions void CSM_Free3::SetPassword(char *pszPassword) AND char* CSM_Free3::GetPassword() in the file sm_free3.cpp?

Thanks

From owner-imc-cml Tue Oct 17 06:23:32 2000
From: eboudreault@motus.com
To: eboudreault@motus.com
Cc: imc-cml@imc.org, owner-imc-cml@mail.imc.org
Subject: Re: void CSM_Free3::SetPassword(char *pszPassword) AND char* CSM_Free3::GetPassword()
Date: Tue, 17 Oct 2000 09:28:34 -0400

Oops!!! Forget that question. I've found what my problem is. The length of my password is less than 8 bytes. Sorry!!
From owner-imc-cml Tue Oct 17 07:46:01 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: Structure of DSA private key
Date: Tue, 17 Oct 2000 10:51:09 -0400

Hi,

I already know the RSAPrivateKey structure but I can't find the equivalent for DSA. Do you know where I can find its definition?

Thanks.
Eric Boudreault

From owner-imc-cml Thu Nov 2 10:22:30 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject:
Date: Thu, 2 Nov 2000 13:29:03 -0500

Hello,

I am trying to write my own program with the CM library and the SMIME library. I want to put a trusted certificate in a database, and sm_free3 is the CTIL. The problem is that I don't understand, in the function bool CSM_CSInst::IsSigner(), the member variable CSM_CertificateChoiceLst *m_pCertificates. What do I have to put in that list, because when I put nothing in it the signature is not valid?????? Can you explain to me what that list is???

Thanks.
Eric Boudreault

From owner-imc-cml Fri Nov 3 06:28:48 2000
From: "Pawling, John"
To: imc-cml@imc.org
Subject: FW: CSM_CSInst Usage
Date: Fri, 3 Nov 2000 09:34:49 -0500

All,

This was Bob Colestock's reply to Eric's question. If anybody wants the file that was attached to Bob's response, please let me know.
===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================

-----Original Message-----
From: Colestock, Robert
Sent: Friday, November 03, 2000 9:27 AM
To: 'eboudreault@motus.com'
Cc: McPherson, Clyde; Pawling, John
Subject: RE: SFL Question

Eric:

The class CSM_CSInst should contain a login instance (in this case a CSM_Free3 instance) which should have a public certificate and a private key (password protected). The member variable "m_pCertificates" you refer to should contain that certificate; it SHOULD NOT BE LOADED BY YOU directly. YOU MUST PERFORM the proper initialization procedure in the CSM_Free3 library in order to set up the algorithm list for hash, content encryption, signature algs, etc. (Hence, why I believe the signature verification fails for you).

As to the need for a certificate, you should not need a certificate in this location for the verification process; the verification should use the certificate associated with the SignedData SignerInfo Signer ID (usually a DN) that came with the signed message. The certificate in the "m_pCertificates" member variable is associated with the login's private key, not (necessarily) with the message signature.

One common reason for verification failures is due to the lack of setting the "UseThis" and "Applicable" flags; the document attempts to explain these flags; they indicate to the library what CSM_CSInst instances to use for algorithm processing. The enclosed file demonstrates a proper login and how to set these flags in order to perform a crypto algorithm (this demo does not use the recommended general DLL load, it directly links to the CTIL logic).

Bob Colestock

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Thursday, November 02, 2000 1:29 PM
To: imc-cml@imc.org
Subject:

From owner-imc-cml Thu Nov 16 13:14:32 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: EnvelopedData
Date: Thu, 16 Nov 2000 16:22:13 -0500

Hello,

I want to generate an EnvelopedData with the C function SM_Encrypt, and I want to use 3DES to encrypt the data and RSA to encrypt the 3DES key.
When I try to build the libCertDLL, I obtain a batch of errors like this one:

    e:\work\cml\smimer1.7\libcert\src\sm_oid.cpp(184) : error C2065: 'des_ede3_cbc' : undeclared identifier

What can I do to resolve this batch of errors? I want to know which project is supposed to build "sm_cms.cpp" and "sm_ess.cpp" in the folder "smimeR1.7\libsrc\asn1", because these files contain the definitions of the OIDs that are not declared in my errors.

Thanks

Eric Boudreault

From owner-imc-cml Fri Nov 17 06:54:10 2000
From: "Colestock, Robert"
To: "'imc-cml@imc.org'", "'eboudreault@motus.com'"
Cc: "Pawling, John"
Subject: RE: EnvelopedData
Date: Fri, 17 Nov 2000 10:01:19 -0500

Eric:

I do not receive any such errors on MS Windows nor Unix when I build the libCert project/makefile. I do not understand how you (and no-one else) are getting such an error. Are you sure the release is complete from the delivered tar.gz files, not mixed with a previous release (these definitions have been moved)? It sounds like the include files have not been updated appropriately (or re-built using the SNACC compiler). If the environment is set up correctly, then SNACC should be re-building the support files automatically (e.g. ./SMPDist/bin/snacc.exe has been built). I notice your directory name is smimeR1.7; there is a 1.8 version out.

The specified OID should only be compiled in if the "CMS_DEFINED" define is set; this is defaulted OFF due to the lack of a definition within the libCert directory; if you have set it on, it will not work; it is only used for the ASCII string representation of the OID, it has nothing to do with the CTIL usage. Either way, if you change such definitions in the library, you are not using our baseline. If you have unzipped the smimeR1.8 defs into the smimeR1.7 directory, I would suggest you start fresh into the smimeR1.8 directory; most changes were in the project settings.

Beyond all of these issues; I believe you may be trying to use the BSafe RSA CTIL to perform 3DES encryption? We did not implement 3DES using this CTIL. This detail is completely independent of the logic in libcert. The RSA BSafe CTIL does not implement 3DES, only RC2. If you want 3DES, you will have to create the Free3 CTIL and set up a login for access by the application (or write your own, it should not be difficult using the BSafe library).

Bob Colestock
VDA

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Thursday, November 16, 2000 4:22 PM
To: imc-cml@imc.org
Subject: EnvelopedData

From owner-imc-cml Fri Nov 17 10:39:45 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: smime 1.8 building problem
Date: Fri, 17 Nov 2000 13:47:30 -0500

Hello again,

Now I have trouble building the project sm_pkcs11DLL because it does not find the file pkcs11.h. Why???
Thanks

Eric Boudreault

From owner-imc-cml Fri Nov 17 11:44:12 2000
From: "Pawling, John"
To: "'eboudreault@motus.com'", imc-cml@imc.org
Subject: RE: smime 1.8 building problem
Date: Fri, 17 Nov 2000 14:51:21 -0500

Eric:

This particular file is expected to be provided by your PKCS11 provider. The newer version (soon to be available) will provide this particular file. I have included our version here (vendor independent). You should try and use your PKCS11 vendor's file, not this one.
Bob Colestock
VDA

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Friday, November 17, 2000 1:48 PM
To: imc-cml@imc.org
Subject: smime 1.8 building problem

Content-Type: application/octet-stream; name="pkcs11.h"
Content-Disposition: attachment; filename="pkcs11.h"

#ifndef _PKCS11_H_
#define _PKCS11_H_ 1

#ifdef __cplusplus
extern "C" {
#endif

/* Before including this file (pkcs11.h) (or pkcs11t.h by
 * itself), 6 platform-specific macros must be defined.  These
 * macros are described below, and typical definitions for them
 * are also given.  Be advised that these definitions can depend
 * on both the platform and the compiler used (and possibly also
 * on whether a Cryptoki library is linked statically or
 * dynamically).
 *
 * In addition to defining these 6 macros, the packing convention
 * for Cryptoki structures should be set.  The Cryptoki
 * convention on packing is that structures should be 1-byte
 * aligned.
 *
 * In a Win32 environment, this might be done by using the
 * following preprocessor directive before including pkcs11.h
 * or pkcs11t.h:
 *
 * #pragma pack(push, cryptoki, 1)
 *
 * and using the following preprocessor directive after including
 * pkcs11.h or pkcs11t.h:
 *
 * #pragma pack(pop, cryptoki)
 *
 * In a Win16 environment, this might be done by using the
 * following preprocessor directive before including pkcs11.h
 * or pkcs11t.h:
 */
#pragma pack(1)
/*
 * In a UNIX environment, you're on your own here.  You might
 * not need to do anything.
 *
 *
 * Now for the macros:
 *
 *
 * 1. CK_PTR: The indirection string for making a pointer to an
 * object.  It can be used like this:
 *
 * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
 *
 * In a Win32 environment, it might be defined by
 */
#define CK_PTR *
/*
 * In a Win16 environment, it might be defined by
 *
 * #define CK_PTR far
 *
 *
 * In a UNIX environment, it might be defined by
 *
 * #define CK_PTR *
 *
 *
 * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
 * an exportable Cryptoki library function definition out of a
 * return type and a function name.  It should be used in the
 * following fashion to define the exposed Cryptoki functions in
 * a Cryptoki library:
 *
 * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
 *   CK_VOID_PTR pReserved
 * )
 * {
 *   ...
 * }
 *
 * For defining a function in a Win32 Cryptoki .dll, it might be
 * defined by
 */
#define CK_DEFINE_FUNCTION(returnType, name) \
  returnType __declspec(dllexport) name
/*
 * For defining a function in a Win16 Cryptoki .dll, it might be
 * defined by
 *
 * #define CK_DEFINE_FUNCTION(returnType, name) \
 *   returnType __export _far _pascal name
 *
 * In a UNIX environment, it might be defined by
 *
 * #define CK_DEFINE_FUNCTION(returnType, name) \
 *   returnType name
 *
 *
 * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
 * an importable Cryptoki library function declaration out of a
 * return type and a function name.  It should be used in the
 * following fashion:
 *
 * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
 *   CK_VOID_PTR pReserved
 * );
 *
 * For declaring a function in a Win32 Cryptoki .dll, it might
 * be defined by
 *
 */
#if !defined CK_DECLARE_FUNCTION
#define CK_DECLARE_FUNCTION(returnType, name) \
  returnType __declspec(dllimport) name
#endif
/*
 * For declaring a function in a Win16 Cryptoki .dll, it might
 * be defined by
 *
 * #define CK_DECLARE_FUNCTION(returnType, name) \
 *   returnType __export _far _pascal name
 *
 * In a UNIX environment, it might be defined by
 *
 * #define CK_DECLARE_FUNCTION(returnType, name) \
 *   returnType name
 *
 *
 * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
 * which makes a Cryptoki API function pointer declaration or
 * function pointer type declaration out of a return type and a
 * function name.  It should be used in the following fashion:
 *
 * // Define funcPtr to be a pointer to a Cryptoki API function
 * // taking arguments args and returning CK_RV.
 * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
 *
 * or
 *
 * // Define funcPtrType to be the type of a pointer to a
 * // Cryptoki API function taking arguments args and returning
 * // CK_RV, and then define funcPtr to be a variable of type
 * // funcPtrType.
 * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
 * funcPtrType funcPtr;
 *
 * For accessing functions in a Win32 Cryptoki .dll, it might be
 * defined by
 *
 */
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
  returnType __declspec(dllimport) (* name)
/*
 * For accessing functions in a Win16 Cryptoki .dll, it might be
 * defined by
 *
 * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 *   returnType __export _far _pascal (* name)
 *
 * In a UNIX environment, it might be defined by
 *
 * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 *   returnType (* name)
 *
 *
 * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
 * a function pointer type for an application callback out of
 * a return type for the callback and a name for the callback.
 * It should be used in the following fashion:
 *
 * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
 *
 * to declare a function pointer, myCallback, to a callback
 * which takes arguments args and returns a CK_RV.  It can also
 * be used like this:
 *
 * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
 * myCallbackType myCallback;
 *
 * In a Win32 environment, it might be defined by
 *
 */
#define CK_CALLBACK_FUNCTION(returnType, name) \
  returnType (* name)
/*
 * In a Win16 environment, it might be defined by
 *
 * #define CK_CALLBACK_FUNCTION(returnType, name) \
 *   returnType _far _pascal (* name)
 *
 * In a UNIX environment, it might be defined by
 *
 * #define CK_CALLBACK_FUNCTION(returnType, name) \
 *   returnType (* name)
 *
 *
 * 6. NULL_PTR: This macro is the value of a NULL pointer.
 *
 * In any ANSI/ISO C environment (and in many others as well),
 * this should be defined by
 */
#ifndef NULL_PTR
#define NULL_PTR 0
#endif

/* All the various Cryptoki types and #define'd values are in the
 * file pkcs11t.h. */
#include "pkcs11t.h"

#define __PASTE(x,y)      x##y

/* ==============================================================
 * Define the "extern" form of all the entry points.
 * ==============================================================
 */
#if defined (EXPORT_FUNCTIONS)
#define CK_NEED_ARG_LIST  1
#define CK_PKCS11_FUNCTION_INFO(name) \
  extern CK_DEFINE_FUNCTION(CK_RV, name)
#else //(EXPORT_FUNCTIONS)
#define CK_NEED_ARG_LIST  1
#define CK_PKCS11_FUNCTION_INFO(name) \
  extern CK_DECLARE_FUNCTION(CK_RV, name)
#endif //(EXPORT_FUNCTIONS)

/* pkcs11f.h has all the information about the Cryptoki
 * function prototypes. */
#include "pkcs11f.h"

#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO

/* ==============================================================
 * Define the typedef form of all the entry points.  That is, for
 * each Cryptoki function C_XXX, define a type CK_C_XXX which is
 * a pointer to that kind of function.
 * ==============================================================
 */
#define CK_NEED_ARG_LIST  1
#define CK_PKCS11_FUNCTION_INFO(name) \
  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))

/* pkcs11f.h has all the information about the Cryptoki
 * function prototypes. */
#include "pkcs11f.h"

#undef CK_NEED_ARG_LIST
#undef CK_PKCS11_FUNCTION_INFO

/* ==============================================================
 * Define structured vector of entry points.  A CK_FUNCTION_LIST
 * contains a CK_VERSION indicating a library's Cryptoki version
 * and then a whole slew of function pointers to the routines in
 * the library.  This type was declared, but not defined, in
 * pkcs11t.h.
 * ==============================================================
 */
#define CK_PKCS11_FUNCTION_INFO(name) \
  __PASTE(CK_,name) name;

struct CK_FUNCTION_LIST {

  CK_VERSION    version;  /* Cryptoki version */

/* Pile all the function pointers into the CK_FUNCTION_LIST. */
/* pkcs11f.h has all the information about the Cryptoki
 * function prototypes. */
#include "pkcs11f.h"

};

#undef CK_PKCS11_FUNCTION_INFO

#undef __PASTE

#ifdef __cplusplus
}
#endif

#endif

From owner-imc-cml Tue Nov 21 08:38:01 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: SFL/CML/ACL/Enhanced SNACC Freeware Availability
Date: Tue, 21 Nov 2000 11:38:22 -0500

All,

The freeware Certificate Management Library (CML), S/MIME Freeware Library (SFL), Access Control Library (ACL) and Enhanced SNACC ASN.1 freeware are no longer available from the web site. They will be available on the Getronics Government Solutions web site by 1 December 2000. I will inform everyone as soon as they are available. They will continue to be freely available to everyone.
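The pkcs11.h attached to Bob Colestock's reply above includes pkcs11f.h three times, redefining CK_PKCS11_FUNCTION_INFO before each include so that the same list of entry points yields extern prototypes, then CK_C_XXX pointer typedefs, then the CK_FUNCTION_LIST struct. The following is an added example, not part of the list archive or of the SFL, that reproduces that mechanism with a constructed three-entry stand-in for pkcs11f.h (CK_ARGS plays the role of CK_NEED_ARG_LIST) and a toy provider behind the resulting table; the CK_* types, CKR_ values and the simplified C_GetSlotList signature are assumptions made for the example.

```c
#include <stddef.h>

/* Constructed stand-ins for the pkcs11t.h types the header pulls in. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_RV;
typedef void         *CK_VOID_PTR;
typedef CK_ULONG     *CK_ULONG_PTR;
typedef struct { unsigned char major, minor; } CK_VERSION;
#define CKR_OK                        0x000UL
#define CKR_ARGUMENTS_BAD             0x007UL
#define CKR_CRYPTOKI_NOT_INITIALIZED  0x190UL

/* UNIX-style forms of the platform macros pkcs11.h describes. */
#define CK_DEFINE_FUNCTION(returnType, name)          returnType name
#define CK_DECLARE_FUNCTION(returnType, name)         returnType name
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
#define __PASTE(x, y) x##y

/* Stand-in for pkcs11f.h: CK_PKCS11_FUNCTION_INFO(name) followed by the
 * argument list, which CK_ARGS keeps or drops per pass (the header does
 * this with CK_NEED_ARG_LIST). Three entry points, simplified types. */
#define PKCS11F_LIST \
  CK_PKCS11_FUNCTION_INFO(C_Initialize) CK_ARGS((CK_VOID_PTR pInitArgs)) \
  CK_PKCS11_FUNCTION_INFO(C_Finalize)   CK_ARGS((CK_VOID_PTR pReserved)) \
  CK_PKCS11_FUNCTION_INFO(C_GetSlotList) CK_ARGS((unsigned char tokenPresent, \
      CK_ULONG_PTR pSlotList, CK_ULONG_PTR pulCount))

/* Pass 1 (first include of pkcs11f.h): extern prototypes. */
#define CK_ARGS(args) args;
#define CK_PKCS11_FUNCTION_INFO(name) extern CK_DECLARE_FUNCTION(CK_RV, name)
PKCS11F_LIST
#undef CK_PKCS11_FUNCTION_INFO
#undef CK_ARGS

/* Pass 2 (second include): a pointer type CK_C_XXX for each C_XXX. */
#define CK_ARGS(args) args;
#define CK_PKCS11_FUNCTION_INFO(name) \
  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_, name))
PKCS11F_LIST
#undef CK_PKCS11_FUNCTION_INFO
#undef CK_ARGS

/* Pass 3 (third include): the CK_FUNCTION_LIST vector of pointers. */
#define CK_ARGS(args)
#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(CK_, name) name;
struct CK_FUNCTION_LIST {
  CK_VERSION version;   /* Cryptoki version */
  PKCS11F_LIST
};
#undef CK_PKCS11_FUNCTION_INFO
#undef CK_ARGS

/* Toy provider behind the table: one slot, plus the state rules PKCS#11
 * imposes (C_Finalize's argument must be NULL; no calls before C_Initialize). */
static int g_initialized = 0;

CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs)
{ (void)pInitArgs; g_initialized = 1; return CKR_OK; }

CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved)
{
  if (pReserved != NULL) return CKR_ARGUMENTS_BAD;
  g_initialized = 0;
  return CKR_OK;
}

CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)(unsigned char tokenPresent,
                                         CK_ULONG_PTR pSlotList,
                                         CK_ULONG_PTR pulCount)
{
  (void)tokenPresent;
  if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
  if (pulCount == NULL) return CKR_ARGUMENTS_BAD;
  if (pSlotList != NULL) pSlotList[0] = 0;   /* the single constructed slot */
  *pulCount = 1;
  return CKR_OK;
}

/* Field order follows PKCS11F_LIST, as a vendor's table follows pkcs11f.h. */
static const struct CK_FUNCTION_LIST g_function_list = {
  { 2, 11 }, C_Initialize, C_Finalize, C_GetSlotList
};

const struct CK_FUNCTION_LIST *ck_get_function_list(void) { return &g_function_list; }

/* Drives the provider through the table only, as an application does after
 * loading a vendor DLL. Returns the slot count, or -1 if any call returns
 * something other than the CKR_ value expected at that point. */
long ck_count_slots(void)
{
  const struct CK_FUNCTION_LIST *fl = ck_get_function_list();
  CK_ULONG count = 0;
  if (fl->C_GetSlotList(1, NULL, &count) != CKR_CRYPTOKI_NOT_INITIALIZED)
    return -1;                               /* must be refused before init */
  if (fl->C_Initialize(NULL) != CKR_OK) return -1;
  if (fl->C_GetSlotList(1, NULL, &count) != CKR_OK) return -1;
  if (fl->C_Finalize(NULL) != CKR_OK) return -1;
  return (long)count;
}
```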
John Pawling, Getronics Government Solutions, LLC

From owner-imc-cml Thu Nov 23 03:14:45 2000
From: "Procida, Giuliano"
To: "'imc-cml@imc.org'"
Subject: Latest SNACC source/manual
Date: Thu, 23 Nov 2000 11:15:36 -0000

I have just tried looking for the latest version of the SNACC source and documentation. I started on a project with some ASN.1 involvement this week. The old web site has vanished and the new one is not in place yet. Could someone point me at an alternative location? I have looked for a mirror site without success.

Thanks for your help.

Giuliano Procida.
From owner-imc-cml Fri Nov 24 07:42:04 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: sm_SignC.cpp
Date: Fri, 24 Nov 2000 10:43:12 -0500

Hello,

I think I have found a bug in the function SM_Sign(...) in the file sm_SignC.cpp. There it is:

    ........
    if (pSignerInfos)
    {
        // set signed attributes
        if (pSignerInfos->pSignedAttrs)
        {
            SM_AttribLst *pTempSAttr = pSignerInfos->pSignedAttrs;
            CSM_Attrib *pSAttr = NULL;
            CSM_Buffer *ptmp_buf;
            do
            {
                // Use AddAttrib to copy the attributes into the
                // m_pSignedAttrs list
                ptmp_buf = new CSM_Buffer(pTempSAttr->buffer.data.pchData,
                                          pTempSAttr->buffer.data.lLength);
                CSM_OID tempoid(pTempSAttr->poidType);
                if ((pSAttr = new CSM_Attrib(tempoid, *ptmp_buf)) == NULL)
                    SME_THROW(SM_MEMORY_ERROR, NULL, NULL);
                if (smSignMsg.m_pSignedAttrs == NULL)
                    if ((smSignMsg.m_pSignedAttrs = new CSM_MsgAttributes) == NULL)
                        SME_THROW(SM_MEMORY_ERROR, NULL, NULL);
                SME(smSignMsg.m_pSignedAttrs->AddAttrib(*pSAttr));
                delete ptmp_buf;
            } while ((pTempSAttr = pTempSAttr->pNext) != NULL);
        }
        // set unsigned attributes
        if (pSignerInfos->pSignedAttrs)   <---------- It's supposed to be "pSignerInfos->pUnSignedAttrs"
        {
            SM_AttribLst *pTempUnSAttr = pSignerInfos->pSignedAttrs;   <---- It's supposed to be "pSignerInfos->pUnSignedAttrs"
    ........

Thanks.
Eric Boudreault

From owner-imc-cml Fri Nov 24 08:23:13 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: SM_Sign
Date: Fri, 24 Nov 2000 11:24:24 -0500

Hello,

How can I know if the signature in a SignedData is correct if I put "NULL" in parameter 4 (an EncCert_LL) of the function SM_Sign???
Thanks

Eric Boudreault

From owner-imc-cml Mon Nov 27 09:04:36 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: SignerInfo in SM_Sign
Date: Mon, 27 Nov 2000 12:06:02 -0500

Is there an error in the function SM_Sign???? I have more than one SignerInfo and the function processes only one object of that list (SignerInfo).

Thanks.
From owner-imc-cml Mon Nov 27 10:04:14 2000
From: "Colestock, Robert"
To: "'imc-cml@imc.org'", "'eboudreault@motus.com'"
Subject: RE: sm_SignC.cpp
Date: Mon, 27 Nov 2000 13:05:06 -0500

-----Original Message-----
From: Pawling, John
Sent: Monday, November 27, 2000 9:14 AM
To: Colestock, Robert
Subject: FW: sm_SignC.cpp

Bob,

Eric:

Thank you for pointing this out. It is wrong and has been corrected in the baseline for the next release.

Bob Colestock
VDA

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Friday, November 24, 2000 10:43 AM
To: imc-cml@imc.org
Subject: sm_SignC.cpp

Hello,

I think I have found a bug in the function SM_Sign(...) in the file sm_SignC.cpp. Here it is:

........
if (pSignerInfos)
{
    // set signed attributes
    if (pSignerInfos->pSignedAttrs)
    {
        SM_AttribLst *pTempSAttr = pSignerInfos->pSignedAttrs;
        CSM_Attrib *pSAttr = NULL;
        CSM_Buffer *ptmp_buf;
        do
        {
            // Use AddAttrib to copy the attributes into the
            // m_pSignedAttrs list
            ptmp_buf = new CSM_Buffer(pTempSAttr->buffer.data.pchData,
                                      pTempSAttr->buffer.data.lLength);
            CSM_OID tempoid(pTempSAttr->poidType);
            if ((pSAttr = new CSM_Attrib(tempoid, *ptmp_buf)) == NULL)
                SME_THROW(SM_MEMORY_ERROR, NULL, NULL);
            if (smSignMsg.m_pSignedAttrs == NULL)
                if ((smSignMsg.m_pSignedAttrs = new CSM_MsgAttributes) == NULL)
                    SME_THROW(SM_MEMORY_ERROR, NULL, NULL);
            SME(smSignMsg.m_pSignedAttrs->AddAttrib(*pSAttr));
            delete ptmp_buf;
        } while ((pTempSAttr = pTempSAttr->pNext) != NULL);
    }

    // set unsigned attributes
    if (pSignerInfos->pSignedAttrs)    <---- It's supposed to be "pSignerInfos->pUnSignedAttrs"
    {
        SM_AttribLst *pTempUnSAttr = pSignerInfos->pSignedAttrs;    <---- It's supposed to be "pSignerInfos->pUnSignedAttrs"
........

Thanks.
From owner-imc-cml Mon Nov 27 10:08:41 2000
From: "Colestock, Robert"
To: "'eboudreault@motus.com'", "'imc-cml@imc.org'"
Subject: RE: SM_Sign
Date: Mon, 27 Nov 2000 13:09:32 -0500

Eric:

This is a specification issue; the S/MIME V3 specification allows the corresponding SignedData field for certificates to be OPTIONAL. In an application, it would be up to the calling program to locate the appropriate certificate (identified in the SignerInfo) and pass this certificate to the verify process. The certificates are usually stored in an LDAP directory or DSA; it could be in the local address book. The SignerInfo::sid uniquely identifies the signer.
Bob Colestock
VDA

From owner-imc-cml Tue Nov 28 06:30:01 2000
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: SM_Verify with more than one SignerInfo
Date: Tue, 28 Nov 2000 09:31:31 -0500

Hello,

I am trying to verify a SignedData with two SignerInfos, but it is not working. Only one of the SignerInfos (the second in the verification process) correctly verifies the signature of the SignedData. Does anybody know why????
What do I have to do to correctly verify a SignedData with more than one SignerInfo????

Thanks.

From owner-imc-cml Tue Nov 28 13:32:22 2000
From: "Colestock, Robert"
To: "'eboudreault@motus.com'", "'imc-cml@imc.org'"
Subject: RE: SM_Verify with more than one SignerInfo
Date: Tue, 28 Nov 2000 16:33:16 -0500

Eric Boudreault:

The verify process will verify all SignerInfos that are present if the appropriate certificates can be located (either in the message itself or as provided by the application) and there is an appropriate CTIL to verify the message (e.g. if one is DSA and the other RSA and you only have the RSA CTIL, only the RSA SignerInfo will be verified). This all depends on using the library correctly.
The call must be made to CSM_MsgToVerify::Verify(...) for proper high-level processing (the CSM_DataToVerify concept was flawed; it is too primitive to work properly; this functionality is used by the CSM_MsgToVerify class).

Bob Colestock
VDA

From owner-imc-cml Tue Dec 5 11:29:46 2000
From: "Pawling, John"
To: "Pawling, John"
Subject: SFL/CML/ACL/SNACC Freeware Available *NEW CML RELEASE*
Date: Tue, 5 Dec 2000 14:27:50 -0500
All,

The freeware Certificate Management Library (CML), S/MIME Freeware Library (SFL), Access Control Library (ACL), Enhanced SNACC ASN.1 freeware and Cryptographic Token Interface Libraries (CTIL) developed by Getronics Government Solutions are now available from the following web pages:

SFL and CTILs:
CML:
ACL:
Enhanced SNACC ASN.1 Freeware:

**NEW CML RELEASE**: The CML files available from are a new release. The v1.81 CML release fixes bugs in the v1.8 CML as documented in the v1.8 CML Problem Report file.

With the exception of the CML files, there are no significant differences between the files available from the Getronics Government Solutions web pages and those that were formerly available from the Fortezza Developers Web Site.

We welcome all feedback regarding these freeware security libraries.

===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================

From owner-imc-cml Fri Dec 8 13:52:22 2000
From: "Jayant Sane (Exchange)"
To: "CML List"
Subject: New bie to CML (help)
Date: Fri, 8 Dec 2000 16:49:52 -0500
Hello,

I am trying to use the CML library and am having problems trying to validate a simple path with some test certs. I have loaded the latest CMv1_81 version of the library (windows dll).

The CM_RetrieveKey function bombs in the following code. Could someone point out what is wrong with it. The documentation indicates that the ValidKey_struct is an in/out param but I have set it to NULL.

void CMainFrame::OnCmlPathValidate()
{
    // TODO: Add your command handler code here
    ulong cm_session;
    InitSettings_struct initSettings;
    ASN1_Data subjectCert;
    ValidKey_struct *pValidKey = NULL;

    memset(&initSettings, 0, sizeof(initSettings));
    initSettings.revPolicy = CM_REVNONE;

    // This function simply reads in a root certificate from a file (for testing purposes)
    // and correctly sets the trustedCerts structure.
    // I have checked this one is ok
    if ( (initSettings.trustedCerts = GetTrustedCertList()) == NULL )
        return;

    // This function reads in a certificate (end-entity cert issued by the above CA cert) from
    // a file in a memory block in DER/ASN encoded form and returns the block
    // This too is ok (checked)
    if ( !(subjectCert = (ASN1_Data)GetEncodedCertToCheck()) )
        return;

    if ( CM_CreateSessionExt(&cm_session, &initSettings) != CM_NO_ERROR )
    {
        // This bombs...
        if ( CM_RetrieveKey(cm_session, subjectCert,
                            CM_CERT_TYPE, &pValidKey, CM_SEARCH_LOCAL) == CM_NO_ERROR)
        {
            AfxMessageBox("Hurray");
        }
        CM_DestroySession(&cm_session);
    }
}

To investigate the crash, I downloaded the CML sources (CML181sr.tar) but am having trouble compiling them. The CmApi\Src\CM_SignCheck.c file refers to "globals.h" and it is nowhere to be found in the source zip/tar.
Where can I find it?

thanks,
Jayant
From owner-imc-cml Fri Dec 8 14:22:23 2000
From: "Nicholas, Richard"
To: "'Jayant Sane (Exchange)'", "CML Mail List (E-mail)"
Subject: RE: New bie to CML (help)
Date: Fri, 8 Dec 2000 17:24:02 -0500

Jayant,

    if ( CM_CreateSessionExt(&cm_session, &initSettings) != CM_NO_ERROR )

[RN] My guess is CM_CreateSession is returning an error. You should check that error code; it might shed some light on the problem. Regardless, there must be a bug in CM_RetrieveKey(), since the code is crashing on your PC. I'll investigate further on Monday.

    {
        // This bombs...
        if ( CM_RetrieveKey(cm_session, subjectCert,
                            CM_CERT_TYPE, &pValidKey, CM_SEARCH_LOCAL) == CM_NO_ERROR)
        {
            AfxMessageBox("Hurray");
        }
        CM_DestroySession(&cm_session);
    }
}

To investigate the crash, I downloaded the CML sources (CML181sr.tar) but am having trouble compiling them. The CmApi\Src\CM_SignCheck.c file refers to "globals.h" and it is nowhere to be found in the source zip/tar. Where can I find it?
[RN] By default, the cmapi.dll assumes that RSAREF is available on your system. If you don't have RSAREF, you'll need to set the RSA #define at the beginning of CM_Sigcheck.c to either BSAFE (if you have the BSAFE library) or NORSA. The RSA setting determines which RSA library the CML will call to support the RSA algorithms. If neither RSAREF nor BSAFE is available, the signature checking code will return CM_NOT_IMPLEMENTED when an RSA signature is encountered.

- Rich

---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722
From owner-imc-cml Fri Dec 8 14:53:37 2000
From: "Jayant Sane (Exchange)"
To: "Nicholas, Richard"
Cc: "CML List"
Subject: Re: New bie to CML (help)
Date: Fri, 8 Dec 2000 17:50:58 -0500

    if ( CM_CreateSessionExt(&cm_session, &initSettings) != CM_NO_ERROR )

[RN] My guess is CM_CreateSession is returning an error. You should check that error code; it might shed some light on the problem. Regardless, there must be a bug in CM_RetrieveKey(), since the code is crashing on your PC. I'll investigate further on Monday.

Blush... had the if check reversed.

Indeed the create session is failing with code 0x30 (CM_ASN_DEC_DLL_FAILED). I get the same error even with CM_CreateSession. And I have all the CM*.dll files in my windows system directory (if I were to think it is not finding one of those dlls).
To investigate the crash, I downloaded the CML sources (CML181sr.tar) but am having trouble compiling them. The CmApi\Src\CM_SignCheck.c file refers to "globals.h" and it is nowhere to be found in the source zip/tar. Where can I find it?

[RN] By default, the cmapi.dll assumes that RSAREF is available on your system. If you don't have RSAREF, you'll need to set the RSA #define at the beginning of CM_Sigcheck.c to either BSAFE (if you have the BSAFE library) or NORSA. The RSA setting determines which RSA library the CML will call to support the RSA algorithms. If neither RSAREF nor BSAFE is available, the signature checking code will return CM_NOT_IMPLEMENTED when an RSA signature is encountered.

Does RSAREF also have some kind of development environment? I ask because it is a compile error with the CM_SigCheck.c file that has its RSA setting set to RSAREF, which in turn decides to include globals.h.

thanks much,
Jayant
From owner-imc-cml Mon Dec 11 12:01:07 2000
From: "Jayant Sane (Exchange)"
To: "Nicholas, Richard", "CML List"
Subject: Re: New bie to CML (help)
Date: Mon, 11 Dec 2000 14:59:40 -0500

Blush... had the if check reversed.

Indeed the create session is failing with code 0x30 (CM_ASN_DEC_DLL_FAILED). I get the same error even with CM_CreateSession. And I have all the CM*.dll files in my windows system directory (if I were to think it is not finding one of those dlls).

[RN] You are correct, a DLL is missing. The reason for the error is that the SNACC ASN.1 DLL is not present on the system, as it was not included with the other CML binaries. I've attached a zip file containing both the debug and release DLLs for the SNACC C and C++ libraries.

Thanks. That helped.
The CM_RetrieveKey does not crash anymore without incorporating the patch, which I guess might be due to the invalid session-id that I was passing earlier, but now returns CM_NO_PATH_FOUND and CM_GetErrInfo returns CM_NO_ERROR_INFO in the following code snippet. I hope I am not committing any obvious blunder...

    if ( CM_CreateSessionExt(&cm_session, &initSettings) == CM_NO_ERROR )
    {
        if ( CM_RetrieveKey(cm_session, subjectCert,
                            CM_CERT_TYPE, &pValidKey, CM_SEARCH_LOCAL) == CM_NO_ERROR)
        {
            AfxMessageBox("Hurray");
        }
        else
        {
            ErrorInfo_List *pErrInfoList = NULL;
            CM_GetErrInfo(cm_session, &pErrInfoList);
        }
        CM_DestroySession(&cm_session);
    }

The initSettings.trustedCerts and the subjectCert are set correctly with the test CA cert (that I had set up here) and a certificate issued by it, respectively. I had not specified any trusted keys to begin with in the db cache (but pass them with initSettings).

[RN] Regarding the crash in CM_RetrieveKey(), there is a bug in CMU_GetSessionFromRef(), in the CM_Mgr.c source file. I've attached the patched file. The change was to insert the following check at line 708:

    if (gCM_MgrInfo == NULL)
        return CM_SESSION_NOT_VALID;

I will incorporate this in the sources, though as mentioned that may not have been the cause of the crash.

[RN] By default, the cmapi.dll assumes that RSAREF is available on your system. If you don't have RSAREF, you'll need to set the RSA #define at the beginning of CM_Sigcheck.c to either BSAFE (if you have the BSAFE library) or NORSA. The RSA setting determines which RSA library the CML will call to support the RSA algorithms. If neither RSAREF nor BSAFE is available, the signature checking code will return CM_NOT_IMPLEMENTED when an RSA signature is encountered.

Does RSAREF also have some kind of development environment?
I ask because it is a compile error with the CM_SigCheck.c file that has its RSA setting set to RSAREF, which in turn decides to include globals.h.

[RN] I'm not sure exactly what you're asking. You can set RSA=NORSA in the MS Dev Studio project settings (or your particular development environment) to specify that no RSA library is available. That'll allow the cmapi DLL to be built without RSA algorithm support.

Sorry for the confusion. As I read the documentation more carefully I realized that I would need to provide some crypto lib (Crypto++, RSAREF, BSafe) for CML to be able to do any crypto operations (RSA, etc.). It appears that the compiled CML DLLs by default don't seem to be presuming anything (RSAREF), as I am able to run the above code without having RSAREF on my system. It was only the CML sources that had the compile-time switch set to RSAREF. And at the moment I am not very keen on compiling the CML source but first want to get some simple samples/tests (above) working.

Unless the reason for the CM_PATH_NOT_FOUND error from CM_RetrieveKey has anything to do with it (RSAREF not being present), as it may not be able to do any signature verification. Strangely though, CM_RequestEncCertPath (which I don't think does any crypto operations that would require RSAREF etc.) also returns the same error (path not found) and CM_GetErrInfo again returns CM_NO_ERROR_INFO.

regards,
Jayant
From: "Nicholas, Richard"
To: "'Jayant Sane (Exchange)'", CML List
Subject: RE: New bie to CML (help)
Date: Mon, 11 Dec 2000 17:53:35 -0500

Jayant,

The initSettings.trustedcerts and the subjectCert are set correctly with the test CA cert (that I had set up here) and a certificate issued by it respectively. I had not specified any trusted keys to begin with in the db cache (but pass with initSettings).

Unless the reason for the CM_PATH_NOT_FOUND error by CM_RetrieveKey has anything to do with it (RSAREF being not present) as it may be not able to do any signature verification. Strangely though the CM_RequestEncCertPath (which I don't think does any crypto operations to require RSAREF etc.) also returns the same error (path not found) and CM_GetErrInfo again returns CM_NO_ERROR_INFO.

regards, Jayant

[RN] Your code snippet looks fine.
You could try passing your trusted cert to CM_RetrieveKey as a check to ensure the CML is correctly processing your trusted cert.

[RN] If that succeeds, take a look at the values in the cert you created to ensure that it chains correctly. Also, the CML will need to be able to retrieve your trusted cert to complete the path. If you are using the callback functions, ensure they are returning the requested cert.

- Rich
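An added example, not SFL or CML code, for the UKM size exchange in the next message: it DER-encodes the RFC 2631 OtherInfo structure that partyAInfo lives in and rejects any partyAInfo that is not exactly 512 bits. Assumptions: explicit tagging of the [0] and [2] fields, id-alg-CMS3DESwrap as the KeySpecificInfo algorithm, and constructed sample values for the UKM bytes and the KEK length.

```c
/* Added example, not SFL/CML source code.  Encodes the RFC 2631 OtherInfo
 * structure used for ESDH key derivation and enforces the partyAInfo size
 * the thread is about: RFC 2631 section 2.1.2 says partyAInfo, if present,
 * MUST contain 512 bits (64 bytes). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PARTY_A_INFO_LEN 64U   /* 512 bits, per RFC 2631 */
#define COUNTER_LEN      4U    /* KeySpecificInfo.counter is SIZE (4..4) */

/* DER-encoded OID id-alg-CMS3DESwrap 1.2.840.113549.1.9.16.3.6: the key-wrap
 * algorithm the derived KEK will be used with (RFC 2631 section 2.1.2). */
static const uint8_t ALG_3DES_WRAP_OID[] = {
    0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x03, 0x06
};

/* Tag plus short-form length.  Every element here is under 128 bytes, so the
 * long form is deliberately unsupported; returns 0 when it will not fit. */
static size_t der_hdr(uint8_t *out, size_t cap, uint8_t tag, size_t len)
{
    if (len > 127 || cap < 2)
        return 0;
    out[0] = tag;
    out[1] = (uint8_t)len;
    return 2;
}

/* Encodes
 *   OtherInfo ::= SEQUENCE {
 *     keyInfo     KeySpecificInfo,            -- { algorithm OID, counter OCTET STRING (4) }
 *     partyAInfo  [0] OCTET STRING OPTIONAL,  -- the UKM; 512 bits when present
 *     suppPubInfo [2] OCTET STRING }          -- KEK length in bits, 32-bit big-endian
 * Explicit tagging of [0] and [2] is assumed.  Returns the encoded length, or 0
 * when partyAInfo has the wrong size (a 128-byte UKM, as the thread describes,
 * is rejected) or out[] is too small.  party_a may be NULL (party_a_len 0). */
size_t encode_other_info(uint8_t *out, size_t cap, uint32_t counter,
                         const uint8_t *party_a, size_t party_a_len,
                         uint32_t kek_bits)
{
    if (party_a != NULL && party_a_len != PARTY_A_INFO_LEN)
        return 0;                                  /* RFC 2631: MUST be 512 bits */
    if (party_a == NULL && party_a_len != 0)
        return 0;

    size_t key_info_len = sizeof(ALG_3DES_WRAP_OID) + 2 + COUNTER_LEN;
    size_t party_a_outer = (party_a != NULL) ? 2 + (2 + party_a_len) : 0;
    size_t supp_pub_outer = 2 + (2 + 4);
    size_t content_len = 2 + key_info_len + party_a_outer + supp_pub_outer;
    if (2 + content_len > cap)
        return 0;

    size_t n = 0;
    n += der_hdr(out + n, cap - n, 0x30, content_len);         /* OtherInfo */
    n += der_hdr(out + n, cap - n, 0x30, key_info_len);        /* KeySpecificInfo */
    memcpy(out + n, ALG_3DES_WRAP_OID, sizeof(ALG_3DES_WRAP_OID));
    n += sizeof(ALG_3DES_WRAP_OID);
    n += der_hdr(out + n, cap - n, 0x04, COUNTER_LEN);         /* counter, big-endian */
    out[n++] = (uint8_t)(counter >> 24);
    out[n++] = (uint8_t)(counter >> 16);
    out[n++] = (uint8_t)(counter >> 8);
    out[n++] = (uint8_t)counter;
    if (party_a != NULL) {
        n += der_hdr(out + n, cap - n, 0xA0, 2 + party_a_len);  /* [0] EXPLICIT */
        n += der_hdr(out + n, cap - n, 0x04, party_a_len);
        memcpy(out + n, party_a, party_a_len);
        n += party_a_len;
    }
    n += der_hdr(out + n, cap - n, 0xA2, 2 + 4);                /* [2] EXPLICIT */
    n += der_hdr(out + n, cap - n, 0x04, 4);
    out[n++] = (uint8_t)(kek_bits >> 24);                       /* 3DES: 00 00 00 C0 */
    out[n++] = (uint8_t)(kek_bits >> 16);
    out[n++] = (uint8_t)(kek_bits >> 8);
    out[n++] = (uint8_t)kek_bits;
    return n;
}

/* Self-check over constructed inputs; returns 1 when every expectation holds. */
int other_info_self_test(void)
{
    uint8_t ukm_ok[PARTY_A_INFO_LEN], ukm_bad[128], buf[160];   /* 128: the size SFL produced */
    memset(ukm_ok, 0xAB, sizeof ukm_ok);
    memset(ukm_bad, 0xAB, sizeof ukm_bad);
    if (encode_other_info(buf, sizeof buf, 1, ukm_bad, sizeof ukm_bad, 192) != 0)
        return 0;                                  /* 128-byte UKM must be rejected */
    if (encode_other_info(buf, sizeof buf, 1, NULL, 0, 192) != 31)
        return 0;                                  /* SEQUENCE without partyAInfo */
    if (encode_other_info(buf, sizeof buf, 1, ukm_ok, sizeof ukm_ok, 192) != 99)
        return 0;
    /* counter ends at byte 22, [0] tag at 23, inner OCTET STRING length 0x40 at 26,
     * [2] tag at 91, KEK length 0xC0 (192 bits) at the last byte */
    return buf[0] == 0x30 && buf[1] == 0x61 && buf[22] == 0x01 && buf[23] == 0xA0 &&
           buf[26] == 0x40 && buf[91] == 0xA2 && buf[98] == 0xC0;
}
```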
From: "Colestock, Robert"
To: "'imc-cml@imc.org'", "'Ahmed Bhamjee'"
Subject: RE: UKM size in the SMIME Freeware Library v1.8
Date: Tue, 12 Dec 2000 13:41:18 -0500

Ahmed:

You are absolutely correct. I had to dig up the RFC 2631 specification for DH to determine the actual UserKeyMaterial size. 128 byte length works fine, but is not correct to the specification. Thank you for pointing this out.

If you wish to change your copy, simply update the variable "SM_FREE_RA_SIZE" in ./alg_libs/sm_free3/sm_free3.h from 128 to 512 and re-build. Our next release will have the updated size. This has been tested on ESDH operations and now produces the appropriate sized PartyAInfo structures (only used for the wrap hash).

Thank you
Bob Colestock
VDA.

-----Original Message-----
From: Ahmed Bhamjee
To: ietf-smime@imc.org
Sent: 12/12/2000 6:18 AM
Subject: UKM size in the SMIME Freeware Library v1.8

I have been testing our product with the latest SFL version. More specifically, I have performed tests using the Diffie-Hellman key agreement method. From the RFC (2631), the size of partyAInfo contained in the OtherInfo sequence must be 512 bits in size. However, the SFL produces keying material with partyAInfo set to 128 bytes.
Should this not be 64 bytes? Perhaps I am missing something.

Thanks
Ahmed

From: "Jayant Sane (Exchange)"
To: "Nicholas, Richard", "CML List"
Subject: Re: New bie to CML (help)
Date: Wed, 13 Dec 2000 17:50:12 -0500

The initSettings.trustedcerts and the subjectCert are set correctly with the test CA cert (that I had set up here) and a certificate issued by it respectively. I had not specified any trusted keys to begin with in the db cache (but pass with initSettings).

Unless the reason for the CM_PATH_NOT_FOUND error by CM_RetrieveKey has anything to do with it (RSAREF being not present) as it may be not able to do any signature verification. Strangely though the CM_RequestEncCertPath (which I don't think does any crypto operations to require RSAREF etc.) also returns the same error (path not found) and CM_GetErrInfo again returns CM_NO_ERROR_INFO.

[RN] Your code snippet looks fine. You could try passing your trusted cert to CM_RetrieveKey as a check to ensure the CML is correctly processing your trusted cert.

Passing the trusted (root) cert, both CM_RetrieveKey and CM_RequestEncCertPath succeed. Note that I had passed the same trusted cert with initSettings param of CM_CreateSessionExt call.

[RN] If that succeeds, take a look at the values in the cert you created to ensure that it chains correctly. Also, the CML will need to be able to retrieve your trusted cert to complete the path. If you are using the callback functions, ensure they are returning the requested cert.

I re-checked that the subject certificate is issued by the trusted (root) cert. Also IE shows the certificate chain properly for this pair. I tried adding the two certificates to the CML certificate/CRL db using CM_DatabaseAdd with the trusted one marked as trusted while adding but despite it both (CM_RetrieveKey and CM_RequestEncCertPath) give same path not found error and CM_GetErrInfo gives nothing. If I have added the certs to the db then I should not be required to provide the callbacks, right?

Looks like I am still missing something but can't think what.

thanks,
Jayant
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: Signature status
Date: Tue, 19 Dec 2000 10:22:39 -0500

Hi,

I know that the low level function CSM_DataToVerify::Verify(...) uses CSM_MsgSignerInfo::SetVerified(...) to specify if the signature is OK, but how can I get the signature status when I use the high level function SM_Verify(...)?

Thanks.
Eric Boudreault
Programmer
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
e-mail: eboudreault@motus.com

From: "Pawling, John"
To: imc-cml@imc.org
Cc: imc-sfl@imc.org
Subject: FW: Signature status
Date: Thu, 28 Dec 2000 10:07:46 -0500

-----Original Message-----
From: Colestock, Robert
To: 'eboudreault@motus.com'; 'imc-cml@imc.org'
Sent: 12/20/2000 11:54 AM
Subject: RE: Signature status

Eric:

This is an easy one. The logic in "./libsrc/lolevel/sm_MsgSignerInfo.cpp" for class CSM_MsgSignerInfos (plural) demonstrates how to access each SignerInfo (and hence the same flag you mention below):

    ...
    for (tmpSI = SetCurrToFirst(); tmpSI; tmpSI = GoNext())
    {
        if (tmpSI->IsVerified())
        {
            os << "Number " << ++lCount << " signer info WAS VERIFIED.\n";
        }
        else
        {
            os << "Did not verify number " << ++lCount << " signer info.\n";
        }
    ...
The CSM_MsgSignerInfos are publicly available from the CSM_MsgToVerify class ("m_pSignerInfos"). This logic is demonstrated in the "Report...(...)" methods of the individual classes.

Bob Colestock
VDA
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: CM_RequestDecCertPath
Date: Tue, 30 Jan 2001 10:07:07 -0500

Hi,

I want to know why I only retrieve the certificate of the owner of that request.

I have in the Cert.db these certificates:

1- The trusted certificate.
2- An intermediate certificate authority.
3- A certificate issued by the intermediate certificate authority.

and I use the Certification Path Development Library.

My code example:
-------------------------------------------------------------------------
    ......
    if (CM_RequestDecCertPath(sessionID, asn1_cert3, CM_SEARCH_LOCAL, &decPathCert3) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;

        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }
    ......
-------------------------------------------------------------------------

The path returned in "decPathCert3" is the certificate issued by the intermediate certificate authority, but in the function CMU_CPLBuildPath the path built is the intermediate certificate authority plus the certificate issued by the intermediate certificate authority. Why?

I think the problem is in that part of the function CM_RequestDecCertPath:

    CM_RequestDecCertPath(......)
    {
        ........
        /* pull the decoded cert ptrs out of the result from build path
         * and store them for sending back to the caller.
         */
        result_dec_path = (Cert_path_LL *) CM_Malloc(sizeof(Cert_path_LL));
        if (result_dec_path == 0)
        {
            err = CM_MEMORY_ERROR;
            goto errExit;
        }
        itemLink = subject_tree;   /* !!! I am not sure that "subject_tree" is correct ????? */
        resLink = result_dec_path;
        resLink->cert = 0;
        resLink->next = 0;
        while (itemLink != 0)
        {
            resLink->cert = itemLink->cert;
            itemLink->cert = 0;    /* mark empty so it's not free'd, we are using it */

            if (itemLink->down != 0)   /* another cert */
            /* !!! At this point, itemLink->down equals 0, but itemLink->up is != 0 ????? */
            {
                resLink->next = (Cert_path_LL *) CM_Malloc(sizeof(Cert_path_LL));
                if (resLink->next == 0)
                {
                    err = CM_MEMORY_ERROR;
                    goto errExit;
                }
                resLink = resLink->next;
                resLink->cert = 0;
            }

            resLink->next = 0;
            itemLink = itemLink->down;
        }
        ........
    }

Can you help me to find my error? Or is there an error in that function?

Thanks.
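An added illustration, a constructed model rather than CML source, of the copy loop quoted in the question above and of the fix given in the reply that follows. It assumes the tree's "down" pointer runs from the issuer toward the subject, as the observation that the last node has down == 0 but up != 0 implies, and shows that advancing the subject pointer to the bottom of the tree before copying leaves the caller with a one-cert path. Cert_path_LL is the thread's name; every other name and the cert labels are constructed.

```c
/* Added example, not CML source.  A constructed model of the path tree that
 * the CM_RequestDecCertPath() copy loop quoted above walks.  The orientation
 * (a node's "down" pointer leads toward the subject, "up" toward the issuer)
 * is inferred from the observation in the question that the last node has
 * down == 0 and up != 0.  Cert_path_LL is the name used in the thread; all
 * other names and the certificate labels are constructed. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct PathNode {          /* one cert in the tree built by path development */
    const char      *cert;
    struct PathNode *up;           /* toward the issuer / trust anchor */
    struct PathNode *down;         /* toward the subject */
} PathNode;

typedef struct Cert_path_LL {      /* flat list handed back to the caller */
    const char          *cert;
    struct Cert_path_LL *next;
} Cert_path_LL;

/* Stand-in for the build-path step.  With advance_to_leaf set it does what the
 * two lines the reply says to delete do: follow "down" to the bottom of the
 * tree before handing back the subject pointer. */
static PathNode *build_path(PathNode *top, int advance_to_leaf)
{
    PathNode *subject = top;
    if (advance_to_leaf)
        while (subject->down)
            subject = subject->down;
    return subject;
}

/* The copy loop from the question, same logic: it copies the start node and
 * every node reachable through "down", and never looks at "up".  Starting at
 * the leaf therefore yields exactly one cert. */
static Cert_path_LL *copy_path(PathNode *itemLink)
{
    Cert_path_LL *head = NULL, **tail = &head;
    while (itemLink != NULL) {
        Cert_path_LL *n = calloc(1, sizeof *n);
        if (n == NULL)
            return head;
        n->cert = itemLink->cert;
        *tail = n;
        tail = &n->next;
        itemLink = itemLink->down;
    }
    return head;
}

static size_t path_len(const Cert_path_LL *p)
{
    size_t len = 0;
    for (; p; p = p->next)
        len++;
    return len;
}

static void free_path(Cert_path_LL *p)
{
    while (p) {
        Cert_path_LL *next = p->next;
        free(p);
        p = next;
    }
}

/* Builds the question's two-node path (intermediate CA above the end-entity
 * cert), runs the copy with or without the leaf-advancing bug, and returns the
 * number of certs the caller receives.  When first_cert is non-NULL it gets the
 * label of the first cert in the returned path. */
size_t returned_path_length(int with_bug, const char **first_cert)
{
    PathNode ee = { "cert3 (issued by intermediate CA)", NULL, NULL };
    PathNode ca = { "intermediate CA", NULL, &ee };
    ee.up = &ca;

    Cert_path_LL *path = copy_path(build_path(&ca, with_bug));
    size_t len = path_len(path);
    if (first_cert)
        *first_cert = path ? path->cert : NULL;
    free_path(path);
    return len;                    /* 1 with the bug, 2 with the lines removed */
}
```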
From: "Nicholas, Richard"
To: "'eboudreault@motus.com'", imc-cml@imc.org
Subject: RE: CM_RequestDecCertPath
Date: Tue, 30 Jan 2001 11:57:13 -0500

Eric,

There is a bug in the CMU_CPLBuildPath() function in CML v1.8.1. The following lines in CM_RetrieveKey.c (lines 726-727) should be deleted:

    while ((*subject)->down)
        *subject = (*subject)->down;

- Rich

---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: Crypto Token with Certification Path
Date: Tue, 30 Jan 2001 15:44:43 -0500
Hi, it's me again!

I want to know what is the certificate that I am supposed to put in the function addLogin of the class CSM_Free3.

Here is the architecture of the certificates:

CA1
CA2
CA3
Client1
Client2

I initialise the structure InitSettings_struct::pTokenObj with CSMIME and in the CSMIME instance I insert an instance of CSM_Free3.

My question is: why, if I want to create the certification path of all the Clients with the instantiation of the token interface with the certificate of the Client1, are all the paths returned equal to NULL?

Code example:
-------------------------------------------------------------------------
    ......
    InitSettings_struct settings;
    ......
    settings.extHandle = NULL;        /* Handle to external library for callbacks */
    settings.pGetObj = NULL;          /* Function pointer to external get callback function */
    settings.pFreeObj = NULL;         /* Function pointer to external free callback function */
    settings.pTokenObj = new CSMIME;  /* Pointer to crypto token object */

    if ((pFree_RSA = new CSM_Free3(rsa)) == NULL)
        throw -1;                     // CSM_Free3 constructor sets Alg IDs

    pTI_RSA = pFree_RSA->AddLogin(certificat1,  // IN, public key and algs
                                  NULL,         // IN, private key for signing / encryption ops OPTIONAL
                                  NULL,         // IN, password to pbe decrypt privatekey
                                  szID_RSA);    // CTIL specific ID

    pCSInst = new CSM_CSInst;
    pCSInst->SetTokenInterface((CSM_TokenInterface*)pTI_RSA);
    pCSInst->SetApplicable();
    pCSInst->SetUseThis();

    CSM_BufferLst *pCertificates = NULL;
    pCertificates = new CSM_BufferLst;
    pCertificates->AppendL(&certificatCA);
    pCSInst->SetCertificates(pCertificates);

    ((CSMIME*)settings.pTokenObj)->m_pCSInsts = new CSM_CSInstLst;
    ((CSMIME*)settings.pTokenObj)->m_pCSInsts->AppendL(pCSInst);

    settings.revPolicy;               /* How certificate revocation is to be done */
    settings.trustedCerts = NULL;     /* The list of trusted certs for the session */
    settings.trustedCerts = new EncCert_LL;
    settings.trustedCerts->encCert.data = (unsigned char*)certificatCA.Access();
    settings.trustedCerts->encCert.num = certificatCA.Length();
    settings.trustedCerts->next = NULL;
    settings.useLDAP = 0;             /* Whether or not LDAP is to be used */
    settings.ldapServer = NULL;       /* The LDAP server IP address */
    settings.ldapPort = 0;            /* The LDAP port */
    settings.ldapTimeout = 0;         /* The number of seconds before timeout */

    CM_CreateSessionExt(&sessionID, &settings);

    if (CM_RequestDecCertPath(sessionID, asn1_CA1, CM_SEARCH_LOCAL, &decPathCA) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;
        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }

    if (CM_RequestDecCertPath(sessionID, asn1_Client1, CM_SEARCH_LOCAL, &decPathClient1) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;
        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }

    if (CM_RequestDecCertPath(sessionID, asn1_Client2, CM_SEARCH_LOCAL, &decPathClient2) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;
        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }

    if (CM_RequestDecCertPath(sessionID, asn1_CA2, CM_SEARCH_LOCAL, &decPathCA1) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;
        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }

    if (CM_RequestDecCertPath(sessionID, asn1_CA3, CM_SEARCH_LOCAL, &decPathCA2) != CM_NO_ERROR)
    {
        ErrorInfo_List *errInfo = NULL;
        CM_GetErrInfo(sessionID, &errInfo);
        CM_FreeErrInfo(sessionID, &errInfo);
    }
    ......
-------------------------------------------------------------------------

Thanks.
**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Tue Jan 30 13:51:17 2001
Message-ID: <0B95FB5619B3D411817E006008A592592C2D13@wfhqex06.gfgsi.com>
From: "Nicholas, Richard"
To: imc-cml@imc.org
Cc: "'eboudreault@motus.com'"
Subject: RE: Crypto Token with Certification Path
Date: Tue, 30 Jan 2001 17:01:19 -0500

Eric,

Not sure if I know the answer. I can't see any problem with your code below. Regardless, CM_RequestDecCertPath() doesn't use the CTIL tokens at all, so that shouldn't have any impact on the function failing. I'm assuming that:

1. CM_CreateSessionExt() was successful.
2. CM_RequestDecCertPath() is returning CM_NO_PATH_FOUND.
3. certificatCA is the ASN.1 encoded cert for CA1.

If so, can you send me those certs and I'll run them here and try and figure out why the path fails.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

> -----Original Message-----
> From: eboudreault@motus.com [mailto:eboudreault@motus.com]
> Sent: Tuesday, January 30, 2001 3:45 PM
> To: imc-cml@imc.org
> Subject: Crypto Token with Certification Path
>
>
> Hi, it's me again !!!
>
> I want to know which certificate I am supposed to put in the
> function addLogin of the class CSM_Free3.
>
> Here is the architecture of the certificates:
>
>           CA1
>       CA2     CA3
>   Client1   Client2
>
> I initialise the structure InitSettings_struct::pTokenObj with CSMIME, and
> in the CSMIME instance I insert an instance of CSM_Free3.
>
> My question is:
>
> Why, if I want to create the certification path of all the Clients with the
> instantiation of the token interface with the certificate of Client1,
> are all the paths returned equal to NULL??????
>
> Code example:
> -------------------------------------------------------------------------------------------------------
>
>     ......
>     InitSettings_struct settings;
>     ......
>     settings.extHandle = NULL;        /* Handle to external library for callbacks */
>     settings.pGetObj = NULL;          /* Function pointer to external get callback function */
>     settings.pFreeObj = NULL;         /* Function pointer to external free callback function */
>     settings.pTokenObj = new CSMIME;  /* Pointer to crypto token object */
>
>     if ((pFree_RSA = new CSM_Free3(rsa)) == NULL)
>         throw -1;
>
>     // CSM_Free3 constructor sets Alg IDs
>     pTI_RSA = pFree_RSA->AddLogin(certificat1,  // IN, public key and algs
>                                   NULL,         // IN, private key for signing/encryption ops, OPTIONAL
>                                   NULL,         // IN, password to pbe decrypt private key
>                                   szID_RSA);    // CTIL specific ID
>     pCSInst = new CSM_CSInst;
>     pCSInst->SetTokenInterface((CSM_TokenInterface*)pTI_RSA);
>     pCSInst->SetApplicable();
>     pCSInst->SetUseThis();
>
>     CSM_BufferLst *pCertificates = NULL;
>     pCertificates = new CSM_BufferLst;
>     pCertificates->AppendL(&certificatCA);
>     pCSInst->SetCertificates(pCertificates);
>
>     ((CSMIME*)settings.pTokenObj)->m_pCSInsts = new CSM_CSInstLst;
>     ((CSMIME*)settings.pTokenObj)->m_pCSInsts->AppendL(pCSInst);
>
>     settings.revPolicy;               /* How certificate revocation is to be done (no value assigned here) */
>     settings.trustedCerts = NULL;     /* The list of trusted certs for the session */
>     settings.trustedCerts = new EncCert_LL;
>     settings.trustedCerts->encCert.data = (unsigned char*)certificatCA.Access();
>     settings.trustedCerts->encCert.num = certificatCA.Length();
>     settings.trustedCerts->next = NULL;
>     settings.useLDAP = 0;             /* Whether or not LDAP is to be used */
>     settings.ldapServer = NULL;       /* The LDAP server IP address */
>     settings.ldapPort = 0;            /* The LDAP port */
>     settings.ldapTimeout = 0;         /* The number of seconds before timeout */
>
>     CM_CreateSessionExt(&sessionID, &settings);
>
>     if (CM_RequestDecCertPath(sessionID, asn1_CA1, CM_SEARCH_LOCAL, &decPathCA) != CM_NO_ERROR)
>     {
>         ErrorInfo_List *errInfo = NULL;
>         CM_GetErrInfo(sessionID, &errInfo);
>         CM_FreeErrInfo(sessionID, &errInfo);
>     }
>
>     if (CM_RequestDecCertPath(sessionID, asn1_Client1, CM_SEARCH_LOCAL, &decPathClient1) != CM_NO_ERROR)
>     {
>         ErrorInfo_List *errInfo = NULL;
>         CM_GetErrInfo(sessionID, &errInfo);
>         CM_FreeErrInfo(sessionID, &errInfo);
>     }
>
>     if (CM_RequestDecCertPath(sessionID, asn1_Client2, CM_SEARCH_LOCAL, &decPathClient2) != CM_NO_ERROR)
>     {
>         ErrorInfo_List *errInfo = NULL;
>         CM_GetErrInfo(sessionID, &errInfo);
>         CM_FreeErrInfo(sessionID, &errInfo);
>     }
>
>     if (CM_RequestDecCertPath(sessionID, asn1_CA2, CM_SEARCH_LOCAL, &decPathCA1) != CM_NO_ERROR)
>     {
>         ErrorInfo_List *errInfo = NULL;
>         CM_GetErrInfo(sessionID, &errInfo);
>         CM_FreeErrInfo(sessionID, &errInfo);
>     }
>
>     if (CM_RequestDecCertPath(sessionID, asn1_CA3, CM_SEARCH_LOCAL, &decPathCA2) != CM_NO_ERROR)
>     {
>         ErrorInfo_List *errInfo = NULL;
>         CM_GetErrInfo(sessionID, &errInfo);
>         CM_FreeErrInfo(sessionID, &errInfo);
>     }
>     ......
>
> -------------------------------------------------------------------------------------------------------
>
> Thanks.
>
> **********************************************************************************************
> Eric Boudreault
> ------------------------------------------------
> Programmer
> ------------------------------------------------
> Motus Technologies
> 390, St-Vallier Est
> Bureau 100
> Québec, Qc
> G1K 3P6
> Tel.: 521-2100 ext.#242
> Fax.: 521-2101
> e-mail: eboudreault@motus.com
> **********************************************************************************************

From owner-imc-cml Fri Feb 2 08:15:06 2001
From: eboudreault@motus.com
Subject: CM_NOT_SET
To: imc-cml@imc.org
Date: Fri, 2 Feb 2001 11:22:15 -0500

Hi,

Isn't this define supposed to be 0?????

    #define CM_NOT_SET -1    (line 237 in cmapi.h)

Thanks.
**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Fri Feb 2 08:47:31 2001
Message-ID: <0B95FB5619B3D411817E006008A592593AC062@wfhqex06.gfgsi.com>
From: "McPherson, Clyde"
To: eboudreault@motus.com, imc-cml@imc.org
Cc: "Pawling, John"
Subject: RE: CM_NOT_SET
Date: Fri, 2 Feb 2001 11:57:45 -0500

Correct, CM_NOT_SET should be -1.

-Tex

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Friday, February 02, 2001 11:22 AM
To: imc-cml@imc.org
Subject: CM_NOT_SET

Hi,

Isn't this define supposed to be 0?????

    #define CM_NOT_SET -1    (line 237 in cmapi.h)

Thanks.

**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Wed Feb 7 06:31:51 2001
Message-ID: <3A815D24.620EF819@bbn.com>
Date: Wed, 07 Feb 2001 09:35:16 -0500
From: Robert Masters
To: imc-cml@imc.org
Subject: CM_RetrieveKey

Hi,

I initialize the CM library (version 1.81) like so:

    cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
    if(cml_return_code != CM_NO_ERROR)
    {
        fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
        return false;
    }

where initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.

When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt. I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE. So I pass in the user certificate again.

Two questions:

(1) Why is my fetchDBObjects function being called with the DN of the certificate I just passed in to be validated? I would think it would be called with the Issuer's DN.

(2) Why is my fetchDBObjects function being called at all to request certificates? The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path. I would think fetchDBObjects would only be called requesting CRLs.

What am I doing wrong?

Bob Masters
From owner-imc-cml Wed Feb 7 08:38:32 2001
Message-ID: <0B95FB5619B3D411817E006008A592592C2D25@wfhqex06.gfgsi.com>
From: "Nicholas, Richard"
To: imc-cml@imc.org
Cc: "'Robert Masters'"
Subject: RE: CM_RetrieveKey
Date: Wed, 7 Feb 2001 11:49:10 -0500

Bob,

The answers to your specific questions are inline below. First some general info:

The CML uses the Cert Path Development Library (CPDL) from CygnaCom Solutions to build certification paths. Like the CML, the CPDL (aka. CPL) is also owned by U.S. Government and is in the public domain. The CPDL is a generic path building library with its own API and was not written specifically for the CML. This has caused some minor integration issues for the CML when calling the CPDL functions. Note that these are not problems with the CPDL itself.

Because of those issues and some inefficiencies caused by duplication of functionality between the two libraries, the CML development team has planned to remove the CPDL dependency from the CML architecture at the earliest possible date. Unfortunately, other CML development requirements have been given higher priorities and the CPDL is still present in v1.9. However, the removal of the CPDL is likely to be the first requirement implemented after the v1.9 release.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Wednesday, February 07, 2001 9:35 AM
To: imc-cml@imc.org
Subject: CM_RetrieveKey

Hi,

I initialize the CM library (version 1.81) like so:

    cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
    if(cml_return_code != CM_NO_ERROR)
    {
        fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
        return false;
    }

where initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.

When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt. I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE. So I pass in the user certificate again.

Two questions:

(1) Why is my fetchDBObjects function being called with the DN of the certificate I just passed in to be validated? I would think it would be called with the Issuer's DN.

(2) Why is my fetchDBObjects function being called at all to request certificates? The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path. I would think fetchDBObjects would only be called requesting CRLs.

[RN]: Essentially, the CPDL treats the application-supplied cert (or cert path) as a hint. The CPDL was designed to build paths to a given DN, not a cert. So the first thing the CPDL does is request the certs for the subject's DN, even though the CML always passes the subject's cert to the CPDL.

[RN]: You are correct that once the path is built the CML will call your callback function to request the CRL issued by the root.

What am I doing wrong?

Bob Masters

[RN]: As far as I can tell, nothing. One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey(). In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE). Then call CM_RetrieveKey(). Hopefully, the path will now be found.

[RN]: There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL. This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).

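The lookup order Rich describes above (the supplied cert is only a hint; the callback is asked for the subject's DN first, then each issuer's DN up to a trusted root, and finally the root's CRL), as an added toy model in C that is not CML or CPDL code. The store, DNs, type flags, return codes and function names are constructed for illustration, reusing the CA1/CA2/Client1 hierarchy from Eric's earlier message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the fetch sequence described in this thread.
 * It is not the CML or CPDL implementation; all names are invented. */

#define TYPE_USER_CERT  0x01
#define TYPE_CA_CERT    0x02
#define TYPE_CROSS_CERT 0x04
#define TYPE_CRL        0x08
#define CERT_TYPES (TYPE_USER_CERT | TYPE_CA_CERT | TYPE_CROSS_CERT)

#define RC_NO_ERROR       0
#define RC_NO_PATH_FOUND 21   /* the value Bob reports for CM_NO_PATH_FOUND */

#define MAX_PATH 8
#define MAX_LOG  16

typedef struct {
    const char *subject;
    const char *issuer;
    int type;
} ToyCert;

/* constructed local store: root CA1 issues CA2, CA2 issues Client1 */
static const ToyCert STORE[] = {
    { "CN=CA1",     "CN=CA1", TYPE_CA_CERT   },
    { "CN=CA2",     "CN=CA1", TYPE_CA_CERT   },
    { "CN=Client1", "CN=CA2", TYPE_USER_CERT },
};
#define STORE_LEN (sizeof STORE / sizeof STORE[0])

/* every (dn, typeMask) request the callback receives, in call order */
static char fetch_log[MAX_LOG][48];
static int  fetch_log_len;

void reset_fetch_log(void) { fetch_log_len = 0; }
int  fetch_log_count(void) { return fetch_log_len; }
const char *fetch_log_entry(int i) { return fetch_log[i]; }

/* application callback, shaped like fetchDBObjects(dn, typeMask):
 * returns the first stored object matching the DN and mask, else NULL */
static const ToyCert *fetch_db_objects(const char *dn, int type_mask) {
    size_t i;
    if (fetch_log_len < MAX_LOG)
        snprintf(fetch_log[fetch_log_len++], sizeof fetch_log[0],
                 "%s|0x%02x", dn, type_mask);
    if (type_mask == TYPE_CRL)
        return NULL;                       /* the toy store holds no CRLs */
    for (i = 0; i < STORE_LEN; i++)
        if (strcmp(STORE[i].subject, dn) == 0 && (STORE[i].type & type_mask))
            return &STORE[i];
    return NULL;
}

static int is_trusted(const char *dn, const char *const *roots, int n) {
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(roots[i], dn) == 0) return 1;
    return 0;
}

/* Build a path for `hint`, stopping at any DN listed in `roots`.  `path`
 * receives the subject DNs from the end entity up to the cert issued by
 * the root.  Returns RC_NO_ERROR or RC_NO_PATH_FOUND. */
int build_path(const ToyCert *hint, const char *const *roots, int n_roots,
               int check_crl, const char *path[], int *path_len) {
    const char *dn = hint->subject;        /* the cert itself is only a hint */
    *path_len = 0;
    for (;;) {
        const ToyCert *c;
        if (*path_len == MAX_PATH) return RC_NO_PATH_FOUND;
        c = fetch_db_objects(dn, CERT_TYPES);   /* subject DN is asked first */
        if (c == NULL) return RC_NO_PATH_FOUND;  /* nothing for this DN */
        path[(*path_len)++] = c->subject;
        if (is_trusted(c->issuer, roots, n_roots)) {
            if (check_crl) fetch_db_objects(c->issuer, TYPE_CRL); /* root's CRL */
            return RC_NO_ERROR;
        }
        if (strcmp(c->issuer, c->subject) == 0)
            return RC_NO_PATH_FOUND;           /* self-signed but not trusted */
        dn = c->issuer;                        /* then walk up by issuer DN */
    }
}

int main(void) {
    const char *roots[] = { "CN=CA1" };
    const char *path[MAX_PATH];
    int n, i, rc;
    ToyCert client1 = { "CN=Client1", "CN=CA2", TYPE_USER_CERT };
    reset_fetch_log();
    rc = build_path(&client1, roots, 1, 1, path, &n);
    printf("rc=%d path:", rc);
    for (i = 0; i < n; i++) printf(" %s", path[i]);
    printf("\ncallback requests (dn|typeMask):\n");
    for (i = 0; i < fetch_log_count(); i++) printf("  %s\n", fetch_log_entry(i));
    return 0;
}
```

The log shows the callback receiving the end entity's own DN first, which is why returning that certificate from the callback is required and not a mistake.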
From owner-imc-cml Thu Feb 8 05:46:20 2001
Message-ID: <3A82A3F6.121D117E@bbn.com>
Date: Thu, 08 Feb 2001 08:49:42 -0500
From: Robert Masters
To: "Nicholas, Richard"
CC: imc-cml@imc.org
Subject: Re: CM_RetrieveKey
References: <0B95FB5619B3D411817E006008A592592C2D25@wfhqex06.gfgsi.com>

Rich,

Thanks for the help and the information. I tried calling CM_SetPolicy() as you suggested, with the initialPolicy field set to NULL (I failed to mention previously that I was already calling CM_SetPolicy() with a non-null initialPolicy). Setting initialPolicy to NULL seemed to work. CM_RetrieveKey returned 0. However, I noticed that fetchDBObjects was only called with a request for CRLs for the CA certificate. It was not called with a request for the same user certificate that I passed in to be validated (and when I turned off CRL checking, it wasn't called at all). So, here's some more questions for you:

1) Why does the CM library ask for the user certificate when initialPolicy is non-null and not ask for it when initialPolicy is null?

2) What does the initialPolicy have to do with building the path?

3) Is there any way I can get a path built with a non-null initialPolicy? One of my requirements is to do policy processing, and I need to set the initial policy. If I bypass the CPDL by building my own path and providing it to CM_RetrieveKey as a CertificationPath, would CM_RetrieveKey be able to validate it when initialPolicy is non-null?

4) Do I need CML 1.9?

Thanks,
Bob

"Nicholas, Richard" wrote:

> Bob,
>
> The answers to your specific questions are inline below. First
> some general info:
>
> The CML uses the Cert Path Development Library
> (CPDL) from CygnaCom Solutions to build certification paths. Like the
> CML, the CPDL (aka. CPL) is also owned by U.S. Government and is in
> the public domain. The CPDL is a generic path building library with
> its own API and was not written specifically for the CML. This has
> caused some minor integration issues for the CML when calling the CPDL
> functions. Note that these are not problems with the CPDL
> itself.
>
> Because of those issues and some inefficiencies caused by
> duplication of functionality between the two libraries, the CML
> development team has planned to remove the CPDL dependency from the
> CML architecture at the earliest possible date. Unfortunately, other
> CML development requirements have been given higher priorities and the
> CPDL is still present in v1.9. However, the removal of the CPDL is
> likely to be the first requirement implemented after the v1.9
> release.
>
> - Rich
> ---------------------------
> Richard E. Nicholas
> Principal Secure Systems Engineer
> Getronics Government Solutions, LLC
> Richard.Nicholas@GetronicsGov.com
> (301) 939-2722
>
> -----Original Message-----
> From: Robert Masters [mailto:rmasters@bbn.com]
> Sent: Wednesday, February 07, 2001 9:35 AM
> To: imc-cml@imc.org
> Subject: CM_RetrieveKey
>
>
> Hi,
>
> I initialize the CM library (version 1.81) like so:
>
>     cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
>     if(cml_return_code != CM_NO_ERROR)
>     {
>         fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
>         return false;
>     }
>
> where initSettings includes pointers to a fetchDBObjects
> function and a freeDBObjects function, and a single trusted
> root certificate.
>
> When calling CM_RetrieveKey, I specify CM_CERT_TYPE,
> CM_SEARCH_LOCAL, and pass in a user certificate signed by
> the trusted root certificate that I passed to
> CM_CreateSessionExt. I get a return value of 21
> (CM_NO_PATH_FOUND). When my fetchDBObjects callback is
> called, the DN parameter passed to it is for the subject of
> the user certificate that I just passed in to be validated,
> and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE |
> CROSS_CERT_TYPE. So I pass in the user certificate again.
>
> Two questions:
>
> (1) Why is my fetchDBObjects function being called with the
> DN of the certificate I just passed in to be validated? I would
> think it would be called with the Issuer's DN.
>
> (2) Why is my fetchDBObjects function being called at all to
> request certificates? The certificate I passed in was
> signed by the root that I passed in to the initialization
> function, so the CM library already has the complete path.
> I would think fetchDBObjects would only be called requesting
> CRLs.
>
> [RN]: Essentially, the CPDL treats the application-supplied cert (or
> cert path) as a hint. The CPDL was designed to build paths to a given
> DN, not a cert. So the first thing the CPDL does is request the certs
> for the subject's DN, even though the CML always passes the subject's
> cert to the CPDL.
>
> [RN]: You are correct that once the path is built the CML will call
> your callback function to request the CRL issued by the root.
>
> What am I doing wrong?
>
> Bob Masters
>
> [RN]: As far as I can tell, nothing. One thing to try, though, is to
> call CM_SetPolicy() before calling CM_RetrieveKey(). In the
> PolicyData_struct that is passed as a parameter, set the initialPolicy
> field to NULL and the two members of the initPolValues field to zero
> (or FALSE). Then call CM_RetrieveKey(). Hopefully, the path will now
> be found.
>
> [RN]: There is a bug in CM_RetrieveKey.c where the initial policy
> value flags get passed into the CPDL. This bug has been fixed in v1.9
> by changing the PolicyData_struct to use boolean values rather than
> re-using the Pol_cons_struct (and its short integer values).
What am I doing wrong?

Bob Masters

[RN]:  As far as I can tell, nothing.  One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey().  In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE).  Then call CM_RetrieveKey().  Hopefully, the path will now be found.

[RN]:  There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL.  This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).

From owner-imc-cml Thu Feb 8 12:57:20 2001
Message-ID: <0B95FB5619B3D411817E006008A592592C2D27@wfhqex06.gfgsi.com>
From: "Nicholas, Richard"
To: "'Robert Masters'"
Cc: imc-cml@imc.org
Subject: RE: CM_RetrieveKey
Date: Thu, 8 Feb 2001 16:00:26 -0500

Bob,
 
My answers are inline below.
-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Thursday, February 08, 2001 8:50 AM
To: Nicholas, Richard
Cc: imc-cml@imc.org
Subject: Re: CM_RetrieveKey

Rich,
Thanks for the help and the information.  I tried calling CM_SetPolicy() as you suggested, with the initialPolicy field set to NULL (I failed to mention previously that I was already calling CM_SetPolicy() with a non-null initialPolicy).   Setting initialPolicy to NULL seemed to work.  CM_RetrieveKey returned 0.  However, I noticed that fetchDBObjects was only called with a request for CRLs for the CA certificate.  It was not called with a request for the same user certificate that I passed in to be validated (and when I turned off CRL checking, it wasn't called at all).  So, here are some more questions for you:

1) Why does the CM library ask for the user certificate when initialPolicy is non-null and not ask for it when initialPolicy is null? 

[RN]:  I don't have an answer for your specific question, since the Cert Path Development Library (CPDL) decides when it needs to request certificates or not to complete a path.  In general, the CPDL uses several variables (subject and issuer DNs, signature algorithm, cert policies, key usage, validity dates, etc.) when building a path.  When multiple certs exist, the CPDL uses a heuristic algorithm to choose the best cert to complete the path.  

2) What does the initialPolicy have to do with building the path? 

[RN]:  The initialPolicy tells the CPDL what cert policies are acceptable to the user.  Given a choice of two certs to complete a path, one that complies with a user-acceptable policy and one that doesn't, the CPDL will choose the one that complies.  

3) Is there any way I can get a path built with a non-null initialPolicy?  One of my requirements is to do policy processing, and I need to set the initial policy.   If I bypass the CPDL by building my own path and providing it to CM_RetrieveKey as a CertificationPath, would CM_RetrieveKey be able to validate it when initialPolicy is non-null?

[RN]:  My previous email was a little vague on the specific problem.  The bug is with the initial policy values (require-explicit-policy and inhibit-policy-mapping).  The CML header file (cmapi.h) and the API specify that those values should be set to either CM_NOT_SET or CM_SET.  However, the v1.8.1 code expects those values to be either FALSE or TRUE (or zero and a value other than zero).  When CM_NOT_SET (-1) is used, the code interprets that value as TRUE rather than FALSE, which can cause paths to fail to build.

[RN]:  Unfortunately, just using CM_SetPolicy() and setting the initial policy values to either TRUE or FALSE, rather than CM_SET and CM_NOT_SET is not a complete fix.  Paths should now build (assuming everything else is correct), but that fix may cause path validation errors to occur.  The complete fix has been made in v1.9 which is to be released tomorrow.

[RN]:  If a complete path is passed in, then CM_RetrieveKey() will verify it when an initialPolicy set is specified (non-NULL).  Note, however, that CM_RetrieveKey() will call the CPDL to complete the path unless one of the certs in the path is either trusted or has been previously validated by CM_RetrieveKey().

4) Do I need CML 1.9?   

[RN]:  Not necessarily, but I'd recommend upgrading to v1.9 once it's available late tomorrow or Monday.  Once v1.9 is released, I'll have time to put out a patch to v1.8.1 that fixes this bug, if there is interest.

- Rich

Thanks,
Bob
 

"Nicholas, Richard" wrote:

 Bob,

The answers to your specific questions are inline below.  First some general info:

The CML uses the Cert Path Development Library (CPDL) from CygnaCom Solutions to build certification paths.  Like the CML, the CPDL (aka. CPL) is also owned by the U.S. Government and is in the public domain.  The CPDL is a generic path building library with its own API and was not written specifically for the CML.  This has caused some minor integration issues for the CML when calling the CPDL functions.  Note that these are not problems with the CPDL itself.

Because of those issues and some inefficiencies caused by duplication of functionality between the two libraries, the CML development team has planned to remove the CPDL dependency from the CML architecture at the earliest possible date.  Unfortunately, other CML development requirements have been given higher priorities and the CPDL is still present in v1.9.  However, the removal of the CPDL is likely to be the first requirement implemented after the v1.9 release.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722
-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Wednesday, February 07, 2001 9:35 AM
To: imc-cml@imc.org
Subject: CM_RetrieveKey
 
Hi,

I initialize the CM library (version 1.81) like so:

 cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
 if(cml_return_code != CM_NO_ERROR)
 {
  fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
  return false;
 }

where  initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.

When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt.  I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE.  So I pass in the user certificate again.

Two questions:

(1) Why is my fetchDBObjects function being called with the DN of certificate I just passed in to be validated?  I would think it would be called with the Issuer's DN.

(2) Why is my fetchDBObjects function being called at all to request certificates?  The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path.  I would think fetchDBObjects would only be called requesting CRLs.

[RN]:  Essentially, the CPDL treats the application-supplied cert (or cert path) as a hint.  The CPDL was designed to build paths to a given DN, not a cert.  So the first thing the CPDL does is request the certs for the subject's DN, even though the CML always passes the subject's cert to the CPDL.
[RN]:  You are correct that once the path is built the CML will call your callback function to request the CRL issued by the root.
What am I doing wrong?

Bob Masters

[RN]:  As far as I can tell, nothing.  One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey().  In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE).  Then call CM_RetrieveKey().  Hopefully, the path will now be found.

[RN]:  There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL.  This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).
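The CM_NOT_SET / CM_SET problem Rich describes in his answer to question 3 is a tri-state sentinel being read as a C truth value: cmapi.h documents the initial policy values as CM_NOT_SET (-1) or CM_SET, but v1.8.1 tested them as zero / non-zero, so -1 came out as "set". The C below is an added illustration of that failure mode, not CML or CPDL code: the value of CM_NOT_SET (-1) is taken from the thread, CM_SET's value is assumed to be 1, the two structs are cut-down stand-ins for PolicyData_struct and the booleans the path builder needs, and translate_v181 / translate_fixed are hypothetical reconstructions of the old and the corrected flag translation.

```c
#include <stdbool.h>
#include <stdio.h>

/* cmapi.h defines CM_NOT_SET as -1 (stated on the list). CM_SET's value is
 * not given there; 1 is an assumption for this example. */
#define CM_NOT_SET (-1)
#define CM_SET     1

/* Cut-down stand-in for the initPolValues member of PolicyData_struct: in
 * v1.8.1 these were short integers borrowed from Pol_cons_struct. */
struct InitPolValues {
    short requireExplicitPolicy;   /* CM_NOT_SET or CM_SET per the API */
    short inhibitPolicyMapping;    /* CM_NOT_SET or CM_SET per the API */
};

/* What the path builder actually consumes: two plain booleans. */
struct CpdlPolicyFlags {
    bool requireExplicitPolicy;
    bool inhibitPolicyMapping;
};

/* Hypothetical v1.8.1 behaviour: the short is used directly as a truth value,
 * so the CM_NOT_SET sentinel (-1) is non-zero and is passed on as "true". */
struct CpdlPolicyFlags translate_v181(const struct InitPolValues *v) {
    struct CpdlPolicyFlags f;
    f.requireExplicitPolicy = (v->requireExplicitPolicy != 0);
    f.inhibitPolicyMapping  = (v->inhibitPolicyMapping != 0);
    return f;
}

/* Corrected translation: only CM_SET means "set"; everything else, the
 * CM_NOT_SET sentinel included, means "not set". */
struct CpdlPolicyFlags translate_fixed(const struct InitPolValues *v) {
    struct CpdlPolicyFlags f;
    f.requireExplicitPolicy = (v->requireExplicitPolicy == CM_SET);
    f.inhibitPolicyMapping  = (v->inhibitPolicyMapping == CM_SET);
    return f;
}

/* True when the two translations disagree for this input, i.e. when an
 * application that follows the documented API would have been misread. */
bool translations_disagree(short req, short inh) {
    struct InitPolValues v = { req, inh };
    struct CpdlPolicyFlags a = translate_v181(&v);
    struct CpdlPolicyFlags b = translate_fixed(&v);
    return a.requireExplicitPolicy != b.requireExplicitPolicy ||
           a.inhibitPolicyMapping  != b.inhibitPolicyMapping;
}

int main(void) {
    /* An application that follows cmapi.h and passes CM_NOT_SET for both. */
    struct InitPolValues per_api = { CM_NOT_SET, CM_NOT_SET };
    struct CpdlPolicyFlags old = translate_v181(&per_api);
    struct CpdlPolicyFlags fix = translate_fixed(&per_api);
    printf("v1.8.1 reads CM_NOT_SET as require-explicit-policy=%d inhibit-policy-mapping=%d\n",
           old.requireExplicitPolicy, old.inhibitPolicyMapping);
    printf("fixed  reads CM_NOT_SET as require-explicit-policy=%d inhibit-policy-mapping=%d\n",
           fix.requireExplicitPolicy, fix.inhibitPolicyMapping);
    return 0;
}
```

The interim workaround Rich gives (pass FALSE/TRUE instead of CM_NOT_SET/CM_SET) makes the two translations agree for path building, which is why paths start to build; it does not help any later code that still compares against the documented constants, which is the validation-error caveat he attaches to it.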

From owner-imc-cml Mon Feb 12 12:30:41 2001
From: vlasich@securecomputing.com
Message-Id: <200102122031.OAA10489@tornado.sctc.com>
Subject: CRL Distribution Points and CML
To: imc-cml@imc.org
Date: Mon, 12 Feb 2001 14:31:56 -0600 (CST)

Hello,

I'm wondering if anybody can tell me if CML currently has any support built in for CRL Distribution Points?

Also, are many CA vendors making use of this field?

Thanks!
---------------------------
Kevin Vlasich
vlasich@securecomputing.com

From owner-imc-cml Mon Feb 12 13:32:36 2001
Message-ID: <0B95FB5619B3D411817E006008A5925945EC09@wfhqex06.gfgsi.com>
From: "Pawling, John"
To: "'vlasich@securecomputing.com'", imc-cml@imc.org
Subject: RE: CRL Distribution Points and CML
Date: Mon, 12 Feb 2001 16:35:53 -0500

Kevin,

The CML processes the CRL Distribution Point (CRLDP) extension in X.509 v3 certificates as specified in the 1997 X.509 Recommendation and RFC 2459 PKIX Certificate/CRL Profile.  It supports distribution points that are identified with a nameRelativeToCRLIssuer or with a fullName that uses either a directoryName name form or an LDAP URL in the uniformResourceIdentifier name form.  The CML only supports directoryName forms in the cRLIssuer field of the distribution point.  The CML can process multiple URI fields in the CRLDP (especially to handle the case in which the initial URI field indicates a null server name (LDAP:///...)).

The CML also processes the corresponding Issuing Distribution Point extension in X.509 v2 CRLs as specified in the 1997 X.509 Recommendation and RFC 2459 PKIX Certificate/CRL Profile.  The CML supports issuing distribution point extensions that contain a distribution point that is identified using either a directoryName name form or an LDAP URL in the uniformResourceIdentifier name form.
The CML supports indirect CRLs that have the indirectCRL flag set to TRUE and contain the certificate issuer CRL entry extension.

X.509 v3 certificates issued by Entrust CAs and Microsoft Windows 2000-based CAs commonly include a CRLDP.  Also, X.509 v3 certificates issued for Fortezza Card users in conjunction with the Defense Message System program include a CRLDP that identifies an Indirect CRL that consolidates key compromise information (as specified in SDN.706).

Please let me know if I can provide further information.

===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================

-----Original Message-----
From: vlasich@securecomputing.com [mailto:vlasich@securecomputing.com]
Sent: Monday, February 12, 2001 3:32 PM
To: imc-cml@imc.org
Subject: CRL Distribution Points and CML

Hello,

I'm wondering if anybody can tell me if CML currently has any support built in for CRL Distribution Points?

Also, are many CA vendors making use of this field?

Thanks!
---------------------------
Kevin Vlasich
vlasich@securecomputing.com

From owner-imc-cml Tue Feb 13 10:41:59 2001
From: eboudreault@motus.com
Subject: CM_DecodeCert
To: imc-cml@imc.org
Date: Tue, 13 Feb 2001 13:41:46 -0500

I try to decode a certificate that includes a PrivateKeyUsagePeriod extension, but when I execute this:

...
CM_DecodeCert(sessionID, asn1_cert1, &Cert1);
...

it does not work.  Why???

This is the PrivateKeyUsagePeriod extension included in the certificate.

------------------------------------------------------------
30 2F 06 03 55 1D 10 04 28 30 26 80 11 18 0F 32 30 30 31 30 32 31 33 31 38 32 31 30 39 5A 81 11 18 0F 32 30 30 32 30 32 31 33 31 38 32 31 30 39 5A
------------------------------------------------------------

Can you tell me if this extension is correctly encoded???  If not, what is my error?  If it is, what can I do to decode my certificate correctly???  Or do you think it's an error in the library???

Thanks.
**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc  G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Thu Feb 15 11:21:20 2001
Message-ID: <0B95FB5619B3D411817E006008A5925945EC47@wfhqex06.gfgsi.com>
From: "Pawling, John"
To: imc-cml@imc.org
Subject: RE: CM_DecodeCert
Date: Thu, 15 Feb 2001 14:24:34 -0500

Eric:

In analyzing your certificate using CM_DecodeCert, there appears to be bad data in the private key usage period in the notBefore octet string, which is defined as GeneralizedTime.  The GeneralizedTime is in the format "yyyymmddhhmmssZ"; in your certificate it appears as: binary hex 18 0F followed by 20010218182109Z.  The notAfter portion of the private key usage period also contains 2 errant bytes - hex 18 and 0F followed by 20020213182109Z.
I hope this helps you

Tex

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Tuesday, February 13, 2001 1:42 PM
To: imc-cml@imc.org
Subject: CM_DecodeCert

I try to decode a certificate that includes a PrivateKeyUsagePeriod extension, but when I execute this:

...
CM_DecodeCert(sessionID, asn1_cert1, &Cert1);
...

it does not work.  Why???

This is the PrivateKeyUsagePeriod extension included in the certificate.

------------------------------------------------------------
30 2F 06 03 55 1D 10 04 28 30 26 80 11 18 0F 32 30 30 31 30 32 31 33 31 38 32 31 30 39 5A 81 11 18 0F 32 30 30 32 30 32 31 33 31 38 32 31 30 39 5A
------------------------------------------------------------

Can you tell me if this extension is correctly encoded???  If not, what is my error?  If it is, what can I do to decode my certificate correctly???  Or do you think it's an error in the library???

Thanks.

**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc  G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Fri Feb 16 08:50:44 2001
From: vlasich@securecomputing.com
Message-Id: <200102161651.KAA06361@tornado.sctc.com>
Subject: Re: CRL Distribution Points and CML
To: John.Pawling@GetronicsGov.com (Pawling, John)
Date: Fri, 16 Feb 2001 10:51:52 -0600 (CST)
Cc: vlasich@securecomputing.com ('vlasich@securecomputing.com'), imc-cml@imc.org
In-Reply-To: <0B95FB5619B3D411817E006008A5925945EC09@wfhqex06.gfgsi.com> from "Pawling, John" at Feb 12, 2001 04:35:53 PM

John,

Thanks for your response.  I do have some follow-up questions though.

1) If I have CML configured for a particular LDAP directory in my config.cm file, but I receive a cert with a CRLDP extension that points to a different LDAP server, will CML try to connect and retrieve the CRL from the LDAP server in the CRLDP extension or will it look at the LDAP server that is defined in my config.cm file?

2) What happens if LDAP is turned off in config.cm and I receive a cert with a CRLDP extension pointing to an LDAP directory?  Does CML attempt to contact the LDAP server in the CRLDP in this case?

3) Do you have any sample certificate paths that include certs with CRLDP extensions with an LDAP URI?

Thanks.

---------------------------
Kevin Vlasich
vlasich@securecomputing.com

> Kevin,
>
> The CML processes the CRL Distribution Point (CRLDP) extension in X.509 v3
> certificates as specified in the 1997 X.509 Recommendation and RFC 2459 PKIX
> Certificate/CRL Profile.
> It supports distribution points that are
> identified with a nameRelativeToCRLIssuer or with a fullName that uses
> either a directoryName name form or an LDAP URL in the
> uniformResourceIdentifier name form.  The CML only supports directoryName
> forms in the cRLIssuer field of the distribution point.  The CML can process
> multiple URI fields in the CRLDP (especially to handle the case in which the
> initial URI field indicates a null server name (LDAP:///...)).
>
> The CML also processes the corresponding Issuing Distribution Point
> extension in X.509 v2 CRLs as specified in the 1997 X.509 Recommendation and
> RFC 2459 PKIX Certificate/CRL Profile.  The CML supports issuing
> distribution point extensions that contain a distribution point that is
> identified using either a directoryName name form or an LDAP URL in the
> uniformResourceIdentifier name form.  The CML supports indirect CRLs that
> have the indirectCRL flag set to TRUE and contain the certificate issuer CRL
> entry extension.
>
> X.509 v3 certificates issued by Entrust CAs and Microsoft Windows 2000-based
> CAs commonly include a CRLDP.  Also, X.509 v3 certificates issued for
> Fortezza Card users in conjunction with the Defense Message System program
> include a CRLDP that identifies an Indirect CRL that consolidates key
> compromise information (as specified in SDN.706).
>
> Please let me know if I can provide further information.
>
> ===========================================
> John Pawling, John.Pawling@GetronicsGov.com
> Getronics Government Solutions, LLC
> ===========================================
>
>
> -----Original Message-----
> From: vlasich@securecomputing.com [mailto:vlasich@securecomputing.com]
> Sent: Monday, February 12, 2001 3:32 PM
> To: imc-cml@imc.org
> Subject: CRL Distribution Points and CML
>
>
> Hello,
>
> I'm wondering if anybody can tell me if CML currently has any support
> built in for CRL Distribution Points?
>
> Also, are many CA vendors making use of this field?
>
> Thanks!
>
>
> ---------------------------
> Kevin Vlasich
> vlasich@securecomputing.com

From owner-imc-cml Fri Feb 16 09:39:36 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id JAA13927 for imc-cml-bks; Fri, 16 Feb 2001 09:39:36 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13922 for ; Fri, 16 Feb 2001 09:39:33 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Fri, 16 Feb 2001 12:42:52 -0500 Message-ID: <0B95FB5619B3D411817E006008A592593AC532@wfhqex06.gfgsi.com> From: "McPherson, Clyde" To: vlasich@securecomputing.com, "Pawling, John" Cc: imc-cml@imc.org Subject: RE: CRL Distribution Points and CML Date: Fri, 16 Feb 2001 12:42:50 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Kevin:

My comments are inline:

-Tex

John,

Thanks for your response. I do have some follow-up questions though.

1) If I have CML configured for a particular LDAP directory in my config.cm file, but I receive a cert with a CRLDP extension that points to a different LDAP server, will CML try to connect and retrieve the CRL from the LDAP server in the CRLDP extension or will it look at the LDAP server that is defined in my config.cm file?

It will try to retrieve the CRL from the CRLDP.

2) What happens if LDAP is turned off in config.cm and I receive a cert with a CRLDP extension pointing to an LDAP directory? Does CML attempt to contact the LDAP server in the CRLDP in this case?

In this case, it will not try to retrieve the CRL.

3) Do you have any sample certificate paths that include certs with CRLDP extensions with an LDAP URI?

We have one, but it points to an LDAP URI that is internal to our testing environment.

Thanks.
--------------------------- Kevin Vlasich vlasich@securecomputing.com > Kevin, > > The CML processes the CRL Distribution Point (CRLDP) extension in X.509 v3 > certificates as specified in the 1997 X.509 Recommendation and RFC 2459 PKIX > Certificate/CRL Profile. It supports distribution points that are > identified with a nameRelativeToCRLIssuer or with a fullName that uses > either a directoryName name form or an LDAP URL in the > uniformResouceIdentifier name form. The CML only supports directoryName > forms in the cRLIssuer field of the distribution point. The CML can process > multiple URI fields in the CRLDP (especially to handle the case in which the > initial URI field indicates a null server name (LDAP:///...)). > > The CML also processes the corresponding Issuing Distribution Point > extension in X.509 v2 CRLs as specified in the 1997 X.509 Recommendation and > RFC 2459 PKIX Certificate/CRL Profile. The CML supports issuing > distribution point extensions that contain a distribution point that is > identified using either a directoryName name form or an LDAP URL in the > uniformResouceIdentifier name form. The CML supports indirect CRLs that > have the indirectCRL flag set to TRUE and contain the certificate issuer CRL > entry extension. > > X.509 v3 certificates issued by Entrust CAs and Microsoft Windows 2000-based > CAs commonly include a CRLDP. Also, X.509 v3 certificates issued for > Fortezza Card users in conjunction with the Defense Message System program > include a CRLDP that identifies an Indirect CRL that consolidates key > compromise information (as specified in SDN.706). > > Please let me know if I can provide further information. 
> > =========================================== > John Pawling, John.Pawling@GetronicsGov.com > Getronics Government Solutions, LLC > =========================================== > > > -----Original Message----- > From: vlasich@securecomputing.com [mailto:vlasich@securecomputing.com] > Sent: Monday, February 12, 2001 3:32 PM > To: imc-cml@imc.org > Subject: CRL Distribution Points and CML > > > Hello, > > I'm wondering if anybody can tell me if CML currently has any support > built in for CRL Distribution Points? > > Also, are many CA vendors making use of this field? > > Thanks! > > > --------------------------- > Kevin Vlasich > vlasich@securecomputing.com From owner-imc-cml Fri Feb 16 13:29:57 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA26083 for imc-cml-bks; Fri, 16 Feb 2001 13:29:57 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA25402; Fri, 16 Feb 2001 13:22:59 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Fri, 16 Feb 2001 16:26:19 -0500 Message-ID: <0B95FB5619B3D411817E006008A5925945EC77@wfhqex06.gfgsi.com> From: "Pawling, John" To: "Pawling, John" Subject: v1.9 Certificate Management Library Now Available Date: Fri, 16 Feb 2001 16:26:11 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: All, Getronics Government Solutions has delivered the Version 1.9 Certificate Management Library (CML) for MS Windows, Solaris 2.7 and Linux. The v1.9 CML is freely available to everyone from the Getronics CML web page . This release includes two major enhancements. It implements the certificate policy processing requirements specified in the 2000 X.509 Recommendation. 
Also, the Lightweight Directory Access Protocol (LDAP) and database callback functions were moved from the CML to a separate, dynamic Storage & Retrieval Library (SRL).

The v1.9 CML is described in the v1.9 CML Application Programming Interface (API) document. It implements the 2000 X.509 Recommendation certification path processing rules and SDN.706. It meets the majority of the IETF PKIX RFC 2459 Certificate/CRL Profile requirements. It uses the v1.2 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using the Digital Signature Algorithm (DSA) and RSA. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added.

The following enhancements are included in the v1.9 CML release (compared with the v1.8 release):

1) Added support for 2000 X.509 certificate policy processing. We successfully tested the CML using test certificate paths that we created to thoroughly test the new features, including positive and negative tests.

2) Enhanced the internal RAM cache to store validated CRLs. This also included adding the hash of the certificates and CRLs to the RAM cache to uniquely identify the object in the cache.

3) Added ASN.1 decoding support for the new 2000 X.509 certificate and CRL extensions.

4) Enhanced CML so that it can be used with any LDAP library. This includes splitting the CML's database and LDAP callback functions into their own dynamic library (SRL). This moves the LDAP linkage from the CML to the SRL. The SRL also provides local certificate and CRL storage management functions. This included enhancing the SRL so that implementing the database callback functions will cause the native CML database to be disregarded. We tested the SRL with the Netscape LDAP library on Windows. We tested the SRL with the OpenLDAP library on Linux and Solaris.

5) Tested the v1.9 CML with the new version (v2.0) of the CPDL provided by CygnaCom to fix bugs in the previous CPDL release.

6) We fixed bugs in the v1.81 CML. The CML was always initializing the require-explicit-policy value to "True" (rather than using the value provided by the application). The CML was crashing when it encountered a CRL Distribution Point extension that included a Uniform Resource Identifier.

7) Enhanced CMTest automated test utility to test new features of v1.9 CML and SRL.

8) Delivered new CML and SRL documents.

The following v1.9 CML files are available from the Getronics CML web page:

1) Windows_CMLLibv1.9.zip: MS Windows Dynamically Linked Libraries (DLL)
2) Windows_CM_Tool.tar.z: CM_Tool DLL
3) Solaris_CMLLibv1.9.tar.Z: Sun Solaris Libraries
4) Solaris_CM_Tool.tar.z: CM_Tool for Solaris
5) Linux_CMLLibv1.9.tar.Z: Linux Libraries
6) Linux_CM_Tool.tar.z: CM_Tool for Linux
7) CML_source.tar.Z: Source, including Windows project files
8) CMAPI_data.tar.Z: Test Certs and CRLs used to test v1.9 CML

The v1.9 CML API document (CMv1.9api.doc, CMv1.9api.pdf), v1.9 SRL API document (SRLv1.9api.doc, SRLv1.9api.pdf), and v1.9 CML readme file are also available from the Getronics CML web page.

All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. Getronics is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML software is not subject to U.S. Government encryption export regulations, so it is freely available to everyone.
The v1.9 CML uses the Getronics v1.3 R5 Enhanced SNACC ASN.1 Library to encode/decode objects. Getronics has successfully tested the v1.9 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.9 SFL. Source code for the Getronics-developed CTILs is available from . The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source. The v1.9 CML can be used in conjunction with the v1.2 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains. The CML_source.tar.Z file includes the CPDL source code and public license. provides more information regarding the CPDL. The National Institute of Standards and Technology (NIST) is providing a standard test suite of X.509 certificate paths that can be used for testing applications against RFC 2459. The CML was used to successfully process the NIST test data. The Internet Mail Consortium (IMC) has established a CML web page and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above. All comments regarding the CML source code and documents are welcome. This CML release announcement was sent to several mail lists, but please send all messages regarding the CML to the imc-cml mail list ONLY. Please do not send messages regarding the CML to any of the IETF mail lists. We will respond to all messages sent to the imc-cml mail list. 
===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================

From owner-imc-cml Tue Feb 20 05:31:03 2001 Received: by above.proper.com (8.9.3/8.9.3) id FAA15043 for imc-cml-bks; Tue, 20 Feb 2001 05:31:03 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA15037 for ; Tue, 20 Feb 2001 05:31:01 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Tue, 20 Feb 2001 08:34:19 -0500 Message-ID: <0B95FB5619B3D411817E006008A592592C2D2C@wfhqex06.gfgsi.com> From: "Nicholas, Richard" To: imc-cml@imc.org Cc: "'eboudreault@motus.com'" Subject: RE: CM_DecodeCert Date: Tue, 20 Feb 2001 08:34:16 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id FAA15038 Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Eric,

More specifically, the ASN.1 error is caused because the extra ASN.1 GeneralizedTime tag and length bytes 0x180F should not be present. The PrivateKeyUsagePeriod extension, along with the other certificate and CRL extensions, is defined in an ASN.1 module that uses IMPLICIT tagging. Since the GeneralizedTime elements in the PrivateKeyUsagePeriod are already tagged, only the contents of the GeneralizedTime encoding are included, not its ASN.1 tag and length.

- Rich

---------------------------
Richard E.
Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

> -----Original Message-----
> From: Pawling, John [mailto:John.Pawling@GetronicsGov.com]
> Sent: Thursday, February 15, 2001 2:25 PM
> To: imc-cml@imc.org
> Subject: RE: CM_DecodeCert
>
>
> Eric:
>
> In analyzing your certificate, using CM_DecodeCert there appears to be bad
> data in the private key usage period in the notBefore octet string which is
> defined as GeneralizedTime. The GeneralizedTime is in the format of
> "yyyymmddhhmmssZ"; in your certificate it appears as: Binary hex 18 0F
> followed by 20010218182109Z. The notAfter portion of the private key usage
> period also contains 2 errant bytes - hex 18 and 0F followed by
> 20020213182109Z.
>
> I hope this helps you
> Tex
>
> -----Original Message-----
> From: eboudreault@motus.com [mailto:eboudreault@motus.com]
> Sent: Tuesday, February 13, 2001 1:42 PM
> To: imc-cml@imc.org
> Subject: CM_DecodeCert
>
>
> I try to decode a certificate that includes a PrivateKeyUsagePeriod
> extension, but when I execute this:
> ...
> CM_DecodeCert(sessionID, asn1_cert1, &Cert1);
> ...
>
> it does not work. Why???
>
> This is the PrivateKeyUsagePeriod extension included in the
> certificate.
> ------------------------------------------------------------
> 30 2F 06 03 55 1D 10 04 28 30 26 80 11 18 0F 32 30 30 31 30
> 32 31 33 31 38 32 31 30 39 5A 81 11 18 0F 32 30 30 32 30 32
> 31 33 31 38 32 31 30 39 5A
> ------------------------------------------------------------
>
> Can you tell me if this extension is correctly encoded???
> If not, what is my error?
> If it is, what can I do to decode my certificate correctly???
>
> Or
>
> Do you think it's an error in the library???
>
>
> Thanks.
>
>
> **************************************************************
> **************
>
> ******************
>
> Eric Boudreault
> ------------------------------------------------
> Programmer
> ------------------------------------------------
> Motus Technologies
> 390, St-Vallier Est
> Bureau 100
> Québec, Qc
> G1K 3P6
> Tel.: 521-2100 ext.#242
> Fax.: 521-2101
> e-mail: eboudreault@motus.com
> **************************************************************
> **************
>
> ******************
>

From owner-imc-cml Tue Feb 20 08:17:51 2001 Received: by above.proper.com (8.9.3/8.9.3) id IAA23581 for imc-cml-bks; Tue, 20 Feb 2001 08:17:51 -0800 (PST) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA23577 for ; Tue, 20 Feb 2001 08:17:50 -0800 (PST) From: vlasich@securecomputing.com Received: from beach.sctc.com (root@localhost) by beach.sctc.com with ESMTP id f1KGIOa00643 for ; Tue, 20 Feb 2001 10:18:24 -0600 (CST) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com with ESMTP id f1KGIOr00639 for ; Tue, 20 Feb 2001 10:18:24 -0600 (CST) Received: from tornado.sctc.com (tornado.sctc.com [172.17.192.159]) by sphinx.sctc.com (8.8.8+Sun/8.7.3) with ESMTP id KAA04949 for ; Tue, 20 Feb 2001 10:25:49 -0600 (CST) Received: (from vlasich@localhost) by tornado.sctc.com (8.9.3+Sun/) id KAA01123 for imc-cml@imc.org; Tue, 20 Feb 2001 10:19:15 -0600 (CST) Message-Id: <200102201619.KAA01123@tornado.sctc.com> Subject: CRL distribution points To: imc-cml@imc.org Date: Tue, 20 Feb 2001 10:19:14 -0600 (CST) X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

I've been trying to get CML version 1.7.1 to respond to a CRL Distribution Point Extension (CRLDP), but have not been successful.

Here is what I'm trying to do.
My config.com file has LDAP turned on and pointing to a particular LDAP directory, let's say its IP address is 255.255.255.1

I then try to verify a certificate that has a CRLDP pointing at a different LDAP directory, let's say its IP is 255.255.255.2

Here is what the extension looks like when decoded with dumpasn1.

             SEQUENCE {
 397  06    3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
 402  04   42:   OCTET STRING, encapsulates {
 404  30   40:     SEQUENCE {
 406  30   38:       SEQUENCE {
 408  A0   36:         [0] {
 410  A0   34:           [0] {
 412  86   32:             [6] 'ldap://255.255.255.2/o=SCC,c=US'
             :             }
             :           }
             :         }
             :       }
             :     }
             :   }

However, CML never attempts to retrieve a CRL from the ldap server in the CRLDP, it only looks at the LDAP server that is in my config.com. I verified this by watching the network traffic with tcpdump.

Both LDAP directories are on port 389.

Do you have any suggestions on how I might get CML to look at the LDAP server in the CRLDP?

Thank you.

Kevin Vlasich

From owner-imc-cml Tue Feb 20 08:55:57 2001 Received: by above.proper.com (8.9.3/8.9.3) id IAA24749 for imc-cml-bks; Tue, 20 Feb 2001 08:55:57 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA24745 for ; Tue, 20 Feb 2001 08:55:55 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Tue, 20 Feb 2001 11:59:13 -0500 Message-ID: <0B95FB5619B3D411817E006008A592592C2D2F@wfhqex06.gfgsi.com> From: "Nicholas, Richard" To: imc-cml@imc.org Cc: "'vlasich@securecomputing.com'" Subject: RE: CRL distribution points Date: Tue, 20 Feb 2001 11:59:11 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Kevin,

CML version 1.8 was the first version that supported LDAP URLs in the CRL Distribution Points extension.
CML v1.5, v1.6, v1.7 (and their maintenance releases) only processed X.500 DN name forms in the CRL distribution points; other name forms were ignored.

- Rich

---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

> -----Original Message-----
> From: vlasich@securecomputing.com [mailto:vlasich@securecomputing.com]
> Sent: Tuesday, February 20, 2001 11:19 AM
> To: imc-cml@imc.org
> Subject: CRL distribution points
>
>
> I've been trying to get CML version 1.7.1 to respond to a CRL
> Distribution Point Extension (CRLDP), but have not been successful.
>
> Here is what I'm trying to do.
>
> My config.com file has LDAP turned on and pointing to a particular
> LDAP directory, let's say its IP address is 255.255.255.1
>
> I then try to verify a certificate that has a CRLDP pointing at a
> different LDAP directory, let's say its IP is 255.255.255.2 Here is
> what the extension looks like when decoded with dumpasn1.
>
>              SEQUENCE {
>  397  06    3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
>  402  04   42:   OCTET STRING, encapsulates {
>  404  30   40:     SEQUENCE {
>  406  30   38:       SEQUENCE {
>  408  A0   36:         [0] {
>  410  A0   34:           [0] {
>  412  86   32:             [6] 'ldap://255.255.255.2/o=SCC,c=US'
>              :             }
>              :           }
>              :         }
>              :       }
>              :     }
>              :   }
>
>
> However, CML never attempts to retrieve a CRL from the ldap server in
> the CRLDP, it only looks at the LDAP server that is in my config.com.
> I verified this by watching the network traffic with tcpdump.
>
> Both LDAP directories are on port 389.
>
> Do you have any suggestions on how I might get CML to look at the LDAP
> server in the CRLDP?
>
> Thank you.
>
> Kevin Vlasich
>

From owner-imc-cml Tue Feb 20 11:49:48 2001 Received: by above.proper.com (8.9.3/8.9.3) id LAA29181 for imc-cml-bks; Tue, 20 Feb 2001 11:49:48 -0800 (PST) Received: from mail.motus.qc.ca (mail.motus.qc.ca [207.236.155.221]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA29177 for ; Tue, 20 Feb 2001 11:49:43 -0800 (PST) From: eboudreault@motus.com Subject: Key usage flags To: imc-cml@imc.org X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000 Message-ID: Date: Tue, 20 Feb 2001 14:49:57 -0500 X-MIMETrack: Serialize by Router on motus1/Motus Technologies Inc.(Release 5.0.5 |September 22, 2000) at 2001-02-20 14:50:33 MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id LAA29178 Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hello,

I want to know why these flags have these values:

/* Key Usage Flags */
#define CM_DIGITAL_SIGNATURE    0x0001
#define CM_NON_REPUDIATION      0x0002
#define CM_KEY_ENCIPHERMENT     0x0004
#define CM_DATA_ENCIPHERMENT    0x0008
#define CM_KEY_AGREEMENT        0x0010
#define CM_KEY_CERT_SIGN        0x0020
#define CM_CRL_SIGN             0x0040
#define CM_ENCIPHER_ONLY        0x0080
#define CM_DECIPHER_ONLY        0x0100

and not these ones:

/* Key Usage Flags */
#define CM_DIGITAL_SIGNATURE    0x8000
#define CM_NON_REPUDIATION      0x4000
#define CM_KEY_ENCIPHERMENT     0x2000
#define CM_DATA_ENCIPHERMENT    0x1000
#define CM_KEY_AGREEMENT        0x0800
#define CM_KEY_CERT_SIGN        0x0400
#define CM_CRL_SIGN             0x0200
#define CM_ENCIPHER_ONLY        0x0100
#define CM_DECIPHER_ONLY        0x0080

Thanks.
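Added example, not code from any message on this list: it exercises the two DER encodings discussed in these threads, parsing the PrivateKeyUsagePeriod extension hex posted in the CM_DecodeCert thread (reporting the errant GeneralizedTime tag/length inside the IMPLICIT [0]/[1] tags and re-encoding it correctly) and decoding a KeyUsage BIT STRING into the CM_* flag values quoted from cmapi.h. The TLV helpers and the KeyUsage sample bytes are constructed here; only the extension hex and the flag values come from the messages.

```python
# Added example, not code from any message in this thread. It exercises two
# encodings discussed on this list: the PrivateKeyUsagePeriod extension hex
# from the CM_DecodeCert thread (whose [0]/[1] elements wrongly carry an inner
# GeneralizedTime tag/length, 18 0F) and the KeyUsage BIT STRING to CM_* flag
# mapping from cmapi.h. TLV helpers and key-usage samples are constructed here.

ID_CE_PRIVATE_KEY_USAGE_PERIOD = bytes.fromhex("551D10")  # OID 2.5.29.16
GENERALIZED_TIME_TAG = 0x18

# Extension bytes exactly as posted in the thread (an Extension SEQUENCE).
ERIC_PKUP_EXT = bytes.fromhex(
    "30 2F 06 03 55 1D 10 04 28 30 26 80 11 18 0F 32 30 30 31 30"
    "32 31 33 31 38 32 31 30 39 5A 81 11 18 0F 32 30 30 32 30 32"
    "31 33 31 38 32 31 30 39 5A"
)

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Definite short- and long-form lengths only (DER forbids indefinite)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def encode_tlv(tag, value):
    """DER TLV with a short-form length (every value here is < 128 octets)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def check_private_key_usage_period(ext_der):
    """Parse an Extension holding a PrivateKeyUsagePeriod; return (times, errors).
    The extension module uses IMPLICIT tagging, so [0]/[1] replace the
    GeneralizedTime tag: an inner 18 <len> header is an error (the bug in the
    thread). The time text is recovered anyway to show what was meant."""
    tag, ext, _ = read_tlv(ext_der)
    fields = list(iter_tlvs(ext)) if tag == 0x30 else []
    if not fields or fields[0] != (0x06, ID_CE_PRIVATE_KEY_USAGE_PERIOD):
        raise ValueError("not an Extension with extnID privateKeyUsagePeriod")
    # extnValue is the last field (an optional critical BOOLEAN may precede it)
    tag, inner, _ = read_tlv(fields[-1][1])
    if fields[-1][0] != 0x04 or tag != 0x30:
        raise ValueError("extnValue must be an OCTET STRING holding a SEQUENCE")
    names = {0x80: "notBefore", 0x81: "notAfter"}
    times, errors = {}, []
    for tag, value in iter_tlvs(inner):
        name = names.get(tag, "tag 0x%02X" % tag)
        if (len(value) >= 2 and value[0] == GENERALIZED_TIME_TAG
                and value[1] == len(value) - 2):
            errors.append("%s: explicit GeneralizedTime header 18 %02X inside "
                          "IMPLICIT context tag" % (name, value[1]))
            value = value[2:]  # drop the errant tag and length octets
        text = value.decode("ascii", "replace")
        if len(text) != 15 or not text[:-1].isdigit() or text[-1] != "Z":
            errors.append("%s: not of the form YYYYMMDDHHMMSSZ" % name)
        times[name] = text
    return times, errors

def fix_private_key_usage_period(ext_der):
    """Re-encode with the errant inner headers removed. Rebuilding the TLVs
    recomputes every enclosing length (each shrinks by 2 for the posted hex)."""
    times, _ = check_private_key_usage_period(ext_der)
    body = b"".join(encode_tlv(tag, times[name].encode("ascii"))
                    for tag, name in ((0x80, "notBefore"), (0x81, "notAfter"))
                    if name in times)
    ext_value = encode_tlv(0x04, encode_tlv(0x30, body))
    return encode_tlv(0x30, encode_tlv(0x06, ID_CE_PRIVATE_KEY_USAGE_PERIOD) + ext_value)

# Key usage flag values as quoted from cmapi.h in the thread: the flag for
# ASN.1 named bit i is 1 << i, so a bit added to the named bit list later gets
# a new value without disturbing the existing ones.
CM_KEY_USAGE_FLAGS = [(name, 1 << i) for i, name in enumerate((
    "CM_DIGITAL_SIGNATURE", "CM_NON_REPUDIATION", "CM_KEY_ENCIPHERMENT",
    "CM_DATA_ENCIPHERMENT", "CM_KEY_AGREEMENT", "CM_KEY_CERT_SIGN",
    "CM_CRL_SIGN", "CM_ENCIPHER_ONLY", "CM_DECIPHER_ONLY"))]

def key_usage_to_cm_flags(bit_string_der):
    """Decode a DER KeyUsage BIT STRING (03 len unused-bits data...) to CM_* flags.
    Named bit 0 is the most significant bit of the first data octet, which is
    why the named-bit position and the CM_* value are unrelated byte-wise."""
    tag, content, _ = read_tlv(bit_string_der)
    if tag != 0x03 or not content:
        raise ValueError("not a BIT STRING")
    unused, data = content[0], content[1:]
    nbits = len(data) * 8 - unused
    flags = 0
    for i in range(min(nbits, len(CM_KEY_USAGE_FLAGS))):
        if data[i // 8] & (0x80 >> (i % 8)):
            flags |= CM_KEY_USAGE_FLAGS[i][1]
    return flags
```

Constructed sample for the KeyUsage decoder: digitalSignature + keyEncipherment is the BIT STRING 03 02 05 A0 and decodes to 0x0005; keyAgreement + decipherOnly is 03 03 07 08 80 and decodes to 0x0110.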
**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Tue Feb 20 12:54:43 2001 Received: by above.proper.com (8.9.3/8.9.3) id MAA00852 for imc-cml-bks; Tue, 20 Feb 2001 12:54:43 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA00848 for ; Tue, 20 Feb 2001 12:54:41 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Tue, 20 Feb 2001 15:58:00 -0500 Message-ID: <0B95FB5619B3D411817E006008A592592C2D33@wfhqex06.gfgsi.com> From: "Nicholas, Richard" To: "'eboudreault@motus.com'" , imc-cml@imc.org Subject: RE: Key usage flags Date: Tue, 20 Feb 2001 15:57:57 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id MAA00849 Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Eric,

While the key usage bits could have been defined in several different ways, the thought four years ago was that the existing defined values would not have to change as new bits were added to the ASN.1 named bit list. (I know that reason isn't very compelling, but that's it.)

- Rich

---------------------------
Richard E.
Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

> -----Original Message-----
> From: eboudreault@motus.com [mailto:eboudreault@motus.com]
> Sent: Tuesday, February 20, 2001 2:50 PM
> To: imc-cml@imc.org
> Subject: Key usage flags
>
>
> Hello,
>
> I want to know why these flags have these values:
>
> /* Key Usage Flags */
> #define CM_DIGITAL_SIGNATURE    0x0001
> #define CM_NON_REPUDIATION      0x0002
> #define CM_KEY_ENCIPHERMENT     0x0004
> #define CM_DATA_ENCIPHERMENT    0x0008
> #define CM_KEY_AGREEMENT        0x0010
> #define CM_KEY_CERT_SIGN        0x0020
> #define CM_CRL_SIGN             0x0040
> #define CM_ENCIPHER_ONLY        0x0080
> #define CM_DECIPHER_ONLY        0x0100
>
> and not these ones:
>
> /* Key Usage Flags */
> #define CM_DIGITAL_SIGNATURE    0x8000
> #define CM_NON_REPUDIATION      0x4000
> #define CM_KEY_ENCIPHERMENT     0x2000
> #define CM_DATA_ENCIPHERMENT    0x1000
> #define CM_KEY_AGREEMENT        0x0800
> #define CM_KEY_CERT_SIGN        0x0400
> #define CM_CRL_SIGN             0x0200
> #define CM_ENCIPHER_ONLY        0x0100
> #define CM_DECIPHER_ONLY        0x0080
>
>
> Thanks.
>
>
> **************************************************************
> ********************************
>
> Eric Boudreault
> ------------------------------------------------
> Programmer
> ------------------------------------------------
> Motus Technologies
> 390, St-Vallier Est
> Bureau 100
> Québec, Qc
> G1K 3P6
> Tel.: 521-2100 ext.#242
> Fax.: 521-2101
> e-mail: eboudreault@motus.com
> **************************************************************
> ********************************
>

From owner-imc-cml Wed Feb 21 13:00:48 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA24444 for imc-cml-bks; Wed, 21 Feb 2001 13:00:48 -0800 (PST) Received: from mail.motus.qc.ca (mail.motus.qc.ca [207.236.155.221]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA24438 for ; Wed, 21 Feb 2001 13:00:47 -0800 (PST) From: eboudreault@motus.com Subject: Decoding a CRL To: imc-cml@imc.org X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000 Message-ID: Date: Wed, 21 Feb 2001 16:01:01 -0500 X-MIMETrack: Serialize by Router on motus1/Motus Technologies Inc.(Release 5.0.5 |September 22, 2000) at 2001-02-21 16:01:34 MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA24441 Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hi,

I want to know if there exists a function that decodes a CRL with the C++ SNACC library, without using all the existing DLLs. If not, what alternative can I use to reach my goal???

Thanks.
**********************************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
**********************************************************************************************

From owner-imc-cml Thu Feb 22 09:37:21 2001 Received: by above.proper.com (8.9.3/8.9.3) id JAA24098 for imc-cml-bks; Thu, 22 Feb 2001 09:37:21 -0800 (PST) Received: from wfhqex05.gfgsi.com (netva01.wangfed.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA24094 for ; Thu, 22 Feb 2001 09:37:17 -0800 (PST) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id ; Thu, 22 Feb 2001 12:40:31 -0500 Message-ID: From: "Leonberger, Pierce" To: "'eboudreault@motus.com'" , imc-cml@imc.org Subject: RE: Decoding a CRL Date: Thu, 22 Feb 2001 12:40:30 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA24095 Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Yes and No. If you don't want to use LIBCERT to decode a CRL you need to compile ./asn1specs/authenticationframework.asn1 (in SNACC distribution) with the snacc compiler to produce the necessary code. Once the code has been generated you can do the following:

--
CSM_Buffer encodedBuf("myCRL.crl");
CertificateList snaccCRL;
if (decodeBuf(snaccCRL, encodedBuf))
    cout << "Decode SUCCESS\n";
else
    cout << "Decode FAILURE\n";
--

If you need more information let me know.
-Pierce

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Wednesday, February 21, 2001 4:01 PM
To: imc-cml@imc.org
Subject: Decoding a CRL


Hi,

I want to know if there exists a function that decodes a CRL with the C++ SNACC library, without using all the existing DLLs. If not, what alternative can I use to reach my goal???

Thanks.

****************************************************************************
******************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext.#242
Fax.: 521-2101
e-mail: eboudreault@motus.com
****************************************************************************
******************

From owner-imc-cml Fri Feb 23 08:06:08 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id IAA25696 for imc-cml-bks; Fri, 23 Feb 2001 08:06:08 -0800 (PST) Received: from rospo1.bbn.com (rospo1.bbn.com [192.233.49.145]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA25690 for ; Fri, 23 Feb 2001 08:06:05 -0800 (PST) Received: from bbn.com (coldhcp3-53.bbn.com [207.123.171.53]) by rospo1.bbn.com (8.9.1a/8.9.1) with ESMTP id KAA08296; Fri, 23 Feb 2001 10:54:49 -0500 (EST) Message-ID: <3A96896E.1A3CA4A2@bbn.com> Date: Fri, 23 Feb 2001 11:01:50 -0500 From: Robert Masters X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Nicholas, Richard" CC: imc-cml@imc.org, Charles Lynn Subject: Re: CM_RetrieveKey References: <0B95FB5619B3D411817E006008A592592C2D27@wfhqex06.gfgsi.com> Content-Type: multipart/alternative; boundary="------------CCAEAC910AB4F8ADB67BD9FE" Sender: owner-imc-cml@mail.imc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: --------------CCAEAC910AB4F8ADB67BD9FE Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

Rich,

I downloaded and built CML v1.9.
For some reason, it is now trying to free the memory I allocate in fetchDBObjects (by calling CMU_FreeObjList). I thought it was supposed to call my freeDBObjects to free this memory. Is this a bug?

Thanks.
Bob

"Nicholas, Richard" wrote:

> Bob, My answers are inline below.
>
> -----Original Message-----
> From: Robert Masters [mailto:rmasters@bbn.com]
> Sent: Thursday, February 08, 2001 8:50 AM
> To: Nicholas, Richard
> Cc: imc-cml@imc.org
> Subject: Re: CM_RetrieveKey
>
> Rich,
> Thanks for the help and the information. I tried calling CM_SetPolicy() as you suggested, with the initialPolicy field set to NULL (I failed to mention previously that I was already calling CM_SetPolicy() with a non-null initialPolicy). Setting initialPolicy to NULL seemed to work. CM_RetrieveKey returned 0. However, I noticed that fetchDBObjects was only called with a request for CRLs for the CA certificate. It was not called with a request for the same user certificate that I passed in to be validated (and when I turned off CRL checking, it wasn't called at all). So, here are some more questions for you:
>
> 1) Why does the CM library ask for the user certificate when initialPolicy is non-null and not ask for it when initialPolicy is null?
>
> [RN]: I don't have an answer for your specific question, since the Cert Path Development Library (CPDL) decides when it needs to request certificates or not to complete a path. In general, the CPDL uses several variables (subject and issuer DNs, signature algorithm, cert policies, key usage, validity dates, etc.) when building a path. When multiple certs exist, the CPDL uses a heuristic algorithm to choose the best cert to complete the path.
>
> 2) What does the initialPolicy have to do with building the path?
>
> [RN]: The initialPolicy tells the CPDL what cert policies are acceptable to the user. Given a choice of two certs to complete a path, one that complies with a user-acceptable policy and one that doesn't, the CPDL will choose the one that complies.
>
> 3) Is there any way I can get a path built with a non-null initialPolicy? One of my requirements is to do policy processing, and I need to set the initial policy. If I bypass the CPDL by building my own path and providing it to CM_RetrieveKey as a CertificationPath, would CM_RetrieveKey be able to validate it when initialPolicy is non-null?
>
> [RN]: My previous email was a little vague on the specific problem. The bug is with the initial policy values (require-explicit-policy and inhibit-policy-mapping). The CML header file (cmapi.h) and the API specify that those values should be set to either CM_NOT_SET or CM_SET. However, the v1.8.1 code expects those values to be either FALSE or TRUE (or zero and a value other than zero). When CM_NOT_SET (-1) is used, the code interprets that value as TRUE rather than FALSE, which can cause paths to fail to build.
>
> [RN]: Unfortunately, just using CM_SetPolicy() and setting the initial policy values to either TRUE or FALSE, rather than CM_SET and CM_NOT_SET, is not a complete fix. Paths should now build (assuming everything else is correct), but that fix may cause path validation errors to occur. The complete fix has been made in v1.9, which is to be released tomorrow.
>
> [RN]: If a complete path is passed in, then CM_RetrieveKey() will verify it when an initialPolicy set is specified (non-NULL). Note, however, that CM_RetrieveKey() will call the CPDL to complete the path unless one of the certs in the path is either trusted or has been previously validated by CM_RetrieveKey().
>
> 4) Do I need CML 1.9?
>
> [RN]: Not necessarily, but I'd recommend upgrading to v1.9 once it's available late tomorrow or Monday. Once v1.9 is released, I'll have time to put out a patch to v1.8.1 that fixes this bug, if there is interest.
>
> - Rich
>
> Thanks,
> Bob
>
> "Nicholas, Richard" wrote:
>
> > Bob, The answers to your specific questions are inline below. First some general info: The CML uses the Cert Path Development Library (CPDL) from CygnaCom Solutions to build certification paths. Like the CML, the CPDL (aka. CPL) is also owned by the U.S. Government and is in the public domain. The CPDL is a generic path building library with its own API and was not written specifically for the CML. This has caused some minor integration issues for the CML when calling the CPDL functions. Note that these are not problems with the CPDL itself. Because of those issues and some inefficiencies caused by duplication of functionality between the two libraries, the CML development team has planned to remove the CPDL dependency from the CML architecture at the earliest possible date. Unfortunately, other CML development requirements have been given higher priorities and the CPDL is still present in v1.9. However, the removal of the CPDL is likely to be the first requirement implemented after the v1.9 release.
> >
> > - Rich
> > ---------------------------
> > Richard E. Nicholas
> > Principal Secure Systems Engineer
> > Getronics Government Solutions, LLC
> > Richard.Nicholas@GetronicsGov.com
> > (301) 939-2722
> >
> > -----Original Message-----
> > From: Robert Masters [mailto:rmasters@bbn.com]
> > Sent: Wednesday, February 07, 2001 9:35 AM
> > To: imc-cml@imc.org
> > Subject: CM_RetrieveKey
> >
> > Hi,
> >
> > I initialize the CM library (version 1.81) like so:
> >
> >   cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
> >   if(cml_return_code != CM_NO_ERROR)
> >   {
> >     fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
> >     return false;
> >   }
> >
> > where initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.
> >
> > When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt. I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE. So I pass in the user certificate again.
> >
> > Two questions:
> >
> > (1) Why is my fetchDBObjects function being called with the DN of the certificate I just passed in to be validated? I would think it would be called with the Issuer's DN.
> >
> > (2) Why is my fetchDBObjects function being called at all to request certificates? The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path. I would think fetchDBObjects would only be called requesting CRLs.
> >
> > [RN]: Essentially, the CPDL treats the application-supplied cert (or cert path) as a hint. The CPDL was designed to build paths to a given DN, not a cert. So the first thing the CPDL does is request the certs for the subject's DN, even though the CML always passes the subject's cert to the CPDL.
> >
> > [RN]: You are correct that once the path is built the CML will call your callback function to request the CRL issued by the root.
> >
> > What am I doing wrong?
> >
> > Bob Masters
> >
> > [RN]: As far as I can tell, nothing. One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey(). In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE). Then call CM_RetrieveKey(). Hopefully, the path will now be found.
> >
> > [RN]: There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL. This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).
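The initial-policy flag mix-up Rich describes in the quoted reply above (cmapi.h documents CM_NOT_SET and CM_SET, but v1.8.1 tested the short as a C boolean, so CM_NOT_SET, which is -1, read as TRUE), as an added C illustration that is not CML code. The numeric value of CM_SET, the struct field names, the PolConsShorts/PolicyBools types and the toy path-acceptance rule are all assumptions made for the example; only CM_NOT_SET (-1) and the fact that v1.9 moved to boolean fields come from the thread.

```c
#include <stdbool.h>

/* Values as described in the thread: cmapi.h documents the initial policy
 * flags as CM_NOT_SET (-1) or CM_SET.  CM_SET's numeric value is not given
 * on the page; 1 is an assumption. */
#define CM_NOT_SET (-1)
#define CM_SET       1

/* Stand-in for the short-valued Pol_cons_struct that v1.8.1 re-used for the
 * initial policy values.  The field names are assumptions. */
typedef struct {
    short requireExplicitPolicy;
    short inhibitPolicyMapping;
} PolConsShorts;

/* How v1.8.1 read the flag: any non-zero short counts as TRUE, so the
 * documented "not set" value -1 is silently promoted to "set". */
static bool flag_is_set_v181(short v)
{
    return v != 0;
}

/* Corrected reading: only the documented "set" value means true;
 * CM_NOT_SET and zero both map to false. */
static bool flag_is_set_fixed(short v)
{
    return v == CM_SET;
}

/* Reject anything outside the documented domain before converting, so a
 * caller that passes a stray value gets an error instead of a guess. */
static int policy_value_is_valid(short v)
{
    return (v == CM_SET || v == CM_NOT_SET) ? 1 : 0;
}

/* v1.9-style boolean fields: the tri-state short can no longer leak in. */
typedef struct {
    bool requireExplicitPolicy;
    bool inhibitPolicyMapping;
} PolicyBools;

/* Convert the documented short form into the boolean form.
 * Returns 0 on success, -1 if either value is outside the documented domain. */
static int policy_shorts_to_bools(const PolConsShorts *in, PolicyBools *out)
{
    if (!policy_value_is_valid(in->requireExplicitPolicy) ||
        !policy_value_is_valid(in->inhibitPolicyMapping))
        return -1;
    out->requireExplicitPolicy = flag_is_set_fixed(in->requireExplicitPolicy);
    out->inhibitPolicyMapping  = flag_is_set_fixed(in->inhibitPolicyMapping);
    return 0;
}

/* Convenience wrapper: -1 on invalid input, otherwise bit 1 = require
 * explicit policy, bit 0 = inhibit policy mapping. */
static int convert_demo(short require_explicit, short inhibit_mapping)
{
    PolConsShorts in = { require_explicit, inhibit_mapping };
    PolicyBools out;
    if (policy_shorts_to_bools(&in, &out) != 0)
        return -1;
    return (out.requireExplicitPolicy ? 2 : 0) | (out.inhibitPolicyMapping ? 1 : 0);
}

/* Toy path-acceptance rule (an assumption, not the CPDL's algorithm): when
 * require-explicit-policy is in force, a candidate cert that asserts no
 * certificate policies cannot be used.  That is the "paths fail to build"
 * symptom the thread describes. */
static bool candidate_acceptable(bool require_explicit, int cert_policy_count)
{
    return !require_explicit || cert_policy_count > 0;
}

/* Outcome for an application that followed cmapi.h and set CM_NOT_SET,
 * evaluated under each interpretation against a cert with no policies.
 * Returns true when path building would accept the cert. */
static bool not_set_accepted_v181(void)
{
    return candidate_acceptable(flag_is_set_v181(CM_NOT_SET), 0);
}

static bool not_set_accepted_fixed(void)
{
    return candidate_acceptable(flag_is_set_fixed(CM_NOT_SET), 0);
}
```

The domain check in policy_shorts_to_bools is the part worth keeping in any code that maps a documented tri-state onto a boolean: an explicit comparison against the "set" value, plus a rejection of anything else, removes the class of bug where a sentinel such as -1 is truthy by accident.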
From owner-imc-cml Tue Feb 27 05:23:10 2001
From: eboudreault@motus.com
Subject: Compiling ./asn1specs/authenticationframework.asn1
To: imc-cml@imc.org
Date: Tue, 27 Feb 2001 08:23:18 -0500

Hi,

I want to know why, when I compile ./asn1specs/authenticationframework.asn (and the other needed files), it produces things like this:

  class DirectoryString: public AsnType
  {
  public:
    enum ChoiceIdEnum
    {
      teletexStringCid = 0,
      printableStringCid = 1,
      universalStringCid = 2,
      bmpStringCid = 3,
      uTF8StringCid = 4
    };
    enum ChoiceIdEnum choiceId;
    union
    {
      (null) teletexString;    <----------------------------------- ????????
      (null) printableString;  <----------------------------------- ????????
      (null) universalString;  <----------------------------------- ????????
      (null) bmpString;        <----------------------------------- ????????
      *uTF8String;
    };

    DirectoryString();
    DirectoryString (const DirectoryString &);
    ~DirectoryString();
    AsnType *Clone() const;
    DirectoryString &operator = (const DirectoryString &);
    AsnLen BEncContent (BUF_TYPE b);
    void BDecContent (BUF_TYPE b, AsnTag tag, AsnLen elmtLen, AsnLen &bytesDecoded, ENV_TYPE env);
    AsnLen BEnc (BUF_TYPE b);
    void BDec (BUF_TYPE b, AsnLen &bytesDecoded, ENV_TYPE env);
    int BEncPdu (BUF_TYPE b, AsnLen &bytesEncoded);
    int BDecPdu (BUF_TYPE b, AsnLen &bytesDecoded);
    void Print (ostream &os) const;
  };

Thanks.

****************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est, Bureau 100
Québec, Qc G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
E-mail: eboudreault@motus.com
****************************************************************************

From owner-imc-cml Tue Feb 27 11:11:11 2001
From: "Colestock, Robert"
To: "'eboudreault@motus.com'"
Cc: "'imc-cml@imc.org'"
Subject: RE: Compiling ./asn1specs/authenticationframework.asn1
Date: Tue, 27 Feb 2001 14:14:25 -0500

eboudreault:

You have disabled the default processing for the built-in classes (we just added this logic on the last SNACC release). The flag for the compiler is "VDADER_RULES" to enable processing of these new built-in types. I assume you have modified the project settings? My SNACC compiler version on MS Windows does not produce the results below for any of my ASN definitions.

Bob.

-----Original Message-----
From: eboudreault@motus.com [mailto:eboudreault@motus.com]
Sent: Tuesday, February 27, 2001 8:23 AM
To: imc-cml@imc.org
Subject: Compiling ./asn1specs/authenticationframework.asn1

Hi,

I want to know why, when I compile ./asn1specs/authenticationframework.asn (and the other needed files), it produces things like this:

  class DirectoryString: public AsnType
  {
  public:
    enum ChoiceIdEnum
    {
      teletexStringCid = 0,
      printableStringCid = 1,
      universalStringCid = 2,
      bmpStringCid = 3,
      uTF8StringCid = 4
    };
    enum ChoiceIdEnum choiceId;
    union
    {
      (null) teletexString;    <----------------------------------- ????????
      (null) printableString;  <----------------------------------- ????????
      (null) universalString;  <----------------------------------- ????????
      (null) bmpString;        <----------------------------------- ????????
      *uTF8String;
    };

    DirectoryString();
    DirectoryString (const DirectoryString &);
    ~DirectoryString();
    AsnType *Clone() const;
    DirectoryString &operator = (const DirectoryString &);
    AsnLen BEncContent (BUF_TYPE b);
    void BDecContent (BUF_TYPE b, AsnTag tag, AsnLen elmtLen, AsnLen &bytesDecoded, ENV_TYPE env);
    AsnLen BEnc (BUF_TYPE b);
    void BDec (BUF_TYPE b, AsnLen &bytesDecoded, ENV_TYPE env);
    int BEncPdu (BUF_TYPE b, AsnLen &bytesEncoded);
    int BDecPdu (BUF_TYPE b, AsnLen &bytesDecoded);
    void Print (ostream &os) const;
  };

Thanks.
****************************************************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est, Bureau 100
Québec, Qc G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
E-mail: eboudreault@motus.com
****************************************************************************

From owner-imc-cml Wed Feb 28 05:54:13 2001
From: "Nicholas, Richard"
To: "'Robert Masters'"
Cc: imc-cml@imc.org, Charles Lynn
Subject: RE: CM_RetrieveKey
Date: Wed, 28 Feb 2001 08:57:22 -0500
Message-ID: <0B95FB5619B3D411817E006008A592592C2D3B@wfhqex06.gfgsi.com>

Bob,

Yes, it is a bug. The calls to CMU_FreeObjList() should have been calls to the free object callback function provided by the application (in your case freeDBObjects). This bug, along with a couple of others reported to us, will be fixed in v1.9.1 (essentially a patch to 1.9).

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Friday, February 23, 2001 11:02 AM
To: Nicholas, Richard
Cc: imc-cml@imc.org; Charles Lynn
Subject: Re: CM_RetrieveKey

Rich,

I downloaded and built CML v1.9. For some reason, it is now trying to free the memory I allocate in fetchDBObjects (by calling CMU_FreeObjList). I thought it was supposed to call my freeDBObjects to free this memory. Is this a bug?

Thanks.
Bob

"Nicholas, Richard" wrote:

Bob, My answers are inline below.

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Thursday, February 08, 2001 8:50 AM
To: Nicholas, Richard
Cc: imc-cml@imc.org
Subject: Re: CM_RetrieveKey

Rich,
Thanks for the help and the information. I tried calling CM_SetPolicy() as you suggested, with the initialPolicy field set to NULL (I failed to mention previously that I was already calling CM_SetPolicy() with a non-null initialPolicy). Setting initialPolicy to NULL seemed to work. CM_RetrieveKey returned 0. However, I noticed that fetchDBObjects was only called with a request for CRLs for the CA certificate. It was not called with a request for the same user certificate that I passed in to be validated (and when I turned off CRL checking, it wasn't called at all). So, here are some more questions for you:

1) Why does the CM library ask for the user certificate when initialPolicy is non-null and not ask for it when initialPolicy is null?

[RN]: I don't have an answer for your specific question, since the Cert Path Development Library (CPDL) decides when it needs to request certificates or not to complete a path. In general, the CPDL uses several variables (subject and issuer DNs, signature algorithm, cert policies, key usage, validity dates, etc.) when building a path. When multiple certs exist, the CPDL uses a heuristic algorithm to choose the best cert to complete the path.

2) What does the initialPolicy have to do with building the path?

[RN]: The initialPolicy tells the CPDL what cert policies are acceptable to the user. Given a choice of two certs to complete a path, one that complies with a user-acceptable policy and one that doesn't, the CPDL will choose the one that complies.

3) Is there any way I can get a path built with a non-null initialPolicy? One of my requirements is to do policy processing, and I need to set the initial policy. If I bypass the CPDL by building my own path and providing it to CM_RetrieveKey as a CertificationPath, would CM_RetrieveKey be able to validate it when initialPolicy is non-null?

[RN]: My previous email was a little vague on the specific problem. The bug is with the initial policy values (require-explicit-policy and inhibit-policy-mapping). The CML header file (cmapi.h) and the API specify that those values should be set to either CM_NOT_SET or CM_SET. However, the v1.8.1 code expects those values to be either FALSE or TRUE (or zero and a value other than zero). When CM_NOT_SET (-1) is used, the code interprets that value as TRUE rather than FALSE, which can cause paths to fail to build.

[RN]: Unfortunately, just using CM_SetPolicy() and setting the initial policy values to either TRUE or FALSE, rather than CM_SET and CM_NOT_SET, is not a complete fix. Paths should now build (assuming everything else is correct), but that fix may cause path validation errors to occur. The complete fix has been made in v1.9, which is to be released tomorrow.

[RN]: If a complete path is passed in, then CM_RetrieveKey() will verify it when an initialPolicy set is specified (non-NULL). Note, however, that CM_RetrieveKey() will call the CPDL to complete the path unless one of the certs in the path is either trusted or has been previously validated by CM_RetrieveKey().

4) Do I need CML 1.9?

[RN]: Not necessarily, but I'd recommend upgrading to v1.9 once it's available late tomorrow or Monday. Once v1.9 is released, I'll have time to put out a patch to v1.8.1 that fixes this bug, if there is interest.

- Rich

Thanks,
Bob

"Nicholas, Richard" wrote:

Bob, The answers to your specific questions are inline below. First some general info: The CML uses the Cert Path Development Library (CPDL) from CygnaCom Solutions to build certification paths. Like the CML, the CPDL (aka. CPL) is also owned by the U.S. Government and is in the public domain. The CPDL is a generic path building library with its own API and was not written specifically for the CML. This has caused some minor integration issues for the CML when calling the CPDL functions. Note that these are not problems with the CPDL itself. Because of those issues and some inefficiencies caused by duplication of functionality between the two libraries, the CML development team has planned to remove the CPDL dependency from the CML architecture at the earliest possible date. Unfortunately, other CML development requirements have been given higher priorities and the CPDL is still present in v1.9. However, the removal of the CPDL is likely to be the first requirement implemented after the v1.9 release.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Wednesday, February 07, 2001 9:35 AM
To: imc-cml@imc.org
Subject: CM_RetrieveKey

Hi,

I initialize the CM library (version 1.81) like so:

  cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
  if(cml_return_code != CM_NO_ERROR)
  {
    fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
    return false;
  }

where initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.

When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt. I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE. So I pass in the user certificate again.

Two questions:

(1) Why is my fetchDBObjects function being called with the DN of the certificate I just passed in to be validated? I would think it would be called with the Issuer's DN.

(2) Why is my fetchDBObjects function being called at all to request certificates? The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path. I would think fetchDBObjects would only be called requesting CRLs.

[RN]: Essentially, the CPDL treats the application-supplied cert (or cert path) as a hint. The CPDL was designed to build paths to a given DN, not a cert. So the first thing the CPDL does is request the certs for the subject's DN, even though the CML always passes the subject's cert to the CPDL.

[RN]: You are correct that once the path is built the CML will call your callback function to request the CRL issued by the root.

What am I doing wrong?

Bob Masters

[RN]: As far as I can tell, nothing. One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey(). In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE). Then call CM_RetrieveKey(). Hopefully, the path will now be found.

[RN]: There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL. This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).
Bob,
 
Yes it is a bug.  The calls to CMU_FreeObjList() should have been calls to the free object callback function provided by the application (in your case freeDBObjects).  This bug, along with a couple of others reported to us, will be fixed in v1.9.1 (essentially a patch to 1.9).
 
- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Friday, February 23, 2001 11:02 AM
To: Nicholas, Richard
Cc: imc-cml@imc.org; Charles Lynn
Subject: Re: CM_RetrieveKey

Rich,
I downloaded and built CML v1.9.  For some reason, it is now trying to free the memory I allocate in fetchDBObjects (by calling CMU_FreeObjList).  I thought it was supposed to call my freeDBObjects to free this memory.  Is this a bug?

Thanks.
Bob

"Nicholas, Richard" wrote:

 Bob,My answers are inline below.
-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Thursday, February 08, 2001 8:50 AM
To: Nicholas, Richard
Cc: imc-cml@imc.org
Subject: Re: CM_RetrieveKey
 
Rich,
Thanks for the help and the information.  I tried calling CM_SetPolicy() as you suggested, with the initialPolicy field set to NULL (I failed to mention previously that I was already calling CM_SetPolicy() with a non-null initialPolicy).   Setting initialPolcy to NULL seemed to work.  CM_RetrieveKey returned 0.  However, I noticed that fetchDBObjects was only called with a request for CRLs for the CA certificate.  It was not called with a request for the same user certificate that I passed in to be validated (and when I turned off CRL checking, it wasn't called at all).  So, here's some more questions for you:

1) Why does the CM library ask for the user certificate when initialPolicy is non-null and not ask for it when initialPolicy is null?

[RN]:  I don't have an answer for your specific question, since the Cert Path Development Library (CPDL) decides when it needs to request certificates or not to complete a path.  In general, the CPDL uses several variables (subject and issuer DNs, signature algorithm, cert policies, key usage, validity dates, etc.) when building a path.  When multiple certs exist, the CPDL uses a heuristic algorithm to choose the best cert to complete the path. 
2) What does the initialPolicy have to do with building the path?
[RN]:  The initialPolicy tells the CPDL what cert policies are acceptable to the user.  Given a choice of two certs to complete a path, one that complies with a user-acceptable policy and one that doesn't, the CPDL will choose the one that complies.
3) Is there any way I can get a path built with a non-null initialPolicy?  One of my requirements is to do policy processing, and I need to set the initial policy.   If I bypass the CPDL by building my own path and providing it to CM_RetrieveKey as a CertificationPath, would CM_RetrieveKey be able to validate it when initialPolicy is non-null?
[RN]:  My previous email was a little vague on the specific problem.  The bug is with the initial policy values (require-explicit-policy and inhibit-policy-mapping).  The CML header file (cmapi.h) and the API specify that those values should be set to either CM_NOT_SET or CM_SET.  However, the v1.8.1 code expects those values to be either FALSE or TRUE (or zero and a value other than zero).  When CM_NOT_SET (-1) is used, the code interprets that value as TRUE rather than FALSE, which can cause paths to fail to build.

[RN]:  Unfortunately, just using CM_SetPolicy() and setting the initial policy values to either TRUE or FALSE, rather than CM_SET and CM_NOT_SET is not a complete fix.  Paths should now build (assuming everything else is correct), but that fix may cause path validation errors to occur.  The complete fix has been made in v1.9 which is to be released tomorrow.

[RN]:  If a complete path is passed in, then CM_RetrieveKey() will verify it when an initialPolicy set is specified (non-NULL). Note, however, that CM_RetrieveKey() will call the CPDL to complete the path unless one of the certs in the path is either trusted or has been previously validated by CM_RetrieveKey().

4) Do I need CML 1.9? 
[RN]:  Not necessarily, but I'd recommend upgrading to v1.9 once it's available late tomorrow or Monday.  Once v1.9 is released, I'll have time to put out a patch to v1.8.1 that fixes this bug, if there is interest.

- Rich

Thanks,
Bob
 

"Nicholas, Richard" wrote:

Bob,

The answers to your specific questions are inline below. First some general info:

The CML uses the Cert Path Development Library (CPDL) from CygnaCom Solutions to build certification paths. Like the CML, the CPDL (aka the CPL) is also owned by the U.S. Government and is in the public domain. The CPDL is a generic path building library with its own API and was not written specifically for the CML. This has caused some minor integration issues for the CML when calling the CPDL functions. Note that these are not problems with the CPDL itself.

Because of those issues and some inefficiencies caused by duplication of functionality between the two libraries, the CML development team has planned to remove the CPDL dependency from the CML architecture at the earliest possible date. Unfortunately, other CML development requirements have been given higher priorities and the CPDL is still present in v1.9. However, the removal of the CPDL is likely to be the first requirement implemented after the v1.9 release.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

-----Original Message-----
From: Robert Masters [mailto:rmasters@bbn.com]
Sent: Wednesday, February 07, 2001 9:35 AM
To: imc-cml@imc.org
Subject: CM_RetrieveKey
 
Hi,

I initialize the CM library (version 1.81) like so:

 cml_return_code = CM_CreateSessionExt(sessionID, &initSettings);
 if(cml_return_code != CM_NO_ERROR)
 {
  fprintf(stderr, "Error: CM_CreateSessionExt returned %hd\n", cml_return_code);
  return false;
 }

where initSettings includes pointers to a fetchDBObjects function and a freeDBObjects function, and a single trusted root certificate.

When calling CM_RetrieveKey, I specify CM_CERT_TYPE, CM_SEARCH_LOCAL, and pass in a user certificate signed by the trusted root certificate that I passed to CM_CreateSessionExt.  I get a return value of 21 (CM_NO_PATH_FOUND). When my fetchDBObjects callback is called, the DN parameter passed to it is for the subject of the user certificate that I just passed in to be validated, and the typeMask is USER_CERT_TYPE | CA_CERT_TYPE | CROSS_CERT_TYPE.  So I pass in the user certificate again.

Two questions:

(1) Why is my fetchDBObjects function being called with the DN of the certificate I just passed in to be validated?  I would think it would be called with the Issuer's DN.

(2) Why is my fetchDBObjects function being called at all to request certificates?  The certificate I passed in was signed by the root that I passed in to the initialization function, so the CM library already has the complete path.  I would think fetchDBObjects would only be called requesting CRLs.

[RN]:  Essentially, the CPDL treats the application-supplied cert (or cert path) as a hint.  The CPDL was designed to build paths to a given DN, not a cert.  So the first thing the CPDL does is request the certs for the subject's DN, even though the CML always passes the subject's cert to the CPDL.
[RN]:  You are correct that once the path is built the CML will call your callback function to request the CRL issued by the root.
What am I doing wrong?

Bob Masters

[RN]:  As far as I can tell, nothing.  One thing to try, though, is to call CM_SetPolicy() before calling CM_RetrieveKey().  In the PolicyData_struct that is passed as a parameter, set the initialPolicy field to NULL and the two members of the initPolValues field to zero (or FALSE).  Then call CM_RetrieveKey().  Hopefully, the path will now be found.
[RN]:  There is a bug in CM_RetrieveKey.c where the initial policy value flags get passed into the CPDL.  This bug has been fixed in v1.9 by changing the PolicyData_struct to use boolean values rather than re-using the Pol_cons_struct (and its short integer values).
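As an added illustration (not CML code) of the flag bug Rich describes, the following C sketch models the v1.8.1 interpretation of the initial policy values beside the corrected one. The struct layouts, the value of CM_SET, the policy names and the minimal path-building model are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The thread gives CM_NOT_SET as -1; CM_SET = 1 is an assumption for this example. */
#define CM_NOT_SET (-1)
#define CM_SET       1

/* Simplified stand-ins for the Pol_cons_struct and PolicyData_struct named in the
 * thread. The real cmapi.h layouts are not on the page; only the field roles matter. */
typedef struct {
    short requireExplicitPolicy;   /* documented values: CM_SET or CM_NOT_SET */
    short inhibitPolicyMapping;    /* documented values: CM_SET or CM_NOT_SET */
} Pol_cons_struct;

typedef struct {
    const char    **initialPolicy; /* NULL-terminated list of acceptable policies, or NULL */
    Pol_cons_struct initPolValues;
} PolicyData_struct;

/* v1.8.1 behaviour as described: the short is handed on as if it were a C
 * boolean, so CM_NOT_SET (-1) is non-zero and reads as TRUE. */
bool flag_as_v181(short v)
{
    return v != 0;
}

/* Corrected mapping: only CM_SET means TRUE; CM_NOT_SET means FALSE. */
bool flag_as_fixed(short v)
{
    return v == CM_SET;
}

/* Defensive entry check for the documented tri-state: any value other than
 * CM_SET or CM_NOT_SET is reported instead of being silently reinterpreted.
 * Returns 0 when both fields are valid, -1 otherwise. */
int validate_init_pol_values(const Pol_cons_struct *p)
{
    short vals[2] = { p->requireExplicitPolicy, p->inhibitPolicyMapping };
    for (size_t i = 0; i < 2; i++) {
        if (vals[i] != CM_SET && vals[i] != CM_NOT_SET)
            return -1;
    }
    return 0;
}

/* True if any policy asserted by the certificate is in the user's initial set. */
static bool policy_intersects(const char **initial, const char **cert_policies)
{
    for (const char **c = cert_policies; *c != NULL; c++)
        for (const char **u = initial; *u != NULL; u++)
            if (strcmp(*c, *u) == 0)
                return true;
    return false;
}

/* Minimal model of the effect on path building: when require-explicit-policy
 * is in force, a certificate with no policy acceptable to the user cannot
 * complete the path. 'interpret' is the flag conversion under test. */
bool path_acceptable(const PolicyData_struct *pd, const char **cert_policies,
                     bool (*interpret)(short))
{
    bool require_explicit = interpret(pd->initPolValues.requireExplicitPolicy);
    if (!require_explicit)
        return true;        /* no explicit-policy requirement: nothing to enforce */
    if (pd->initialPolicy == NULL)
        return true;        /* any-policy: every certificate policy is acceptable */
    return policy_intersects(pd->initialPolicy, cert_policies);
}

/* The situation from the thread: a non-NULL initialPolicy with both flags left
 * at CM_NOT_SET, and a certificate asserting a policy outside the user's set.
 * Policy names are constructed placeholders, not real OIDs. */
bool scenario_non_null_initial_policy(bool (*interpret)(short))
{
    static const char *user_policies[] = { "policy-A", NULL };
    static const char *cert_policies[] = { "policy-B", NULL };
    PolicyData_struct pd = { user_policies, { CM_NOT_SET, CM_NOT_SET } };
    return path_acceptable(&pd, cert_policies, interpret);
}

/* Same flags, but initialPolicy left NULL (the workaround that made the path build). */
bool scenario_null_initial_policy(bool (*interpret)(short))
{
    static const char *cert_policies[] = { "policy-B", NULL };
    PolicyData_struct pd = { NULL, { CM_NOT_SET, CM_NOT_SET } };
    return path_acceptable(&pd, cert_policies, interpret);
}
```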
From owner-imc-cml Mon Mar 5 07:18:23 2001
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: void InitASN1stuff()
Date: Mon, 5 Mar 2001 10:18:30 -0500

Hi,

What do I have to do to free all the stuff initialized in "void InitASN1stuff ()" ???

Thanks.
**********************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
e-mail: eboudreault@motus.com
**********************************************

From owner-imc-cml Tue Mar 6 14:20:49 2001
From: "Nicholas, Richard"
To: imc-cml@imc.org
Subject: RE: void InitASN1stuff()
Date: Tue, 6 Mar 2001 17:25:58 -0500
Message-ID: <0B95FB5619B3D411817E006008A592592C2D43@wfhqex06.gfgsi.com>

Eric,

> What do I have to do to free all the stuff initialized in "void
> InitASN1stuff ()" ???

The SNACC C library maintains two global hash tables to process ASN.1 ANYs, one for ANYs defined by OIDs and one for ANYs defined by integers. Unfortunately, the SNACC C library doesn't have any free functions to release the memory allocated for those global tables. This memory leak, which has been around since CML v1.1, has never been high enough on our priority list to fix.

The hash table structures are defined in hash.h, part of the SNACC C library. You'll need to write code to traverse through both of those global hash tables to release the memory.
The hash.c file, also in the SNACC C library, may be useful as well.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722

From owner-imc-cml Wed Mar 7 11:40:25 2001
From: eboudreault@motus.com
To: "Nicholas, Richard"
Cc: imc-cml@imc.org, owner-imc-cml@mail.imc.org
Subject: Ref.: RE: void InitASN1stuff()
Date: Wed, 7 Mar 2001 14:40:36 -0500

I'm OK with that, but I don't understand what the utility of this member variable is:

typedef struct HashSlot
{
    int leaf;
    Hash hash;
    void *value;
    Table *table;    <----------------------------
} HashSlot;

Can you explain it to me????

Thanks.
**********************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
e-mail: eboudreault@motus.com
**********************************************

From owner-imc-cml Thu Mar 8 11:19:17 2001
From: "Nicholas, Richard"
To: "'eboudreault@motus.com'"
Cc: "'imc-cml@imc.org'"
Subject: RE: Ref.: RE: void InitASN1stuff()
Date: Thu, 8 Mar 2001 14:24:18 -0500
Message-ID: <0B95FB5619B3D411817E006008A592592C2D4C@wfhqex06.gfgsi.com>

Eric,

> I'm OK with that, but I don't understand what the utility of this member
> variable is:
>
> typedef struct HashSlot
> {
>     int leaf;
>     Hash hash;
>     void *value;
>     Table *table;    <----------------------------
> } HashSlot;
>
> Can you explain it to me????
>
> Thanks.

The ASN.1 library source code in hash.c states:

 * Each entry in the table is either NULL (unused) or a pointer to an
 * object of type entry. The entry contains all the information about a
 * hash entry. The entry also contains a field indicating whether or not this
 * is a leaf node. If an entry isn't a leaf node then it references a table at
 * the next level and not a value.

Essentially, the table field in a HashSlot is used when collisions occur in the main hash table. When that happens, a new sub-table is created in that entry and the original entry and the new entry are added to the new sub-table.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722
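As an added example (not SNACC or CML code) of the traversal Rich asks for in his replies of 6 and 8 March, here is a recursive release routine over the HashSlot layout quoted above: leaf slots hand their value to a caller-supplied free function, non-leaf slots recurse into the collision sub-table they reference. The Table layout, TABLESIZE, the nibble-per-level indexing and the value-ownership choice are assumptions to check against the real hash.h and hash.c.

```c
#include <stdlib.h>

/* HashSlot as quoted from the SNACC hash.h in this thread. The Table layout,
 * TABLESIZE and the per-level indexing below are assumptions for this example. */
typedef unsigned int Hash;
typedef struct Table Table;

typedef struct HashSlot {
    int    leaf;    /* non-zero: 'value' holds the entry; zero: 'table' is a sub-table */
    Hash   hash;
    void  *value;
    Table *table;
} HashSlot;

#define TABLESIZE      16   /* assumed */
#define BITS_PER_LEVEL 4    /* assumed: each level consumes one nibble of the hash */

struct Table {
    HashSlot *entry[TABLESIZE];  /* each entry NULL (unused) or a pointer to a slot */
};

/* Called once per leaf value. Pass NULL if the values are not heap objects owned
 * by the table (for example addresses of static definition records). */
typedef void (*ValueFreeFn)(void *value);

/* Release a table and everything below it: leaf slots through the callback,
 * non-leaf slots by recursing into the collision sub-table they reference.
 * Returns the number of leaf entries released so the caller can sanity-check. */
size_t FreeHashTable(Table *t, ValueFreeFn free_value)
{
    if (t == NULL)
        return 0;
    size_t leaves = 0;
    for (size_t i = 0; i < TABLESIZE; i++) {
        HashSlot *s = t->entry[i];
        if (s == NULL)
            continue;
        if (s->leaf) {
            if (free_value != NULL)
                free_value(s->value);
            leaves++;
        } else {
            leaves += FreeHashTable(s->table, free_value);  /* collision sub-table */
        }
        free(s);
        t->entry[i] = NULL;
    }
    free(t);
    return leaves;
}

/* --- constructed sample table, mirroring the collision handling hash.c describes --- */

static HashSlot *new_leaf(Hash h, void *value)
{
    HashSlot *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    s->leaf = 1;
    s->hash = h;
    s->value = value;
    return s;
}

static unsigned index_at(Hash h, unsigned level)
{
    return (h >> (level * BITS_PER_LEVEL)) & (TABLESIZE - 1);
}

/* Three entries; 0x11 and 0x21 share index 1 at level 0, so that slot becomes a
 * non-leaf pointing at a sub-table where the next nibble separates them (1 and 2).
 * Values are dummy heap allocations so the sample can be torn down with free(). */
Table *BuildSampleTable(void)
{
    Table *top = calloc(1, sizeof *top);
    Table *sub = calloc(1, sizeof *sub);
    HashSlot *bridge = calloc(1, sizeof *bridge);
    if (top == NULL || sub == NULL || bridge == NULL) abort();

    HashSlot *a = new_leaf(0x11, malloc(1));
    HashSlot *b = new_leaf(0x21, malloc(1));
    HashSlot *c = new_leaf(0x05, malloc(1));

    sub->entry[index_at(a->hash, 1)] = a;       /* sub index 1 */
    sub->entry[index_at(b->hash, 1)] = b;       /* sub index 2 */
    bridge->leaf = 0;                           /* non-leaf: references the sub-table */
    bridge->table = sub;
    top->entry[index_at(a->hash, 0)] = bridge;  /* top index 1: the collision slot */
    top->entry[index_at(c->hash, 0)] = c;       /* top index 5 */
    return top;
}

/* Build the sample and tear it down; returns 3 when every leaf was visited. */
size_t DemoFreeSample(void)
{
    return FreeHashTable(BuildSampleTable(), free);
}
```

Run it once for each of the two global ANY tables after the last decode; which free function to pass depends on how the values were allocated when the tables were populated.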
From owner-imc-cml Mon Mar 12 13:10:22 2001
From: eboudreault@motus.com
To: imc-cml@imc.org
Subject: CRL fields
Date: Mon, 12 Mar 2001 16:10:36 -0500

Hi,

I want to know if there is a set of functions that validate all the fields of a CRL structure?
Thanks

**********************************************
Eric Boudreault
------------------------------------------------
Programmer
------------------------------------------------
Motus Technologies
390, St-Vallier Est
Bureau 100
Québec, Qc
G1K 3P6
Tel.: 521-2100 ext. #242
Fax: 521-2101
e-mail: eboudreault@motus.com
**********************************************

From owner-imc-cml Mon Mar 12 13:37:57 2001
From: "Pawling, John"
To: imc-cml@imc.org
Subject: RE: CRL fields
Date: Mon, 12 Mar 2001 16:42:52 -0500
Message-ID: <0B95FB5619B3D411817E006008A5925945EDDA@wfhqex06.gfgsi.com>

Eric,

The CML CM_RetrieveKey function ASN.1 decodes, verifies, and checks CRLs as part of the X.509 certification path verification process. It checks the validity of the CRL fields that it uses as part of that process. Typically, this includes checking all of the fields in the CRL. If a CA includes extraneous, non-critical extensions in a CRL, then the CML CM_RetrieveKey function may not fully process those extensions.

Tex/Rich: Please feel free to provide further info in answer to Eric's question.
===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================

From owner-imc-cml Wed Mar 14 13:13:20 2001
From: vlasich@securecomputing.com
To: imc-cml@imc.org
Subject: CML Feature Request
Date: Wed, 14 Mar 2001 15:14:41 -0600 (CST)
Message-ID: <200103142114.PAA08917@tornado.sctc.com>
I have a feature request to CML that I would like to suggest: the ability to do a SRL_DatabaseRemove() and SRL_DatabaseRetrieve() by a unique hash value. SRL_DatabaseList() would also need to return this same hash value.

It is my understanding that CML already makes use of a hash value internally to uniquely identify certs and CRLs, correct? Could you also make this value publicly available inside of the structs dbCertEntryInfo_LL and dbCRLEntryInfo_LL?

I've run into the situation where I have multiple unique certificates in the database with the same DN and I would like to delete or retrieve a particular one. Having a unique hash value to identify the cert would be very handy.

Thanks for your consideration.
------------------------------
Kevin Vlasich
Computer Scientist
Secure Computing Corp.
vlasich@securecomputing.com

From owner-imc-cml Thu Mar 15 13:23:26 2001
From: "Pawling, John"
To: imc-cml@imc.org
Subject: RE: CML Feature Request
Date: Thu, 15 Mar 2001 16:28:59 -0500
Message-ID: <0B95FB5619B3D411817E006008A5925945EE23@wfhqex06.gfgsi.com>

Kevin,

Thank you for your feedback.
You are correct that the CML already makes use of a hash value internally to uniquely identify certs and CRLs. We agree with your recommendations to enhance the CML and will include them in the v2.0 release which we expect to deliver in early August 2001.

Thank you again,
===========================================
John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC
===========================================
From owner-imc-cml Tue Mar 27 05:03:22 2001
From: Diana Berbecaru
To: imc-cml
Subject: CRL related question
Date: Tue, 27 Mar 2001 15:03:21 +0200
Message-ID: <3AC08F99.B6C39F11@athena.polito.it>

Hello,

I'm trying to write a simple application that performs the validation of a certificate. I'm using the latest version of CML, i.e. v1.9. I'm describing to you the steps I've made.

1. I initialized the SRL library using the default names (cert.db and CRL.db) for the certificate and CRL databases and no LDAP.
2. I've added trusted certificates and the CRL (issued by the CA whose certificate is trusted) to the database. I mention that I've used the data provided by CML for tests, namely the information from the "entrust" directory, thus I don't use CRLs or certificates with extraneous extensions.
3. I've initialized the CML library, passing to it as callback functions the SRL functions and as trusted certificates the ones obtained by a SRL_GetTrustedCerts call. For the revocation policy I used CM_REVCRL.
4. When calling CM_RetrieveKey to validate a certificate (issued by the CA whose certificate has been added as a trusted certificate at the above step) I've got a CM_INVALID_PARAMETER error.
I've got the same error even when I read the SRL settings from a configuration (srl.cfg) file. I mention that when I use CM_REVNONE the validation works fine.

Does anybody know why I get such an error?

Diana.

From owner-imc-cml Tue Mar 27 06:34:46 2001
From: "McPherson, Clyde"
To: Diana Berbecaru, imc-cml
Subject: RE: CRL related question
Date: Tue, 27 Mar 2001 09:34:57 -0500
Message-ID: <0B95FB5619B3D411817E006008A5925957B99F@wfhqex06.gfgsi.com>

Diana,

It sounds like one of your parameters for CM_RetrieveKey is not correct, if you are receiving CM_INVALID_PARAMETER. As a reference, the distribution of the CML includes the CM_Tool executable and source files; you may want to reference this tool to help you with your application.

Thanks
Tex
From owner-imc-cml Wed Mar 28 09:03:41 2001
From: "McPherson, Clyde"
To: Diana Berbecaru, imc-cml
Cc: "Nicholas, Richard"
Subject: RE: CRL related question
Date: Wed, 28 Mar 2001 12:03:54 -0500
Message-ID: <0B95FB5619B3D411817E006008A5925957BA37@wfhqex06.gfgsi.com>

Diana:

I have done more research into your problem using the entrust certificates. There appears to be a bug in our code in converting the Distribution Point full name into a string. This fix will be in our next release, which I think is scheduled for this coming Friday, the 30th of March.
If you need the modification now, you can change line 2116 of CM_ReqOps.c, which looks like the following:

    err = CMU_genname2str ((Gen_names_struct *)&distPts->dpName.name, &Pissuer);

to

    err = CMU_genname2str (distPts->dpName.name.full, &Pissuer);

Thanks for your input
Tex
From owner-imc-cml Tue Apr 3 04:03:15 2001
From: Erik Rissanen
To: "'imc-cml@imc.org'"
Subject: CM_RetrieveKey doesn't find a path
Date: Tue, 3 Apr 2001 12:59:50 +0200
Message-ID: <65C559669D59D211B5320008C7B98739034B5874@orion.linq.se>

I am unable to make CM_RetrieveKey work. It returns CM_NO_PATH_FOUND. CM_RequestEncCertPath on the same certificate works, so all the needed certificates are available.

I have traced the code somewhat and I have found one difference between CM_RetrieveKey and CM_RequestEncCertPath that might make a difference. It is that CM_RetrieveKey tries to build the path to a validated certificate in the cache, while CM_RequestEncCertPath tries to build to a root certificate.

I suspect that somehow the root certificate I am using is not in the validated cache. Could that be the problem?

I use the SRL to store the certificates in the SRL managed database file. I create my own SRL session, which I pass on when I create the CML session.
However in my first try, CML never fetched the trusted root certificate from the SRL by itself, which made CM_RequestEncCertPath fail with CM_NO_TRUSTED_CERTS. I fixed that by searching the SRL for trusted certificates myself and then including them in the CM_CreateSessionExt call. Did I do something wrong? According to the CML documentation CML should be able to fetch the trusted certificates from the SRL by itself. Are the trusted certificates that I pass in the CM_CreateSessionExt validated and put in the cache? Do I need to do that myself instead? Also, what are the units for the cache TTL in CM_CreateSession? Seconds? I set it to 300,000, which should be enough, so the root certificate will stay in the cache during this short program. Regards, Erik P.S. There is something wrong with the archives of this mailing list at http://www.imc.org/imc-cml/mail-archive/ (The archive contents is repeated for each new message.) ------_=_NextPart_001_01C0BC2D.3492CCC0 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable CM_RetrieveKey doesn't find a path

From owner-imc-cml Tue Apr 3 05:44:03 2001
From: "Nicholas, Richard"
To: 'Erik Rissanen', imc-cml@imc.org
Subject: RE: CM_RetrieveKey doesn't find a path
Date: Tue, 3 Apr 2001 08:44:59 -0400

Erik,

My answers are inline.

I am unable to make CM_RetrieveKey work. It returns CM_NO_PATH_FOUND. CM_RequestEncCertPath on the same certificate works, so all the needed certificates are available.

I have traced the code somewhat and I have found one difference between CM_RetrieveKey and CM_RequestEncCertPath that might make a difference. It is that CM_RetrieveKey tries to build the path to a validated certificate in the cache, while CM_RequestEncCertPath tries to build to a root certificate.

I suspect that somehow the root certificate I am using is not in the validated cache. Could that be the problem?

[RN]: That is the most likely cause. As you noted, CM_RequestEncCertPath() builds a path up to a self-signed root cert, which may or may not be trusted. So it is possible for CM_RequestEncCertPath() to succeed and CM_RetrieveKey() to fail.

I use the SRL to store the certificates in the SRL managed database file. I create my own SRL session, which I pass on when I create the CML session. However, in my first try, CML never fetched the trusted root certificate from the SRL by itself, which made CM_RequestEncCertPath fail with CM_NO_TRUSTED_CERTS. I fixed that by searching the SRL for trusted certificates myself and then including them in the CM_CreateSessionExt call. Did I do something wrong? According to the CML documentation CML should be able to fetch the trusted certificates from the SRL by itself.

[RN]: The CML will only retrieve the trusted certs from the SRL if the callback functions are not provided in the InitSettings_struct. If the callback functions are supplied, then the list of trusted certs in the InitSettings_struct is used instead (even if none are provided). If you want to have the CML use the SRL, then don't provide the callback functions.

Are the trusted certificates that I pass in the CM_CreateSessionExt validated and put in the cache? Do I need to do that myself instead?

[RN]: They are validated and stored in the cache. If the trusted certs are provided to CM_CreateSessionExt(), be sure to check that the function returned CM_NO_ERROR.

Also, what are the units for the cache TTL in CM_CreateSession? Seconds? I set it to 300,000, which should be enough, so the root certificate will stay in the cache during this short program.

[RN]: The cacheTTL is a variable of type time_t, which represents the time-to-live for objects in the cache, in seconds.

Regards,
Erik

P.S. There is something wrong with the archives of this mailing list at http://www.imc.org/imc-cml/mail-archive/ (the archive contents are repeated for each new message).

[RN]: I sent a message to the mail list administrator alerting him to the problem.

- Rich

---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722
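The reply above makes two points worth seeing side by side: a path that ends at a self-signed certificate is not the same as a path that ends at a trusted certificate, and the trusted set lives in a cache whose cacheTTL is a time_t in seconds. The following is an added example, not CML code, that models both with a toy certificate store: one stop rule ends at any self-signed certificate (the behaviour the reply attributes to CM_RequestEncCertPath()), the other ends only at a certificate present and unexpired in a validated cache (what the reply says CM_RetrieveKey() needs). The ToyCert and ToyCache types, the certificate names, the clock values and the 300 second TTL are all constructed.

```c
/* Added example, not CML code: two path-building stop rules over a toy store.
 * Certificate names, clock values and the TTL are constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_DEPTH 8

typedef struct {
    const char *subject;
    const char *issuer;    /* equal to subject for a self-signed certificate */
} ToyCert;

/* Toy validated cache: subjects that passed validation, each with the time
 * it was inserted. An entry older than ttl seconds counts as absent. */
typedef struct {
    const char *subject[MAX_DEPTH];
    time_t inserted[MAX_DEPTH];
    int count;
    time_t ttl;            /* seconds, like the time_t cacheTTL in the reply */
} ToyCache;

static int cache_has(const ToyCache *c, const char *subject, time_t now) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->subject[i], subject) == 0 && now - c->inserted[i] < c->ttl)
            return 1;
    return 0;
}

static int is_self_signed(const ToyCert *cert) {
    return strcmp(cert->subject, cert->issuer) == 0;
}

/* Find the certificate in the store whose subject is cert's issuer. */
static const ToyCert *find_issuer(const ToyCert *store, int n, const ToyCert *cert) {
    for (int i = 0; i < n; i++)
        if (&store[i] != cert && strcmp(store[i].subject, cert->issuer) == 0)
            return &store[i];
    return NULL;
}

enum StopRule { STOP_AT_SELF_SIGNED, STOP_AT_TRUSTED };

/* Walk issuer links up from leaf. Returns the path length (leaf included)
 * when the stop rule is met, 0 when no path can be built. Under
 * STOP_AT_TRUSTED, reaching a self-signed certificate that is not in the
 * cache is a failure: self-signed is not the same as trusted. */
static int build_path(const ToyCert *store, int n, const ToyCert *leaf,
                      enum StopRule rule, const ToyCache *cache, time_t now) {
    const ToyCert *cur = leaf;
    for (int depth = 1; depth <= MAX_DEPTH; depth++) {
        if (rule == STOP_AT_SELF_SIGNED ? is_self_signed(cur)
                                        : cache_has(cache, cur->subject, now))
            return depth;
        if (is_self_signed(cur))
            return 0;
        cur = find_issuer(store, n, cur);
        if (cur == NULL)
            return 0;
    }
    return 0;
}

/* Constructed store: end entity -> intermediate CA -> self-signed root. */
static const ToyCert store[] = {
    { "CN=End Entity",      "CN=Intermediate CA" },
    { "CN=Intermediate CA", "CN=Root CA" },
    { "CN=Root CA",         "CN=Root CA" },
};
#define STORE_N ((int)(sizeof store / sizeof store[0]))
#define T0 ((time_t)1000)   /* constructed clock value at session creation */

/* A path to a self-signed root is found whether or not anyone trusts it. */
int path_to_self_signed(void) {
    ToyCache empty = { {0}, {0}, 0, 300 };
    return build_path(store, STORE_N, &store[0], STOP_AT_SELF_SIGNED, &empty, T0);
}

/* Same store, but no trusted certificate was ever validated into the cache. */
int path_to_trusted_empty_cache(void) {
    ToyCache empty = { {0}, {0}, 0, 300 };
    return build_path(store, STORE_N, &store[0], STOP_AT_TRUSTED, &empty, T0);
}

/* Root validated into the cache at T0, queried 100 s later with a 300 s TTL. */
int path_to_trusted_root_cached(void) {
    ToyCache cache = { { "CN=Root CA" }, { T0 }, 1, 300 };
    return build_path(store, STORE_N, &store[0], STOP_AT_TRUSTED, &cache, T0 + 100);
}

/* Same cache, queried 400 s later: the entry expired, so no path again. */
int path_to_trusted_root_expired(void) {
    ToyCache cache = { { "CN=Root CA" }, { T0 }, 1, 300 };
    return build_path(store, STORE_N, &store[0], STOP_AT_TRUSTED, &cache, T0 + 400);
}

int main(void) {
    printf("self-signed rule: %d\n", path_to_self_signed());
    printf("trusted rule, empty cache: %d\n", path_to_trusted_empty_cache());
    printf("trusted rule, root cached: %d\n", path_to_trusted_root_cached());
    printf("trusted rule, cache expired: %d\n", path_to_trusted_root_expired());
    return 0;
}
```

The expired-cache case is the one to keep in mind when a long-running process reports no path for a certificate that validated earlier: the chain is intact, but the trust anchor it needs is no longer considered present.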
From owner-imc-cml Tue Apr 3 07:22:49 2001
From: Erik Rissanen
To: 'Nicholas, Richard', imc-cml@imc.org
Subject: SV: CM_RetrieveKey doesn't find a path
Date: Tue, 3 Apr 2001 16:19:23 +0200

I have traced the code more now. It seems like my root certificate is in the cache. BTW, the reason why I pass the callback function pointers despite using the SRL is that I am writing an ISAPI extension DLL for the IIS web server, and SRL cannot find its configuration file in the current directory. It even seems like there is no current directory defined. However, I do the testing and debugging in a standard exe, so I also tested without the callback pointers. There was no difference.

By tracing the CML code I found that the root certificate is in the cache, but there is a call made to the function pointed to by CMU_CTILVerifySignature while building the path. That call fails. I could not trace the execution of that function, so I don't know why it failed. It returns 1, which is CM_MEMORY_ERROR.

I am using the sm_free3 CTIL with a NULL login, which caused me some problems while using SFL. SFL did not always find the CSInst in it as applicable. Maybe something similar is happening here? Have you tested the CML with NULL logins? Any ideas?

Regards,
Erik
From owner-imc-cml Tue Apr 3 08:35:08 2001
From: "Nicholas, Richard"
To: 'Erik Rissanen'
Cc: imc-cml@imc.org, "Colestock, Robert"
Subject: RE: CM_RetrieveKey doesn't find a path
Date: Tue, 3 Apr 2001 11:36:03 -0400

Erik,

I don't have any ideas on why the CMU_CTILVerifySignature is failing. Something must be wrong with the CTIL initialization. I've cc'd Bob Colestock on this; perhaps he has an idea.

We have tested the CML using the various CTILs. Both the Crypto++ and BSAFE CTILs were tested using the NULL login mechanism. The CM_Tool project contains a source file, CTIL_Login.cpp, that contains all of the code we use to test the CML with the CTILs. You can take a look at the Crypto++ section to see how it's initialized, but nothing special is going on in there.

- Rich
From owner-imc-cml Wed Apr 4 06:24:15 2001
Message-ID: <65C559669D59D211B5320008C7B98739034B5879@orion.linq.se>
From: Erik Rissanen
To: "'Nicholas, Richard'"
Cc: "'imc-cml@imc.org'", "Colestock, Robert"
Subject: SV: CM_RetrieveKey doesn't find a path
Date: Wed, 4 Apr 2001 15:20:47 +0200

I have now figured out why the CMU_CTILVerifySignature call failed. It was because there was something wrong with the CML project files (the CM_Test project was missing), so cmctil.dll was never built. I did not notice it since I had the old version of it in system32. The old version, however, did not work, but failed. I have now rebuilt the CML so that I have a fresh cmctil.dll.

However, there is still a problem. CSM_SignBuf::SetApplicableInstances does not find any applicable instances since the test

    if (tmpInst->IsThisUsed() && tmpInst->AccessCertificates() && (!bSignerOnlyFlag || tmpInst->IsSigner()))

on line 96 in sm_SignBuf.cpp fails because tmpInst->AccessCertificates() is NULL for my NULL login.

This causes CMU_CTILVerifySignature to fail because it cannot find a crypto token to use.

What can I do to solve this problem? Should I insert a dummy certificate into the login, and what kind of certificate in that case? Or should I modify the test above to not fail if there are no certificates in the login?

Regards,
Erik

-----Original message-----
From: Nicholas, Richard [mailto:Richard.Nicholas@GetronicsGov.com]
Sent: 3 April 2001 17:36
To: 'Erik Rissanen'
Cc: 'imc-cml@imc.org'; Colestock, Robert
Subject: RE: CM_RetrieveKey doesn't find a path

Erik,

I have traced the code more now. It seems like my root certificate is in the cache. BTW, the reason why I pass the callback function pointers despite using the SRL is that I am writing an ISAPI extension DLL for the IIS web server, and SRL cannot find its configuration file in the current directory. It even seems like there is no current directory defined. However, I do the testing and debugging in a standard exe, so I also tested without the callback pointers. There was no difference.

By tracing the CML code I found that the root certificate is in the cache, but there is a call made to the function pointed to by CMU_CTILVerifySignature while building the path. That call fails. I could not trace the execution of that function, so I don't know why it failed. It returns 1, which is CM_MEMORY_ERROR.

I am using the sm_free3 CTIL with a NULL login, which caused me some problems while using SFL. SFL did not always find the CSInst in it as applicable. Maybe something similar is happening here? Have you tested the CML with NULL logins? Any ideas?

Regards,
Erik

I don't have any ideas on why the CMU_CTILVerifySignature is failing. Something must be wrong with the CTIL initialization. I've cc'd Bob Colestock on this; perhaps he has an idea.

We have tested the CML using the various CTILs. Both the Crypto++ and BSAFE CTILs were tested using the NULL login mechanism. The CM_Tool project contains a source file, CTIL_Login.cpp, that contains all of the code we use to test the CML with the CTILs. You can take a look at the Crypto++ section to see how it's initialized, but nothing special is going on in there.

- Rich

-----Original message-----
From: Nicholas, Richard [mailto:Richard.Nicholas@GetronicsGov.com]
Sent: 3 April 2001 14:45
To: 'Erik Rissanen'; 'imc-cml@imc.org'
Subject: RE: CM_RetrieveKey doesn't find a path

Erik,

My answers are inline.

I am unable to make CM_RetrieveKey work. It returns CM_NO_PATH_FOUND. CM_RequestEncCertPath on the same certificate works, so all the needed certificates are available. I have traced the code somewhat and I have found one difference between CM_RetrieveKey and CM_RequestEncCertPath that might make a difference. It is that CM_RetrieveKey tries to build the path to a validated certificate in the cache, while CM_RequestEncCertPath tries to build to a root certificate. I suspect that somehow the root certificate I am using is not in the validated cache. Could that be the problem?

[RN]: That is the most likely cause. As you noted, CM_RequestEncCertPath() builds a path up to a self-signed root cert, which may or may not be trusted. So it is possible for CM_RequestEncCertPath() to succeed and CM_RetrieveKey() to fail.

I use the SRL to store the certificates in the SRL-managed database file. I create my own SRL session, which I pass on when I create the CML session. However, in my first try, CML never fetched the trusted root certificate from the SRL by itself, which made CM_RequestEncCertPath fail with CM_NO_TRUSTED_CERTS. I fixed that by searching the SRL for trusted certificates myself and then including them in the CM_CreateSessionExt call. Did I do something wrong? According to the CML documentation, CML should be able to fetch the trusted certificates from the SRL by itself.

[RN]: The CML will only retrieve the trusted certs from the SRL if the callback functions are not provided in the InitSettings_struct. If the callback functions are supplied, then the list of trusted certs in the InitSettings_struct is used instead (even if none are provided). If you want to have the CML use the SRL, then don't provide the callback functions.

Are the trusted certificates that I pass in the CM_CreateSessionExt validated and put in the cache? Do I need to do that myself instead?

[RN]: They are validated and stored in the cache. If the trusted certs are provided to CM_CreateSessionExt(), be sure to check that the function returned CM_NO_ERROR.

Also, what are the units for the cache TTL in CM_CreateSession? Seconds? I set it to 300,000, which should be enough, so the root certificate will stay in the cache during this short program.

[RN]: The cacheTTL is a variable of type time_t, which represents the time-to-live for objects in the cache, in seconds.

Regards,
Erik

P.S. There is something wrong with the archives of this mailing list at http://www.imc.org/imc-cml/mail-archive/ (the archive contents are repeated for each new message).

[RN]: I sent a message to the mail list administrator alerting him to the problem.

- Rich

---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@GetronicsGov.com
(301) 939-2722
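The distinction Rich draws in the quoted exchange between a path that merely reaches a self-signed root (CM_RequestEncCertPath) and one that must reach a certificate the session actually trusts (CM_RetrieveKey), as an added C++ model that is not CML or SFL code; every type, function and certificate name here is hypothetical and the sample chain is constructed.

```cpp
// Added example (not CML/SFL code): models why a path to a self-signed root
// can be found while a path to a trusted cert is not. Names are hypothetical.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Cert {
    std::string subject;
    std::string issuer;  // issuer == subject marks a self-signed cert
};
using CertStore = std::map<std::string, Cert>;  // keyed by subject name

// Follow issuer links from 'leaf' upward until 'stop' accepts a cert.
// Returns the chain (leaf first) or an empty vector when a link is missing
// or the walk would loop (e.g. an untrusted self-signed root is reached).
template <class Stop>
std::vector<Cert> buildPath(const CertStore& store, const std::string& leaf, Stop stop) {
    std::vector<Cert> chain;
    std::set<std::string> seen;
    std::string cur = leaf;
    for (;;) {
        auto it = store.find(cur);
        if (it == store.end() || !seen.insert(cur).second) return {};
        chain.push_back(it->second);
        if (stop(it->second)) return chain;
        cur = it->second.issuer;
    }
}

// CM_RequestEncCertPath-like rule: any self-signed cert terminates the path,
// whether or not anyone trusts it.
std::vector<Cert> pathToSelfSigned(const CertStore& store, const std::string& leaf) {
    return buildPath(store, leaf, [](const Cert& c) { return c.issuer == c.subject; });
}

// CM_RetrieveKey-like rule: the path must reach a cert in the session's
// trusted set; a self-signed root that is not in that set does not count.
std::vector<Cert> pathToTrusted(const CertStore& store, const std::string& leaf,
                                const std::set<std::string>& trusted) {
    return buildPath(store, leaf, [&](const Cert& c) { return trusted.count(c.subject) > 0; });
}

// Constructed sample chain: EE <- CA <- self-signed Root.
CertStore sampleStore() {
    return {{"Example EE",   {"Example EE",   "Example CA"}},
            {"Example CA",   {"Example CA",   "Example Root"}},
            {"Example Root", {"Example Root", "Example Root"}}};
}
```

With an empty trusted set the second rule returns no path even though the same three certificates satisfy the first, which is exactly the CM_RequestEncCertPath-succeeds, CM_RetrieveKey-fails symptom described above.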