
v2.0 Certificate Management Library (CML) Now Available

All,

Getronics Government Solutions has delivered the Version 2.0 Certificate
Management Library (CML) for Microsoft Windows, Sun Solaris 2.7 and Linux.
The v2.0 CML is freely available at:
<http://www.getronicsgov.com/hot/cml_home.htm>.

Applications requiring Public Key Infrastructure (PKI) security services
can use the CML to meet their X.509 certificate and Certificate Revocation
List (CRL) processing requirements.  The v2.0 CML implements the 2000 X.509
Recommendation certification path verification processing rules.  It
provides robust certification path development capabilities such as using
cross certificates.  It meets the majority of the IETF PKIX RFC 2459
Certificate/CRL Profile requirements.  The v2.0 CML performs Abstract Syntax
Notation One (ASN.1) decoding of X.509 Certificates and CRLs.  The CML is
described in the v2.0 CML Application Programming Interface (API) document.
It requires the v1.3 R7 Enhanced SNACC ASN.1 software that is freely available
at: <http://www.getronicsgov.com/hot/snacc_home.htm>.

The CML uses the accompanying Storage and Retrieval Library (SRL)
(optionally) to provide local certificate and CRL storage management
functions.  The SRL (optionally) provides remote directory retrieval
capabilities using the Lightweight Directory Access Protocol (LDAP).

The CML has been thoroughly tested including validating X.509
Certificates and CRLs created by a variety of Certification
Authority (CA) products, and signed using the Digital Signature
Algorithm (DSA) and RSA algorithms.  Further enhancements,
ports and testing of the CML are still in process.  Further
releases of the CML will be provided as significant
capabilities are added.

The following enhancements are included in the v2.0 CML release
(compared with the v1.9.3 release):

 1) Modified CML to use SNACC C++ ASN.1 library instead of SNACC C
ASN.1 library.  This removed the CML dependency on the SNACC C
ASN.1 library.  This eliminated the code that converts data in
SNACC C structures to CML C structures. 

 2) Enhanced CML to ASN.1 encode and decode certificates, CRLs,
attribute certificates, Clearance Attributes and components thereof
into SNACC C++ classes.  Enhanced code that converts data in
SNACC C++ classes to CML C structures. 

 3) Modified CML to remove internal crypto function calls.  The v2.0 CML
uses only the Crypto Token Interface Library (CTIL) API.  This simplified
the CML because it calls a single crypto API (i.e. the CTIL API), and it
simplified the CML architecture because the cm_ctil library was
eliminated by moving the cm_ctil source code into the CML.

 4) Changed CML to call the new CTILManager library instead of
LibCert to obtain CTIL-related services. 

 5) Added the capability to build an X.509 certification path
independently of the validation functions.

 6) Added the capability to retrieve a CRL indicated by the PKIX
Subject Information Access (SIA) extension, if present, in a CA's
certificate.

 7) Added new member to the InitSettings_struct, nMaxPaths, to allow
the application to indicate the maximum number of paths to build and
attempt to validate before returning a path validation error.

 8) Deleted function CM_RequestDecCertPath() and replaced with
function, CM_RetrievePath() which builds, validates, and returns the
validated public key and the cert path.

 9) Added the following new C++ classes to the CML:  Certificate,
CRL, CertPath, ValidatedKey, and SignedAsnObj.  The interface for
those classes is defined in the new CMAPI C++ header file. The new
Certificate and CRL classes include member functions to sign their
respective objects.  These new classes are defined within the "CML"
C++ namespace to avoid name conflicts with similarly named classes
defined by the application or other libraries it includes.

10) Enhanced CM_Tool to use v2.0 CML and to test new features.

11) Enhanced CML process of creating and destroying sessions to be
thread-safe.  This enhancement does not make the CML completely thread-
safe, but the CML is thread-safe when the application only uses a single
CM session per thread. 

12) Tested CML with the following CTILs: MS Crypto API (CAPI) CTIL using
MS CAPI v2.0; Crypto++ CTIL and library; and BSAFE CTIL using RSA BSAFE
library.

13) Enhanced CML to provide robust certification path development
functionality to remove the dependency on external libraries.  This change
provides greater flexibility to enhance the CML to meet customer
requirements that the previous architecture prohibited.  This change
eliminated redundant code and processing between external and internal CML
certification path development code.  The v2.0 CML has been successfully
used to develop and verify certification paths used in the Bridge
Certification Authority demonstration which includes cross-certified
hierarchical and non-hierarchical PKIs.


v2.0 CML API: The v2.0 CML provides the identical C language API as
provided by the v1.9 CML except that a new member, nMaxPaths, was added
to the InitSettings_struct (see above).  The application can ignore the
new nMaxPaths member, if desired.  Also, the application can use the
v2.0 CML to ASN.1 decode objects without creating a session.  In
addition to the C language API, the v2.0 CML provides a C++ API for
ASN.1 encoding and decoding of objects into SNACC C++ classes. 


The following enhancements are included in the v2.0 SRL release
(compared with the v1.9.3 release):

 1) Added certificate type to database template.
 
 2) Enhanced SRL to be thread-safe by allowing database files
to be shared by multiple sessions in a thread-safe manner. 

 3) Increased flexibility of controlling LDAP settings used by
the SRL.  An LDAPId handle can optionally be passed to the SRL.
In that case, the SRL will not perform the LDAP init and bind.
Added SRLi_ChangeLDAPInfo() function that provides the ability
to change the LDAP handle without destroying an SRL session.
The application can indicate which LDAP connection to use for
each operation.  The application can switch between the LDAP
connections without destroying the CML session (the CML cache
stays resident).  Added a function to the SRL that copies the
new LDAP settings into the SRL session settings so that the
next time the SRL performs an LDAP operation it has the correct
LDAP handle and settings.

v2.0 SRL API: The v2.0 SRL provides the identical API as provided
by the v1.9 SRL except for the changes described above.


The following v2.0 CML files are available from the Getronics CML
web page:
1) Windows_CML_Lib_v2.0.ZIP: MS Windows Dynamically Linked Libraries
2) Windows_CM_Tool_v2.0.ZIP: CM_Tool executable
3) Solaris_CML_Lib_v2.0.tar.Z: Sun Solaris Libraries
4) Solaris_CM_Tool_v2.0.tar.z: CM_Tool for Solaris
5) Linux_CML_Lib_v2.0.tar.Z: Linux Libraries
6) Linux_CM_Tool_v2.0.tar.z: CM_Tool for Linux
7) CML_source_v2.0.tar.Z: Source, including Windows project files
8) CMAPI_data.tar.Z: Test Certs and CRLs used to test CML

The v2.0 CML API document (CMv2.0api.doc, CMv2.0api.pdf), v2.0 SRL API
document (SRLv2.0api.doc, SRLv2.0api.pdf), and v2.0 CML readme file
are also available from the Getronics CML web page.

All source code for the CML is being provided at no cost and with no
financial limitations regarding its use and distribution. Organizations
can use the CML without paying any royalties or licensing fees.  The
CML was originally developed by the U.S. Government.  Getronics is
enhancing and supporting the CML under contract to the U.S. Government.
The U.S. Government is furnishing the CML software at no cost to the
vendor subject to the conditions of the CML Public License provided
with the CML software. 

The CML makes calls to an algorithm-independent CTIL API that provides
access to a variety of external crypto libraries.  There is a CTIL for
each crypto library that maps the generic CTIL API calls to the
specific calls for that crypto library.  Getronics provides CTILs for
the Microsoft CAPI v2.0, Crypto++, RSA BSAFE, Spyrus SPEX/2 and
FORTEZZA Cryptologic Interface libraries.  Getronics also provides a
PKCS #11 CTIL that enables PKCS #11-compliant libraries to be used
with the CML.  The underlying, external crypto libraries are not
distributed as part of the CML software.

The CML implements the majority of the 2000 X.509 Recommendation features
and certification path validation requirements such as: name chaining; key
identifier chaining; signature verification using DSA and RSA; validity
date checking; revocation checking; name constraints; basic constraints;
certificate policies, mappings and constraints; subject and issuer
alternate names; key usage/extended key usage; private key usage period;
CRL distribution points; cross certificates; CRL extensions and CRL entry
extensions.  There are some unsupported features such as Delta CRLs.
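Several of the validation rules listed above (name chaining, key identifier chaining, RSA signature verification, validity date checking, basic constraints with keyCertSign, and path-length constraints) are shown below in working form. This is an added example written for this page, not CML code and not the CML API; it assumes the Python `cryptography` package is installed, generates its own constructed test certificates in-process, and deliberately leaves out revocation checking, policy processing and name constraints.

```python
"""Core certification-path checks (name chaining, key identifier chaining,
RSA signature verification, validity period, basic constraints with
keyCertSign, path-length constraints) run over certificates generated
in-process.  Added example, not CML code; it assumes the `cryptography`
package is installed.  Revocation checking, policy processing and name
constraints are left out."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, key, issuer_key, ca, path_len=None,
              since_days=1, days=365):
    """Build a test certificate (constructed data) with SKI/AKI populated."""
    nb = datetime.datetime.now(UTC) - datetime.timedelta(days=since_days)
    usage = x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=not ca, data_encipherment=False,
                          key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                          encipher_only=False, decipher_only=False)
    pub = key.public_key()
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(nb + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
            .add_extension(usage, critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                issuer_key.public_key()), critical=False)
            .sign(issuer_key, hashes.SHA256()))


def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def _validity(cert):
    nb = getattr(cert, "not_valid_before_utc", None)    # cryptography >= 42
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))


def validate_path(path, now=None):
    """path[0] is the trust anchor, path[-1] the target.  Returns the list of
    failed checks; an empty list means the path validated."""
    now = now or datetime.datetime.now(UTC)
    fails = []
    bc0 = _ext(path[0], x509.BasicConstraints)
    remaining = bc0.path_length if bc0 else None   # RFC 5280 max_path_length
    for i in range(1, len(path)):
        issuer, cert = path[i - 1], path[i]
        tag = f"cert {i} ({cert.subject.rfc4514_string()})"
        if cert.issuer != issuer.subject:
            fails.append(f"{tag}: name chaining")
        aki, ski = _ext(cert, x509.AuthorityKeyIdentifier), _ext(issuer, x509.SubjectKeyIdentifier)
        if aki is None or ski is None or aki.key_identifier != ski.digest:
            fails.append(f"{tag}: key identifier chaining")
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            fails.append(f"{tag}: signature")
        nb, na = _validity(cert)
        if not nb <= now <= na:
            fails.append(f"{tag}: validity period")
        bc, ku = _ext(issuer, x509.BasicConstraints), _ext(issuer, x509.KeyUsage)
        if bc is None or not bc.ca or ku is None or not ku.key_cert_sign:
            fails.append(f"{tag}: issuer not a CA with keyCertSign")
        if i < len(path) - 1 and cert.subject != cert.issuer:   # intermediate, not self-issued
            if remaining is not None:
                if remaining <= 0:
                    fails.append(f"{tag}: path length constraint")
                remaining -= 1
            own = _ext(cert, x509.BasicConstraints)
            if own and own.path_length is not None and (remaining is None or own.path_length < remaining):
                remaining = own.path_length
    return fails


def run_checks():
    """A good chain plus three broken ones; returns their failure lists."""
    keys = [rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4)]
    root_key, sub_key, ee_key, bad_key = keys
    root = make_cert("Test Root", "Test Root", root_key, root_key, ca=True, path_len=1)
    sub = make_cert("Test Sub CA", "Test Root", sub_key, root_key, ca=True, path_len=0)
    ee = make_cert("alice@example.test", "Test Sub CA", ee_key, sub_key, ca=False)
    forged_sub = make_cert("Test Sub CA", "Test Root", bad_key, bad_key, ca=True)  # right names, wrong key
    rogue = make_cert("mallory@example.test", "alice@example.test", bad_key, ee_key, ca=False)  # EE as issuer
    expired = make_cert("alice@example.test", "Test Sub CA", ee_key, sub_key, ca=False, since_days=400)
    return {"good": validate_path([root, sub, ee]),
            "forged_sub": validate_path([root, forged_sub, ee]),
            "rogue_issuer": validate_path([root, sub, ee, rogue]),
            "expired": validate_path([root, sub, expired])}
```

The forged intermediate carries the right subject and issuer names, so name chaining alone would accept it; it is caught by the key identifier mismatch and by the signature check against the anchor's key. The rogue chain fails twice: the end-entity certificate lacks the CA bit and keyCertSign, and the root's pathLenConstraint of 1 is exceeded once a third CA-position certificate appears.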

The CML meets the requirements stated in the SDN.706 Certificate/CRL
Profile required by the U.S. Defense Message System project.

Getronics has successfully tested the v2.0 CML with the SNACC and
CTIL libraries delivered with the v2.0 S/MIME Freeware Library (SFL). 
Source code for the Getronics-developed CTILs is available from
<http://www.getronicsgov.com/hot/sfl_home.htm>. 

The CML has been successfully tested with the Access Control
Library (ACL) that is freely available to everyone from:
<http://www.getronicsgov.com/hot/acl_home.htm>.

The v2.0 CML has been successfully used to build and verify
certification paths used in the Bridge Certification Authority (BCA)
demonstration which includes cross-certified hierarchical and non-
hierarchical PKIs. 

The National Institute of Standards and Technology (NIST) is
providing a standard test suite of X.509 certification paths
<http://csrc.nist.gov/pki/testing/x509paths.html> that can be
used for testing applications against RFC 2459.  The CML was
used to successfully process the NIST test data.

The Internet Mail Consortium (IMC) has established a CML web page
<http://www.imc.org/imc-cml> and a CML mail list which is used to:
distribute information regarding CML releases; discuss CML-related
issues; and allow CML users to provide feedback, comments, bug
reports, etc.  Subscription information for the imc-cml mailing list
is at the IMC web site listed above. 

All comments regarding the CML source code and documents are welcome.
This CML release announcement was sent to several mail lists, but
please send all messages regarding the CML to the imc-cml mail list
ONLY. Please do not send messages regarding the CML to any of the IETF
mail lists.  We will respond to all messages sent to the imc-cml mail
list.

===========================================
John Pawling, John.Pawling@xxxxxxxxxxxxxxxx
Getronics Government Solutions, LLC
===========================================