[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

v1.5 SFL Re-Delivered



All,

We made a mistake when we constructed the smR15CTI.zip file described in the
enclosed message.  We omitted the CTIL source code.  We have re-built,
checked and re-delivered a corrected smR15CTI.zip file which is now stored
on the Fortezza Developer's S/MIME Page
<http://www.armadillo.huntsville.al.us/software/smime>.  We also fixed
memory leaks in the SFL code that we uncovered during Solaris 2.7 memory
leak testing late last week.  The memory leak fixes are included in a new
smimeR15.zip file also stored on the Fortezza Developer's S/MIME Page.
Anybody who downloaded the smR15CTI.zip and smimeR15.zip files prior to the
afternoon of 14 February should re-download the new zip files currently
stored on the Fortezza Developer's SFL Web Page.  We sincerely apologize for
any inconvenience caused by this mistake.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john.pawling@xxxxxxxx
============================================ 

Original message:
=====================================================================
All,

J.G. Van Dyke and Associates (VDA), a Wang Government Services Company, has 
delivered Version 1.5 of the S/MIME Freeware Library (SFL) source code and 
Application Programming Interface (API).  The SFL source code files are 
freely available to everyone from the Fortezza Developer's S/MIME Page
<http://www.armadillo.huntsville.al.us/software/smime> (with no password 
control).  On 14 January 2000, the U.S. Department of Commerce, Bureau of 
Export Administration published a new regulation implementing an update to
the U.S. Government's encryption export policy 
<http://www.bxa.doc.gov/Encryption/Default.htm>.  In accordance with the 
revisions to the Export Administration Regulations (EAR) of 14 Jan 2000,
the downloading of the SFL source code is no longer password controlled.

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message 
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications. 
It also implements portions of the RFC 2633 Message Specification and 
RFC 2632 Certificate Handling document.  When used in conjunction with
the Crypto++ freeware library, the SFL implements the RFC 2631 
Diffie-Hellman (D-H) Key Agreement Method specification.  It has been 
successfully tested using the MS Windows NT/95/98 and Solaris 2.7 operating 
systems.  Further enhancements, ports and testing of the SFL are still in 
process.  Further releases of the SFL will be provided as significant 
capabilities are added. 

The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS 
objects using: S/MIME v3 mandatory-to-implement algorithms (DSA, E-S D-H,
3DES) 
provided by the Crypto++ 3.1 library; RSA suite of algorithms provided by
the 
RSA BSAFE v4.2 and Crypto++ 3.1 libraries; and Fortezza suite of algorithms 
provided by the Fortezza Crypto Card.  The SFL uses the VDA-enhanced SNACC
v1.3 
ASN.1 Library to encode/decode objects. The v1.5 SFL release includes: SFL
High-
level library; Free (a.k.a. Crypto++) Crypto Token Interface Library (CTIL);

BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL (still being tested);
VDA-
enhanced GNU SNACC v1.3 rev 0.07 ASN.1 Compiler and Library; test utilities;

test drivers and test data.  All CTILs were tested as Dynamically Linked 
Libraries (DLL) using MS Windows.  The Fortezza, BSAFE and Crypto++ CTILs
were
tested with the respective security libraries as shared objects using
Solaris 2.7.  

The SFL has been successfully used to exchange signedData and envelopedData 
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01 and

Netscape Communicator 4.X S/MIME v2 products.  Signed messages have been 
exchanged with the RSA S/MAIL, WorldTalk and Entrust S/MIME v2 products. 

The SFL has also been used to perform S/MIME v3 interoperability testing
with 
Microsoft that exercised the majority of the features specified by RFCs
2630, 
2631 and 2634.  This testing included the RSA, mandatory S/MIME V3 and
Fortezza 
suites of algorithms.  We have also performed limited S/MIME v3 testing with

Baltimore and Entrust.  We are also participating in the IETF S/MIME WG 
interoperability testing documented in the "Examples of S/MIME Messages" 
document.  We have used the SFL to successfully process all of the correct 
signedData and envelopedData messages included in the document.  We are 
continuing to set up test config files to use the SFL to test the other
cases 
included in the document such as signed receipts.  We also plan to provide 
sample messages for inclusion in the document.

The following enhancements are included in the v1.5 SFL release (compared
with 
the v1.4 release):

1) SNACC: Fixed ASN.1 INTEGER bug in which one-byte values were improperly 
processed. 

2) Fixed many memory leaks;

3) Full CounterSignature test suite (autohiAllSFLd.cfg);

4) CertificateBuilder utility generates private/public key pairs and 
certificates (there is a "README.txt" file in the root directory regarding
this 
utility). 

5) PKCS #11 CTIL project (SFL integrators need to separately obtain a PKCS
#11 
crypto library, but this project provides a good template for PKCS #11).  We

are still testing the PKCS #11 CTIL.

6) Developed new test code and configuration files to implement test cases;
and

7) Performed regression testing to ensure that aforementioned enhancements
did 
not break existing SFL functionality.


We are still in the process of enhancing and testing the SFL.  Future
releases 
will include: completion of PKCS #11 CTIL testing; SPEX/ CTIL 
encrypt/decrypt/ESDH capabilities; finish CertificateBuilder command line 
utility; modify PKCS #12 code in test utilities to provide interoperable key

storage; add "Certificate Management Messages over CMS" ASN.1 encode/decode 
functions; add enhanced test routines; bug fixes; support for other crypto
APIs 
(possible); and support for other operating systems. 

The SFL is developed to maximize portability to 32-bit operating 
systems.  In addition to testing on MS Windows and Solaris 2.7, we plan to
port 
the SFL to the following operating systems: Linux, HP/UX 11, IBM AIX 3.2 
(possibly), SCO 5.0 (possibly) and Macintosh (possibly).

The following SFL files are available from the Fortezza Developer's S/MIME
Page:

1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API, 
Software Test Description, Implementers Guide, Overview Briefing and Public 
License.
     
2) snacc1_5VDA.zip: Zip file containing SNACC v1.3 rev 0.07 ASN.1 Compiler
and 
Library source code compilable for Unix and MS Windows NT/95/98 that has
been 
enhanced by VDA to implement the Distinguished Encoding Rules.  Project
files 
and makefiles are included.  This file includes a sample test project 
demonstrating the use of the SNACC classes.

3) smimeR15.zip:  Zip file containing all SFL source code including: 
SFL Hi-Level source code; VDA-enhanced SNACC-generated ASN.1 source 
code; project files.  This file also contains test driver source code, 
sample CMS/ESS test data and test X.509 Certificates.  This file also 
includes test utilities to create X.509 Certificates that each include 
a D-H, DSA or RSA public key.  SNACC release and debug libraries
are compiled for MS Windows NT/95/98. MS Windows NT/95/98
project files and Unix makefiles are included for the SNACC code and
Crypto++.    

4) smR15CTI.zip:  Source code for the following CTILs: Test (no crypto), 
Crypto++, BSAFE, Fortezza, SPEX/ and PKCS #11.  The Win95/98/NT projects are

also included.  (NOTE: The Free (a.k.a. Crypto++) CTIL includes
VDA-developed 
source code to use the RSA public key algorithm implemented within the
external 
Crypto++ library.  As with all of the external crypto token libraries, the 
Crypto++ library is not distributed as part of the SFL source code.  
To use the Crypto++ library with the SFL, the application developer must 
independently obtain the Crypto++ library from the Crypto++ Web Page 
<http://www.eskimo.com/~weidai/cryptlib.html> and then compile it with 
the VDA-developed Crypto++ CTIL source code.  The RSA public key 
algorithm is covered by U.S. Patent 4,405,829 "Cryptographic Communication 
System and Method".  Within the U.S., users of the RSA public key algorithm 
provided by the external Crypto++ library must obtain a license from RSA 
granting them permission to use the RSA algorithm.)

5) csmime.mdl contains SFL Class diagrams created using Microsoft 
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
<http://www.rational.com/uml/resources/practice_uml/index.jtmpl>.
Not all classes are documented in the MDL file at this time.

All source code for the SFL is being provided at no cost and with no 
financial limitations regarding its use and distribution. 
Organizations can use the SFL without paying any royalties or 
licensing fees.  VDA is developing the SFL under contract to the U.S. 
Government.  The U.S. Government is furnishing the SFL source code at no 
cost to the vendor subject to the conditions of the "SFL Public 
License" available from the VDA SFL Page and Fortezza Developer's 
S/MIME Page.

The SFL is composed of a high-level library that performs generic CMS 
and ESS processing independent of the crypto algorithms used to 
protect a specific object.  The SFL high-level library makes calls to 
an algorithm-independent CTIL API.  The underlying, external crypto
token libraries are not distributed as part of the SFL 
source code. The application developer must independently obtain these 
libraries and then link them with the SFL.  For example, the SFL uses 
the freeware Crypto++ library to obtain 3DES, D-H and DSA.  To use 
the SFL with Crypto++ the vendor must download the Crypto++ freeware 
library from the Crypto++ Web Page and then compile it with the  
VDA-developed Crypto++ CTIL source code.  

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>.  The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc.  Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.

The SFL documents and VDA-enhanced SNACC source code are also
available from the VDA SFL Web Page
<http://www.jgvandyke.com/services/infosec/sfl.htm>.

All comments regarding the SFL source code and documents are welcome. 
We recommend that comments should be sent to the imc-sfl mail list.  
We will respond to all messages on that list.

============================================
John Pawling, Director - Systems Engineering
J.G. Van Dyke & Associates, Inc;
a Wang Government Services Company
john.pawling@xxxxxxxx
============================================