v2.1 S/MIME Freeware Library (SFL) Now Available



All,

Getronics Government Solutions has delivered the Version 2.1 
S/MIME Freeware Library (SFL) source code.  The SFL source code files
and documents are freely available at 
<http://www.getronicsgov.com/hot/sfl_home.htm>.  

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message 
Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS)
specifications.  It also implements portions of the RFC 2633 Message 
Specification and RFC 2632 Certificate Handling document.  When used in 
conjunction with the Crypto++ freeware library, the SFL implements the 
RFC 2631 Diffie-Hellman (D-H) Key Agreement Method specification.  It 
has been successfully tested using the Microsoft (MS) Windows 
NT/98/2000/XP, Linux and Sun Solaris 2.8 operating systems.  Further 
enhancements, ports and testing of the SFL are still in process.  
Further releases of the SFL will be provided as significant 
capabilities are added. 

The SFL has been successfully used to sign, verify, encrypt and decrypt 
CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the 
Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE 6.0
Crypto-C and Crypto++ libraries; and Fortezza suite of algorithms 
provided by the Fortezza Crypto Card.  The v2.1 SFL uses the v2.1 
Certificate Management Library (CML) and v1.4 Enhanced SNACC (eSNACC) 
ASN.1 C++ Library to encode/decode objects.  The v2.1 SFL release 
includes: SFL High-level library; Free (a.k.a. Crypto++) Crypto Token
Interface Library (CTIL); BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; 
PKCS #11 CTIL; Microsoft CAPI v2.0 CTIL; test utilities; test drivers;
and test data.  All CTILs were tested as Dynamically Linked Libraries
(DLL) using MS Windows.  The Fortezza, BSAFE and Crypto++ CTILs
were tested with the respective security libraries as shared objects
using Linux and Solaris 2.8.  

The SFL has been successfully used to exchange signedData and 
envelopedData messages with the MS Internet Explorer Outlook Express 
v4.01, Netscape Communicator 4.X, Entrust and Baltimore S/MIME 
products.  Signed messages have been exchanged with the RSA S/MAIL and 
WorldTalk S/MIME v2 products. 

The SFL has also been used to perform S/MIME v3 interoperability 
testing with Microsoft that exercised the majority of the features 
specified by RFCs 2630, 2631 and 2634.  This testing included the RSA,
DSA, E-S D-H, 3DES, SHA and Fortezza algorithms.  We used the SFL to 
successfully process the SFL-supported sample data included in the
S/MIME WG "Examples of S/MIME Messages" document.  We also used the
SFL to generate S/MIME v3 sample messages that were included in the 
"Examples" document.

The use of the v2.1 SFL is described in the v2.1 SFL Application
Programming Interface (API) and v2.1 SFL Software Design Description
documents.  The use of the v2.1 CTIL API is described in the v2.1
CTIL API document. 


v2.1 SFL includes the following enhancements (compared to v2.0.1 
(Patch A) SFL and CTIL releases):

1) To make it easier for integrators to retrieve and compile the
source code for the ACL, SFL and CML libraries, we delivered a
consolidated release zip file including the source code, 
project files, make files, and readme files for
the SFL, CML, Storage Retrieval Library (SRL), ACL, CTIL, and
CTILManager libraries.  

2) Eliminated SFL dependency on the LibCert dynamic library to
reduce the complexity of integrating the SFL into applications.

3) Enhanced SFL to provide the signer's certificate that matches
the Issuer/Serial (or keyId) of an application-designated 
SignerInfo in a signedData object.  We also enhanced the SFL to
provide the encrypter's certificate that matches the 
Issuer/Serial (or keyId) of an application-designated 
originatorInfo in an envelopedData object.  This included
enhancing the SFL to use the SRL to store all certificates 
and CRLs extracted from the signedData or envelopedData objects 
into the SRL database.  

4) Enhanced SFL to optionally use the CML to build and validate:
recipients' certification paths as part of encrypting S/MIME 
messages; signer's certification path as part of verifying 
signed messages; and encrypter's certification path (if 
required for pairwise key generation) as part of decrypting 
a message.  This included enhancing the SFL to use the SRL to
retrieve certificates and CRLs from the SRL database.  These 
enhancements will significantly reduce the amount of time 
required by vendors to integrate the CML and SFL into their 
applications.

5) Enhanced SFL to use a standard Exception class that will
enable applications to catch all exceptions using the standard
class.  This enhancement will reduce the amount of time 
required to integrate the SFL, CML, ACL, and eSNACC libraries
into applications.  

6) SFL was updated to fix minor memory leaks and bugs.


v2.1 CTILs include the following enhancements (compared to
v2.0.1 release):

1) Eliminated the CTIL Manager Library dependency on the 
LibCert dynamic library to reduce the complexity of 
integrating the CTILs into applications.

2) Enhanced CTILs to decode and decrypt PKCS #12 files.
This eliminates the dependency on the OpenSSL library and
significantly reduces the size of the CTILs that used OpenSSL.  

3) Enhanced the CTIL API to allow all relevant crypto 
algorithm(s) (i.e. hash, signature, encryption, decryption, 
key management) to be specified per crypto operation.

4) Changed to use standard SMP Exception class derived 
from C++ std::exception class.  

5) MS CAPI CTIL was updated to fix minor memory leaks and bugs.


v2.1 CertificateBuilder utility includes the following enhancements
(compared to v2.0.1 release):

1) Added capability to generate X.509 (2000) Attribute Certificates
including X.501 Clearance attributes with user-selected values 
extracted from the Security Policy Information File (SPIF) for the
security policy.  

2) Added capability to generate ESSSecurityLabels.  

3) Enhanced to use the standard Exception class.


We are still in the process of enhancing and testing the SFL.  Future 
releases may include: additional PKCS #11 CTIL testing;  
"Certificate Management Messages over CMS" ASN.1 encode/decode 
functions; enhanced test routines; bug fixes; and support for
other operating systems. 

The SFL is developed to maximize portability to 32-bit operating 
systems.  In addition to testing on MS Windows, Linux and Solaris 2.8, 
we may port the SFL to other operating systems.

All source code for the SFL is being provided at no cost and with no 
financial limitations regarding its use and distribution. 
Organizations can use the SFL without paying any royalties or 
licensing fees.  Getronics is developing the SFL under contract to 
the U.S. Government.  The U.S. Government is furnishing the SFL
source code at no cost to the vendor subject to the conditions of 
the "SFL Public License".

On 14 January 2000, the U.S. Department of Commerce, Bureau of 
Export Administration published a new regulation implementing an update 
to the U.S. Government's encryption export policy 
<http://www.bxa.doc.gov/Encryption/Default.htm>.  In accordance with 
the revisions to the Export Administration Regulations (EAR) of 14 Jan 
2000, the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS 
and ESS processing independent of the crypto algorithms used to 
protect a specific object.  The SFL high-level library makes calls to 
an algorithm-independent CTIL API.  The underlying, external crypto
token libraries are not distributed as part of the SFL source code. 
The application developer must independently obtain these libraries and
then link them with the SFL.  
 
The SFL uses the CML and eSNACC ASN.1 Library to encode/decode
certificates, ACs, CRLs and components thereof.  The CML is freely
available at: <http://www.getronicsgov.com/hot/cml_home.htm>.

The SFL has been successfully tested in conjunction with the Access
Control Library (ACL) that is freely available to everyone from: 
<http://www.getronicsgov.com/hot/acl_home.htm>.

The National Institute of Standards and Technology (NIST) is providing 
test S/MIME messages (created by Getronics) at 
<http://csrc.nist.gov/pki/testing/x509paths.html>.  
Getronics used the SFL to successfully process the NIST test data.

NIST is using the SFL and CML as part of the NIST S/MIME Test 
Facility (NSMTF) that they are planning to host (see 
<http://csrc.ncsl.nist.gov/pki/smime/>).  Vendors will be able to use
the NSMTF to help determine if their products comply with the
IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile. 

The SFL has been integrated into many applications to provide CMS/ESS
security services.  For example, the SFL was integrated into a security
plug-in for a commercial e-mail application that enabled the 
application to meet the Bridge Certification Authority Demonstration 
Phase II requirements including implementing ESS features such as
security labels.

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>.  The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc.  Subscription
information for the imc-sfl mailing list is at the IMC web site
listed above.

All comments regarding the SFL source code and documents are welcome.  
This SFL release announcement was sent to several mail lists, but 
please send all messages regarding the SFL to the imc-sfl mail list 
ONLY.  Please do not send messages regarding the SFL to any of the IETF 
mail lists.  We will respond to all messages sent to the imc-sfl mail 
list.

============================================
John Pawling, John.Pawling@xxxxxxxxxxxxxxxx
Getronics Government Solutions, LLC
============================================