All, DigitalNet Government Solutions has delivered the Version 2.3 Certificate Management Library (CML) for Microsoft Windows, Sun Solaris and Linux. The v2.3 CML and documentation is freely available at: <http://www.digitalnet.com/knowledge/cml_home.htm>. Applications requiring Public Key Infrastructure (PKI) security services can use the CML to meet their X.509 certificate and Certificate Revocation List (CRL) processing requirements. The v2.3 CML is described in the v2.3 CML Application Programming Interface (API) document. It implements the 2000 X.509 Recommendation certification path verification processing rules and SDN.706 profile. It meets the majority of the IETF PKIX RFC 3280 Certificate/CRL Profile requirements. There are some unsupported features such as Delta CRLs. The v2.3 CML Abstract Syntax Notation One (ASN.1) decodes X.509 Certificates and CRLs. It requires the v1.6 Enhanced SNACC ASN.1 software that is freely available from: <http://www.digitalnet.com/knowledge/snacc_home.htm>. The CML provides robust certification path building capabilities such as using cross certificates. The CML uses the accompanying Storage and Retrieval Library (SRL) (optionally) to provide local certificate and CRL storage management functions. The SRL (optionally) provides remote directory retrieval capabilities using the Lightweight Directory Access Protocol (LDAP). The CML has been thoroughly tested including validating X.509 Certificates and CRLs created by a variety of Certification Authority (CA) products, and signed using the Digital Signature Algorithm (DSA) and RSA algorithms. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added. CML v2.3 includes the following enhancements (compared to v2.2 CML release): 1) Added optional bitmask field to the InitSettings_struct to allow the application to specify which CTILs the CML should load during CM_CreateSessionExt(). The application can use this bitmask field rather than pass in a pointer to a valid CTIL::CSM_CtilMgr object in the pTokenObj field of the InitSettings_struct.
2) Created new C++ function, CML::SetTrustAnchors(), to allow an application to specify the trusted public keys for a CML session even when the trusted keys don't appear in certificates.
3) Created new C++ class, TrustAnchor, that allows the the application to optionally specify additional path validation constraints on each trust anchor when calling CML::SetTrustAnchors(). The additional constraints that may be specified are the maximum path length to accept and the name constraints to apply.
4) Enhanced the CML cache and session code to be thread-safe. Applications may now safely share a single CML session amongst multiple threads.
5) Enhanced CML to check name constraints of email addresses included in DNs.
6) Optimized CML path building algorithm for use with the Federal Bridge Certification Authority (FBCA) hierarchy.
7) Added two new fields to the C++ CertMatchData structure, canSignCerts and canSignCrls. These new fields enable callers of the CML::RequestCerts() C++ function to optionally restrict the certificates returned to having those key usage privileges.
8) Fixed bug in the policy mapping processing of path validation. The CML wasn't properly rejecting paths when the special any-policy value appeared in a policy mappings extension.
9) Enhanced CRL retrieval and validation code so the CML will now retrieve and validate multiple CRLs if necessary to check all revocation reasons, even when no distribution point is present in the certificate. Previous versions of the CML would only check a single complete CRL if no distribution point was present.
10) Added ECDSA-with-SHA256 and ECDSA-with-SHA384 to list of CML supported signature algorithms.
v2.3 SRL includes the following enhancements (compared to v2.2 SRL release):
1) Enhanced SRL to perform HTTP and FTP URL retrievals. 2) Removed SRL code that caused some UNIX systems to hang under certain circumstances when performing an LDAP bind. With the removal of the offending code, the SRL now relies completely on the LDAP library to timeout when an LDAP server is unreachable during a bind operation. During testing, some LDAP libraries would take up to 3 minutes to return from an LDAP bind when the server was down or unreachable. All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. DigitalNet is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software.The CML makes calls to an algorithm-independent CTIL API that provides
access to a variety of external crypto libraries. There is a CTIL for
each crypto library that maps the generic CTIL API calls to the
specific calls for that crypto library. DigitalNet provides CTILs for
the Microsoft CAPI v2.0, Crypto++, RSA BSAFE, Spyrus SPEX/ and
FORTEZZA Cryptologic Interface libraries. DigitalNet also provides a
PKCS #11 CTIL that enables PKCS #11-compliant libraries to be used
with the CML. The underlying, external crypto libraries are not
distributed as part of the CML software.
The CML has been successfully tested with the v2.3 S/MIME Freeware
Library (SFL) that is freely available from
The CML has been successfully tested with the v2.3 Access Control
Library (ACL) that is freely available to everyone from:
The CML has been successfully used to build and verify
certificate paths used in the Bridge Certification Authority (BCA)
demonstration which includes cross-certified hierarchical and non-
hierarchical PKIs. The BCA Interoperability Test Suite (BITS)
is a free and openly available test resource provided to
facilitate vendor development of secure, interoperable Public
Key Enabled applications. The CML has been used to successfully
develop and verify the BITS X.509 certification paths available
The National Institute of Standards and Technology (NIST) is
providing a standard test suite of X.509 certificate paths
<http://csrc.nist.gov/pki/testing/x509paths.html> that can be
used for testing applications against RFC 2459. The CML was
used to successfully process the NIST test data.
The CML meets the requirements stated in the SDN.706 Certificate/
CRL Profile required by the U.S. Defense Message System (DMS)
The Internet Mail Consortium (IMC) has established a CML web page
<http://www.imc.org/imc-cml> and a CML mail list which is used to:
distribute information regarding CML releases; discuss CML-related
issues; and allow CML users to provide feedback, comments, bug
reports, etc. Subscription information for the imc-cml mailing list
is at the IMC web site listed above.
All comments regarding the CML source code and documents are welcome.
This CML release announcement was sent to several mail lists, but
please send all messages regarding the CML to the imc-cml mail list
ONLY. Please do not send messages regarding the CML to any of the IETF
mail lists. We will respond to all messages sent to the imc-cml mail
-- Matthew J. Bertapelle DigitalNet Government Solution, LLC www.DigitalNet.com