
RE: Issues compiling auto_hi classes (and others issues)


I just want to make sure that everything is OK concerning my "NEW"
understanding of SFL - CML - SRL.
Here are some definitions:

MY_APP: my application
SFL: the SFL Lib
CML: the CML Lib
SRL: the SRL Lib
MY_CALLBACK: my custom CallBack Function
MY_CUSTOM_X509_STORE: my own store implemented with its own API

Here is the order of processing steps:

I- MY_APP calls CML to search for a specific Cert.
   I.1- CML calls MY_CALLBACK to search for the specific Cert.
   I.2- MY_CALLBACK calls SRL to search internally for the specific Cert.
        I.2.1- SRL returns to my callback with NO_CERT_FOUND (kind of)
   I.3- MY_CALLBACK calls MY_CUSTOM_X509_STORE to search for the Cert.
        I.3.1- MY_CUSTOM_X509_STORE returns CERT_FOUND (with the Cert).
   I.4- MY_CALLBACK returns to CML the Cert found.
   I.5- CML returns to MY_APP the Cert found.
II- MY_APP calls SFL with the Cert found.

Does it look like the way to proceed?  So basically, it is MY_CALLBACK that
will internally call SRL and then MY_CUSTOM_X509_STORE in order to achieve
what I want...

-----Original Message-----
From: owner-imc-sfl@xxxxxxxxxxxx [mailto:owner-imc-sfl@xxxxxxxxxxxx]On
Behalf Of Nicholas, Richard
Sent: 19 March 2001 13:31
To: 'Simon Blanchet'
Cc: imc-sfl@xxxxxxx
Subject: RE: Issues compiling auto_hi classes (and others issues)


I'll leave question #1 for someone else, and try to answer #2.

> (Question #2)
> From my understanding of SFL - CML - SRL now it looks like CML (v1.9) is
> only used to provide Cert Path Validation and High Level access to "the real
> implementation of a cert store".  The Storage is handled by SRL.  I got some
> questions concerning CML vs SRL:
> 2.1 Is there a way to use Crypto++ (instead of RSA BSAFE) for the
> cryptographic functions needed by CML for path processing?  How?

The CML has two cryptographic interfaces, an internal one to make DSA,
SHA-1, RSA, MDx calls directly for signature verification, and the SFL CTIL
interface.  If you want to use the CTIL interface, simply provide a pointer
to a valid CSMIME object during the call to CM_CreateSessionExt().  (CSMIME
is sort of a container for CTIL instances.)

> 2.2 Is there a way to use SFL with CML (for path validation processing and
> high level access to storage) with SRL (for storage only) and finally with a
> custom-made CallBack_Function (only for certificate retrieval)?

Not with the current version of the SFL, which doesn't use the CML at all.
The next version (v2.0, I believe) will support some level of CML & SRL
integration.  Exactly how tightly they will be integrated is TBD.

> To be more precise:  Let's say that someone wants to use SRL to store the
> certificates but he doesn't want to use the default retrieval using a
> LDAP_Client-provided library.  What he wants to do is more:
> I- SFL needs someone's certificate to encrypt
> II- SFL calls CML to ask for the certificate
> III- CML calls SRL to ask for the certificate
> IV- SRL doesn't find the certificate asked for...
> V- CML (or SRL at this point?) uses the "Custom_Made" CallBack Function to
> retrieve the certificate
> At step V let's just say that the certificate is not found locally, nor is it
> available in an LDAP directory.  The certificate can be found at another
> place using a Custom_Made function...  I hope you got it.
> The question is:  Is it feasible?  How?
> I was reading in the CML API doc (v1.9) that there are 3 different functions
> that can be provided to CM_CreateSessionExt()...  I have kind of an idea
> about how to do it but I'm really not sure if it will work (or if CML was
> designed for this specific case mentioned above).

As mentioned above, the current SFL does not call the CML.  I don't know if
the specific scenario you describe will be implemented in SFL v2.0 or not
(i.e., SFL calling CML to get a recipient's encryption certificate.)  I
suspect the finding of the correct recipient's certificate for outgoing
messages will likely still be an application responsibility.

I don't think the processing steps you listed above (I - V) would be the way
to go in any case.  The CML architecture already supports app-provided
callback functions for requesting objects (certs & CRLs).  (The CML
architecture was designed this way so that the SRL can be eliminated
altogether.)  I'd suggest you simply implement those callback functions to
call the SRL directly first, and then, if the cert or CRL is not found there,
the function can call your app-specific retrieval/search function.

Hope that helps.

- Rich
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
(301) 939-2722

> |=========================================
> | Simon Blanchet
> | Software Designer
> |
> | Email: sblanche@xxxxxxxxxx
> |=========================================
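The chained lookup that both messages describe (the callback asks the SRL first and falls back to the application's own store only on a miss) can be sketched in C. The following is an added illustration written for this thread, not code from the SFL, CML or SRL; every type, function and status value in it (`cert_entry`, `srl_lookup`, `custom_lookup`, `LOOKUP_FOUND`, the two in-memory stores) is a hypothetical stand-in for the real APIs, and the store contents are constructed sample data.

```c
/* Chained certificate-retrieval callback, as discussed in the thread:
 * query the SRL first, then MY_CUSTOM_X509_STORE, and report which
 * backend answered. All names here are hypothetical stand-ins; none
 * of them are the real CML/SRL API (assumption for illustration). */
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes returned by the lookup functions. */
enum lookup_status { LOOKUP_FOUND = 0, LOOKUP_NOT_FOUND = 1 };

/* Which backend satisfied the request; worth recording for audit logs. */
enum lookup_source { SOURCE_NONE = 0, SOURCE_SRL = 1, SOURCE_CUSTOM = 2 };

/* Minimal certificate record keyed by subject DN. The "der" field is a
 * constructed placeholder standing in for the encoded certificate. */
struct cert_entry {
    const char *subject_dn;
    const char *der;
};

/* Constructed sample contents of the SRL-managed store. */
static const struct cert_entry srl_store[] = {
    { "CN=Alice,O=Example", "DER-ALICE" },
};

/* Constructed sample contents of MY_CUSTOM_X509_STORE. */
static const struct cert_entry custom_store[] = {
    { "CN=Bob,O=Example", "DER-BOB" },
};

/* Linear search of one store by subject DN; NULL when absent. */
static const struct cert_entry *find_in(const struct cert_entry *store,
                                        size_t n, const char *dn)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject_dn, dn) == 0)
            return &store[i];
    return NULL;
}

/* Stand-in for the SRL query (hypothetical). */
static enum lookup_status srl_lookup(const char *dn,
                                     const struct cert_entry **out)
{
    *out = find_in(srl_store, sizeof srl_store / sizeof srl_store[0], dn);
    return *out ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
}

/* Stand-in for the MY_CUSTOM_X509_STORE query (hypothetical). */
static enum lookup_status custom_lookup(const char *dn,
                                        const struct cert_entry **out)
{
    *out = find_in(custom_store,
                   sizeof custom_store / sizeof custom_store[0], dn);
    return *out ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
}

/* MY_CALLBACK: the function the application would register with CML.
 * It only retrieves a candidate; path validation stays with CML. */
enum lookup_status my_cert_callback(const char *dn,
                                    const struct cert_entry **out,
                                    enum lookup_source *src)
{
    *out = NULL;
    *src = SOURCE_NONE;
    if (srl_lookup(dn, out) == LOOKUP_FOUND) {        /* step I.2 */
        *src = SOURCE_SRL;
        return LOOKUP_FOUND;
    }
    if (custom_lookup(dn, out) == LOOKUP_FOUND) {     /* step I.3 */
        *src = SOURCE_CUSTOM;
        return LOOKUP_FOUND;
    }
    return LOOKUP_NOT_FOUND;                          /* neither store */
}

/* Convenience wrappers returning plain ints for callers and tests. */
int lookup_status_for(const char *dn)
{
    const struct cert_entry *c; enum lookup_source s;
    return (int)my_cert_callback(dn, &c, &s);
}

int lookup_source_for(const char *dn)
{
    const struct cert_entry *c; enum lookup_source s;
    my_cert_callback(dn, &c, &s);
    return (int)s;
}

int main(void)
{
    const char *dns[] = { "CN=Alice,O=Example", "CN=Bob,O=Example",
                          "CN=Carol,O=Example" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s status=%d source=%d\n", dns[i],
               lookup_status_for(dns[i]), lookup_source_for(dns[i]));
    return 0;
}
```

The point of recording the source is that a certificate served from the application's own store arrived through a path the SRL never saw, so logging which backend answered makes later incident review straightforward; either way, the callback returns only a candidate, and CML's path validation decides whether it is trusted.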