
FW: Newbie questions

-----Original Message-----
From: Colestock, Robert 
Sent: Tuesday, July 31, 2001 3:36 PM
To: 'green@xxxxxxxxxxx'
Cc: Pawling, John
Subject: RE: Newbie questions


Sorry about your frustration.  First, let me mention that our library was
not intended to build or sign certificates.  We have a primitive (VERY
PRIMITIVE) capability to build certificates for unit development folder
testing of various public/private keys.  There is no documentation on any of
our test utilities (there is a limited GUIDE on certain features).  The
library focus is on building the SignedData and EnvelopedData components of
e-mail messages.

As to demonstrating the code, the autoHi test utility, though
all-encompassing, does demonstrate all library features.  For sign, verify,
encrypt and decrypt operations, each is handled by its own class (e.g.
CL_MsgToSign, in ./SMIME/testsrc/util/sm_CLMsgToSign.cpp) where each class
reads a simple configuration file containing strings for the various
components then performs the indicated operations (e.g. Signing the content
and producing a binary ASN.1 encoded SignedData).  This approach seemed
simple enough for demonstration purposes, but since all of our functionality
is contained in this one main program I can understand confusion (you are
not alone).  All of these test program sources perform a Fill(...), process,
then report on the results based on the configuration file (all performed by
the Check(...) function).  The master configuration file for our deliveries
is in ./SMIME/test/autohiAllSFLd.cfg.

Sorry again about the "CSM_CSInst::SetApplicable()" flag usage.  This design
goal has turned out to be a disaster for users, the original intent has
never been utilized.  The next release will default all of these flags on
since most users intend to use all defined logins, not a subset of logins.

As to a FAQ, I have been adding any such comments to the documentation
available on the web site as deliveries have been made.  I have also been
adding comments to the various README files in the root directory, ./SMIME.
Most of the details you seek are in the source code demonstrating the SFL
library usage.

As to building certificates using the CertificateBuilder GUI you mention;
don't.  It does build certificates (RSA included), but you need the newer
unreleased version for more reliability.  Your version also will not
self-sign a certificate; it requires one of our test logins.  Your command
line version does not build private keys, the newer one will build PKCS12
files for RSA and DSA.  The input to the command line version is a
configuration file indicating the certificate details as well as the login.
The source is provided in the release (./SMIME/CertificateBuilderCL).  You
are correct in your observation about the key generation, since the SFL has
no need to generate keys, the API is not published.  The CertificateBuilder
utility makes calls to the Free3 CTIL classes detailed in
./SMIME/alg_libs/sm_free3, sm_CryptoKeysF3Rsa.h, sm_CryptoKeysDH.h,
sm_CryptoKeysDSA.h.  There is very limited functionality in these classes,
since the test certificates keys were not important to our testing.

<<<<Lastly, there is something horrible happening to the stack when we do:
As to this error, I have found a problem on the Linux system if the
specified file does not exist.  It appears to core dump, instead of properly
returning an error string on the exception stack.  I will investigate this
further, and pre-check for the existence of a specified file if possible,
but for now you can check to be sure that the file exists (stat call before
the AppLogin constructor).  I suspect the core dump has something to do with
the fact that the CTIL is a dynamically loaded shared object; the exception
stack sometimes has problems.  It works properly on the MS Windows platform.

Bob Colestock

-----Original Message-----
From: Darryl Green [mailto:green@xxxxxxxxxxx]
Sent: Thursday, July 12, 2001 10:15 PM
To: imc-sfl@xxxxxxx
Subject: Newbie questions

We have been gradually figuring out how to use SFL and seem to be able to
get signing to work (after we picked up on the need to use
CSM_CSInst::SetApplicable() as per an earlier reply in the archive).
However, we still have a number of questions we can't seem to figure out
from the doco or a trawl through the archives.

First question is - is there a FAQ? Or a collection of really simple
snippets that do some basic things (sign, verify would probably be enough).
The scope of the overall SFL libs means that it is hard to get a handle on
things to start off with, but I don't want to pester the list for help with
"trivial" problems.

We are trying to produce a cross-platform system (Linux and Windows) using
the free3 CTIL and RSA (algorithm, not BSAFE). Among other things, we need
to be able to produce a root CA cert and then issue further certs with
this. We want to do this on both Linux and Windows platforms. The main areas
we are not clear on at this stage are:

Is it possible to generate RSA keys using SFL with the free3 CTIL rather
than using openssl tools to produce them in PKCS12 format? I don't seem to
be able to find anything on key generation in the doco (or by digging about
in the code)?

I also noted that there are some issues with producing certificates - we
have been trying to figure out how to do so (unsuccessfully so far). We have
considered approaching this from various levels and have the following

Can the CertificateBuilder app actually produce (RSA) certs without an
existing cert using free3 CTIL?

I don't really understand what the GUI requires be filled in to actually
produce a cert or where it looks for the signature to issue the cert for
and/or the issuer's login info? I hear mention of a non-GUI
CertificateBuilder? Does this actually exist?

Lastly, there is something horrible happening to the stack when we do:

  int result = -1;
  char inputfile[] = "inputfile.txt";
  char outputfile[] = "outputfile.txt";

  // stack ok

  // CTIL login string: shared object name, then "<ctil> <pkcs12 file> <password>"
  CSM_AppLogin login("libsm_free3DLL", "sm_free3dll newcert.p12 password");

  // outputfile[] corrupted
  // ....


This is on a Linux box - have yet to try on Windows. Is there something we
are doing wrong here?

Darryl Green
Project Manager, Realtime Systems
TAB Queensland Limited
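Bob's workaround for the Linux core dump (a stat call before the AppLogin constructor) applied to Darryl's login string, as an added example that is not SFL code: it assumes the "<ctil> <pkcs12 file> <password>" token layout shown in the post, and the helper names and the placeholder file it writes are constructed for illustration.

```cpp
#include <cstdio>
#include <fstream>
#include <sstream>
#include <string>
#include <sys/stat.h>

// Extract the PKCS#12 path from a CTIL login string such as
// "sm_free3dll newcert.p12 password" (the second whitespace-separated token).
std::string p12PathFromLogin(const std::string& login) {
    std::istringstream in(login);
    std::string ctil, path;
    in >> ctil >> path;
    return path;  // empty when the string has fewer than two tokens
}

// stat(2) pre-check: true only when the path names an existing regular file.
bool regularFileExists(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode);
}

// Returns "" when the login string is safe to hand to the CSM_AppLogin
// constructor, otherwise a diagnostic the caller can log or return instead
// of relying on the CTIL's exception stack.
std::string checkLoginString(const std::string& login) {
    std::string path = p12PathFromLogin(login);
    if (path.empty()) return "login string lacks a PKCS#12 file name";
    if (!regularFileExists(path)) return "PKCS#12 file not found: " + path;
    return "";
}

// Writes a constructed placeholder file (not a real PKCS#12 blob) so the
// check can be exercised stand-alone.
bool writePlaceholder(const std::string& path) {
    std::ofstream out(path.c_str(), std::ios::binary);
    out << "constructed placeholder, not a real PKCS#12 blob";
    return static_cast<bool>(out);
}

int main() {
    const std::string login = "sm_free3dll newcert.p12 password";
    std::string err = checkLoginString(login);          // file absent: error
    std::printf("before: %s\n", err.empty() ? "ok" : err.c_str());
    writePlaceholder("newcert.p12");
    err = checkLoginString(login);                      // file present: ok
    std::printf("after:  %s\n", err.empty() ? "ok" : err.c_str());
    std::remove("newcert.p12");
    // Only on an empty diagnostic would CSM_AppLogin(...) be constructed.
    return 0;
}
```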