Getronics Government Solutions has delivered Version 2.0 of the
S/MIME Freeware Library (SFL) source code. The SFL source code files
are freely available at <http://www.getronicsgov.com/hot/sfl_home.htm>.

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message
Syntax (CMS) security protocol to support the digital signature and
encryption of data. It also implements RFC 2634 Enhanced Security
Services (ESS) including signed receipts, security labels, secure mail
list information, and signing certificate attributes. It also
implements portions of the RFC 2633 Message Specification and RFC 2632
Certificate Handling document. When used in conjunction with the
Crypto++ freeware library, the SFL implements the RFC 2631 Diffie-
Hellman (D-H) Key Agreement Method specification. It has been
successfully tested using the Microsoft (MS) Windows NT/98/2000, Linux
and Sun Solaris 2.7 operating systems. Further enhancements of the SFL
are still in process. Further releases will be provided as significant
capabilities are added.

The SFL has been successfully used to sign, verify, encrypt and decrypt
CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the
Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE v4.2
and Crypto++ libraries; and Fortezza suite of algorithms provided by
the Fortezza Crypto Card. The v2.0 SFL uses the v1.3 R7 Enhanced SNACC
ASN.1 C++ Library to encode/decode objects. The v2.0 SFL release includes:
SFL High-level library; Free (a.k.a. Crypto++) Crypto Token Interface
Library (CTIL); BSAFE CTIL; Fortezza CTIL; SPEX/ 2 CTIL; PKCS #11 CTIL;
Microsoft CAPI v2.0 CTIL; v1.3 R7 Enhanced SNACC ASN.1 Compiler and Library;
test utilities; test drivers; and test data. All CTILs were tested as
Dynamically Linked Libraries (DLL) using MS Windows. The Fortezza, BSAFE
and Crypto++ CTILs were tested with the respective security libraries as
shared objects using Linux and Solaris 2.7.

The SFL has been successfully used to exchange signedData and envelopedData
messages with the Microsoft (MS) Internet Explorer Outlook Express v4.01,
Netscape Communicator 4.X, Entrust and Baltimore S/MIME products. Signed
messages have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2

The SFL has also been used to perform S/MIME v3 interoperability testing
with Microsoft that exercised the majority of the features specified by
RFCs 2630, 2631 and 2634. This testing included the RSA, DSA, E-S D-H,
3DES, SHA and Fortezza algorithms. We used the SFL to successfully process
all of the SFL-supported sample data included in the S/MIME WG "Examples of
S/MIME Messages" document. We also used the SFL to generate S/MIME v3
sample messages that were included in the "Examples" document.

The use of the v2.0 SFL is described in the v2.0 SFL Application
Programming Interface (API) and v2.0 SDD documents. The v2.0 SMP
Components Setup Manual describes the component installation
procedures for the v2.0 SFL, v2.0 Certificate Management Library (CML),
and v1.3 R7 Enhanced SNACC libraries. The use of the v2.0 CTIL API is
described in the v2.0 CTIL API document.

The following enhancements are included in the v2.0 SFL and CTIL releases
(compared with the v1.10 releases):
1) Moved common code in LibCert associated with using the CTIL API into
a new CTILManager library. Changed SFL to call new CTILManager library
instead of LibCert to obtain CTIL-related services.
2) Developed MS CAPI CTIL to provide access to these crypto algorithms
provided by MS CAPI v2.0: Triple-DES and RC2 for encryption/decryption;
RSA for key management; SHA-1 and MD5 for hashing; DSA and RSA for
signature generation/verification. Tested SFL with MS CAPI CTIL using
MS CAPI v2.0 with the MS Cryptographic Service Provider (CSP). Tested
MS CAPI CTIL using MS CAPI v2.0 with the DataKey CSP and smart card.
3) Enhanced SFL and CTILs to maximize thread-safety. Enhanced the CTILs
to be single-threaded in case a user attempts to share a single login.
4) Enhanced SFL to call v2.0 CML to decode certificates, Certificate
Revocation Lists, and components thereof.

v2.0 SFL API: The v2.0 SFL and CTILs provide the same APIs as
the v1.10 SFL and CTILs except that the SFL and CTIL symbols
are each contained in their own namespace (see below). Also, the CSM_OID
and CSMIME classes are provided by the v1.3 R7 Enhanced SNACC C++ ASN.1
Library AsnOid class (updated to include CSM_OID, but unchanged from the
Enhanced SNACC point of view).

Namespace: The v2.0 libraries use the "namespace" feature. The symbols for
each library are contained in its own namespace: SFL, CERT, CTIL, SNACC,
acl, CML. The namespace feature allows the compiler to isolate the symbols
for each library. This enhancement has a minor impact on source code
that uses the libraries. The integrator will need to add a few
lines of code to each source code file (or, possibly, in an include file)
stating that the appropriate namespaces are being used such as:
"using namespace SFL;".

We are still in the process of enhancing the SFL. Future releases may
include: new features of updated S/MIME specifications (such as
compression, password-protected RecipientInfo, etc); "Certificate
Management Messages over CMS" ASN.1 encode/decode functions; bug fixes;
and support for other crypto APIs. The SFL is developed to maximize
portability to 32-bit operating systems. In addition to testing on
MS Windows, Linux and Solaris 2.7, we may port the SFL to other

The following SFL files are available from
1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL
API, Software Test Description, Implementers Guide, Overview Briefing and
2) smimeR2.0.tar.gz: Source code, MS Windows NT/95/98/2000 project files
and Unix makefiles for SFL Hi-Level library.
3) snacc13r7rn.tar.gz (source code and binaries available from Getronics
Enhanced SNACC web page: <http://www.getronicsgov.com/hot/snacc_home.htm>):
Source code, MS Windows NT/95/98/2000 project files and Unix makefiles for
v1.3 R7 Enhanced SNACC ASN.1 Compiler and Library that has been enhanced by
Getronics to implement the Distinguished Encoding Rules. Source code is
compilable for Linux, Solaris 2.7 and MS Windows NT/95/98/2000. This
file includes a sample test project demonstrating the use of the SNACC
4) smCTIR2.0.tar.gz: Source code, MS Windows NT/95/98/2000 project files
and Unix makefiles for the following CTILs: Test (no crypto), Crypto++,
BSAFE, Fortezza, SPEX/ 2, PKCS #11 and Microsoft CAPI v2.0. The CTIL
source code includes PKCS #12 software developed by the OpenSSL Project
for use in the OpenSSL Toolkit <http://www.openssl.org/>
5) smLibCR2.0.tar.gz: Source code, MS Windows NT/98/2000 project files and
Unix makefiles for the CTILManager library that provides CTIL-related
processing services used by the SFL, ACL and CML.
6) smTest2.0.tar.gz: Source code, MS Windows NT/98/2000 project files and
Unix makefiles for test drivers used to test the SFL. This file also
includes sample CMS/ESS test data and test X.509 Certificates. This file
also includes the CertificateBuilder test utility that can be used to
create X.509 Certificates that each include a DSA or RSA public key.
7) csmime.mdl contains SFL Class diagrams created using Microsoft
Visual Modeler (comes with MS Visual Studio 6.0, Enterprise Tools).
The file can also be viewed using Rational Rose C++ Demo 4.0
45 day evaluation copy which can be obtained from
Not all classes are documented in the MDL file at this time.

All source code for the SFL is being provided at no cost and with no
financial limitations regarding its use and distribution.
Organizations can use the SFL without paying any royalties or
licensing fees. Getronics is developing the SFL under contract to
the U.S. Government. The U.S. Government is furnishing the SFL
source code at no cost to the vendor subject to the conditions of
the "SFL Public License".

On 14 January 2000, the U.S. Department of Commerce, Bureau of
Export Administration published a new regulation implementing an update
to the U.S. Government's encryption export policy
<http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with
the revisions to the Export Administration Regulations (EAR) of 14 Jan
2000, the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS
and ESS processing independent of the crypto algorithms used to
protect a specific object. The SFL high-level library makes calls to
an algorithm-independent CTIL API. The underlying, external crypto
token libraries are not distributed as part of the SFL source code.
The application developer must independently obtain these libraries and
then link them with the SFL.

The SFL uses the CML and Enhanced SNACC ASN.1 Library to encode/decode
X.509 certificates, attribute certificates, Certificate Revocation Lists,
and components thereof. The CML is freely available at:
<http://www.getronicsgov.com/hot/cml_home.htm>.

The SFL has been successfully tested in conjunction with the Access
Control Library (ACL) that is freely available to everyone at:

The National Institute of Standards and Technology (NIST) is providing
test S/MIME messages (created by Getronics) at
<http://csrc.nist.gov/pki/testing/x509paths.html>. Getronics used the
SFL to successfully process the NIST test data.

NIST is using the SFL and CML as part of the NIST S/MIME Test Facility
(NSMTF) that they are planning to host (see
<http://csrc.ncsl.nist.gov/pki/smime/>). Vendors will be able to use
the NSMTF to help determine if their products comply with the
IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile.

The SFL has been integrated into many applications to provide CMS/ESS
security services. For example, the SFL was integrated into a security
plug-in for a commercial e-mail application that enabled the
application to meet the Bridge Certification Authority Demonstration
Phase II requirements including implementing ESS features such as

The Internet Mail Consortium (IMC) has established an SFL web page
<http://www.imc.org/imc-sfl>. The IMC has also established an SFL
mail list which is used to: distribute information regarding SFL
releases; discuss SFL-related issues; and provide a means for SFL
users to provide feedback, comments, bug reports, etc. Subscription
information for the imc-sfl mailing list is at the IMC web site

All comments regarding the SFL source code and documents are welcome.
This SFL release announcement was sent to several mail lists, but
please send all messages regarding the SFL to the imc-sfl mail list
ONLY. Please do not send messages regarding the SFL to any of the IETF
mail lists. We will respond to all messages sent to the imc-sfl mail

John Pawling, John.Pawling@xxxxxxxxxxxxxxxx
Getronics Government Solutions, LLC