Matt Bertapelle | 22 Jun 20:08 2004

v2.4 S/MIME Freeware Library (SFL) Now Available

All, DigitalNet Government Solutions has delivered the Version 2.4 S/MIME Freeware Library (SFL) source code. The SFL source code files and documents are freely available at <http://www.digitalnet.com/knowledge/sfl_home.htm>. The SFL implements the IETF S/MIME v3 RFC 3369 Cryptographic Message Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications. It implements portions of the RFC 2633 Message Specification, RFC 2632 Certificate Handling, and RFC 3370 CMS Algorithms specifications. When used in conjunction with the Crypto++ freeware library, the SFL implements the RFC 2631 Diffie-Hellman (D-H) Key Agreement Method specification. It has been successfully tested using the Microsoft (MS) Windows 2000/XP, Linux and Sun Solaris 2.8 operating systems. Further enhancements, ports and testing of the SFL are still in process. Further releases of the SFL will be provided as significant capabilities are added. The SFL has been successfully used to sign, verify, encrypt and decrypt CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE 6.0 Crypto-C and Crypto++ libraries; and Fortezza suite of algorithms provided by the Fortezza Crypto Card. The v2.4 SFL uses the v2.4 Certificate Management Library (CML) and v1.6 Enhanced SNACC (eSNACC) ASN.1 C++ Library to encode/decode objects. The v2.4 SFL release includes: SFL High-level library; Free (a.k.a. Crypto++) Crypto Token Interface Library (CTIL); BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL; Microsoft CAPI v2.0 CTIL; test utilities; test drivers; and test data. All CTILs were tested as Dynamically Linked Libraries (DLL) using MS Windows. The Fortezza, BSAFE and Crypto++ CTILs were tested with the respective security libraries as shared objects using Linux and Solaris 2.8. The SFL has been successfully used to exchange signedData and envelopedData messages with the MS Internet Explorer Outlook Express v4.01, Netscape Communicator 4.X, Entrust and Baltimore S/MIME products. Signed messages have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2 products. The SFL has also been used to perform S/MIME v3 interoperability testing with Microsoft that exercised the majority of the features specified by RFCs 3369, 3370, 2631 and 2634. This testing included the RSA, DSA, E-S D-H, 3DES, SHA and Fortezza algorithms. We used the SFL to successfully process the SFL-supported sample data included in the S/MIME WG "Examples of S/MIME Messages" document. We also used the SFL to generate S/MIME v3 sample messages that were included in the "Examples" document. The use of the v2.4 SFL is described in the v2.4 SFL Application Programming Interface (API) and v2.4 SFL Software Design Description documents. The use of the v2.4 CTIL API is described in the v2.4 CTIL API document. v2.4 SFL includes the following enhancements (compared to v2.3 SFL and CTIL releases):
1) Added support for the creation and processing of the RFC 3161-compliant Time Stamp Token content type.

2) Enhanced API to accomodate reciept hash.

3) Enhanced ASN.1 encode/decode functions with "Certificate Management Messages over CMS".

v2.4 CTILs include the following enhancements (compared to v2.3 release): 1) Added PKCS#11 interface for Crypto++. 2) Added key generation library for generating public/private key pairs, wrapping the private keys, and generating PKCS#12 files. 3) Added support for RFC 2437 PKCS #1 Optimal Asymetric Encryption Padding (RSAES-OAEP) key transport method of key management. The SFL is developed to maximize portability to 32-bit operating systems. In addition to testing on MS Windows, Linux and Solaris 2.8, we may port the SFL to other operating systems. All source code for the SFL is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the SFL without paying any royalties or licensing fees. DigitalNet is developing the SFL under contract to the U.S. Government. The U.S. Government is furnishing the SFL source code at no cost to the vendor subject to the conditions of the "SFL Public License". On 14 January 2000, the U.S. Department of Commerce, Bureau of Export Administration published a new regulation implementing an update to the U.S. Government's encryption export policy <http://www.bxa.doc.gov/Encryption/Default.htm>. In accordance with the revisions to the Export Administration Regulations (EAR) of 14 Jan 2000, the downloading of the SFL source code is not password controlled. The SFL is composed of a high-level library that performs generic CMS and ESS processing independent of the crypto algorithms used to protect a specific object. The SFL high-level library makes calls to an algorithm-independent CTIL API. The underlying, external crypto token libraries are not distributed as part of the SFL source code. The application developer must independently obtain these libraries and then link them with the SFL. The SFL uses the CML and eSNACC ASN.1 Library to encode/decode certificates, ACs, CRLs and components thereof. The CML is freely available at: <http://www.DigitalNet.com/knowledge/cml_home.htm>. The SFL has been successfully tested in conjunction with the Access Control Library (ACL) that is freely available to everyone from: <http://www.DigitalNet.com/knowledge/acl_home.htm>. The National Institute of Standards and Technology (NIST) is providing test S/MIME messages (created by DigitalNet) at <http://csrc.nist.gov/pki/testing/x509paths.html>. DigitalNet used the SFL to successfully process the NIST test data. NIST is using the SFL and CML as part of the NIST S/MIME Test Facility (NSMTF) that they are planning to host (see <http://csrc.ncsl.nist.gov/pki/smime/>). Vendors will be able to use the NSMTF to help determine if their products comply with the IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile. The SFL has been integrated into many applications to provide CMS/ESS security services. For example, the SFL was integrated into a security plug-in for a commercial e-mail application that enabled the application to meet the Bridge Certification Authority Demonstration Phase II requirements including implementing ESS features such as security labels. The Internet Mail Consortium (IMC) has established an SFL web page <http://www.imc.org/imc-sfl>. The IMC has also established an SFL mail list which is used to: distribute information regarding SFL releases; discuss SFL-related issues; and provide a means for SFL users to provide feedback, comments, bug reports, etc. Subscription information for the imc-sfl mailing list is at the IMC web site listed above. All comments regarding the SFL source code and documents are welcome. This SFL release announcement was sent to several mail lists, but please send all messages regarding the SFL to the imc-sfl mail list ONLY. Please do not send messages regarding the SFL to any of the IETF mail lists. We will respond to all messages sent to the imc-sfl mail list. -- -- Matthew J. Bertapelle DigitalNet Government Solutions, LLC www.DigitalNet.com
Matt Bertapelle | 22 Jun 20:08 2004

v1.7 Enhanced SNACC Freeware Now Available

All,
DigitalNet Government Solutions has delivered the v1.7 eSNACC Abstract Syntax Notation.1 (ASN.1) Compiler, C++ library and C library source code compilable for Linux, Sun Solaris 2.8 and Microsoft (MS) Windows NT/98/2000/XP. The eSNACC software is freely available to everyone from: <http://digitalnet.com/knowledge/snacc_home.htm> The eSNACC ASN.1 software can be used to ASN.1 encode and decode objects. In past releases, DigitalNet improved the eSNACC C++ library to implement the Distinguished Encoding Rules (DER), support large ASN.1 INTEGERs, and improve memory usage. v1.7 eSNACC enhancements (compared to v1.6 release): 1) Added support for Packed Encoding Rules for C++. 2) Added support for string contraints checking in C++. 3) Enhanced the ASN.1 C library to provide equivalent capabilities of the ASN.1 C++ library, such as string content checking and UTF8 string bug fix). 4) Added support for relative-OID types. 5) Enhanced support for extensibility of 2002 ASN.1 syntax. We successfully tested the v1.7 eSNACC ASN.1 C++ and C libraries using the Simple Network Management Protocol (SNMP) v1 test suite (18,000 test cases) developed by the University of Oulu. We tested the v1.7 eSNACC release with the v2.3 S/MIME Freeware Library (SFL) available from <http://www.digitalnet.com/knowledge/sfl_home.htm> that uses the eSNACC ASN.1 software to encode and decode the IETF S/MIME v3 Cryptographic Message Syntax (RFC 3369) and Enhanced Security Services for S/MIME (RFC 2634) security protocol. We tested the v1.7 eSNACC release with the freeware v2.3 Certificate Management Library (CML) available from <http://www.digitalnet.com/knowledge/cml_home.htm> that uses the eSNACC ASN.1 software to encode and decode X.509 certificates, attribute certificates and Certificate Revocation Lists as specified in the 2000 X.509 Recommendation. We tested the v1.7 eSNACC release with the freeware v2.3 Access Control Library (ACL) available from <http://www.digitalnet.com/knowledge/acl_home.htm> that uses the eSNACC ASN.1 software to encode and decode security labels and other objects (such as Security Policy Information Files) required to provide rule based automated access control as specified in SDN.801. The eSNACC ASN.1 software implements the majority of the ASN.1 encoding/decoding rules as specified in the 1988 X.209 Recommendation. It implements the DER as specified in the 1997 X.690 Recommendation. It does not support all of the latest ASN.1 features, but there are strategies that allow it to be used to produce ASN.1 hex encodings that are identical to those produced by ASN.1 libraries that do support the latest ASN.1 features. Also note that many of the PKIX specs, such as RFC 3280 and RFC 2630, include 1988-compliant ASN.1 syntax modules which can be compiled using the eSNACC compiler. The eSNACC ASN.1 library is totally unencumbered as stated in the Enhanced SNACC Software Public License. All source code for the eSNACC software is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the eSNACC software without paying any royalties or licensing fees. The Internet Mail Consortium (IMC) has established an eSNACC web page <http://www.imc.org/imc-snacc/>. The IMC has established an eSNACC mail list which is used to: distribute information regarding eSNACC releases; discuss related issues; and provide a means for integrators to provide feedback, comments, bug reports, etc. Subscription information for the imc-snacc mail list is at the IMC web site listed above. We welcome all feedback regarding the eSNACC software. If bugs are reported, we will investigate each reported bug and, if required, produce a patch or an updated release of the software to repair the bug. This release announcement was sent to several mail lists, but please send all messages regarding the eSNACC software to the imc-snacc mail list ONLY. Please do not send messages regarding the eSNACC software to any of the IETF mail lists. We will respond to all messages sent to the imc-snacc mail list. -- -- Matthew J. Bertapelle DigitalNet Government Solutions, LLC www.DigitalNet.com
Matt Bertapelle | 22 Jun 20:08 2004

v2.4 Certificate Management Library (CML) Now Available

All, DigitalNet Government Solutions has delivered the Version 2.4 Certificate Management Library (CML) for Microsoft Windows, Sun Solaris and Linux. The v2.4 CML and documentation is freely available at: <http://www.digitalnet.com/knowledge/cml_home.htm>. Applications requiring Public Key Infrastructure (PKI) security services can use the CML to meet their X.509 certificate and Certificate Revocation List (CRL) processing requirements. The v2.4 CML is described in the v2.4 CML Application Programming Interface (API) document. It implements the 2000 X.509 Recommendation certification path verification processing rules and SDN.706 profile. It meets the majority of the IETF PKIX RFC 3280 Certificate/CRL Profile requirements. There are some unsupported features such as Delta CRLs. The v2.4 CML Abstract Syntax Notation One (ASN.1) decodes X.509 Certificates and CRLs. It requires the v1.6 Enhanced SNACC ASN.1 software that is freely available from: <http://www.digitalnet.com/knowledge/snacc_home.htm>. The CML provides robust certification path building capabilities such as using cross certificates. The CML uses the accompanying Storage and Retrieval Library (SRL) (optionally) to provide local certificate and CRL storage management functions. The SRL (optionally) provides remote directory retrieval capabilities using the Lightweight Directory Access Protocol (LDAP). The CML has been thoroughly tested including validating X.509 Certificates and CRLs created by a variety of Certification Authority (CA) products, and signed using the Digital Signature Algorithm (DSA) and RSA algorithms. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added. CML v2.4 includes the following enhancements (compared to v2.3 CML release): 1) Replaced the CTIL interface for the CML with a newly created PKCS#11 interface. 2) Implemention of a CRL server with support for the "Delta CRL" and "Freshest CRL" 2000 X.509 extensions.  This architectural change is a step toward the CML's migration of OCSP compatability. 3) Enhanced the API to support the option for the application to request the CML log path building and validation events to aid in debugging and troubleshooting. 4) Enhanced the API to include callback functions to allow an application to perform its own revocation processing, rather than the crlapi library. 5) Added the capability to cache invalid certificates and CRLs. 6) Added a CRL grace period that can be specified by the application when creating a CML session. The grace period allows the application to specify the amount of time past a CRL's nextUpdate during which the CML will treat the CRL as still current.


v2.4 SRL includes the following enhancements (compared to v2.3 SRL release):

1) Modified the default crlRefreshPeriod from 0 to LONG_MAX when CML creates an SRL session.  When zero, the CRLs in the database were always being treated as stale; the new default is the always treat them as fresh.

2) Added a location mask to SRL_URLrequestObjs() so the caller can specify whether to search the local databse, the remote server, or both.

3) Enhnaced LDAPInitSettings_struct with a timeout field that controls how long to wait for the ldap_result() function.  Previously, the timeout was hardcoded to 30 seconds.

All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. DigitalNet is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML makes calls to an algorithm-independent CTIL API that provides
access to a variety of external crypto libraries. There is a CTIL for
each crypto library that maps the generic CTIL API calls to the
specific calls for that crypto library. DigitalNet provides CTILs for
the Microsoft CAPI v2.0, Crypto++, RSA BSAFE, Spyrus SPEX/ and
FORTEZZA Cryptologic Interface libraries. DigitalNet also provides a
PKCS #11 CTIL that enables PKCS #11-compliant libraries to be used
with the CML. The underlying, external crypto libraries are not
distributed as part of the CML software.


The CML has been successfully tested with the v2.4 S/MIME Freeware
Library (SFL) that is freely available from
<http://www.DigitalNet.com/knowledge/sfl_home.htm>.

The CML has been successfully tested with the v2.4 Access Control
Library (ACL) that is freely available to everyone from:
<http://www.DigitalNet.com/knowledge/acl_home.htm>.

The CML has been successfully used to build and verify
certificate paths used in the Bridge Certification Authority (BCA)
demonstration which includes cross-certified hierarchical and non-
hierarchical PKIs. The BCA Interoperability Test Suite (BITS)
is a free and openly available test resource provided to
facilitate vendor development of secure, interoperable Public
Key Enabled applications. The CML has been used to successfully
develop and verify the BITS X.509 certification paths available
from <http://bcatest.atl.DigitalNet.com>.

The National Institute of Standards and Technology (NIST) is
providing a standard test suite of X.509 certificate paths
<http://csrc.nist.gov/pki/testing/x509paths.html> that can be
used for testing applications against RFC 2459. The CML was
used to successfully process the NIST test data.

The CML meets the requirements stated in the SDN.706 Certificate/
CRL Profile required by the U.S. Defense Message System (DMS)
project.

The Internet Mail Consortium (IMC) has established a CML web page
<http://www.imc.org/imc-cml> and a CML mail list which is used to:
distribute information regarding CML releases; discuss CML-related
issues; and allow CML users to provide feedback, comments, bug
reports, etc. Subscription information for the imc-cml mailing list
is at the IMC web site listed above.

All comments regarding the CML source code and documents are welcome.
This CML release announcement was sent to several mail lists, but
please send all messages regarding the CML to the imc-cml mail list
ONLY. Please do not send messages regarding the CML to any of the IETF
mail lists. We will respond to all messages sent to the imc-cml mail
list. -- -- Matthew J. Bertapelle DigitalNet Government Solutions, LLC www.DigitalNet.com

Gmane