25 February 2002

Date: Mon, 25 Feb 2002 16:43:09 -0500 (EST)
From: "Pawling, John" <John.Pawling@GetronicsGov.com>
To: Multiple recipients of list <pki-twg@nist.gov>
Subject: v2.0.1 S/MIME Freeware Library (SFL) Now Available

Getronics Government Solutions has delivered Version 2.0.1 of the S/MIME Freeware Library (SFL) source code.  The SFL source code files are freely available at

http://www.getronicsgov.com/hot/sfl_home.htm

The v2.0.1 SFL fixes bugs present in the v2.0 SFL (see below).  It also includes enhancements to the CertificateBuilder utility.

The SFL implements the IETF S/MIME v3 RFC 2630 Cryptographic Message Syntax (CMS) and RFC 2634 Enhanced Security Services (ESS) specifications.

It also implements portions of the RFC 2633 Message Specification and RFC 2632 Certificate Handling document.  When used in conjunction with the Crypto++ freeware library, the SFL implements the RFC 2631 Diffie-Hellman (D-H) Key Agreement Method specification.  It has been successfully tested using the Microsoft (MS) Windows NT/98/2000/XP, Linux and Sun Solaris 2.8 operating systems.  Further enhancements, ports and testing of the SFL are still in process.  Further releases of the SFL will be provided as significant capabilities are added.

The SFL has been successfully used to sign, verify, encrypt and decrypt CMS/ESS objects using: DSA, E-S D-H, 3DES algorithms provided by the Crypto++ library; RSA suite of algorithms provided by the RSA BSAFE 6.0 Crypto-C and Crypto++ libraries; and Fortezza suite of algorithms provided by the Fortezza Crypto Card.  The v2.0.1 SFL uses the v1.3 R8 Enhanced SNACC ASN.1 C++ Library to encode/decode objects. The v2.0.1 SFL release includes: SFL High-level library; Free (a.k.a. Crypto++) Crypto Token Interface Library (CTIL); BSAFE CTIL; Fortezza CTIL; SPEX/ CTIL; PKCS #11 CTIL; MS CAPI v2.0 CTIL; v1.3 R8 Enhanced SNACC ASN.1 Compiler and Library; test utilities; test drivers; and test data.  All CTILs were tested as Dynamically Linked Libraries (DLL) using MS Windows.  The Fortezza, BSAFE and Crypto++ CTILs were tested with the respective security libraries as shared objects using Linux and Solaris 2.8. 

The SFL has been successfully used to exchange signedData and envelopedData messages with the MS Internet Explorer Outlook Express v4.01, Netscape Communicator 4.X, Entrust and Baltimore S/MIME products.  Signed messages have been exchanged with the RSA S/MAIL and WorldTalk S/MIME v2 products.

The SFL has also been used to perform S/MIME v3 interoperability testing with Microsoft that exercised the majority of the features specified by RFCs 2630, 2631 and 2634.  This testing included the RSA, DSA, E-S D-H, 3DES, SHA and Fortezza algorithms.  We used the SFL to successfully process all of the SFL-supported sample data included in the S/MIME WG "Examples of S/MIME Messages" document.  We also used the SFL to generate S/MIME v3 sample messages that were included in the "Examples" document.

The use of the v2.0.1 SFL is described in the v2.0 SFL Application Programming Interface (API) and v2.0 SDD documents.  The v2.0 SMP  Components Setup Manual that describes the component installation procedures for the v2.0.1 SFL, v2.0.1 Certificate Management Library (CML), and v1.3 R8 Enhanced SNACC libraries.  The use of the v2.0.1 CTIL API is described in the v2.0 CTIL API document.

The following enhancements are included in the v2.0.1 SFL and CTIL releases (compared with the v2.0 releases):

1) Fixed bug regarding the SFL ASN.1 decoding of security labels that  do not include any security categories. 

2) Fixed memory management errors that we discovered during memory leak testing of the release version of the SFL library that could not be detected while testing the debug version.

3) Enhanced MS CAPI CTIL to work with Datakey crypto service provider and smart card.

4) Enhanced CTILs by re-structuring to load the CSM_CSInst certificate after the initial creation.

5) Fixed a bug that impacted interoperability testing between messages protected using the Microsoft CAPI CTIL and Crypto++ CTIL. 

6) Tested RSA BSAFE 6.0 Crypto-C library using v2.0.1 SFL, CML and  BSAFE CTIL on MS Windows, Sun Solaris, Linux.

CERTIFICATE BUILDER Enhancements (used to create X.509 certificates): 

1) Added functionality to create a SubjectKeyIdentifier value by hashing the public key in the cert.  

2) Added logic to copy the signer SubjectKeyIdentifier into the produced certificate AuthKeyIdentifier extension.

3) Added support for populating AltSubjectName extension.

4) Self-signed certificates can now be generated. 

5) Added ability to populate certificatePolicy qualifier fields.

6) Corrected bugs.

We are still in the process of enhancing and testing the SFL.  Future releases may include: additional PKCS #11 CTIL testing; finish CertificateBuilder command line utility; enhancing CertificateBuilder to support creation of Attribute Certificates; add "Certificate Management Messages over CMS" ASN.1 encode/decode functions; add enhanced test routines; bug fixes; support for other crypto APIs; and support for other operating systems.

The SFL is developed to maximize portability to 32-bit operating systems.  In addition to testing on MS Windows, Linux and Solaris 2.8, we may port the SFL to other operating systems.

The following SFL files are available from

http://www.getronicsgov.com/hot/sfl_lib.htm

1) SFL Documents: Fact Sheet, Software Design Description, API, CTIL API, Software Test Description, Implementers Guide, Overview Briefing and Public License.    

2) smimeR2.0.1.tar.gz:  Source code, MS Windows project files and Unix makefiles for SFL Hi-Level library.

3) snacc13r8rn.tar.gz -- source code and binaries available from Getronics Enhanced SNACC web page:

http://www.getronicsgov.com/hot/snacc_home.htm

Source code, MS Windows project files and Unix makefiles for v1.3 R8 Enhanced SNACC ASN.1 Compiler and Library that has been enhanced by Getronics to implement the Distinguished Encoding Rules.  Source code is compilable for Linux, Solaris 2.8 and MS Windows NT/95/98/2000/XP. This file includes a sample test project demonstrating the use of the SNACC classes. 

4) smCTIR2.0.1.tar.gz:  Source code, MS Windows project files and  Unix makefiles for the following CTILs: Test (no crypto), Crypto++, BSAFE, Fortezza, SPEX/, PKCS #11 and MS CAPI v2.0.  The CTIL source code includes PKCS #12 software developed by the OpenSSL Project for use in the OpenSSL Toolkit

http://www.openssl.org/

5) sm_CTIL_MGR_R2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for the CTILManager library that provides CTIL-related processing services used by the SFL, ACL and CML.

6) smTest2.0.1.tar.gz: Source code, MS Windows project files and Unix makefiles for test drivers used to test the SFL.  This file includes sample CMS/ESS test data and test X.509 Certificates.  It also includes the CertificateBuilder utility that can be used to create X.509 Certificates.

All source code for the SFL is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the SFL without paying any royalties or licensing fees.  Getronics is developing the SFL under contract to the U.S. Government.  The U.S. Government is furnishing the SFL source code at no cost to the vendor subject to the conditions of the "SFL Public License".

On 14 January 2000, the U.S. Department of Commerce, Bureau of Export Administration published a new regulation implementing an update to the U.S. Government's encryption export policy

http://www.bxa.doc.gov/Encryption/Default.htm

In accordance with the revisions to the Export Administration Regulations (EAR) of 14 Jan 2000, the downloading of the SFL source code is not password controlled.

The SFL is composed of a high-level library that performs generic CMS and ESS processing independent of the crypto algorithms used to protect a specific object.  The SFL high-level library makes calls to an algorithm-independent CTIL API.  The underlying, external crypto token libraries are not distributed as part of the SFL source code. The application developer must independently obtain these libraries and then link them with the SFL. 

The SFL uses the CML and Enhanced SNACC ASN.1 Library to encode/decode certificates, ACs, CRLs and components thereof.  The CML is freely available at:

http://www.getronicsgov.com/hot/cml_home.htm

The SFL has been successfully tested in conjunction with the Access Control Library (ACL) that is freely available to everyone from:

http://www.getronicsgov.com/hot/acl_home.htm

The National Institute of Standards and Technology (NIST) is providing test S/MIME messages (created by Getronics) at

http://csrc.nist.gov/pki/testing/x509paths.html

Getronics used the SFL to successfully process the NIST test data.

NIST is using the SFL and CML as part of the NIST S/MIME Test Facility (NSMTF) that they are planning to host -- see

http://csrc.ncsl.nist.gov/pki/smime/

Vendors will be able to use the NSMTF to help determine if their products comply with the IETF S/MIME v3 specifications and the Federal S/MIME v3 Client Profile.

The SFL has been integrated into many applications to provide CMS/ESS security services.  For example, the SFL was integrated into a security plug-in for a commercial e-mail application that enabled the application to meet the Bridge Certification Authority Demonstration Phase II requirements including implementing ESS features such as security labels.

The Internet Mail Consortium (IMC) has established an SFL web page

http://www.imc.org/imc-sfl

The IMC has also established an SFL mail list which is used to: distribute information regarding SFL releases; discuss SFL-related issues; and provide a means for SFL users to provide feedback, comments, bug reports, etc.  Subscription information for the imc-sfl mailing list is at the IMC web site listed above.

All comments regarding the SFL source code and documents are welcome. This SFL release announcement was sent to several mail lists, but please send all messages regarding the SFL to the imc-sfl mail list ONLY.  Please do not send messages regarding the SFL to any of the IETF mail lists.  We will respond to all messages sent to the imc-sfl mail list.

============================================

John Pawling, John.Pawling@GetronicsGov.com
Getronics Government Solutions, LLC

============================================