The CryptoSys PKI Toolkit provides you with an interface to public key cryptography functions from Visual Basic, VB6, VBA, VB.NET, VB2005/8/x, C/C++ and C# programs on any modern Windows system (W8/W7/2008/Vista/2003/XP/2K/NT4/Me/W9x).
Read the Manual | Features | BUY NOW | Download Trial | Examples
Licensed Users | Feedback | Support | Documentation | FAQ | Programming | SAT Mexico | FirmaSAT | German Health Service | Chile SII | Portugal DGCI | .NET Interface | Other Interfaces | Known Issues | Error Codes | Integrity | Contact | Search
You can create and read both enveloped-data (encrypted) and signed-data Cryptographic Message Syntax (CMS, PKCS#7) objects, which you can use in S/MIME email messages; verify the digital signature in a signed-data CMS object; generate and manage RSA public and private keys; carry out "raw" RSA encryption and digital signing, make PKCS#10 certificate request files, and create and manage X.509 certificate files.
See how the CryptoSys PKI Toolkit compared in the CMS (RFC 3852) Implementation Report [PDF (98 kB)] back in 2009 (we're implementation #3).
Other utilities included in the toolkit are the ability to generate message digest hash values using SHA-1/224/256/384/512 and MD5; generate HMAC keyed-hash message authentication values, wipe files using 7-pass DOD standards, generate cryptographically-secure random numbers to the strict NIST SP800-90 standard†, prompt for a password, and convert to and from base64- and hexadecimal-encoded formats. There is a 64-bit version included - see Using on a 64-bit system. If you just need standard symmetrical cryptography, see our alternative product CryptoSys API.
† Note 2013-09-21: Our implementation does not use the Dual EC_DRBG component of NIST 800-90 that potentially contains an NSA backdoor. CryptoSys PKI does not use OpenSSL in any form.
CryptoSys PKI uses a straightforward Win32 DLL which is compatible with all modern versions of Windows (W8/W7/2008/Vista/2003/XP/2K/NT4/Me/W9x). There is no "COM", no "Active-X", and no requirement to "register" it with Windows to use it. The installed executable has a small footprint of about 500 kB. Developers can easily distribute it with their projects made in Visual Basic, VBA, C, C++, VB.NET/VB2005+ or C# (in fact, in any other programming language that will let you call Win32 API functions including Delphi - see Extra Interfaces). A separate compilation for 64-bit systems is also included.
For more information on how the RSA key data is stored and how the various functions work together, see RSA Key Formats. For some examples, see the Examples section below. For the theory and more detailed explanations of how RSA is used in practical applications, see RSA algorithm including its use in creating ISO/IEC 9796 signatures in the AUTACK scheme.
Note that the CryptoSys PKI Toolkit is totally independent from our original CryptoSys API product. The two packages do different things and do not require the other in order to work: see a Comparison of CryptoSys Features for a summary.
“ First of All, GREAT PRODUCT your CryptoSys PKI Toolkit. Really, Congratulation on this Great Product, I really liked it. ”
“ I just got my licensed version and try succesfully to distribute my PKI based application on my alternate notebook : it took me a few seconds and it works fine. I spent in the past a lot of time trying to find a so easy to use software for cryptographic actions. Thanks again ! ”
“ Great product - just what I was looking for - bought a copy this morning. ”
“ It seems to be a very good and powerful toolkit ”
“ Thank you very much for the quick and detailed answer. It helped me a lot and now my program works pretty good, I have signed and encrypted my data successfully. ”
“ I wanted to let you know we [purchased] CryptoSys Software to include in an ERP project we are working on in Mexico. I had tried other digital signature products that required the certificate (with private) key first be stored in the Win certificate store and then I wasn't getting the correct signature. So, I guess there is something special about how you are using the .key file that is provided by SAT Mexico. I am very glad I came across your product. Thank you ”
- Herman K.
“ Last Tuesday I have completed the certification process in the DGCI. Everything is as they intend. So CryptoSys PKI can "attack" the Portuguese market. :-) ”
There are two manuals available: one main manual and a supplementary one for .NET users. See the CryptoSys PKI Manual page.
Download the latest Trial Edition of the CryptoSys PKI Toolkit now. Use either
Unzip the zip file and run the
setup.exe program inside it, or download the exe program directly and run it.
The Trial Edition is fully-functional and the download includes the full set of manuals and test functions in Visual Basic (VB6/VBA), VB.NET, C and C#. Please read the licence conditions for the Trial Edition. The latest version 3.10.1 is dated 23 September 2014. The trial period is 60 days from the date first installed on your system.
Is there a virus in these? Some of the more paranoid anti-virus checkers (notably AntiVir) sometimes show that these downloads contain a "Generic trojan-dropper". This is a false positive. The files are clean. You can upload the files individually to the AV vendors' sites and they will be shown as clean.
Please note that all the above files are digitally signed with our signing certificate under the name of D.I. Management Services Pty Limited. You can check the integrity of your DLLs here.
You need to have administrator rights when installing and uninstalling.
You can purchase a licenced version here. Existing licence holders can download the latest Developer Version here.
There is an example of each function in the
and a series of tests in VB6/VBA, VB.NET/VB2005, C/C++ and C# provided with the installation download.
These test programs should be in
C:\Program Files\CryptoSysPKI, or
C:\Program Files (x86)\CryptoSysPKI
on a 64-bit machine.
See the PKI Examples Page for more details and more examples.
We get lots of queries asking how to use the
RSA_Raw functions to do simple RSA encryption
See Raw RSA Techniques for a guide to
methods available in the latest version, including the
If you want more detailed information about the different formats in which RSA keys can be stored,
how the keys are used to create X.509 certificates,
and all the different functions in the Toolkit that create, read and save the key data,
you may find the information in RSA Key Formats useful.
See also Importing an RSA key from known parameters.
The CryptoSys PKI Toolkit includes full support for the private key files published by the Servicio de Administración Tributaria in Mexico. See SAT Mexico Example for some sample code. New improved version 5 of FirmaSAT utility to create digital signatures in SAT versions 2.0 and 3.0 format (and now versions 2.2 and 3.2) and more now available. See FirmaSAT.
2014-09-09: The CryptoSys PKI Toolkit should comply with the requirements of the security interface for data exchange for the German health service version 3.0. See Data Exchange in the German Health Service with CryptoSys PKI.
“ CryptoSys PKI Toolkit erfüllt alle Voraussetzungen, die notwendig sind, gemäß der Security Schnittstelle für den Datenaustausch im Gesundheitswesen Version 1.5, um mit den Datenannahmestellen der gesetzlichen Krankenkassen und dem ITSG-Trustcenter zu kommunizieren. Anders als bei DAKOTA stehen hier alle notwendigen Prozeduren in einer einzigen DLL zur Verfügung. Für das Erstellen der Zertifizierungsanfrage, dem Einlesen der Zertifizierungsantwort, dem Signieren / Verschlüsseln der Nachricht und der Speicherung der Daten (Zertifikate, privater Schlüssel, Annahme-pkcs.key) sind Beispiele in VB vorhanden. Sowohl der Zertifikatsantrag (PKCS#10 Format) beim ITSG-Trustcenter als auch die Datenübermittlung (PKCS#7 Format) an AOK, IKK, BKK, LKK, Knappschaft wurden erfolgreich durchgeführt. CryptoSys PKI Toolkit wird im Leistungserbringerverfahren und im Arbeitgeberverfahren erfolgreich eingesetzt. ”
“ Just to update you, after last changes, now everything is going on like a music. ”
On the XML-Dsig and the Chile SII page we look at creating digital signatures in XML documents (XML-Dsig) using the standards for electronic invoices set by the Servicio de Impuestos Internos (SII) of Chile ("Internal Revenue Service"). We show how you could use our CryptoSys PKI Toolkit to do the cryptographic operations to sign, read and verify the necessary files, and we give some hints on how to do the [expletive deleted] canonicalization.
On the Portugal DGCI Billing Software Certification page we look at the new Billing Software Certification (Certificação de Software Facturação) scheme introduced by the Portugal General Directorate of Taxes (Direcção Geral dos Impostos) (DGCI) in June 2010. We point out the problems that are guaranteed to arise in using the OpenSLL software in the manner suggested, as well as apparent errors in the test vectors provided.
We provide some code using our CryptoSys PKI Toolkit that analyzes the test vectors given in the technical specification and create and verify signatures in the format as specified. There is some more code that shows how you could create your own RSA keys and create a self-signed X.509 certificate from them.
See Writing an interface in another programming language for advice and examples in how to use CryptoSys PKI with other programming languages, including Visual FoxPro and PowerBuilder.
For Delphi, see the page Using Delphi with CryptoSys API, CryptoSys PKI for more details and some sample code.
Check the integrity of your PKI software against our published checksums and message digests.
(23 September 2014)
(2 September 2014)
CIPHER_DecryptBytesPadwhich use the specified block cipher algorithm, mode and padding to encrypt and decrypt data in a byte array. Padding is added if required before encryption and removed after decryption. The equivalent .NET methods are
Cipher.Encrypt Method (Byte, Byte, Byte, CipherAlgorithm, Mode, Padding).and
Cipher.Decrypt Method (Byte, Byte, Byte, CipherAlgorithm, Mode, Padding).
PBE_Kdf2Hexto derive a key of any length from a password using the PBKDF2 algorithm from PKCS#5. The equivalent .NET methods are
Pbe.Kdf2 (Int32, String, String, Int32).
Cms.MakeEnvData Method (String, String, String, CipherAlgorithm, Cms.EnvDataOptions)and
Cms.MakeEnvDataFromString Method (String, String, String, CipherAlgorithm, Cms.EnvDataOptions)to simplify using AES as the content encryption algorithm.
PKI_Versionto return a five-digit number of the form
Major * 10000 + Minor * 100 + Release. For example, version 3.10.0 will return the number 31000 whereas version 3.9.4 would have returned 394.
(4 October 2012 to 9 October 2013)
Rng.Initializeso they always create a new seed file, even if one does not exist (the previous behaviour was to fail with an error if the seed file did not exist).
Public Const PKI_X509_DECIMAL As Long = &H8000to
&H8000&(this is required to fix a bug in VB6).
(8 September 2012)
PKI_X509_LDAPto the functions
X509_QueryCertto display the distinguished name in LDAP string form as per [RFC4514]. This is intended to help users who wish to create an
<X509SubjectName>element within an
<X509Data>in an XML-DSIG document. For more details see LDAP String Representation of Distinguished Names.
PKI_X509_DECIMALto the functions
X509_QueryCertto display the serial number in decimal form instead of hexadecimal. Use to create an
<X509SerialNumber>element in XML-DSIG.
TITLEto supported attribute types when specifying a distinguished name for an X.509 certificate.
(14 January 2012)
PFX_MakeFileso it now creates PFX files in the exact format that OpenSSL creates with weak 40-bit encryption of the certificate as default behaviour†.
RSA_ReadPrivateKeyFromPFXto read a private key directly from a PFX file into an internal key string. Note that this is different from the existing
RSA_GetPrivateKeyFromPFXfunction which just extracts the encrypted PKCS-8 file and saves it. We try to use the convention "Read" to mean read-into-internal-string and "Get" to mean extract-and-save-as-a-file.
X509_GetCertFromPFXto cope with encrypted certificates.
RSA_PublicKeyFromPrivatefunction to convert an internal private key string into a public one. This is useful if you only have a private key file like a PFX file.
† This change is to help users of certain brain-dead web service in Mexico that apparently cannot cope with anything else. Thanks to Adrián Galván for pointing this out to us.
(1 July 2011)
CNV_CheckUTF8Fileto check if a file contains valid UTF-8 characters.
PKI_CMS_BIGFILEoption to the
CMS_ReadEnvDatato cope more efficiently with large files. This option allows, in theory, files of unlimited length to be enveloped. In addition, the 16 MB limit on the usual mode has been removed.
CMS_MakeEnvDatafunction to fail if any of the specified certificate files are missing or corrupted.
inputIsBase64option in functions that read base64-encoded CMS files like
CMS_QuerySigData. These functions (and their .NET equivalents) will now detect the encoding of the input file automatically.
Cms Classto reflect new or obsolete options. Added the
Cms.SigDataOptionsenumeration to provide advanced options and complement the
CMS_MakeSigDatawere meant to use SHA-2 but didn't.
RSA_SavePublicKey. The file is now saved in the exact same format as OpenSSL; i.e. "Unix" line endings and a line-length of 64 characters. This is specifically to help users in Portugal with the peculiar standards enforced by the DGCI (and should not make any difference to other users).
(23 August 2010)
PAD_HexBlockto provide PKCS#5/7 padding to encryption blocks and the equivalent functions to remove the padding,
PAD_UnpadHex. The corresponding .NET methods are
CNV_UTF8BytesFromLatin1to handle UTF-8 encoded data correctly using byte arrays instead of strings. These replace the deprecated functions
CNV_CheckUTF8Bytes, and the corresponding method
Cnv.CheckUTF8(Byte)to replace the deprecated
CNV_CheckUTF8and Cnv.CheckUTF8(String). See also UTF-8 and Latin-1.
CNV_ByteEncodingand equivalent method
Cnv.ByteEncodingto convert encoding in a byte array between UTF-8 and Latin-1.
CNV_HexFilterand non-ASCII characters,
(2 May 2010)
X509_MakeCRLfunction to make a basic X.509 certificate revocation list (CRL).
X509_CheckCertInCRLfunction to check if a given X.509 certificate has been revoked in an X.509 certificate revocation list (CRL).
OCSP_MakeRequestfunction to create an Online Certification Status Protocol (OCSP) request as a base64 string.
OCSP_ReadResponsefunction to read a response to an Online Certification Status Protocol (OCSP) request and output the main results in text form.
X509_TextDumpfunction to dump details of X.509 certificate (or a CRL or a PKCS10 CSR) to a text file.
X509_ValidatePathfunction to validate a certificate path, either in the form of a list of X.509 certificate filenames or in a PKCS7 "certs-only" certificate chain file (.p7b or .p7c).
X509_MakeCertfunction to allow the creation of a new X.509 certificate using a PKCS#10 Certificate Signing Request (CSR).
X509_VerifyCertfunction to also verify X.509 Certificate Revocation List (CRL) and PKCS#10 Certificate Signing Request (CSR) documents.
CMS_ReadSigData[ToString]functions, allowing the user to pass the data directly as a base64 string or PEM string; and added the automatic detection of format for input files.
(19 December 2009)
Rng.Strength) or to make easier to use with
StringBuildertypes, e.g. Rsa.KeyBytes.
(21 February 2009)
X509Make_CertSelffunctions, and added more options for distinguished names.
PEM_FileToBinFilefunctions to enable you to convert files between ASN.1 DER/BER binary format and PEM format.
WIPE_Filefunction - up to three times faster for large files.
RSA_FromXMLStringfunction to allow the import of a restricted RSA private key from XML data consisting only of the
<D>fields. The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file. This is useful to reproduce certain test vectors.
PKI_EMSIG_ISO9796option to the
RSA_DecodeMsgfunctions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
RSA_RawPublicfunctions to sign and decrypt RSA signatures using the "RSA2" method used in ISO/IEC 9796-1, ANSI X9.31 and P1363.
RSA_MakeKeysso it does not clash with the des-EDE3-CBC block cipher option.
(2 February 2008)
shaXXXWithRSAEncryption" with SHA-224/256/384/512 for
RSA_KemUnwrapwhich will wrap (encrypt) and unwrap (decrypt) secret keying data for a recipient with the recipient's RSA key using the RSA-KEM ("Simple RSA.html") algorithm [withdrawn in v3.4].
CIPHER_KeyUnwrapusing AES-wrap and Triple DES wrap.
CMS_QueryEnvDatafunction, and included the ability to pass a base64- or PEM-encoded certificate list to
(2 August 2007)
X509_MakeCertSelf. See Specifying Distinguished Names for more details.
RSA_KeyMatchfunction to verify that a pair of RSA private and public key strings are matched.
TDEA_File. To prevent accidental misuse, if an error occurs when using this function, the output file will now not exist.
CMS_MakeEnvDatafunction to conform with the PKI requirements of the German Health System.
(27 March 2007)
RSA_KeyHashCodefunction to allow comparison of internal key strings.
HMACfunctions to compute a keyed hash value,
Thanks to all users who have suggested improvements and in particular to Bernd Rech for his suggestions, advice and help.
For more information, please send us a message.
This page last updated 19 November 2014