Changes in earlier versions

Changes in Version 3.7 (June 2011):

• Added the function CNV_CheckUTF8File to check if a file contains valid UTF-8 characters.
• Added the PKI_CMS_BIGFILE option to the CMS_MakeEnvData and CMS_ReadEnvData to cope more efficiently with large files. This option allows, in theory, files of unlimited length to be enveloped. In addition, the 16 MB limit on the usual mode has been removed.
• Changed the behaviour of the CMS_MakeEnvData function to fail if any of the specified certificate files are missing or corrupted.
• Removed the restriction on the number of recipients allowed in CMS_MakeEnvData[FromString].
• Removed the requirement to specify the PKI_CMS_FORMAT_BASE64/inputIsBase64 option in functions that read base64-encoded CMS files like CMS_ReadEnvData, CMS_ReadSigData, CMS_QueryEnvData and CMS_QuerySigData. These functions (and their .NET equivalents) will now detect the encoding of the input file automatically.
• Added new overloads to the methods in the Cms Class to reflect new or obsolete options. Added the Cms.SigDataOptions enumeration to provide advanced options and complement the Cms.EnvDataOptions enumeration.
• Fixed issues where some of the more exotic option combinations for CMS_MakeEnvData and CMS_MakeSigData were meant to use SHA-2 but didn't.
• Fixed issue where certain obscure inputs to the raw RSA functions would cause a GPF error.
• Tweaked the format of the public key file created using the PKI_FORMAT_SSL option when using RSA_MakeKeys and RSA_SavePublicKey. The file is now saved in the exact same format as OpenSSL; i.e. "Unix" line endings and a line-length of 64 characters. This is specifically to help users in Portugal with the peculiar standards enforced by the DGCI (and should not make any difference to other users).

Changes in Version 3.6 (August 2010):

• Added new padding functions PAD_BytesBlock and PAD_HexBlock to provide PKCS#5/7 padding to encryption blocks and the equivalent functions to remove the padding, PAD_UnpadBytes and PAD_UnpadHex. The corresponding .NET methods are Cipher.Pad and Cipher.Unpad.
• Added new functions CNV_Latin1FromUTF8Bytes and CNV_UTF8BytesFromLatin1 to handle UTF-8 encoded data correctly using byte arrays instead of strings. These replace the deprecated functions CNV_Latin1FromUTF8 and CNV_UTF8FromLatin1.
• Added the new function CNV_CheckUTF8Bytes, and the corresponding method Cnv.CheckUTF8(Byte[]) to replace the deprecated CNV_CheckUTF8 and Cnv.CheckUTF8(String). See also UTF-8 and Latin-1.
• Added the new function CNV_ByteEncoding and equivalent method Cnv.ByteEncoding to convert encoding in a byte array between UTF-8 and Latin-1.
• Added new .NET methods to handle base64 strings in a safe manner and to convert directly between hex and base64 encodings: Cnv.FromBase64, Cnv.ToBase64, Cnv.Base64Filter, Cnv.Base64FromHex, Cnv.HexFromBase64, and Cnv.StringFromBase64.
• Added a full set of VB.NET examples to this manual with cross references.
• Improved the level of detail for all .NET Classes and Methods with full cross references to the new examples and the equivalent VB6/C functions.
• Fixed issue with CNV_HexFilter and non-ASCII characters,
• Improved the way the Secure Random Number Generator gathers entropy across threads.

Changes in version 3.5 (2 May 2010):

• Added the X509_MakeCRL function to make a basic X.509 certificate revocation list (CRL).
• Added the X509_CheckCertInCRL function to check if a given X.509 certificate has been revoked in an X.509 certificate revocation list (CRL).
• Added the OCSP_MakeRequest function to create an Online Certification Status Protocol (OCSP) request as a base64 string.
• Added the OCSP_ReadResponse function to read a response to an Online Certification Status Protocol (OCSP) request and output the main results in text form.
• Added the X509_TextDump function to dump details of X.509 certificate (or a CRL or a PKCS10 CSR) to a text file.
• Added the X509_ValidatePath function to validate a certificate path, either in the form of a list of X.509 certificate filenames or in a PKCS7 "certs-only" certificate chain file (.p7b or .p7c).
• Updated the X509_MakeCert function to allow the creation of a new X.509 certificate using a PKCS#10 Certificate Signing Request (CSR).
• Updated the X509_VerifyCert function to also verify X.509 Certificate Revocation List (CRL) and PKCS#10 Certificate Signing Request (CSR) documents.
• Added more options to the X509_QueryCert function.
• Improved the options for input to the CMS_ReadEnvData[ToString] and CMS_ReadSigData[ToString] functions, allowing the user to pass the data directly as a base64 string or PEM string; and added the automatic detection of format for input files.

Changes in version 3.4 (19 December 2009):

• All DLL executables are now signed with our code authentication certificate.
• Added functions to detect the platform of the underlying DLL. See Detecting Win32 or X64 platform, General.IsWin64 Method and General.Platform Method.
• Removed RSA-KEM functions.
• Updated this manual with the List of .NET Methods and Cross-reference between Functions and .NET Methods.

Changes in version 3.3:

• Compiled using VS2008 for both Win32 and X64.
• Added the ability to include more extensions and other features to new X.509 certificates when using the X509_MakeCert and X509Make_CertSelf functions, and added more options for distinguished names.
• Added the PEM_FileFromBinFile and PEM_FileToBinFile functions to enable you to convert files between ASN.1 DER/BER binary format and PEM format.
• Incorporated a faster BigDigits mathematics algorithm to speed up RSA modular exponential calculations.
• Improved the performance of the WIPE_File function - up to three times faster for large files.
• Amended the RSA_FromXMLString function to allow the import of a restricted RSA private key from XML data consisting only of the <Modulus>, <Exponent> and <D> fields. The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file. This is useful to reproduce certain test vectors.
• Added specialist options to enable users to create digital signatures suitable for use in an AUTACK message. See AUTACK messages and ISO/IEC 9796-1 signatures. In particular, this includes
  • Adding a PKI_EMSIG_ISO9796 option to the RSA_EncodeMsg and RSA_DecodeMsg functions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
  • Adding a specialist option to the RSA_RawPrivate and RSA_RawPublic functions to sign and decrypt RSA signatures using the "RSA2" method used in ISO/IEC 9796-1, ANSI X9.31 and P1363.
• Changed the value of PKI_KEYGEN_INDICATE option in RSA_MakeKeys() so it does not clash with the des-EDE3-CBC block cipher option.

Changes in version 3.2:

• Added a new generic block cipher function with AES and Triple DES. See CIPHER_Bytes, CIPHER_Hex, and CIPHER_File.
• Added SHA-224 to the selection of message digest hash functions and added the HASH_HexFromHex and HMAC_HexFromHex functions.
• Added the option to use the newer PKCS#1 signature algorithms "shaXXXWithRSAEncryption" with SHA-224/256/384/512 for X509_MakeCert[Self] and X509_CertRequest.
• Added the ability to make, read and verify CMS signed-data objects using message digest algorithms SHA-224/256/384/512. See CMS_MakeSigData[FromString].
• Added the ability to make and read CMS enveloped-data objects using the AES-128/192/256 content encryption algorithms. See CMS_MakeEnvData[FromString].
• Added [provisionally in this release] the ability to make and read CMS enveloped-data objects using the RSA-KEM ("Simple RSA") key encryption algorithm. [Withdrawn in v3.4].
• Added the primitive functions RSA_KemWrap and RSA_KemUnwrap which will wrap (encrypt) and unwrap (decrypt) secret keying data for a recipient with the recipient's RSA key using the RSA-KEM ("Simple RSA") algorithm; and added the block cipher key wrap functions CIPHER_KeyWrap and CIPHER_KeyUnwrap using AES-wrap and Triple DES wrap. (Note that the function name is [was] RSA_KemWrap, not KeyWrap.)
• Added options to save and read encrypted private keys with improved security using AES-128/192/256 and SHA-224/256/384/512 when using the RSA_SaveEncPrivateKey and RSA_ReadEncPrivateKey functions.
• Added the ability to pass both X.509 certificate data and RSA private and public key data to the X.509 and RSA functions using a PEM-encoded string instead of a file.
• Improved the handling of enveloped-data objects by adding the CMS_QueryEnvData function, and included the ability to pass a base64- or PEM-encoded certificate list to CMS_MakeEnvData and CMS_MakeSigData.

Changes in version 3.1:

• Added the ability to specify any valid UTF-8 characters in a distinguished name, including CJK characters, when creating an X.509 certificate with X509_MakeCert or X509_MakeCertSelf. See Specifying Distinguished Names for more details.
• Added the RSA_KeyMatch function to verify that a pair of RSA private and public key strings are matched.
• Added the functionality to all the X.509 certificate functions to allow the user to specify an input X.509 certificate as a base64 string instead of using a file.
• Improved the functions that read ASN.1 data to avoid security issues arising from badly-formed data.
• Increased the speed when encrypting large files using TDEA_File. To prevent accidental misuse, if an error occurs when using this function, the output file will now not exist.
• Specialist Option: Added an alternative TeleTrusT content encryption algorithm to the CMS_MakeEnvData function to conform with the PKI requirements of the German Health System.

Changes in version 3.0:

• Introduced a new, more secure, random number generator (RNG) based on NIST SP800-90 [SP80090] and Ferguson and Schneier's "Fortuna" method from Practical Cryptography [FERG03]. See Random Number Generator.
• Incorporated extra security by encrypting "internal" RSA key strings to prevent security breaches by accidental disclosure - see Internal key strings. Added the RSA_KeyHashCode function to allow comparison of internal key strings.
• Added the SHA-384 and SHA-512 message digest algorithms to the HASH functions.
• Added the HMAC functions to compute a keyed hash value, HMAC_HexFromBytes and HMAC_Bytes.
• Added functions to query an X.509 certificate file X509_KeyUsageFlags and X509_QueryCert.
• Added functions to read in a X.509 certificate file directly as a base64 string and save the string as a file X509_ReadStringFromFile and X509_SaveFileFromString.

Changes in version 2.9:

• Introduced the .NET class library as a more convenient and safer interface for C# and VB.NET programmers. Interface source code in C# is included.
• Added the CMS_MakeSigDataFromSigValue function to create a SignedData object directly from a pre-computed signature value.
• Added the CNV_CheckUTF8 function to check whether a string contains only valid UTF-8 characters.
• Added CFB, OFB and CTR modes for the Triple DES block cipher. See, for example, TDEA_BytesMode.
• Added the RNG_Number function to generate a random number in a given range.
• Various minor improvements in error handling and thread local storage.

Changes in version 2.8:

• Added SHA-256 algorithm to Message Digest Hash functions.
• Added functions to extract X.509 certificates from other file formats: see X509_GetCertFromP7Chain and X509_GetCertFromPFX.
• Improved handling of CMS SignedData objects including new CMS_VerifySigData and CMS_QuerySigData functions.
• Added support to verify DSA signatures as well as RSA in CMS signed data objects.
• Removed 'ByRef' parameters nMajor and nMinor in PKI_Version.

Changes in version 2.7:

• Added syntax for VB.NET and C# to this manual.
• X509_VerifyCert() can now verify certificates signed using DSA.
• Added ability to RSA_ReadEncPrivateKey() to read PKCS#8 files encrypted with RC2.
• Made minor changes to make CMS_ReadEnvData() and CMS_ReadEnvDataToString() more tolerant of different input formats, including adding support to read data encrypted with RC2.
• Added support for PBES2 password-based encryption for RSA_MakeKeys() and RSA_SaveEncPrivateKey().
• Added ability to save RSA keys directly in PEM or OpenSSL format when using RSA_MakeKeys().
• Added option to save new X.509 certificates in PEM base64 format when using X509_MakeCert() and X509_MakeCertSelf()
• Added option to encode distinguished names as UTF8String and to decode multi-byte distinguished names into 8-bit ASCII, if possible.

[Contents] [Index]