Changes in earlier versions

Changes in version 3.5:

• Added the X509_MakeCRL function to make a basic X.509 certificate revocation list (CRL).
• Added the X509_CheckCertInCRL function to check if a given X.509 certificate has been revoked in an X.509 certificate revocation list (CRL).
• Added the OCSP_MakeRequest function to create an Online Certification Status Protocol (OCSP) request as a base64 string.
• Added the OCSP_ReadResponse function to read a response to an Online Certification Status Protocol (OCSP) request and output the main results in text form.
• Added the X509_TextDump function to dump details of X.509 certificate (or a CRL or a PKCS10 CSR) to a text file.
• Added the X509_ValidatePath function to validate a certificate path, either in the form of a list of X.509 certificate filenames or in a PKCS7 "certs-only" certificate chain file (.p7b or .p7c).
• Updated the X509_MakeCert function to allow the creation of a new X.509 certificate using a PKCS#10 Certificate Signing Request (CSR).
• Updated the X509_VerifyCert function to also verify X.509 Certificate Revocation List (CRL) and PKCS#10 Certificate Signing Request (CSR) documents.
• Added more options to the X509_QueryCert function.
• Improved the options for input to the CMS_ReadEnvData[ToString] and CMS_ReadSigData[ToString] functions, allowing the user to pass the data directly as a base64 string or PEM string; and added the automatic detection of format for input files.

Changes in version 3.4:

• All DLL executables are now signed with our code authentication certificate.
• Added functions to detect the platform of the underlying DLL. See Detecting Win32 or X64 platform, General.IsWin64 Method and General.Platform Method.
• Removed RSA-KEM functions.
• Updated this manual with the List of .NET Methods and Cross-reference between Functions and .NET Methods.

Changes in version 3.3:

• Compiled using VS2008 for both Win32 and X64.
• Added the ability to include more extensions and other features to new X.509 certificates when using the X509_MakeCert and X509Make_CertSelf functions, and added more options for distinguished names.
• Added the PEM_FileFromBinFile and PEM_FileToBinFile functions to enable you to convert files between ASN.1 DER/BER binary format and PEM format.
• Incorporated a faster BigDigits mathematics algorithm to speed up RSA modular exponential calculations.
• Improved the performance of the WIPE_File function - up to three times faster for large files.
• Amended the RSA_FromXMLString function to allow the import of a restricted RSA private key from XML data consisting only of the <Modulus>, <Exponent> and <D> fields. The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file. This is useful to reproduce certain test vectors.
• Added specialist options to enable users to create digital signatures suitable for use in an AUTACK message. See AUTACK messages and ISO/IEC 9796-1 signatures. In particular, this includes
  • Adding a PKI_EMSIG_ISO9796 option to the RSA_EncodeMsg and RSA_DecodeMsg functions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
  • Adding a specialist option to the RSA_RawPrivate and RSA_RawPublic functions to sign and decrypt RSA signatures using the "RSA2" method used in ISO/IEC 9796-1, ANSI X9.31 and P1363.
• Changed the value of PKI_KEYGEN_INDICATE option in RSA_MakeKeys() so it does not clash with the des-EDE3-CBC block cipher option.

Changes in version 3.2:

• Added a new generic block cipher function with AES and Triple DES. See CIPHER_Bytes, CIPHER_Hex, and CIPHER_File.
• Added SHA-224 to the selection of message digest hash functions and added the HASH_HexFromHex and HMAC_HexFromHex functions.
• Added the option to use the newer PKCS#1 signature algorithms "shaXXXWithRSAEncryption" with SHA-224/256/384/512 for X509_MakeCert[Self] and X509_CertRequest.
• Added the ability to make, read and verify CMS signed-data objects using message digest algorithms SHA-224/256/384/512. See CMS_MakeSigData[FromString].
• Added the ability to make and read CMS enveloped-data objects using the AES-128/192/256 content encryption algorithms. See CMS_MakeEnvData[FromString].
• Added [provisionally in this release] the ability to make and read CMS enveloped-data objects using the RSA-KEM ("Simple RSA") key encryption algorithm. [Withdrawn in v3.4].
• Added the primitive functions RSA_KemWrap and RSA_KemUnwrap which will wrap (encrypt) and unwrap (decrypt) secret keying data for a recipient with the recipient's RSA key using the RSA-KEM ("Simple RSA") algorithm; and added the block cipher key wrap functions CIPHER_KeyWrap and CIPHER_KeyUnwrap using AES-wrap and Triple DES wrap. (Note that the function name is [was] RSA_KemWrap, not KeyWrap.)
• Added options to save and read encrypted private keys with improved security using AES-128/192/256 and SHA-224/256/384/512 when using the RSA_SaveEncPrivateKey and RSA_ReadEncPrivateKey functions.
• Added the ability to pass both X.509 certificate data and RSA private and public key data to the X.509 and RSA functions using a PEM-encoded string instead of a file.
• Improved the handling of enveloped-data objects by adding the CMS_QueryEnvData function, and included the ability to pass a base64- or PEM-encoded certificate list to CMS_MakeEnvData and CMS_MakeSigData.

Changes in version 3.1:

• Added the ability to specify any valid UTF-8 characters in a distinguished name, including CJK characters, when creating an X.509 certificate with X509_MakeCert or X509_MakeCertSelf. See Specifying Distinguished Names for more details.
• Added the RSA_KeyMatch function to verify that a pair of RSA private and public key strings are matched.
• Added the functionality to all the X.509 certificate functions to allow the user to specify an input X.509 certificate as a base64 string instead of using a file.
• Improved the functions that read ASN.1 data to avoid security issues arising from badly-formed data.
• Increased the speed when encrypting large files using TDEA_File. To prevent accidental misuse, if an error occurs when using this function, the output file will now not exist.
• Specialist Option: Added an alternative TeleTrusT content encryption algorithm to the CMS_MakeEnvData function to conform with the PKI requirements of the German Health System.

Changes in version 3.0:

• Introduced a new, more secure, random number generator (RNG) based on NIST SP800-90 [SP80090] and Ferguson and Schneier's "Fortuna" method from Practical Cryptography [FERG03]. See Random Number Generator.
• Incorporated extra security by encrypting "internal" RSA key strings to prevent security breaches by accidental disclosure - see Internal key strings. Added the RSA_KeyHashCode function to allow comparison of internal key strings.
• Added the SHA-384 and SHA-512 message digest algorithms to the HASH functions.
• Added the HMAC functions to compute a keyed hash value, HMAC_HexFromBytes and HMAC_Bytes.
• Added functions to query an X.509 certificate file X509_KeyUsageFlags and X509_QueryCert.
• Added functions to read in a X.509 certificate file directly as a base64 string and save the string as a file X509_ReadStringFromFile and X509_SaveFileFromString.

Changes in version 2.9:

• Introduced the .NET class library as a more convenient and safer interface for C# and VB.NET programmers. Interface source code in C# is included.
• Added the CMS_MakeSigDataFromSigValue function to create a SignedData object directly from a pre-computed signature value.
• Added the CNV_CheckUTF8 function to check whether a string contains only valid UTF-8 characters.
• Added CFB, OFB and CTR modes for the Triple DES block cipher. See, for example, TDEA_BytesMode.
• Added the RNG_Number function to generate a random number in a given range.
• Various minor improvements in error handling and thread local storage.

Changes in version 2.8:

• Added SHA-256 algorithm to Message Digest Hash functions.
• Added functions to extract X.509 certificates from other file formats: see X509_GetCertFromP7Chain and X509_GetCertFromPFX.
• Improved handling of CMS SignedData objects including new CMS_VerifySigData and CMS_QuerySigData functions.
• Added support to verify DSA signatures as well as RSA in CMS signed data objects.
• Removed 'ByRef' parameters nMajor and nMinor in PKI_Version.

Changes in version 2.7:

• Added syntax for VB.NET and C# to this manual.
• X509_VerifyCert() can now verify certificates signed using DSA.
• Added ability to RSA_ReadEncPrivateKey() to read PKCS#8 files encrypted with RC2.
• Made minor changes to make CMS_ReadEnvData() and CMS_ReadEnvDataToString() more tolerant of different input formats, including adding support to read data encrypted with RC2.
• Added support for PBES2 password-based encryption for RSA_MakeKeys() and RSA_SaveEncPrivateKey().
• Added ability to save RSA keys directly in PEM or OpenSSL format when using RSA_MakeKeys().
• Added option to save new X.509 certificates in PEM base64 format when using X509_MakeCert() and X509_MakeCertSelf()
• Added option to encode distinguished names as UTF8String and to decode multi-byte distinguished names into 8-bit ASCII, if possible.

[Contents] [Index]