  SecretAgent Command Line Interface (SA5CLI) - Change History

 

SecretAgent 5.9.4

rather than aborting, a warning is now issued when -k is not specified and a READONLY file is encountered during autoencrypting/autodecrypting

already encrypted/signed files are now skipped when encrypting/signing folders and the user is told to use the -Y option to override this behavior

supports the iKey via CAPI in the same manner as does the Windows GUI

accepts 'sa5so.cfg' entries that appear at the end of the file without a following newline

index creation now records only the names of the certificate and CRL files rather than their complete paths; when loading such files it is assumed that they reside in the same folder as the corresponding index file ('caindex', resp. 'crlindex')

SecretAgent 5.9.3

reads sa5.cfg from RANDDIR/SA5HOME rather than current working directory

dereferences environment variables found in configuration files; for example, if -@ $HOME/user.cfg is a line in a configuration file (say sa5.cfg), the command line will now expand the embedded environment variable $HOME into /home/tj

supports either ST= or SP= in configuration files to provide state/province information to be included in distinguished names when generating self-signed certificates or certificate requests

supports reading from a pipe and from the console when -Z1 is specified

now warns the user that CMS does not support compression when -L1 or -L2 is combined with -C1

now overwrites filenames during zap operations: files are renamed 26 times using the lowercase letters of the alphabet prior to removal

now removes empty directories/folders during zap operations: folders are renamed 26 times using the lowercase letters of the alphabet prior to removal from the file system
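
The filename scrubbing described in the two zap entries above, as an added Python example that is not ISC's code. It covers only the rename-then-remove step (no content overwrite); the scrub-name scheme (one repeated letter, same length as the original name) and the function names are assumptions.

```python
import os
import string
import tempfile


def scrub_and_remove(path):
    """Rename `path` once per lowercase letter, then remove it.

    Assumption: each pass uses one repeated letter, as long as the original
    name; the page states only that there are 26 lowercase-letter renames.
    """
    current = os.path.abspath(path)
    parent = os.path.dirname(current)
    length = len(os.path.basename(current))
    for letter in string.ascii_lowercase:
        target = os.path.join(parent, letter * length)
        if os.path.lexists(target):
            continue  # never clobber a sibling that already has this name
        os.rename(current, target)
        current = target
    if os.path.isdir(current) and not os.path.islink(current):
        os.rmdir(current)   # raises OSError if the folder is not empty
    else:
        os.remove(current)  # regular files and symlinks
    return current          # last name the entry carried before removal


def zap_tree(root):
    """Scrub names bottom-up so each folder is empty when it is reached."""
    removed = 0
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames + dirnames:
            scrub_and_remove(os.path.join(dirpath, name))
            removed += 1
    scrub_and_remove(root)
    return removed + 1


if __name__ == "__main__":
    # Constructed sample tree, created in a temporary directory.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "payroll")
    os.makedirs(os.path.join(root, "q3"))
    for rel in ("plan.txt", os.path.join("q3", "a.csv")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample data\n")
    print("entries removed:", zap_tree(root))
    print("left behind:", os.listdir(base))
```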

now inserts correct OIDs for AES-192 and AES-256 into CMS archives

SecretAgent 5.9.2

no longer aborts decrypt operations when the -d argument specifies a path containing a file with a single character filename

SecretAgent 5.9.1

improves the hash value displayed when using -H

adds support for Entrust profiles; requires the following Entrust libraries (available separately from Entrust):

Windows: entapi32.dll, enterr.dll, and etfile32.dll (Entrust Authority PKCS#7 Toolkit for C 6.0 SP4 patch 96312 or higher)

Solaris: libEntrust.so, libentapi.so (Entrust Authority PKCS#7 Toolkit for C 6.0 SP4 or higher)

to access an Entrust profile, you must use the sa5cli_e.exe/sa5_e versions of sa5cli.exe/sa5 with the following syntax:

sa5_e -w1 -s entrust.ini,my.epf test.txt
sa5_e -w1 -d entrust.ini,my.epf test.txt.sa5

improves PKCS#11 support for devices that do not enforce the CKA_ID of certificates to match the CKA_ID of private keys

now accepts .p7b or .p7c files for -d and -s operations both as individual files and within specified key history paths

outputs .p7c files in addition to certificate files when importing PKCS#12 files

improves the command line syntax checking and error messages

supports zapping files larger than 2GB on UNIX-based systems

now outputs .p7c files and certificate files when inspecting PKCS#11 devices

SecretAgent 5.9.0

supports SecretAgent DAS server-mediated decryption

permits the replacement of recipient certificates in an encrypted archive by combining -e and -d options

creates valid PKCS#7 files when the input files are base64 encoded

separates the date/time and reason code fields when inspecting CRLs

SecretAgent 5.8.0

supports the -F1 option during key generation

provides additional options in the sa5so.cfg file

includes support for using PKCS#11 devices for private key operations on Windows, Linux, and Solaris:

Usage: -d label,library or -s <certfile>,label,library.

For example:

sa5cli -w1 -d green,c:\windows\system32\p11lib.dll file.sa5
sa5 -w1 -e. -s green.cer,green,/usr/local/p11dev/p11lib.so a.txt

supports using Microsoft Windows' CAPI for private key operations:

Usage: -d CAPI or -s <certfile>,CAPI

For example:

sa5cli -w1 -d CAPI file.sa5
sa5cli -w1 -e. -s user.cer,CAPI a.txt

will look for the sa5so.cfg first in the root or Windows System folder and then in the folder in which the command line executable resides

allows decryption of files when only the private key file exists

allows users to specify an output path when decrypting

marks decrypted files with permissions such that only the decrypting user can read the files (UNIX only)

supports operations on folders (-e, -d, -z) whereby users can specify a folder to encrypt, decrypt, or zap

applies proper date/time to files when decrypting on UNIX systems

removes whitespace from DN components during key generation

conforms to RFC 3280 when performing path validation and successfully passes NIST's PKITS test suite

supports CMS sign only operations with ECC keys

allows users to use/create private keys without password protection by including -Q

supports overwriting read only files during auto-encryption with -k

allows users to specify output paths without the trailing slash

properly disables validity checking when the -n option is used with -e

allows users to specify an output filename when supplying the -L2 option to -e and there is only 1 input file

supports zapping entire folders with optional recursion (-z -A)

obeys sa5so.cfg settings preventing the creation of separate archives

includes a sample sa5so.cfg that lists all available ciphers

supports multiple key recovery agents via the sa5so.cfg file

properly handles files larger than 4GB on Solaris systems

adds key history support by allowing users to specify a private key path with -d

supports PKCS#7 files (.p7b, .p7c) as arguments to -e

changes the way -R works: CRL checking is still enabled, but will no longer fail if it cannot locate a CRL for a particular issuer; to require CRLs at all levels, add USECRLS=1 to the sa5so.cfg file

allows -I and -R to use the same folder: their respective index files have been renamed 'caindex' and 'crlindex' allowing them to reside in the same directory

adds support for using 'stdin' and 'stdout' to make the command line behave as a UNIX-like filter (supported on all platforms)

supports an additional -w flag (-w3) that will output just the filenames that are contained in an encrypted archive

supports combining the zap operation with encrypt or decrypt operations to remove plaintext/ciphertext in one operation

SecretAgent 5.7.1.4

provides improved zap performance on UNIX systems

SecretAgent 5.7.1.3

includes a new flag to the -i option: -i2 will cause an error to occur if the user says no when prompted to overwrite a file

SecretAgent 5.7.1.2

allows a PKCS #7 file to be supplied to -e as a recipient certificate: the first acceptable certificate in the PKCS #7 file is used and all other certificates in the file are ignored

corrects a defect in the base64 encoding of output files: output is now padded to ensure it is a multiple of 4 bytes.

SecretAgent 5.7.1

supports either filename or filename.cer in the -e operation

properly includes the subject key identifier extension as the hash of the public key rather than the .kyp filename

checks certificates supplied to the -e operation for proper key usage and validity; use -n to revert to old behavior

discards inappropriate certificates when creating PKCS#12 files

applies the -l switch correctly

adds support for reading the password from the SA5PWD environment variable

can create PKCS#12 files from base64 encoded certificates

displays embedded extensions when inspecting CRLs or certificate requests

includes the ability to inspect a SecretAgent archive (-w1 filename.sa5)

correctly prompts for passwords on UNIX systems

supports the creation of CMS (RFC 3369) formatted archives

adds the ability to create a certificate request from an existing certificate and private key (-x -s)

supports PKCS#12 files with 1 or more private keys

supports PKCS#12 files with CRLs

provides improved zap information

masks passwords when decrypting self-decrypting archives

no longer prompts for a password when the -g option is specified without the -o option

displays informative messages when a user attempts to perform an operation prohibited by the sa5so.cfg file

provides improved error messages and reporting

supports PKCS#12 files with either .p12 or .pfx extensions

supports naming self-decrypting archives with either .exe or ._xe

supports enveloped signatures

supports multiple output platforms for self-decrypting archives

supports prompting before overwriting files (-i)

SecretAgent 5.6.0

utilizes ISC's FIPS 140-1 Level 1 Validated CDK7

displays the SHA-1 fingerprint of certificates when inspecting

adds the -H option to hash files

SecretAgent 5.5.1

improves command line argument checking

correctly determines that file.cer.sa5 is an encrypted file rather than a certificate during decryption

correctly returns a non-zero value when failing to create a PKCS#7 file because the first certificate in the input file could not be located

deprecates the -v option for decrypt and verify or verify only; use -s instead

correctly uses sa5cli when displaying the help information on Windows systems

outputs signature algorithm information when inspecting certificate requests

exits gracefully when a user attempts to create a self-decrypting archive without a password

no longer writes/overwrites the certificate file prior to checking for the existence of the private key file during key generation

displays proper signature algorithm when inspecting ECC US-B type certificates

     
           
   
© 2004-2007 Information Security Corporation. All rights reserved.