SecretAgent API and CLI Support

Downloads
Change History

Description	Date	Notes

SA5CLI 5.9.1 man page	9/15/05	A man page for release 5.9.1 of the sa5 executable (with corrected -x info)

SA5CLI 5.9.0 man page	6/02/05	A man page for release 5.9.0 of the sa5 executable (adds DAS support)

SA5CLI 5.8.0 man page	3/31/05	A man page for release 5.8.0 of the sa5 executable

SA5CLI 5.7.2 man page	9/09/04	A man page for release 5.7.2 of the sa5 executable

SA5CLI 5.7.1 README File	10/28/03	The README file (in text format) that is provided with release 5.7.1 of the software

SA5CLI 5.6 README File	07/25/02	The README file (in text format) that is provided with release 5.6 of the software

SA5CLI 5.2.8 README File	06/11/01	The README file (in text format) that is provided with release 5.2.8 of the software

SecretAgent 5.9.4

rather than aborting, a warning is now issued when -k is not specified and a READONLY file is encountered during autoencrypting/autodecrypting
already encrypted/signed files are now skipped when encrypting/signing folders and the user is told to use the -Y option to override this behavior
supports the iKey via CAPI in the same manner as does the Windows GUI
accepts 'sa5so.cfg' entries that appear at the end of the file without a following newline
index creation now records only the names of the certificate and CRL files rather than their complete paths; when loading such files it is assumed that they reside in the same folder as the corresponding index file ('caindex', resp. 'crlindex')

SecretAgent 5.9.3

reads sa5.cfg from RANDDIR/SA5HOME rather than current working directory
dereferences environment variables found in configuration files; for example, if a -@ $HOME/user.cfg is a line in a configuration file (say sa5.cfg) the command line will now expand the embedded environment variable $HOME into /home/tj
supports either ST= or SP= in configuration files to provide state/province information to be included in distinguished names when generating self-signed certificates or certificate requests
supports reading from a pipe and from the console when -Z1 is specified
now warns the user that CMS does not support compression when -L1 or -L2 is combined with -C1
now overwrites filenames during zap operations: files are renamed 26 times using the lowercase letters of the alphabet prior to removal
now removes empty directories/folders during zap operations: folders are renamed 26 times using the lowercase letters of the alphabet prior to removal from the file system
now inserts correct OIDs for AES-192 and AES-256 into CMS archives

SecretAgent 5.9.2

no longer aborts decrypt operations when the -d argument specifies a path containing a file with a single character filename

SecretAgent 5.9.1

improves the hash value displayed when using -H
adds support for Entrust profiles; requires the following Entrust libraries (available separately from Entrust):
to access an Entrust profile, you must use the sa5cli_e.exe/sa5_e versions of sa5cli.exe/sa5 with the following syntax:
improves PKCS#11 support for devices that do not enforce the CKA_ID of certificates to match the CKA_ID of private keys
now accepts .p7b or .p7c files for -d and -s operations both as individual files and within specified key history paths
outputs .p7c files in addition to certificate files when importing PKCS#12 files
improves the command line syntax checking and error messages
supports zapping files larger than 2GB on UNIX-based systems
now outputs .p7c files and certificate files when inspecting PKCS#11 devices

SecretAgent 5.9.0

supports DAS server-mediated decryption
permits the replacement of recipient certificates in an encrypted archive by combining -e and -d options
creates valid PKCS#7 files when the input files are base64 encoded
separates the date/time and reason code fields when inspecting CRLs

SecretAgent 5.8.0

supports the -F1 option during key generation
provides additional options in the sa5so.cfg file
includes support for using PKCS#11 devices for private key operations on Windows, Linux, and Solaris:
supports using Microsoft Windows' CAPI for private key operations:
allows decryption of files when only the private key file exists
allows users to specify an output path when decrypting
marks decrypted files with permissions such that only the decrypting user can read the files (UNIX only)
supports operations on folders (-e, -d, -z) whereby users can specify a folder to encrypt, decrypt, or zap
applies proper date/time to files when decrypting on UNIX systems
removes whitespace from DN components during key generation
conforms to RFC 3280 when performing path validation and successfully passes NIST's PKITS test suite
supports CMS sign only operations with ECC keys
allows users to use/create private keys without password protection by including -Q
supports overwriting read only files during auto-encryption with -k
allows users to specify output paths without the trailing slash
properly disables validity checking when the -n option is used -e
allows users to specify an output filename when supplying the -L2 option to -e and there is only 1 input file
supports zapping entire folders with optional recursion (-z -A)
obeys sa5so.cfg settings preventing the creation of separate archives; includes a sample sa5so.cfg that lists all available ciphers; supports multiple key recovery agents via the sa5so.cfg file
properly handles files larger than 4GB on Solaris systems
adds key history support for by allowing users to specify a private key path with -d
supports PKCS#7 files (.p7b, .p7c) as arguments to -e
changes the way -R works: CRL checking is still enabled, but will no longer fail if it cannot locate a CRL for a particular issuer; to require CRLs at all levels, add USECRLS=1 to the sa5so.cfg file
allows -I and -R to use the same folder: their respective index files have been renamed 'caindex' and 'crlindex' allowing them to reside in the same directory
adds support for using 'stdin' and 'stdout' to make the command line behave as a UNIX-like filter (supported on all platforms)
supports an additional -w flag (-w3) that will output just the filenames that are contained in an encrypted archive
supports combining the zap operation with encrypt or decrypt operations to remove plaintext/ciphertext in one operation

SecretAgent 5.7.1.4

provides improved zap performance on UNIX systems

SecretAgent 5.7.1.3

includes a new flag to the -i option: -i2 will cause an error to occur if the user says no when prompted to overwrite a file

SecretAgent 5.7.1.2

allows a PKCS #7 file to be supplied to -e as a recipient certificate: the first acceptable certificate in the PKCS #7 file is used and all other certificates in the file are ignored
corrects a defect in the base64 encoding of output files: output is now padded to ensure it is a multiple of 4 bytes.

SecretAgent 5.7.1

supports either filename or filename.cer in the -e operation
properly includes the subject key identifier extension as the hash of the public key rather than the .kyp filename
checks certificates supplied to the -e operation for proper key usage and validity; use -n to revert to old behavior
discards inappropriate certificates when creating PKCS#12 files
applies the -l switch correctly
adds support for reading the password from the SA5PWD environment variable
can create PKCS#12 files from base64 encoded certificates
displays embedded extensions when inspecting CRLs or certificate requests
includes the ability to inspect a SecretAgent archive (-w1 filename.sa5)
correctly prompts for passwords on UNIX systems
supports the creation of CMS (RFC 3369) formatted archives
adds the ability to create a certificate request from an existing certificate and private key (-x -s)
supports PKCS#12 files with 1 or more private keys
supports PKCS#12 files with CRLs
provides improved zap information
masks passwords when decrypting self-decrypting archives
no longer prompts for a password when the -g option is specified without the -o option
displays informative messages when a user attempts to perform an operation prohibited by the sa5so.cfg file
provides improved error messages and reporting
supports PKCS#12 files with either .p12 or .pfx extensions
supports naming self-decrypting archives with either .exe or ._xe
supports enveloped signatures
supports multiple output platforms for self-decrypting archives
supports prompting before overwriting files (-i)

SecretAgent 5.6.0

Utilizes ISC's FIPS 140-1 Level 1 Validated CDK7
displays the SHA-1 fingerprint of certificates when inspecting
adds the -H option to hash files

SecretAgent 5.5.1

improves command line argument checking
correctly determines that file.cer.sa5 is an encrypted file rather than a certificate during decryption
correctly returns a non-zero value when failing to create a PKCS#7 file
because the first certificate in the input file could not be located
deprecates the -v option for decrypt and verify or verify only; use -s
instead
correctly uses sa5cli when displaying the help information on Windows systems
outputs signature algorithm information when inspecting certificate
requests
exits gracefully when a user attempts to create a self-decrypting archive without a password
no longer writes/overwrites the certificate file prior to checking for the existence of the private key file during key generation
displays proper signature algorithm with inspecting ECC US-B type certificates

NOTE: All SA5API packages support the same command line syntax as the identically numbered release of the SA5CLI. For example, if you need documentation on the syntax supported by the sa5cli() entry point in each of the linkable libraries distributed with SA5API 5.7.2, consult the 5.7.2 SA5CLI man page.