SecretAgent® API and CLI Support

Downloads (description, date, notes):

  • SA7CLI 7.0.1 README File, 5/05/14: the README file (in text format) that is provided with release 7.0.1 of the software
  • SA6CLI 6.3.1 README file, 4/02/15: the README file for release 6.3.1 of the sa6 executable
  • SA6CLI 6.2.4 man page, 3/06/12: a man page for release 6.2.4 of the sa6 executable
  • SA6CLI 6.2.4 README File, 3/06/12: the README file for release 6.2.4 of the sa6 executable

SecretAgent 6.2.4

Bug fixes:

  • sign operations no longer crash when presented with a '.' private key specification
  • all signatures employing SHA-2 are now correctly validated
  • CertOpenStore() calls now specify the READONLY flag to prevent some rare deadlock conditions

Documentation update:

  • inclusion of '--format 5' information: '--format 5' specifies the use of algorithms that provide backwards compatibility with SecretAgent version 5.x (more precisely 5.6 and above); the same can be accomplished with '--digest 4' and '--kdf 0'

SecretAgent 6.2.2

Operational changes:

  • the standard KDF for NSA Suite B ECC DH key exchange is now the default for both SecretAgent and CMS output formats ('--kdf')
  • added '--resumable' to permit the resumption of some interrupted decrypt operations
  • transitioned to the use of AES-256 for the protection of PKCS#8 (.prv) files
  • added SHA-224 support for CMS
  • added support for DAS URL redirection with DAS v2.0 and above

Changes in text output:

  • key exchange algorithm IDs are now output when inspecting ciphertext archives
  • certificate inspection now supports more extension types
  • verbose mode includes timing information for DAS operations

Bug fixes:

  • '--recurse' with '--decrypt' now properly builds a subtree in the destination path
  • the decryption process for mixed ECC and DSA/DH recipients has been corrected
  • PKCS#12 files generated by Oracle Wallet and Windows 7 that 'include all properties' can now be successfully imported
  • the OCSP 'No Revocation Checking' extension is now properly displayed
  • archive recipients can again be successfully replaced
  • temporary working files are removed and a proper error message is generated if the user attempts to use a DSA certificate to create a CMS archive

SecretAgent 6.1.3

Operational change:

  • the first cipher specified as allowed in 'sa6so.cfg' becomes the default cipher

SecretAgent 6.1.2

Operational changes:

  • using '-w 4' with OCSP verification will output the OCSP request as well as the server's response

Changes in text output:

  • the software identification lines now include the date of compilation

Bug fixes:

  • OCSP responses containing any of the following are now handled properly:
      - more than one response
      - an error code from the server
      - keyHash as the responderID value

SecretAgent 6.1.0.9

Operational changes:

  • improved performance
  • the software distribution now includes both 32- and 64-bit executables
  • added '--no-threads' to disable thread use during cryptographic operations
  • added '--smime-body' to allow the specification of a message body when creating S/MIME CMS archives
  • OCSP is now supported in '--val-cert': use '--ocsp-server <url>' with '--ocsp-cert <file>' to perform an OCSP revocation check after other checks to confirm that the certificate is valid
  • added '--output-certs' to save recipient certificates during decrypt, verify, inspect, and OCSP operations
  • added the '--force' ('-f') option to decryption to output plaintext regardless of integrity check failures
  • added proxy server support for DAS transactions: '--proxy-server', '--proxy-port', '--proxy-user', '--proxy-pin'
  • added support for SHA-224, SHA-256, SHA-384, and SHA-512 when creating .sa5 and .p7m archives (for both integrity checking and signature purposes)
  • added support for the creation and decryption of '.spe' PBE-protected archives for which the new modes AES-192-CTR ('--cipher 14') and AES-256-CTR ('--cipher 16') are available
  • the 'sa6so.cfg' administrative configuration file may now specify one or more DAS server URLs

Changes in text output:

  • use of '--output-certs' causes the location and filename of each saved certificate to be displayed
  • during certificate inspection an otherName principalName in a subjectAltName extension is now decoded into UTF-8 rather than displayed in HEX
  • '--val-cert' operations that request OCSP checking will display the OCSP response

Bug fixes:

  • error detection/reporting now works properly when decrypting a raw CMS archive ('--format 2') with MIME processing enabled ('--format 1' or '.p7m' files with no format specification)
  • PKCS #11 token certificates without CKA_ID attributes are now handled properly
  • PKCS #11 key generation now works properly if the '--gen-key-type' argument includes the '.kyp' file extension
  • PKCS #11 key generation now obeys the '--encoding' argument
  • plaintext that is a multiple of 16 bytes is now truncated to the correct length when decrypting raw CMS archives ('--format 2')
  • archived credentials in Microsoft Windows CAPI/CNG can now be used
  • S/MIME messages generated by Outlook 2010 using the subject key identifier method of specifying recipients can be decrypted
  • '.spe' is now recognized as a valid file extension for self-decrypting archives
  • forward slashes are now accepted in path- and filenames on Windows
  • certificate inspection now properly displays otherName principalName attributes as UTF-8
  • the command line PBE-protected archive reader now properly errors if the user fails to provide a password

SecretAgent 6.0.33

Operational changes:

  • a new '--das-check' command checks DAS COI membership

Changes in text output:

  • filename displays now use backslashes ('\') on Windows and forward slashes ('/') on UNIX

Bug fixes:

  • CNG decryption (Windows Vista only) now checks whether a certificate/private key pair matches the recipientInfo PDU instead of always attempting to unwrap
  • S/MIME messages are now produced with internal MIME headers that Thunderbird 2.0.0.17 can successfully parse and display
  • the validation of detached signatures on S/MIME messages that contain multiple blank lines of varying length has been corrected
  • decryption/verification of S/MIME messages with an internal multipart/alternative MIME message body (a mix of HTML and text) no longer causes a crash

SecretAgent 6.0.32

Operational changes (UNIX only):

  • improved entropy gathering for random number generation
  • support added for the use of CACs with the libcoolkeys PKCS#11 library

Changes in text output:

  • '--print-info' now properly displays 'sha224RSA' (instead of 'unknown') when displaying certificates with SHA224-based RSA signatures

Bug fixes:

  • a temporary '.ba0' file is no longer left on disk when a CMS signature operation fails
  • Base64-encoded CMS archives are now properly decrypted
  • encryption now succeeds when a folder is specified as the output location ('-o folder/')
  • inspection of a certificate containing an empty alternative name extension no longer causes a crash
  • ECDSA signatures are now properly encoded in CMS archives

SecretAgent 6.0.31

Operational changes:

  • CRLs which contain a FreshestCRL extension are no longer rejected unless the security policy file ('sa6so.cfg') explicitly specifies that they be rejected

Changes in text output:

  • '--print-policy' now states whether CRLs which contain a FreshestCRL extension are considered valid or not

Bug fixes:

  • crashes no longer occur when using ActivIdentity's Linux client for smartcard access

SecretAgent 6.0.30

Operational changes:

  • the 'client-auth' switch has been renamed 'das-auth'
  • the 'dasuser' switch is now 'das-user'
  • decrypt operations on multiple files now continue after an input file error occurs
  • a new 'das-list' switch explicitly specifies the URIs to be dereferenced to reach an appropriate DAS server (rather than using the URIs embedded in the COI certificate)
  • a COI name (together with a 'das-list') may be specified in a certificate's SAN otherName field using OID 1.3.6.1.4.1.31623.1.1
  • a new 'das-timeout' switch specifies the timeout value to use for DAS connection attempts

Changes in text output:

  • using '--verbosity 4' will output additional DAS connection information
  • the "Extensions:" section label is no longer output when inspecting a certificate that contains no extensions
  • changes to the display of extensions during certificate inspection:
    • spacing is improved; in particular, SAN output is better aligned
    • SAN otherName values that SecretAgent doesn't understand are now preceded by '0x' to indicate that the values are HEX-encoded
    • SAN ediPartyName and registerID now display properly

Bug fixes:

  • 'Broken Pipe' is no longer erroneously reported when the software is unable to connect to a DAS server

SecretAgent 6.0.29

Operational changes:

  • the new command line syntax supports long switches; to use the old command line syntax, set SA5PROCESSING=1 in the environment
  • the '--format' option now supports all output formats so that it is no longer necessary to specify output format by file extension
  • signing certificates may be supplied by a filename argument referencing a PKCS #7 PDU
  • '--verify' always outputs the certificate in the specified file and never uses it for validation
  • superencryption is again supported
  • option arguments containing environment variables read from a configuration file are automatically expanded
  • the sa6so.cfg security policy file may be located in more common folders (see man page)

Archive changes:

  • one or more recipientInfo blobs, each of which represents the intersection of two or more communities of interest (COI), may be included in an archive header; to use such a blob for decryption, the user must have access to all of the private keys for the COIs being "intersected"
  • NIST/RFC 3394 AES key wrapping is now used in PBE-protected archives (i.e., self-decrypting archives or "SDAs")
  • new message attributes are now supported: security label, priority, color
  • a new '--output-all' option causes the '$$msg$message$txt.tmp' message body and '$$msg$audits$bin.tmp' archive history files (included in an archive by the SecretAgent 6 GUI) to be output during decryption if they are present

Key management changes:

  • support has been added for SHA-224 per FIPS 180-2 (as amended by the change notice of 25 Feb 2004)
  • the executable now enforces NIST FIPS 186-3 draft and SP 800-57 recommendations for key size and message digest choices for ECC operations
  • one may now specify a PKCS #12 password that differs from the PKCS #8 password used to protect the key being exported
  • '--import-p12' now supports the installation of credentials onto a PKCS #11 token
  • '--gen-key' now accepts a complete DN and supports key generation on a PKCS #11 device; when PKCS #11 is used to generate a certificate request, the subsequent '--install-cert' command will properly load its certificate onto that same device

Performance changes:

  • CMS processing supports STDIN/STDOUT, no longer creates temporary disk files, and is much faster overall due to complete reliance on in-memory operations

Changes in text output:

  • archive inspection will now report:
    • security label info
    • COI intersection info that might be contained in a recipientInfo blob
  • the display of SAN Othername values has been modified to align with Microsoft's
  • error messages suggesting the use of a particular command line option have been updated to the new command line syntax

Bug fixes:

  • a persistent entropy value is now properly stored in .secretagent.random or in the Windows registry
  • compression is properly applied when encrypting from STDIN using the SA5 archive format
  • SDA key recovery now works with passwords more than 16 bytes in length; an SDA employing RSA-based key recovery may be decrypted with the recovery agent's private RSA key by specifying '-d store' rather than '-d'

Installing SA 6.2.4 and CSPid on 64-bit CentOS 6.4

Assuming a clean, out-of-the-box CentOS setup (using only VMware's easy install default options), the following command will properly install the support library required by SecretAgent CLI 6.2.4:

# yum install libstdc++.i686

NOTE: All SA6API packages support the same command line syntax as the identically numbered release of the SA6CLI. For example, if you need documentation on the syntax supported by the sa5cli() entry point in each of the linkable libraries distributed with SA6API 6.2.4, consult the 6.2.4 SA6CLI man page.