CryptoSys PKI Toolkit

The CryptoSys PKI Toolkit provides you with an interface to public key cryptography functions from Visual Basic, VB6, VBA, VB.NET, VB2005/8/x, C/C++ and C# programs on any Windows system (W95/98/Me/NT4/2K/XP/2003/Vista/2008/W7).

Features | Manual | Examples | Feedback | Download | Buy Now | Licensed Users | Support | FAQ | Programming | SAT Mexico | FirmaSAT | German Health Service | .NET Interface | Linux Version | Other Interfaces | Known Issues | Integrity | Contact | Comment | Search

You can create and read both enveloped-data (encrypted) and signed-data Cryptographic Message Syntax (CMS, PKCS#7) objects, which you can use in S/MIME email messages; verify the digital signature in a signed-data CMS object; generate and manage RSA public and private keys; carry out "raw" RSA encryption and digital signing, make PKCS#10 certificate request files, and create and manage X.509 certificate files.
2009-03-30: See how the CryptoSys PKI Toolkit compares in the CMS (RFC 3852) Implementation Report [PDF (98 kB)] (we're implementation #3).

Other utilities included in the toolkit are the ability to generate message digest hash values using SHA-1, MD5, MD2, SHA-224/256/384/512; generate HMAC keyed-hash message authentication values, wipe files using 7-pass DOD standards, generate cryptographically-secure random numbers to the strict NIST SP800-90 standard, prompt for a password, and convert to and from base64- and hexadecimal-encoded formats. There is a 64-bit version included - see Using on a 64-bit system. If you just need standard symmetrical cryptography, see our alternative product CryptoSys API.

Last year's visits

Latest releases:

2010-05-02: New Version 3.5 released 2 May 2010.

2010-05-20: Version 2.0.2 of FirmaSAT utility to create SAT Mexico digital signatures.

2010-06-30: PKI Examples VB6 to VB.NET.

2010-03-17: Using Delphi with CryptoSys PKI

2010-06-25: Writing an interface in another programming language.

2009-09-04: Complete update to SAT Mexico page.

2009-01-27: XML-Dsig and the Chile SII.

Features

• Provides over 100 core functions to provide PKI cryptography and utilities
• Includes detailed 250-page manual
• Interfaces for VB6/VBA, C/C++, VB.NET/VB2005/8/x, C# and other languages
• Create Cryptographic Message Syntax (CMS, PKCS#7) objects suitable to use in S/MIME messages
• Create and manage X.509 certificates
• Create and check X.509 certificate revocation lists (CRLs)
• Make and read OSCP requests and responses
• Make PKCS#10 certificate request files
• Provides RSA public key encryption and signing
• Generate and manage RSA public and private keys
• Carry out "raw" RSA encryption and decryption
• Encrypt key data for transport using the PKCS#1 algorithm (v1.5 and OEAP)
• Encrypt with symmetrical block ciphers Triple-DES and AES-128/192/256 in 5 standard modes
• Generate message digests (hash values) using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD2 and MD5
• Generate HMAC keyed hash authentication codes
• Generate secure random numbers
• Convert data to and from base64- and hexadecimal-encoded format
• Totally thread-safe.
• Runs on any Win32 operating system: 95/98/NT4/2K/XP/2003/Vista/W7. X64 version included.
• Independent of Microsoft Cryptographic API (CRAPi).
• Does not use COM or Active-X or require registering with RegSvr32 to use.
• A Linux Version is available separately.
• Automatic self-checking of software integrity and key functions on start up.

CryptoSys PKI uses a straightforward Win32 DLL which is compatible with all versions of 32-bit Windows (95/98/Me/NT/2K/XP/2003/Vista/W7). There is no "COM", no "Active-X", and no requirement to "register" it with Windows to use it. The installed executable has a small footprint of about 480 kB. Developers can easily distribute it with their projects made in Visual Basic, VBA, C, C++, VB.NET/VB2005/8 or C# (in fact, in any other programming language that will let you call Win32 API functions including Delphi - see Extra Interfaces). A separate compilation for 64-bit systems is also included. For more information on how the RSA key data is stored and how the various functions work together, see RSA Key Formats. For some examples, see the Examples section below. For the theory and more detailed explanations of how RSA is used in practical applications, see RSA algorithm including its use in creating ISO/IEC 9796 signatures in the AUTACK scheme.

Note that the CryptoSys PKI Toolkit is totally independent from our original CryptoSys API product. The two packages do different things and do not require the other in order to work: see a Comparison of CryptoSys Features for a summary.

Feedback on the CryptoSys PKI Toolkit

Manual

There are two manuals available: one main manual and a supplementary one for .NET users. See the CryptoSys PKI Manual page.

Download

Download a free Trial Version of the CryptoSys PKI Toolkit now.

• WinZip self-extracting EXE file (1461 kB) or
• Zipped version with instructions (1445 kB)

The install program and the product functions have been tested on W98, W2K, XP, Vista and W7 systems. The functions have been tested using Visual Basic 6, Microsoft Office VBA (97 and 2003), Microsoft Visual C++ (versions 5 through 9) and Borland C++Builder version 5.5. The core DLL has been compiled for both Win32 and X64 systems using VS2008. The Win32 version uses Cloanto's LegacyExtender program to make it compatible with the older Windows W9x systems.

The Trial Edition is fully-functional and the download includes the full set of manuals and test functions in Visual Basic (VB6), VB.NET, C and C#. Please read the licence conditions for the Trial Edition. The latest version 3.5 was released on 2 May 2010. The trial period is 60 days from the date first installed on your system.

You need to have administrator rights when installing and uninstalling.

You can purchase a licenced version here. Existing licence holders can download the latest Developer Version here.

Examples

There is an example of each function in the manual and a series of tests in VB6/VBA, VB.NET/VB2005, C/C++ and C# provided with the installation download. These test programs should be in C:\Program Files\CryptoSysPKI.

See the PKI Examples Page for more details and more examples.

We get lots of queries asking how to use the RSA_Raw functions to do simple RSA encryption and signing. See Raw RSA Techniques for a guide to methods available in the latest version, including the EncodeMsg and DecodeMsg functions. If you want more detailed information about the different formats in which RSA keys can be stored, how the keys are used to create X.509 certificates, and all the different functions in the Toolkit that create, read and save the key data, you may find the information in RSA Key Formats useful. See also Importing an RSA key from known parameters.

Mexican Government SAT

The CryptoSys PKI Toolkit includes full support for the private key files published by the Servicio de Administración Tributaria in Mexico. See SAT Mexico Example for some sample code. New improved version of utility to create digital signatures in SAT v2.0 format and more now available. See FirmaSAT.

Security interface for the German health care insurances services

The CryptoSys PKI Toolkit complies with the requirements of the security interface for data exchange for the German health service version 1.5. See Data Exchange in the German Health Service with CryptoSys PKI.

Interfaces to other programming languages

See Writing an interface in another programming language for advice and examples in how to use CryptoSys PKI with other programming languages, including Visual FoxPro and PowerBuilder.

For Delphi, see the page Using Delphi with CryptoSys API, CryptoSys PKI for more details and some sample code.

Linux Version

There is a beta release of a Linux Version of CryptoSys PKI. The Toolkit is provided as a static library which can be compiled with your own source code.

Integrity

Check the integrity of your PKI software against our published checksums and message digests.

New or Updated in the latest versions

Version 3.5:

(2 May 2010)

• Added the X509_MakeCRL function to make a basic X.509 certificate revocation list (CRL).
• Added the X509_CheckCertInCRL function to check if a given X.509 certificate has been revoked in an X.509 certificate revocation list (CRL).
• Added the OCSP_MakeRequest function to create an Online Certification Status Protocol (OCSP) request as a base64 string.
• Added the OCSP_ReadResponse function to read a response to an Online Certification Status Protocol (OCSP) request and output the main results in text form.
• Added the X509_TextDump function to dump details of X.509 certificate (or a CRL or a PKCS10 CSR) to a text file.
• Added the X509_ValidatePath function to validate a certificate path, either in the form of a list of X.509 certificate filenames or in a PKCS7 "certs-only" certificate chain file (.p7b or .p7c).
• Updated the X509_MakeCert function to allow the creation of a new X.509 certificate using a PKCS#10 Certificate Signing Request (CSR).
• Updated the X509_VerifyCert function to also verify X.509 Certificate Revocation List (CRL) and PKCS#10 Certificate Signing Request (CSR) documents.
• Added more options to the X509_QueryCert function.
• Improved the options for input to the CMS_ReadEnvData[ToString] and CMS_ReadSigData[ToString] functions, allowing the user to pass the data directly as a base64 string or PEM string; and added the automatic detection of format for input files.

Version 3.4:

(19 December 2009)

• All DLL executables are now signed with our code authentication certificate.
• Added functions to detect the platform of the underlying DLL. See Detecting Win32 or X64 platform, General.IsWin64 Method and General.Platform Method.
• Removed RSA-KEM functions introduced provisionally in v3.2. We'll put them back when the final RFC comes out and proper test vectors are released and if there is any demand (which we doubt).
• Added various overloads to the .NET class library for missing options (e.g. Rng.BytesWithPrompt Method with Rng.Strength) or to make easier to use with StringBuilder types, e.g. Rsa.KeyBytes.
• Updated the main manual with a complete List of .NET Methods and Cross-reference between Functions and .NET Methods.

Version 3.3:

(21 February 2009)

• Compiled using VS2008 for both Win32 and X64.
• Added the ability to include more extensions and other features to new X.509 certificates when using the X509_MakeCert and X509Make_CertSelf functions, and added more options for distinguished names.
• Added the PEM_FileFromBinFile and PEM_FileToBinFile functions to enable you to convert files between ASN.1 DER/BER binary format and PEM format.
• Incorporated a faster BigDigits mathematics algorithm to speed up RSA modular exponential calculations.
• Improved the performance of the WIPE_File function - up to three times faster for large files.
• Amended the RSA_FromXMLString function to allow the import of a restricted RSA private key from XML data consisting only of the <Modulus>, <Exponent> and <D> fields. The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file. This is useful to reproduce certain test vectors.
• Added specialist options to enable users to create digital signatures suitable for use in an AUTACK message. See AUTACK messages and ISO/IEC 9796-1 signatures. In particular, this includes
  • Adding a PKI_EMSIG_ISO9796 option to the RSA_EncodeMsg and RSA_DecodeMsg functions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
  • Adding a specialist option to the RSA_RawPrivate and RSA_RawPublic functions to sign and decrypt RSA signatures using the "RSA2" method used in ISO/IEC 9796-1, ANSI X9.31 and P1363.
• Changed the value of PKI_KEYGEN_INDICATE option in RSA_MakeKeys so it does not clash with the des-EDE3-CBC block cipher option.

Version 3.2:

(2 February 2008)

• Added a new generic block cipher function with AES and Triple DES. See CIPHER_Bytes, CIPHER_Hex, and CIPHER_File.
• Added SHA-224 to the selection of message digest hash functions and added the HASH_HexFromHex and HMAC_HexFromHex functions.
• Added the option to use the newer PKCS-1 signature algorithms "shaXXXWithRSAEncryption" with SHA-224/256/384/512 for X509_MakeCert[Self] and X509_CertRequest.
• Added the ability to make, read and verify CMS signed-data objects using message digest algorithms SHA-224/256/384/512. See CMS_MakeSigData[FromString].
• Added the ability to make and read CMS enveloped-data objects using the AES-128/192/256 content encryption algorithms. See CMS_MakeEnvData[FromString].
• Added [provisionally in this release] the ability to make and read CMS enveloped-data objects using the RSA-KEM ("Simple RSA") key encryption algorithm [withdrawn in v3.4].
• Added the primitive functions RSA_KemWrap and RSA_KemUnwrap which will wrap (encrypt) and unwrap (decrypt) secret keying data for a recipient with the recipient's RSA key using the RSA-KEM ("Simple RSA.html") algorithm [withdrawn in v3.4].
• Added the block cipher key wrap functions CIPHER_KeyWrap and CIPHER_KeyUnwrap using AES-wrap and Triple DES wrap.
• Added options to save and read encrypted private keys with improved security using AES-128/192/256 and SHA-224/256/384/512 when using the RSA_SaveEncPrivateKey and RSA_ReadEncPrivateKey functions.
• Added the ability to pass both X.509 certificate data and RSA private and public key data to the X.509 and RSA functions using a PEM-encoded string instead of a file.
• Improved the handling of enveloped-data objects by adding the CMS_QueryEnvData function, and included the ability to pass a base64- or PEM-encoded certificate list to CMS_MakeEnvData and CMS_MakeSigData.

Version 3.1:

(2 August 2007)

• Added the ability to specify any valid UTF-8 characters in a distinguished name, including CJK characters, when creating an X.509 certificate with X509_MakeCert or X509_MakeCertSelf. See Specifying Distinguished Names for more details.
• Added the RSA_KeyMatch function to verify that a pair of RSA private and public key strings are matched.
• Added the functionality to all the X.509 certificate functions to allow the user to specify an input X.509 certificate as a base64 string instead of using a file.
• Improved the functions that read ASN.1 data to avoid security issues arising from badly-formed data.
• Increased the speed when encrypting large files using TDEA_File. To prevent accidental misuse, if an error occurs when using this function, the output file will now not exist.
• Specialist Option: Added an alternative TeleTrusT content encryption algorithm to the CMS_MakeEnvData function to conform with the PKI requirements of the German Health System.

Version 3.0:

(27 March 2007)

• Introduced a new, more secure, random number generator (RNG) based on NIST SP800-90 and Ferguson and Schneier's "Fortuna" method from Practical Cryptography. See Random Number Generator.
• Incorporated extra security by encrypting "internal" RSA key strings to prevent security breaches by accidental disclosure - see Internal key strings. Added the RSA_KeyHashCode function to allow comparison of internal key strings.
• Added the SHA-384 and SHA-512 message digest algorithms to the HASH functions.
• Added the HMAC functions to compute a keyed hash value, HMAC_HexFromBytes and HMAC_Bytes.
• Added functions to query an X.509 certificate file X509_KeyUsageFlags and X509_QueryCert.
• Added functions to read in a X.509 certificate file directly as a base64 string and save the string as a file X509_ReadStringFromFile and X509_SaveFileFromString.

Thanks to all users who have suggested improvements and in particular to Bernd Rech for his suggestions, advice and help.

Contact

For more information, please Email Us. To comment on this page, see below.

This page last updated 15 July 2010

Copyright © 2002-10 D.I. Management Services Pty Limited ABN 78 083 210 584 Sydney, Australia. All rights reserved.
<www.di-mgt.com.au>   <www.cryptosys.net>

CryptoSys Home | PKI Home | Purchase | Search | Cryptography Software Code | Contact us