NIAP: View Technical Decision Details
Archived TD0495:  FIA_X509_EXT.1.2 Test Clarification

Publication Date
2020.01.29

Protection Profiles
PP_APP_v1.3

Other References
FIA_X509_EXT.1.2

Issue Description

FIA_X509_EXT.1.2 Tests 1-3 are required to be tested on the “CA issuing the TOE’s certificate;” however, many TOEs use X.509 certificates for authentication without having a TOE certificate. The tests need to be generalized to apply to any certificate that the TOE needs to validate.  Also, Test 3 is redundant with other tests.

Resolution

FIA_X509_EXT.1.2 tests are modified as follows. Deleted text is shown as [deleted: ...]; the text outside the brackets is the modified wording:

Tests
The tests described must be performed in conjunction with the other certificate services evaluation activities, including the functions in FIA_X509_EXT.2.1. If the application supports chains of length four or greater, the evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA. If the application supports a maximum trust depth of two, then a chain with no Intermediate CA should instead be created.

Test 1: The evaluator shall [deleted: construct a certificate path, such] ensure that the certificate of at least one of the CAs [deleted: issuing the TOE's certificate] in the chain does not contain the basicConstraints extension. The evaluator shall confirm that validation of the certificate path fails (i) as part of the validation of the peer certificate belonging to this chain; and/or (ii) when attempting to add the CA certificate without the basicConstraints extension to the TOE's trust store.

Test 2: The evaluator shall [deleted: construct a certificate path, such] ensure that the certificate of at least one of the CAs [deleted: issuing the TOE's certificate] in the chain has the CA flag in the basicConstraints extension not set (or set to FALSE). The evaluator shall confirm that validation of the certificate path fails (i) as part of the validation of the peer certificate belonging to this chain; and/or (ii) when attempting to add the CA certificate with the CA flag not set (or set to FALSE) in the basicConstraints extension to the TOE's trust store.

[deleted: Test 3: The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate has the CA flag in the basicConstraints extension set to TRUE. The validation of the certificate path succeeds.]
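The chains that Tests 1 and 2 call for, as an added example (not part of the Technical Decision or the Protection Profile): it builds the four-certificate chain described above with the Python `cryptography` package and lets any one CA omit basicConstraints or carry cA=FALSE. The function names and subject names are assumptions, and `ca_constraint_errors` checks only the basicConstraints property under test, not signatures, validity dates or revocation.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, ca):
    """ca=True/False sets the cA flag; ca=None omits basicConstraints entirely."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    builder = (x509.CertificateBuilder()
               .subject_name(name(cn)).issuer_name(name(issuer_cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=30)))
    if ca is not None:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    return builder.sign(issuer_key, hashes.SHA256())

def build_chain(ca_flags):
    """ca_flags: settings for [root, intermediate 1, intermediate 2].
    Returns [node, intermediate 2, intermediate 1, root]; the node is CA=FALSE."""
    names = ["Root CA", "Intermediate CA 1", "Intermediate CA 2", "node"]  # constructed
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in names]
    certs = []
    for i, cn in enumerate(names):
        issuer = max(i - 1, 0)  # the root signs itself
        ca = ca_flags[i] if i < 3 else False
        certs.append(make_cert(cn, keys[i], names[issuer], keys[issuer], ca))
    return certs[::-1]

def ca_constraint_errors(chain):
    """Every certificate above the node must have basicConstraints with cA TRUE."""
    errors = []
    for cert in chain[1:]:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            errors.append((cn, "basicConstraints missing"))  # Test 1 condition
            continue
        if not bc.ca:
            errors.append((cn, "cA flag is FALSE"))  # Test 2 condition
    return errors
```

Calling `build_chain([True, None, True])` gives a Test 1 chain and `build_chain([True, True, False])` a Test 2 chain; the certificates can be serialized to PEM and presented to the application, which is expected to reject the path in both cases.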

Justification

See issue description.

 
 