NIAP: View Technical Decision Details
TD0725:  Correction to FCS_CKM_EXT.2/4 selections

Publication Date
2023.03.17

Protection Profiles
MOD_VPNC_V2.4

Other References
FCS_CKM_EXT.2, FCS_CKM_EXT.4

Issue Description

In VPNC MOD 2.4, for both FCS_CKM_EXT.2 (under GPOS and APP) and FCS_CKM_EXT.4 (under APP), the SFRs indicate that the selection is a "choose one of".  However, the Application Notes for both instances of FCS_CKM_EXT.2 indicate that both selections can be specified. For FCS_CKM_EXT.4, the Application Note specifies an instance where both selections must be selected.

Resolution

FCS_CKM_EXT.2.1 in Section 5.1.2.1 of MOD_VPN_CLI_v2.4 is modified as follows, with strikethrough in red highlighting denoting deletion:

FCS_CKM_EXT.2.1

The [selection, choose one of: VPN client, OS] shall store persistent secrets and private keys when not in use in OS-provided key storage.

FCS_CKM_EXT.2.1 in Section 5.3.2.1 of MOD_VPN_CLI_v2.4 is modified as follows, with strikethrough in red highlighting denoting deletion:

FCS_CKM_EXT.2.1

The [selection, choose one of: TOE, TOE platform] shall store persistent secrets and private keys when not in use in platform-provided key storage.

FCS_CKM_EXT.4.1 in Section 5.3.2.1 of MOD_VPN_CLI_v2.4 is modified as follows, with strikethrough in red highlighting denoting deletion:

FCS_CKM_EXT.4.1

The [selection, choose one of: TOE, TOE platform] shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.

FCS_CKM_EXT.2 and FCS_CKM_EXT.4 extended component definitions in Section C.2.1.1 of MOD_VPN_CLI_v2.4 are modified as follows, with strikethrough in red highlighting denoting deletion:

FCS_CKM_EXT.2.1

The [selection, choose one of: VPN client, OS] shall store persistent secrets and private keys when not in use in OS-provided key storage.

...

FCS_CKM_EXT.4.1

The [selection, choose one of: TOE, TOE platform] shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.

Justification

See issue description.

 
 