TD0742: Updates to Certificate Revocation (FIA_X509_EXT.1) for Base Virtualization PP v1.1
TD0605 addressed the following:
Three items are addressed via this TD: revocation checking, validation of ECC certificates, and replacement of the Suite B references.
Revocation methods do not include OCSP stapling or OCSP multi-stapling, limiting the functionality that could be evaluated. Adding these methods requires updates to the testing, as well. In addition, there are cases where certificates are short lived, or used in scenarios where revocation checking is not possible (e.g., when a network connection is not available at the time the certificate is intended to be validated).
Validation of certificates, if not done correctly, can introduce vulnerabilities (like CVE-2020-0601). Testing to ensure proper validation of Elliptic Curve Cryptography (ECC) certificates is lacking allowing spoofing attacks to exist in evaluated products.
Suite B Documents were moved to historical status (RFC 8423) and the Commercial National Security Algorithm (CNSA) Suite has replaced Suite B.
The following corrections are needed for TD0605:
- The text provided for tests 5a and 5b references FCS_COP.1(3), which is consistent with the now superseded TD0526. However, version 1.1 of the PP does not contain this SFR; version 1.0 of the PP did, but it was sunset in 2021.
- The comment relative to FIA_X509_EXT.4 is that it should be added as a selection-based requirement, yet only the text for the test is highlighted.
This TD supersedes TD0605, which is now archived.
PP_BASE_VIRTUALIZATION_V1.1 is modified as follows, with highlight indicating additions:
The first application note for FIA_X509_EXT.1.1 is modified as follows:
Application Note: This SFR must be included in the ST if the selection for FPT_TUD_EXT.1.3 is “digital signature mechanism,” or if the selection for FTP_ITC_EXT.1 includes “IPsec,” “TLS,” or “TLS/HTTPS,” or if "certificate-based authentication of the remote peer" is selected in FTP_ITC_EXT.1.1, or if "authentication based on X.509 certificates" is selected in FIA_UAU.5.1.
Test 3 for FIA_X509_EXT.1.1 is modified as follows:
Test 3: (conditional, performed except for use cases identified in exceptions that cannot be configured to allow revocation) The evaluator shall test that the TOE can properly handle revoked certificates, conditional on whether CRL, OCSP, OCSP stapling, or OCSP multi-stapling is selected; if multiple methods are selected, then a test is performed for each method. The evaluator only needs to test one level up in the trust chain (future revisions may require ensuring that validation is done up the entire chain). The evaluator shall ensure that a valid certificate is used, and that the validation function succeeds. The evaluator shall then attempt the test with a certificate that will be revoked (for each method chosen in the selection) and verify that the validation function fails. If the exceptions are configurable, the evaluator shall attempt to configure the exceptions to allow revocation checking for each function indicated in FIA_X509_EXT.2.
FIA_X509_EXT.4 is a selection-based SFR added as follows:
FIA_X509_EXT.4 Exceptions to X509 Certificate Revocation Checking
FIA_X509_EXT.4.1 The OS shall provide alternate functionality to standard X509 certificate revocation checking for the following exceptions: [selection: firmware checking of updates: invalidate automatic updates if the firmware certificate is compromised; [assignment: other exceptions and corresponding functionality]].
The evaluator will ensure the TSS describes, for each exception, the alternate functionality the TOE implements to handle the lack of certificate revocation. The description must be consistent with the selection in the requirement.
Test 1: For each exception, the evaluator shall configure the TSF as necessary to meet the exceptional condition described, and exercise the function using a certificate chain without revocation information. The evaluator shall attempt to examine TSF logging or behavior as described in the TSS to confirm the alternative action described is performed. For example, in the case of firmware updates that invalidate automatic updates, the evaluator shall invoke an automatic update and observe that the update is not performed. In other cases, the TSS describes the alternative action.
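The following is an added example, not text from this TD or the PP: a small Python model of the decision exercised in Test 3 (CRL, OCSP, OCSP stapling and OCSP multi-stapling, checking the leaf plus one level up) combined with the FIA_X509_EXT.4 exception for a context in which revocation information cannot be obtained. The certificate, CRL and OCSP structures are constructed dicts rather than real X.509 objects, and the context name `firmware_update` is an assumed label.

```python
"""Added example: model of Test 3 revocation checking plus the
FIA_X509_EXT.4 exception. Certs, CRLs and OCSP responses are constructed."""
from dataclasses import dataclass

GOOD, REVOKED, UNAVAILABLE = "good", "revoked", "unavailable"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def crl_status(cert, crls):
    """crls: {issuer: set of revoked serials}; no CRL for the issuer = unavailable."""
    if cert.issuer not in crls:
        return UNAVAILABLE
    return REVOKED if cert.serial in crls[cert.issuer] else GOOD

def ocsp_status(cert, responses):
    """responses: {(issuer, serial): GOOD|REVOKED} from a responder or a staple."""
    return responses.get((cert.issuer, cert.serial), UNAVAILABLE)

def chain_revocation_status(chain, method, crls=None, ocsp=None, stapled=None):
    """chain[0] is the leaf, chain[1] its issuer. Only the leaf and one level
    up are checked, as Test 3 requires. Revoked beats unavailable beats good."""
    stapled = dict(stapled or {})
    if method == "OCSP stapling":  # a single stapled response covers only the leaf
        leaf_key = (chain[0].issuer, chain[0].serial)
        stapled = {k: v for k, v in stapled.items() if k == leaf_key}
    worst = GOOD
    for cert in chain[:2]:
        if method == "CRL":
            st = crl_status(cert, crls or {})
        elif method == "OCSP":
            st = ocsp_status(cert, ocsp or {})
        elif method in ("OCSP stapling", "OCSP multi-stapling"):
            st = ocsp_status(cert, stapled)
        else:
            raise ValueError(f"unknown revocation method: {method}")
        if st == REVOKED:
            return REVOKED
        if st == UNAVAILABLE:
            worst = UNAVAILABLE
    return worst

def validate(chain, method, context, exceptions, **sources):
    """Return the TOE action. `context` names the function consuming the
    certificate (assumed label, e.g. 'firmware_update'); `exceptions` maps a
    context to the alternate functionality selected in FIA_X509_EXT.4.1."""
    status = chain_revocation_status(chain, method, **sources)
    if status == GOOD:
        return "accept"
    if status == REVOKED:
        return "reject"
    return exceptions.get(context, "reject")  # no exception: fail closed
```

With an exception of `{"firmware_update": "invalidate automatic updates"}`, a chain without revocation information yields that alternate action only for the firmware-update context; any other context is rejected.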
The new revocation methods and associated testing and the (conditional) test for ECC validation address gaps and help prevent exploitation of spoofing vulnerabilities.
In cases where certificates are short lived, or used in scenarios where revocation checking is not possible (e.g., when a network connection is not available at the time the certificate is intended to be validated, especially when the presence of a network connection introduces unacceptable risk), it is acceptable for the issuer to convey continued certificate validity information via other mechanisms, such as removing a certificate in the certificate validation chain from the trust store or from certificate pinning mechanisms.
RFC5759 should be replaced with RFC8603 per RFC8423.
Tests 5a and 5b should be relabeled as Test 5 and Test 6, and the reference to FCS_COP.1(3) should be changed to FCS_COP.1/SIG.