The NIT issued a technical decision for clarification about FCS_TLSC_EXT.1.1, Test 2.

Updated 3/13/2019 to also apply to NDcPP V2.1 and ND SD V2.1

FCS_DTLSC_EXT.1.1, FCS_DTLSC_EXT.2.1, FCS_TLSC_EXT.1.1, FCS_TLSC_EXT.2.1 Test 2 shall be replaced as follows:

The goal of the following test is to verify that the TOE accepts only certificates with appropriate values in the extendedKeyUsage extension, and implicitly that the TOE correctly parses the extendedKeyUsage extension as part of X.509v3 server certificate validation.

Test 2: The evaluator shall attempt to establish the connection using a server with a server certificate that contains the Server Authentication purpose in the extendedKeyUsage extension and verify that a connection is established. The evaluator shall repeat this test using a different, but otherwise valid and trusted, certificate that lacks the Server Authentication purpose in the extendedKeyUsage extension and ensure that a connection is not established. Ideally, the two certificates should be similar in structure, the types of identifiers used, and the chain of trust.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201801.pdf

Interception and modification of traffic/certificates “in flight” is not mandatory or necessary to satisfy any certificate-related testing requirements. It is sufficient to reconfigure the IT entities in the test environment to present different certificates that would satisfy test objectives. In implementing Test 2 it is recommended to create two similar certificates signed by the same CA, one with the extendedKeyUsage extension containing Server Authentication and one without, and then use the same authorized IT entity to present them to the TOE.

It is not acceptable to simply edit an existing certificate to change the purpose in the extendedKeyUsage extension, as doing so will result in an invalid certificate due to a signature mismatch. Consequently, it would not be possible to attribute a connection rejection to the extendedKeyUsage extension parsing.