Archived
TD0495: FIA_X509_EXT.1.2 Test Clarification
Publication Date
2020.01.29
Protection Profiles
PP_APP_v1.3
Other References
FIA_X509_EXT.1.2
Issue Description
FIA_X509_EXT.1.2 Tests 1-3 are required to be tested on the “CA issuing the TOE’s certificate”; however, many TOEs use X.509 certificates for authentication without having a TOE certificate. The tests need to be generalized to apply to any certificate that the TOE needs to validate. Also, Test 3 is redundant with other tests.
Resolution
FIA_X509_EXT.1.2 tests are modified as follows, with [-bracketed text-] indicating deletions (strikethrough in the original) and [+bracketed text+] indicating additions (underline in the original):
Tests
Test 1: The evaluator shall [-construct a certificate path, such-] [+ensure+] that [-the certificate of the CA issuing the TOE's certificate-] [+at least one of the CAs in the chain+] does not contain the basicConstraints extension. The [+evaluator shall confirm that+] validation of the certificate path fails [+(i) as part of the validation of the peer certificate belonging to this chain; and/or (ii) when attempting to add the CA certificate without the basicConstraints extension to the TOE's trust store+].
Test 2: The evaluator shall [-construct a certificate path, such-] [+ensure+] that [-the certificate of the CA issuing the TOE's certificate-] [+at least one of the CAs in the chain+] has the CA flag in the basicConstraints extension not set [+(or set to FALSE)+]. The [+evaluator shall confirm that+] validation of the certificate path fails [+(i) as part of the validation of the peer certificate belonging to this chain; and/or (ii) when attempting to add the CA certificate with the CA flag not set (or set to FALSE) in the basicConstraints extension to the TOE's trust store+].
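As an added illustration that is not part of TD0495, the PP, or any evaluated TOE, the following POSIX shell script reproduces the two modified tests against OpenSSL's certificate path validator. It assumes only that the openssl command-line tool (1.1.1 or 3.x) is on PATH; every key and certificate it uses is constructed on the fly in a temporary directory. Part (i) of each test is exercised by validating a leaf certificate through an intermediate CA certificate that either lacks basicConstraints (Test 1) or carries CA:FALSE (Test 2), with a CA:TRUE intermediate as the positive control. Part (ii), adding the defective CA certificate to the trust store, is approximated by handing that certificate to openssl verify as a trust anchor with -partial_chain; that is an assumption about how a trust store might be exercised, not a procedure the TD specifies, and a real TOE's trust-store import behaviour must be tested on the TOE itself.

```shell
#!/bin/sh
# Added example (not from TD0495): FIA_X509_EXT.1.2 Tests 1 and 2 against OpenSSL.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH. All PKI material is constructed.
set -eu

# Build a constructed PKI in $1: root CA -> intermediate (three variants, same key) -> leaf.
build_pki() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    # Extension files used when signing. The three intermediate variants differ only here.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'subjectKeyIdentifier=hash\n' > "$dir/nobc.ext"                                          # Test 1: no basicConstraints at all
    printf 'basicConstraints=critical,CA:FALSE\nsubjectKeyIdentifier=hash\n' > "$dir/cafalse.ext"   # Test 2: CA flag set to FALSE
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"

    for n in root int leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/$n.key" 2>/dev/null
        openssl req -new -config "$dir/req.cnf" -key "$dir/$n.key" -subj "/CN=Constructed $n" -out "$dir/$n.csr" 2>/dev/null
    done
    # Self-signed root with proper CA extensions.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Same intermediate subject and key, issued three times with different extensions.
    for v in ca nobc cafalse; do
        openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
            -days 1 -extfile "$dir/$v.ext" -out "$dir/int_$v.pem" 2>/dev/null
    done
    # One leaf signed by the intermediate key; any of the three intermediate certs names it as issuer.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int_ca.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Part (i): validate leaf ($3) through untrusted intermediate ($2) up to trusted root ($1).
# Echoes "pass" or "fail" according to openssl verify's exit status.
verify_chain() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo pass; else echo fail; fi
}

# Part (ii) approximation: use the CA certificate ($1) itself as the trust anchor for leaf ($2).
verify_as_anchor() {
    if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then echo pass; else echo fail; fi
}

# Run the control plus Tests 1 and 2, printing one result line per case.
run_fia_x509_ext_1_2() {
    d=$(mktemp -d)
    build_pki "$d"
    printf 'control  intermediate CA:TRUE, as intermediate : %s (expected pass)\n' "$(verify_chain "$d/root.pem" "$d/int_ca.pem" "$d/leaf.pem")"
    printf 'test 1   no basicConstraints, as intermediate  : %s (expected fail)\n' "$(verify_chain "$d/root.pem" "$d/int_nobc.pem" "$d/leaf.pem")"
    printf 'test 1ii no basicConstraints, as trust anchor  : %s (expected fail)\n' "$(verify_as_anchor "$d/int_nobc.pem" "$d/leaf.pem")"
    printf 'test 2   CA:FALSE, as intermediate             : %s (expected fail)\n' "$(verify_chain "$d/root.pem" "$d/int_cafalse.pem" "$d/leaf.pem")"
    printf 'test 2ii CA:FALSE, as trust anchor             : %s (expected fail)\n' "$(verify_as_anchor "$d/int_cafalse.pem" "$d/leaf.pem")"
    rm -rf "$d"
}

run_fia_x509_ext_1_2
```

For the rejected chains OpenSSL reports its "invalid CA certificate" verification error (X509_V_ERR_INVALID_CA) at the depth of the defective certificate, which is the observable an evaluator records for the "validation of the certificate path fails" outcome; the positive control confirms the failure is caused by the basicConstraints defect and not by a broken test setup.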
Justification
See issue description.