GSA / piv-conformance

Tool to verify conformance to the PIV data model per most recent releases of FIPS 201 and associated publications

test 11.7.2.4.1 doesn't support Policy Identifier=2.16.840.1.101.3.2.1.3.39 being present in the certificate #311

Closed dbcolston closed 10 months ago

dbcolston commented 2 years ago

The Content Signing Certificate being tested contains a policy identifier of 2.16.840.1.101.3.2.1.3.39; however, the test tool is failing this test case.

        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Certificate Policies: 
            Policy: 2.16.840.1.101.3.2.1.3.39

dbcolston commented 2 years ago

Yes, but in our case, they are present in the certificate itself so I don’t think that mapping is needed.

Barry

From: Todd Johnson
Sent: Friday, July 01, 2022 8:44 PM
To: GSA/piv-conformance
Cc: dbcolston; Author
Subject: Re: [GSA/piv-conformance] test 11.7.2.4.1 doesn't support Policy Identifier=2.16.840.1.101.3.2.1.3.39 being present in the certificate (Issue #311)

Technically, they can also be mapped policies too. This would apply for both signature and encryption certificates.

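The two situations discussed above (the policy OID present directly in the content signing certificate, or reached through a policyMappings entry in the issuing CA certificate), as an added example that is not code from the piv-conformance tool: a minimal DER reader for the certificatePolicies and policyMappings extension values (RFC 5280 4.2.1.4 and 4.2.1.5) and a simplified check for whether 2.16.840.1.101.3.2.1.3.39 is asserted. The extension values are constructed sample bytes, not taken from the issue's certificate, and 1.2.3.4.5 is a placeholder policy OID.

```python
PIV_CONTENT_SIGNING = "2.16.840.1.101.3.2.1.3.39"  # the policy OID quoted in the issue
def _read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlvs(body):  # yield (tag, value) for each TLV packed back-to-back in a SEQUENCE body
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs = [2, body[0] - 80] if body[0] >= 80 else list(divmod(body[0], 40))
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def certificate_policies(ext_value):
    """OIDs from certificatePolicies: SEQUENCE OF PolicyInformation { policyIdentifier, ... }."""
    _, seq, _ = _read_tlv(ext_value, 0)
    return [decode_oid(_read_tlv(info, 0)[1]) for _, info in _tlvs(seq)]

def policy_mappings(ext_value):
    """{issuer: subject} from policyMappings: SEQUENCE OF SEQUENCE { issuerDomainPolicy, subjectDomainPolicy }."""
    _, seq, _ = _read_tlv(ext_value, 0)
    mappings = {}
    for _, pair in _tlvs(seq):
        (_, issuer), (_, subject) = _tlvs(pair)
        mappings[decode_oid(issuer)] = decode_oid(subject)
    return mappings

def asserts_policy(wanted, ee_policies, ca_mappings=None):
    """Direct assertion, or via the issuing CA's policyMappings (simplified: no anyPolicy, inhibit flags or deeper chains)."""
    if wanted in ee_policies:
        return True
    mapped = (ca_mappings or {}).get(wanted)
    return mapped is not None and mapped in ee_policies
# Constructed sample extension values (not bytes from the issue's certificate); 1.2.3.4.5 is a placeholder OID.
DIRECT_EE = bytes.fromhex("300e300c060a60864801650302010327")  # certificatePolicies: ...3.39 directly
MAPPED_EE = bytes.fromhex("3008300606042a030405")              # certificatePolicies: 1.2.3.4.5 only
CA_MAPS = bytes.fromhex("30143012060a6086480165030201032706042a030405")  # policyMappings: ...3.39 -> 1.2.3.4.5
```

A full path validation (RFC 5280 6.1) tracks a policy tree across every CA in the chain; this check covers only the one-level cases described in the thread.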

bob-fontana commented 1 year ago

If memory serves correctly, the way this should work is that the PDVAL stuff should be handled by Sun or BC depending on which you've configured the software to use. They are not designed to work together (Sun + BC). Pick one that works. Policy mapping was supported using either; however, my own mileage varied and took quite a bit of fussing with the PDVAL code to get support for both.

Ensure the up-to-date trust anchors are specified in the config files.

The spreadsheet has a crude way to specify which certificate policies are expected to be in a certificate. We built out a few examples; however, there is still a manual step of creating the databases from the spreadsheet sources. I'm not sure how much of that process was documented. Look in the venv subdirectory for some clues.

Direct policies may not work concurrently. In other words, if there is policy mapping going on for some certs but no policy mapping for others, it's possible that one or the other doesn't work. I didn't look into that very far.