Closed dbcolston closed 10 months ago
Yes, but in our case, they are present in the certificate itself so I don’t think that mapping is needed.
Barry
From: Todd Johnson @.>
Sent: Friday, July 01, 2022 8:44 PM
To: GSA/piv-conformance @.>
Cc: dbcolston @.>; Author @.>
Subject: Re: [GSA/piv-conformance] test 11.7.2.4.1 doesn't support Policy Identifier=2.16.840.1.101.3.2.1.3.39 being present in the certificate (Issue #311)
Technically, they can also be mapped policies. This would apply to both signature and encryption certificates.
— Reply to this email directly or view it on GitHub: https://github.com/GSA/piv-conformance/issues/311#issuecomment-1172799861
If memory serves correctly, the way this should work is that the PDVAL stuff should be handled by Sun or BC, depending on which one you've configured the software to use. They (Sun + BC) are not designed to work together. Pick one that works. Policy mapping was supported using either; however, my own mileage varied, and it took quite a bit of fussing with the PDVAL code to get support for both.
Ensure the up-to-date trust anchors are specified in the config files.
The spreadsheet has a crude way to specify which certificate policies are expected to be in a certificate. We built out a few examples; however, there is still a manual step of creating the databases from the spreadsheet sources. I'm not sure how much of that process was documented. Look in the venv subdirectory for some clues.
Direct policies may not work concurrently. In other words, if there is policy mapping going on for some certs but no policy mapping for others, it's possible that one or the other doesn't work. I didn't look into that very far.
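The difference between a policy that is asserted directly in the end-entity certificate and one that is only reached through a CA's policyMappings extension is easiest to see by walking a chain the way RFC 5280 section 6.1 does. The following is an added example written for this thread; it is not code from the piv-conformance tool and does not model how that tool (or the Sun/BC path validators) behaves. It is a deliberately simplified policy walk: it ignores inhibitPolicyMapping, requireExplicitPolicy and inhibitAnyPolicy, represents certificates as plain dicts rather than parsed X.509, and the `AGENCY_POLICY` OID and the three chains are constructed for illustration. The OID 2.16.840.1.101.3.2.1.3.39 is the one quoted in the issue.

```python
"""Simplified RFC 5280 certificate-policy walk (added example, not
piv-conformance code).

A chain is ordered from the CA issued by the trust anchor down to the
end-entity certificate (the trust anchor itself is excluded). Each
certificate is a dict with:
  "policies": set of OIDs from its certificatePolicies extension
  "mappings": (CAs only) issuerDomainPolicy -> {subjectDomainPolicy, ...}
              taken from its policyMappings extension
Constraints such as inhibitPolicyMapping, requireExplicitPolicy and
inhibitAnyPolicy are deliberately ignored to keep the walk short.
"""

ANY_POLICY = "2.5.29.32.0"                         # anyPolicy, RFC 5280 4.2.1.4
PIV_CONTENT_SIGNING = "2.16.840.1.101.3.2.1.3.39"  # OID quoted in the issue
AGENCY_POLICY = "2.16.840.1.101.3.2.1.99.1"        # constructed, hypothetical OID


def valid_policies(initial_policies, chain):
    """Return the set of policies valid at the end-entity certificate for the
    given user-initial-policy-set, or an empty set if policy processing fails."""
    expected = set(initial_policies)
    for depth, cert in enumerate(chain):
        asserted = set(cert["policies"])
        # A certificate asserting anyPolicy satisfies every expected policy;
        # otherwise only the intersection survives (6.1.3 step d).
        valid = set(expected) if ANY_POLICY in asserted else expected & asserted
        if not valid:
            return set()
        if depth == len(chain) - 1:
            return valid
        # Prepare for the next certificate (6.1.4 step b): a valid policy that
        # is an issuerDomainPolicy is replaced by its subjectDomainPolicy set,
        # so the *next* certificate must assert the mapped OID, not the original.
        mappings = cert.get("mappings", {})
        expected = set()
        for policy in valid:
            expected |= set(mappings.get(policy, {policy}))
    return set()


def explain(initial_policy, chain):
    """Classify how the end-entity certificate satisfies `initial_policy`:
    "direct" (asserted in the leaf itself), "mapped" (only via policyMappings
    in a CA above it) or "fail"."""
    if not valid_policies({initial_policy}, chain):
        return "fail"
    return "direct" if initial_policy in chain[-1]["policies"] else "mapped"


# Constructed chains for the three situations discussed in the thread.

# Case 1: the policy is asserted directly in every certificate, no mapping.
DIRECT_CHAIN = [
    {"policies": {PIV_CONTENT_SIGNING}},   # issuing CA
    {"policies": {PIV_CONTENT_SIGNING}},   # content signing certificate
]

# Case 2: a bridge CA maps the expected OID to the agency's own OID; the leaf
# asserts the agency OID, so it is valid only *through* the mapping.
MAPPED_CHAIN = [
    {"policies": {PIV_CONTENT_SIGNING},
     "mappings": {PIV_CONTENT_SIGNING: {AGENCY_POLICY}}},   # bridge CA
    {"policies": {AGENCY_POLICY}},                           # agency CA
    {"policies": {AGENCY_POLICY}},                           # content signing certificate
]

# Case 3: same bridge mapping, but the leaf asserts the expected OID directly
# instead of the mapped one. After the mapping the expected set is
# {AGENCY_POLICY}, so the direct assertion no longer matches: a validator that
# applies mappings rejects a leaf that a plain OID comparison would accept.
MIXED_CHAIN = [
    {"policies": {PIV_CONTENT_SIGNING},
     "mappings": {PIV_CONTENT_SIGNING: {AGENCY_POLICY}}},
    {"policies": {AGENCY_POLICY}},
    {"policies": {PIV_CONTENT_SIGNING}},
]

if __name__ == "__main__":
    for name, chain in (("direct", DIRECT_CHAIN), ("mapped", MAPPED_CHAIN), ("mixed", MIXED_CHAIN)):
        print(name, explain(PIV_CONTENT_SIGNING, chain), sorted(valid_policies({PIV_CONTENT_SIGNING}, chain)))
```

Case 3 is the situation the comment above warns about: when a path validator applies policy mappings, an end-entity certificate that carries the expected OID directly is not automatically accepted under a CA that maps that OID elsewhere. A test that only compares the leaf's certificatePolicies against the expected OID gives the opposite answer, which is why the two approaches cannot simply be run side by side without deciding which semantics the test is meant to check.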
The Content Signing Certificate being tested contains a policy identifier of 2.16.840.1.101.3.2.1.3.39; however, the test tool is failing this test case.