The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6129	APP3305	SV-6129r1_rule	IATS-1 IATS-2	High

Description
The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-2943r1_chk )
If the application is not PK-enabled, this check is not applicable. If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable. This check is not applicable where system users are determined to be information privileged individuals, volunteers, or reservists, as required in the DoDI 8520.2. DoD test certificates can be obtained from the following website: http://jitc.fhu.disa.mil/pki/lab2.html Note: Before executing this check, the following certificate types need to be obtained: • Expired • Revoked • Improperly Signed If the application is PK-enabled and is not using DoD PKI certificates, the application representative will need to provide these certificates. If the application is a web-application that utilizes client certificates, validate the proper functioning of the PKI-functionality using a laptop configured for the Application SRR using an expired and revoked certificate. This laptop contains three user profiles: One with a revoked certificate, one with an expired certificate, and one with an improperly signed certificate. Log on each of the user accounts for which there is an associated “bad certificate” profile and perform selected functions in the application that require the use of a certificate (e.g., authentication). 1) If the expired, revoked, or improperly signed certificate can be used for application functions, it is a finding. Also, review the web server’s configuration to ascertain whether appropriate certificate validity checks are occurring. 2) If the web server does not check for and deny expired, revoked, or improperly signed certificates, it is a finding. If the application is not a web-application, work with an application SA to identify PK-enabled application functions, and then sequentially install the invalid certificates, testing each of the functions against each of the certificates. 3) Any successful use of any of the invalid certificates is a finding. If a finding is found in any of the preceding steps, document the details of the finding to include the following: • Which of the invalid certificates was accepted (potentially more than one). • The specific application functions that accepted the invalid certificate. *Note: Do not use (WS-Security, SAML, and XML) security libraries that do not perform full certificate validation adequately. Checking should include the certificate against the CA’s Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).

Check Text ( C-2943r1_chk )

If the application is not PK-enabled, this check is not applicable.

If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable.

This check is not applicable where system users are determined to be information privileged individuals, volunteers, or reservists, as required in the DoDI 8520.2.

DoD test certificates can be obtained from the following website:
http://jitc.fhu.disa.mil/pki/lab2.html

Note: Before executing this check, the following certificate types need to be obtained:
• Expired
• Revoked
• Improperly Signed

If the application is PK-enabled and is not using DoD PKI certificates, the application representative will need to provide these certificates.

If the application is a web-application that utilizes client certificates, validate the proper functioning of the PKI-functionality using a laptop configured for the Application SRR using an expired and revoked certificate. This laptop contains three user profiles: One with a revoked certificate, one with an expired certificate, and one with an improperly signed certificate. Log on each of the user accounts for which there is an associated “bad certificate” profile and perform selected functions in the application that require the use of a certificate (e.g., authentication).

1) If the expired, revoked, or improperly signed certificate can be used for application functions, it is a finding.

Also, review the web server’s configuration to ascertain whether appropriate certificate validity checks are occurring.

2) If the web server does not check for and deny expired, revoked, or improperly signed certificates, it is a finding.

If the application is not a web-application, work with an application SA to identify PK-enabled application functions, and then sequentially install the invalid certificates, testing each of the functions against each of the certificates.

3) Any successful use of any of the invalid certificates is a finding.

If a finding is found in any of the preceding steps, document the details of the finding to include the following:

• Which of the invalid certificates was accepted (potentially more than one).
• The specific application functions that accepted the invalid certificate.

*Note: Do not use (WS-Security, SAML, and XML) security libraries that do not perform full certificate validation adequately. Checking should include the certificate against the CA’s Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).

Fix Text (F-17021r1_fix)
Enable the application to provide certificate validation.