Certification Path Validation Test Tool

A test tool for checking X.509 certificate path validation

The Certification-Path-Validation Test Tool (CPT) is a set of open-source tools that enable testing of X.509-certificate-path validation according to RFC 5280 in applications and libraries. It offers

  • the capability to generate X.509 certificates, revocation lists and OCSP responses from an XML test definition using a generic engine,
  • a predefined test suite covering the important aspects of RFC 5280,
  • easy extensibility and adaptability of the supplied test cases for specific requirements or application contexts,
  • additional tools for the execution of the test cases against TLS and IPsec implementations.

Background

In digital communication, certificates make it possible to authenticate communication partners and verify public keys. These certificates bind a public key to the identity of its owner within the framework of a public-key infrastructure (PKI). The most widely used standard for certificates is X.509v3. The data formats for certificates, revocation lists and OCSP responses, as well as their processing, are specified in RFCs 5280 and 6960. There, the steps for checking the validity of a certificate, the so-called certificate path validation, are described in detail.

Nevertheless, a large number of errors in certificate path validation in cryptographic libraries and applications have been reported in recent years. These errors resulted from incorrect interpretations of the standard or programming errors.

The CPT with its integrated test suite addresses this problem by allowing flexible test-data generation and checking the structural correctness of an implementation of X.509-certificate-path validation.

The CPT was developed on behalf of the German Federal Office for Information Security (BSI) by MTG AG as prime contractor and cryptosource GmbH as subcontractor and is maintained by the two vendors.

Licence

The Certification-Path-Validation Test Tool (CPT) is available under the European Union Public Licence. However, the licences of the individual components must be followed. This applies in particular to components published under the MIT Licence, CDDL and Apache 2.0 Licence. A detailed list can be found in the licence text.

Downloads

CPT Basis Tool

The CPT Basis Tool implements the test data generation and generates a CRL and an OCSP server for the test execution. In addition, a textual test specification is available, which describes the test suite delivered with the CPT Basis Tool. The XML format for the test-case specifications is compliant with TR-03124.

Changes to version 1.0

  • OCSP support has been implemented.
  • Accordingly, 20 new test cases for OCSP have been added to the test specification.
  • The field "overwrite" in the XML description of the test certificates has been removed.
  • Variables can now be defined in the PKI objects, which can be referenced within these PKI objects.

Tool Extensions

The extensions include a TLS test client and test server based on the Botan crypto library, which present the test certificates generated with the CPT Basis Tool to the other side in a TLS handshake and record the test result. Furthermore, a web application is included for carrying out the tests with a browser as the TLS client. For testing the certificate-path validation in IPsec applications, a test tool based on the strongSwan IPsec implementation exists. To use this tool, get the suitable strongSwan version and modify it with the included patch in accordance with the instructions.

Changes to version 1.0

  • OCSP stacking support has been implemented.
  • Mechanism for more reliable detection of a fully executed TLS handshake has been implemented.
  • Mechanism to use multiple ports for improved stability has been implemented.

Tools for testing cryptography libraries

There are two additional tools for testing the certificate path validation in cryptographic libraries. The first one performs the tests against the native C/C++ libraries Botan, mbedTLS and OpenSSL. The second one allows testing of any Java cryptography provider that conforms to JCA/JCE. For both tools, the libraries under test must be downloaded and installed separately.

GitHub

The CPT and all extensions are also available on GitHub at:

Documentation

Test Specification and User Manuals

Report on test results

As part of the development of the Certification-Path-Validation Test Tool, tests were conducted on selected crypto libraries and applications that implemented certificate-path validation. A summary of the test results is available in:

Archive

CPT Basis Tool

Tool Extensions

Test Specification and User Manuals

Contact

For general questions on CPT

cpt@bsi.bund.de

For technical questions on CPT

Dr. Vangelis Karatsiolis
Dr. Falko Strenzke
MTG AG
www.mtg.de
cpt@mtg.de