Hi Jeroen,
Thanks for the swift reply. I should give you some examples of my failing code:
Example 1: Validate private key type
RULE_SET DIGTCERT,
DESC("Certificate checks."),
CAPTION("Certificate checks") SEV(2)
DOMAIN CERTS,
DESC("User Certificates"),
SELECT(racf(certificate_trusted=(TRUST,HIGHTRUST),
certificate_id<>(irrcerta,irrsitec)))
DEFINE type=RACF £keytype_OK TRUE WHERE,
(class=digtcert segment=certdata certprvt='RSA-CRT')
RULE CERTS_KEYTYPE DOMAIN(CERTS),
SET(DIGTCERT),
DESC("Certificate Keytype."),
CAPTION("Certificate keytype")
TEST 1.Keytype,
/*racf(certprvt='RSA-CRT')*/,
racf(£keytype_OK),
DESC("Certificate key type must be in valid list.")
ENDRULE
Result:
CKR0114 12 Value selection for field CERTPRVT not supported at CKR4CRL(UIDX010Z) line 15
Example 2: Validate certificate signing algorithm
RULE_SET DIGTCERT,
DESC("Certificate checks."),
CAPTION("Certificate checks") SEV(2)
DOMAIN TRUCERTS,
DESC("Certificates that are trusted or highly trusted"),
SELECT(certificate(certificate_trusted=(hightrust,trust)))
RULE CERTS_Algorithm DOMAIN(TRUCERTS),
SET(DIGTCERT),
DESC("Certificate Algorithm."),
CAPTION("Certificate Algorithm")
TEST 1.Algorithm certificate(CERTIFICATE_SIGNING_ALG<>'sha256RSA'),
DESC("Certificate signing algorithm validation.")
ENDRULE
Result:
CKR0432 12 Format X.509-objectid not supported for selection - field CERTIFICATE_SIGNING_ALG at CKR4CRL(UIDX010) line 17
Example 3: Validate keysize
RULE_SET DIGTCERT,
DESC("Certificate checks."),
CAPTION("Certificate checks") SEV(2)
DOMAIN CERTS,
DESC("User Certificates"),
SELECT(racf(certificate_trusted=(TRUST,HIGHTRUST),
certificate_id<>(irrcerta,irrsitec)))
DEFINE type=RACF £keysize_OK TRUE WHERE,
(class=digtcert segment=certdata certprvs>=2048)
RULE CERTS_KEYSIZE DOMAIN(CERTS),
SET(DIGTCERT),
DESC("Certificate Keysize."),
CAPTION("Certificate keysize")
TEST 1.Keysize,
racf(certprvs>=2048),
/*racf(£keysize_OK)*/,
DESC("Certificate key size must be at least 2048.")
ENDRULE
Result:
All certificates appear non-compliant. In reality, the keysize for all certificates is 2048 or more.
Actual value of test field is blank.
Test result
  Test value is compliant:        No
  Test is true:                   No
  Non-compliant audit finding:    Yes
  Relative audit priority:        20
  Lookup against:
  Actual value of test field:
Test definition
  Test name:                      1.Keysize
  Test lookup base field name:
  Test field name:                CERTPRVS
  Relational operator:            >=
  Compliance comparison value:    2048
  Test type:                      n/a,(non-)compliant compliant
Presumably I've got something basic wrong in each case.
Pete Buckley,
AXA
------------------------------
Peter Buckley
------------------------------
Original Message:
Sent: Fri April 22, 2022 07:31 AM
From: Jeroen Tiggelman
Subject: Compliance rules for Certificates
Hi Pete,
You write:
> I can't seem to use the values of these in selection criteria or tests.
I am not immediately sure what you experience.
> the private key size and type, and the certificate signing algorithm
I think that maps to fields CERTPRVS, CERTPRVT, and CERTIFICATE_SIGNING_ALG in TYPE=CERTIFICATE. (The first two also have longer aliases CERT_PRIVATE_KEY_SIZE and CERT_PRIVATE_KEY_TYPE, resp.)
In menu option RA.5.1 you can find the selection input fields under "Other fields" (the first two) and "Signing algorithm".
How can I help you?
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
Original Message:
Sent: Fri April 22, 2022 06:28 AM
From: Peter Buckley
Subject: Compliance rules for Certificates
Hi,
I'm trying to build some compliance rules for digital certificates held in RACF, using zSecure 2.4.
I would like to be able to validate the private key size and type, and the certificate signing algorithm. However I can't seem to use the values of these in selection criteria or tests.
Is there a way to achieve this?
I've been looking through the Carla manual and the field definitions (types RACF, CERTIFICATE) in IN.D, but I can't see anything to tell me which fields can be used in selections. Is there some obvious information that I'm missing?
Thanks,
Pete Buckley
AXA