Define a <specification-id>.validation field for each CMPv2 specification, where <specification-id> is the specification identifier. See below for the supported specification settings.
For example, the following code defines customization rules with the enable-sha1, relaxed and password-based identifiers.
```yaml
cagw:
  cmp:
    specification:
      customizations:
        enable-sha1: # value used to identify this entry, i.e. the specificationName passed in the request
          validation:
            permitted-digest-algorithms:
              - SHA-1 # Adds this value to the list if not already present
        relaxed:
          validation:
            permitted-digest-algorithms:
              - SHA-1
              - SHA-384- # If the last character is '-', remove this value from the list if it is present
            excluded-tests:
              - TS_33_310.certRequestId # Ignore the actual value; the spec says this value MUST be 0 but the AS tool does not use that value
              - certConf.SignatureBased.extraCertsPresent # Ignore checking whether extraCerts are present; the spec says they SHALL be omitted but the AS tool provides them and we're just going to ignore them
        password-based:
          validation:
            permitted-digest-algorithms:
              - SHA-1
            excluded-tests:
              - TS_33_310.certRequestId
              - ir.Protection.rejectPBM # Enable PBM for IR operations only, as a KUR must be signed by the certificate previously issued to the device
              - certconf.Protection.rejectPBM # Since only IR is PBM enabled, and certConf uses the same protection as the initial request, certConf for KUR won't be affected
```
Mandatory: Define at least one specification.
excluded-tests
The list of specific tests to be excluded during validation of the message.
Mandatory: No.
implementation
The extended validation mechanism. Supported values are:
- RFC_4210
- TS_33_310
Mandatory: No. This optional value defaults to TS_33_310.
minimum-ec-key-length
The minimum key length, in bits, allowed for EC (Elliptic-curve) public keys.
Mandatory: No. This optional value defaults to 256 bits.
minimum-rsa-key-length
The minimum key length, in bits, allowed for RSA public keys.
Mandatory: No. This optional value defaults to 2048 bits.
permitted-digest-algorithms
The list of supported one-way digest algorithms. Supported list items are:
- SHA-256
- SHA-384
Mandatory: No. When omitting this optional value, both SHA-256 and SHA-384 are supported.
permitted-ec-public-key-algorithms
The list of algorithms of supported EC public keys. Supported list items are:
- secp256r1
- secp384r1
Mandatory: No. When omitting this optional value, both secp256r1 and secp384r1 are supported.
permitted-mac-algorithms
The list of supported MAC (Message Authentication Code) algorithms.
Mandatory: No. When omitting this value, a default list is built from the permitted-digest-algorithms value.
permitted-signature-algorithms
The list of supported signing algorithms.
Mandatory: No. When omitting this optional value, the list is built from the following specification customization settings:
- permitted-digest-algorithms
- permitted-signature-classes
permitted-signature-classes
The list of supported signature algorithm classes. Supported list items are:
- rsa
- ecdsa
Mandatory: No. When omitting this optional value, both rsa and ecdsa are supported.
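The settings above describe how a customization is layered on top of the defaults: list entries are added when absent, an entry ending in '-' removes the value, and the MAC and signature lists are derived from the digest and signature-class lists. The following script is an added model of that resolution logic, not the CA GW's own code. It takes the parsed form of the YAML example above as a constructed dict (so it runs without a YAML library), applies the add/remove semantics to every list field (the page states them only for permitted-digest-algorithms, so generalizing is an assumption), and invents the "HMAC-<digest>" and "<digest>with<CLASS>" spellings for the derived lists, which the page does not name.

```python
"""Resolve the effective validation policy for CMPv2 specification
customizations, as an added model of the rules described on this page
(not the CA GW's own code).
"""
from copy import deepcopy
from itertools import product

# Defaults taken from the field descriptions on this page.
DEFAULT_VALIDATION = {
    "implementation": "TS_33_310",
    "minimum-ec-key-length": 256,
    "minimum-rsa-key-length": 2048,
    "permitted-digest-algorithms": ["SHA-256", "SHA-384"],
    "permitted-ec-public-key-algorithms": ["secp256r1", "secp384r1"],
    "permitted-signature-classes": ["rsa", "ecdsa"],
    "excluded-tests": [],
}

# Constructed input: the parsed form of the page's YAML example,
# written as a dict literal so the script runs without a YAML library.
CUSTOMIZATIONS = {
    "enable-sha1": {"validation": {"permitted-digest-algorithms": ["SHA-1"]}},
    "relaxed": {"validation": {
        "permitted-digest-algorithms": ["SHA-1", "SHA-384-"],
        "excluded-tests": ["TS_33_310.certRequestId",
                           "certConf.SignatureBased.extraCertsPresent"],
    }},
    "password-based": {"validation": {
        "permitted-digest-algorithms": ["SHA-1"],
        "excluded-tests": ["TS_33_310.certRequestId",
                           "ir.Protection.rejectPBM",
                           "certconf.Protection.rejectPBM"],
    }},
}


def merge_list(defaults, overrides):
    """List semantics from the page: an item is appended if absent; an item
    whose last character is '-' removes that value if it is present."""
    result = list(defaults)
    for item in overrides:
        if item.endswith("-"):
            value = item[:-1]
            if value in result:
                result.remove(value)
        elif item not in result:
            result.append(item)
    return result


def resolve(customization):
    """Return the effective validation settings for one customization."""
    effective = deepcopy(DEFAULT_VALIDATION)
    for key, value in customization.get("validation", {}).items():
        if isinstance(effective.get(key), list):
            # Assumption: the add/remove semantics apply to every list field.
            effective[key] = merge_list(effective[key], value)
        else:
            effective[key] = value
    # Derived defaults. The page says these are built from the digest and
    # signature-class lists but does not name the entries; the spellings
    # below are assumptions used only for illustration.
    effective.setdefault("permitted-mac-algorithms", [
        f"HMAC-{d}" for d in effective["permitted-digest-algorithms"]])
    effective.setdefault("permitted-signature-algorithms", [
        f"{d}with{c.upper()}" for d, c in product(
            effective["permitted-digest-algorithms"],
            effective["permitted-signature-classes"])])
    return effective


def resolve_all(customizations):
    """Resolve every customization; at least one must be defined."""
    if not customizations:
        raise ValueError("at least one specification must be defined")
    return {name: resolve(c) for name, c in customizations.items()}


def is_digest_permitted(policy, algorithm):
    return algorithm in policy["permitted-digest-algorithms"]


def is_test_excluded(policy, test_id):
    return test_id in policy["excluded-tests"]


def key_length_ok(policy, key_type, bits):
    """Check a public key size against the minimum for its type (rsa or ec)."""
    return bits >= policy[f"minimum-{key_type}-key-length"]


if __name__ == "__main__":
    for name, policy in resolve_all(CUSTOMIZATIONS).items():
        print(name, policy["permitted-digest-algorithms"], policy["excluded-tests"])
```

Running it shows that the relaxed profile ends up with SHA-256 and SHA-1 only (SHA-384 removed by the trailing '-'), while enable-sha1 keeps both defaults and appends SHA-1; the excluded-tests list is empty for any profile that does not set it.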