~~NOTOC~~
====== Szenario 12.4: Interoperabilität ======
**Kategorie:** [[.:start|Import/Export]] \\
**Komplexität:** ⭐⭐⭐⭐ (Hoch) \\
**Voraussetzungen:** Verschiedene Systeme/Plattformen \\
**Geschätzte Zeit:** 30-45 Minuten
----
===== Beschreibung =====
Dieses Szenario beschreibt die **plattformübergreifende Interoperabilität** von Zertifikaten und Schlüsseln. Bei PQ-Kryptographie ist besondere Vorsicht geboten, da nicht alle Systeme bereits ML-DSA/ML-KEM unterstützen.
**Interoperabilitäts-Herausforderungen:**
* **Format-Unterschiede** - PEM vs. DER vs. PFX
* **Algorithmus-Support** - Klassisch vs. PQ vs. Hybrid
* **Plattform-Eigenheiten** - Windows, Linux, macOS, Java
* **Version-Unterschiede** - OpenSSL 1.x vs. 3.x
----
===== Kompatibilitätsmatrix =====
^ System ^ RSA ^ ECDSA ^ ML-DSA ^ ML-KEM ^ Hybrid ^
| **OpenSSL 3.6+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **OpenSSL 3.0-3.5** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **.NET 9+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Java 21+** | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| **Windows SChannel** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **macOS Security** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **Firefox/NSS** | ✅ | ✅ | ❌ | 🟡 | ❌ |
| **Chrome/BoringSSL** | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Experimentell/Preview-Support
----
===== Workflow =====
flowchart TD
SOURCE[Quell-System] --> DETECT{Algorithmus?}
DETECT -->|Klassisch| DIRECT[Direkter Export]
DETECT -->|PQ| CHECK{Ziel unterstützt PQ?}
CHECK -->|Ja| PQEXPORT[PQ-Export]
CHECK -->|Nein| HYBRID{Hybrid verfügbar?}
HYBRID -->|Ja| CLASSICAL[Klassischen Teil extrahieren]
HYBRID -->|Nein| FAIL[Nicht kompatibel]
DIRECT --> FORMAT[Format konvertieren]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Ziel-System]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
----
===== Code-Beispiel: Format-Konvertierung =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
public class CertificateConverter
{
public byte[] ConvertFormat(
byte[] sourceData,
CertificateFormat sourceFormat,
CertificateFormat targetFormat,
string password = null)
{
// 1. In .NET-Objekt laden
var cert = LoadCertificate(sourceData, sourceFormat, password);
// 2. Im Zielformat exportieren
return ExportCertificate(cert, targetFormat, password);
}
private X509Certificate2 LoadCertificate(
byte[] data,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
new X509Certificate2(data),
CertificateFormat.Pem =>
X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)),
CertificateFormat.Pfx =>
new X509Certificate2(data, password,
X509KeyStorageFlags.Exportable),
_ => throw new NotSupportedException($"Format {format} nicht unterstützt")
};
}
private byte[] ExportCertificate(
X509Certificate2 cert,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
cert.RawData,
CertificateFormat.Pem =>
Encoding.UTF8.GetBytes(cert.ExportCertificatePem()),
CertificateFormat.Pfx =>
cert.Export(X509ContentType.Pfx, password),
_ => throw new NotSupportedException($"Format {format} nicht unterstützt")
};
}
}
public enum CertificateFormat
{
Der,
Pem,
Pfx,
P7b
}
----
===== Code-Beispiel: Java KeyStore (JKS) Integration =====
public class JavaKeystoreInterop
{
public void ExportForJava(
X509Certificate2 certificate,
X509Certificate2Collection chain,
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
// PKCS#12 erstellen (Java kann dies importieren)
var collection = new X509Certificate2Collection { certificate };
foreach (var ca in chain)
{
collection.Add(ca);
}
var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword);
var pfxPath = Path.GetTempFileName();
File.WriteAllBytes(pfxPath, pfxBytes);
try
{
// keytool aufrufen
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{pfxPath}\" " +
$"-srcstoretype PKCS12 " +
$"-srcstorepass \"{keyPassword}\" " +
$"-destkeystore \"{jksPath}\" " +
$"-deststoretype JKS " +
$"-deststorepass \"{storePassword}\" " +
$"-destkeypass \"{keyPassword}\" " +
$"-alias \"{alias}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode == 0)
{
Console.WriteLine($"JKS erstellt: {jksPath}");
}
else
{
var error = process.StandardError.ReadToEnd();
throw new Exception($"keytool Fehler: {error}");
}
}
finally
{
File.Delete(pfxPath);
}
}
public X509Certificate2 ImportFromJks(
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
var pfxPath = Path.GetTempFileName();
try
{
// JKS zu PKCS#12 konvertieren
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{jksPath}\" " +
$"-srcstoretype JKS " +
$"-srcstorepass \"{storePassword}\" " +
$"-srcalias \"{alias}\" " +
$"-destkeystore \"{pfxPath}\" " +
$"-deststoretype PKCS12 " +
$"-deststorepass \"{keyPassword}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode != 0)
{
throw new Exception(process.StandardError.ReadToEnd());
}
// PKCS#12 laden
return new X509Certificate2(pfxPath, keyPassword,
X509KeyStorageFlags.Exportable);
}
finally
{
if (File.Exists(pfxPath))
File.Delete(pfxPath);
}
}
}
----
===== Code-Beispiel: Hybrid-Zertifikat Fallback =====
public class HybridCertificateFallback
{
public X509Certificate2 GetCompatibleCertificate(
X509Certificate2 hybridCert,
PlatformCapabilities targetCapabilities)
{
using var ctx = PqCryptoContext.Initialize();
// Prüfen ob Hybrid-Zertifikat
var algorithm = hybridCert.GetKeyAlgorithm();
if (!IsHybridAlgorithm(algorithm))
{
// Kein Hybrid - direkt zurückgeben
return hybridCert;
}
// Ziel unterstützt PQ?
if (targetCapabilities.SupportsPqAlgorithms)
{
return hybridCert;
}
// Fallback: Klassischen Teil extrahieren
Console.WriteLine("Ziel unterstützt kein PQ - verwende klassischen Fallback");
// Alternative Zertifikat-Kette laden (falls vorhanden)
var classicalCert = FindClassicalAlternative(hybridCert);
if (classicalCert != null)
{
return classicalCert;
}
throw new NotSupportedException(
"Ziel-System unterstützt weder PQ noch ist ein klassisches Fallback verfügbar"
);
}
private bool IsHybridAlgorithm(string algorithm)
{
return algorithm.Contains("ML-DSA") ||
algorithm.Contains("ML-KEM") ||
algorithm.Contains("DILITHIUM") ||
algorithm.Contains("KYBER");
}
private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert)
{
// Suche nach Zertifikat mit gleichem Subject aber klassischem Algorithmus
// Dies erfordert eine entsprechende Infrastruktur (Dual-Certificates)
using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var alternatives = store.Certificates
.Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true)
.Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm()))
.OrderByDescending(c => c.NotAfter)
.FirstOrDefault();
return alternatives;
}
}
public class PlatformCapabilities
{
public bool SupportsPqAlgorithms { get; set; }
public bool SupportsTls13 { get; set; }
public string[] SupportedKeyExchanges { get; set; }
public string[] SupportedSignatures { get; set; }
public static PlatformCapabilities Detect()
{
return new PlatformCapabilities
{
SupportsPqAlgorithms = CheckPqSupport(),
SupportsTls13 = CheckTls13Support(),
SupportedKeyExchanges = GetSupportedKeyExchanges(),
SupportedSignatures = GetSupportedSignatures()
};
}
private static bool CheckPqSupport()
{
try
{
// Prüfen ob OpenSSL 3.6+ mit PQ-Provider verfügbar
return OpenSslInterop.IsOpenSsl36OrNewer();
}
catch
{
return false;
}
}
private static bool CheckTls13Support()
{
return Environment.OSVersion.Platform == PlatformID.Win32NT
? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+
: true; // Linux/macOS haben TLS 1.3
}
private static string[] GetSupportedKeyExchanges() =>
new[] { "X25519", "secp384r1", "secp256r1" };
private static string[] GetSupportedSignatures() =>
new[] { "RSA", "ECDSA", "Ed25519" };
}
----
===== Code-Beispiel: Cross-Platform Chain Validation =====
public class CrossPlatformChainValidator
{
public ValidationResult ValidateForPlatform(
X509Certificate2 certificate,
TargetPlatform platform)
{
var result = new ValidationResult { Platform = platform };
// 1. Algorithmus-Kompatibilität prüfen
var algorithm = certificate.GetKeyAlgorithm();
result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform);
if (!result.AlgorithmSupported)
{
result.Errors.Add($"Algorithmus {algorithm} nicht unterstützt auf {platform}");
}
// 2. Key-Größe prüfen
var keySize = certificate.GetRSAPublicKey()?.KeySize
?? certificate.GetECDsaPublicKey()?.KeySize
?? 0;
result.KeySizeSupported = IsKeySizeSupported(keySize, platform);
// 3. Extensions prüfen
foreach (var ext in certificate.Extensions)
{
if (!IsExtensionSupported(ext.Oid.Value, platform))
{
result.Warnings.Add($"Extension {ext.Oid.FriendlyName} möglicherweise nicht unterstützt");
}
}
// 4. Chain validieren
using var chain = new X509Chain();
result.ChainValid = chain.Build(certificate);
result.IsValid = result.AlgorithmSupported &&
result.KeySizeSupported &&
result.ChainValid &&
!result.Errors.Any();
return result;
}
private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform)
{
var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" };
var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq));
if (!isPq) return true; // Klassisch = überall unterstützt
return platform switch
{
TargetPlatform.DotNet9 => true,
TargetPlatform.OpenSsl36 => true,
TargetPlatform.Java21BouncyCastle => true,
_ => false
};
}
private bool IsKeySizeSupported(int keySize, TargetPlatform platform)
{
// Die meisten Plattformen unterstützen RSA 2048-4096, ECDSA P-256/P-384
return keySize >= 2048;
}
private bool IsExtensionSupported(string oid, TargetPlatform platform)
{
// Standard-Extensions sind überall unterstützt
var standardOids = new[]
{
"2.5.29.15", // Key Usage
"2.5.29.17", // SAN
"2.5.29.19", // Basic Constraints
"2.5.29.37" // Extended Key Usage
};
return standardOids.Contains(oid);
}
}
public enum TargetPlatform
{
Windows,
Linux,
MacOS,
Java21BouncyCastle,
DotNet9,
OpenSsl36,
Browser
}
public class ValidationResult
{
public TargetPlatform Platform { get; set; }
public bool IsValid { get; set; }
public bool AlgorithmSupported { get; set; }
public bool KeySizeSupported { get; set; }
public bool ChainValid { get; set; }
public List Errors { get; set; } = new();
public List Warnings { get; set; } = new();
}
----
===== Branchenspezifische Interoperabilität =====
^ Branche ^ Haupt-Plattformen ^ Format ^ Besonderheit ^
| **Banking** | Java + .NET | JKS, PFX | FIPS-Compliance |
| **Healthcare** | Windows + Linux | PFX, PEM | HL7/FHIR Integration |
| **IoT** | Embedded Linux | DER | Ressourcen-Limitiert |
| **Cloud** | Multi-Platform | PEM | Container/Kubernetes |
----
===== Verwandte Szenarien =====
^ Beziehung ^ Szenario ^ Beschreibung ^
| **Grundlage** | [[.:pem_export|12.1 PEM Export]] | Linux-Format |
| **Grundlage** | [[.:pfx_export|12.2 PFX Export]] | Windows-Format |
| **Verwandt** | [[de:int:pqcrypt:szenarien:tls:hybrid_tls|10.4 Hybrid TLS]] | PQ-TLS Kompatibilität |
| **Verwandt** | [[de:int:pqcrypt:konzepte:algorithmen|Algorithmen]] | PQ-Grundlagen |
----
<< [[.:pkcs7_chain|← 12.3 PKCS#7 Chain]] | [[.:start|↑ Import/Export]] | [[de:int:pqcrypt:szenarien:start|→ Alle Szenarien]] >>
{{tag>szenario import export interop cross-platform java openssl}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//