~~NOTOC~~
====== Scenario 12.4: Interoperability ======
**Category:** [[.:start|Import/Export]] \\
**Complexity:** **** (High) \\
**Prerequisites:** Various systems/platforms \\
**Estimated Time:** 30-45 minutes
----
===== Description =====
This scenario describes **cross-platform interoperability** of certificates and keys. With PQ cryptography, special care is required as not all systems yet support ML-DSA/ML-KEM.
**Interoperability Challenges:**
* **Format differences** - PEM vs. DER vs. PFX
* **Algorithm support** - Classical vs. PQ vs. Hybrid
* **Platform specifics** - Windows, Linux, macOS, Java
* **Version differences** - OpenSSL 1.x vs. 3.x
----
===== Compatibility Matrix =====
^ System ^ RSA ^ ECDSA ^ ML-DSA ^ ML-KEM ^ Hybrid ^
| **OpenSSL 3.6+** | Yes | Yes | Yes | Yes | Yes |
| **OpenSSL 3.0-3.5** | Yes | Yes | No | No | No |
| **.NET 9+** | Yes | Yes | Yes | Yes | Yes |
| **Java 21+** | Yes | Yes | Partial (Bouncy Castle) | Partial | No |
| **Windows SChannel** | Yes | Yes | No | No | No |
| **macOS Security** | Yes | Yes | No | No | No |
| **Firefox/NSS** | Yes | Yes | No | Partial | No |
| **Chrome/BoringSSL** | Yes | Yes | No | Partial | No |
Partial = Experimental/Preview support
----
===== Workflow =====
flowchart TD
SOURCE[Source System] --> DETECT{Algorithm?}
DETECT -->|Classical| DIRECT[Direct Export]
DETECT -->|PQ| CHECK{Target supports PQ?}
CHECK -->|Yes| PQEXPORT[PQ Export]
CHECK -->|No| HYBRID{Hybrid available?}
HYBRID -->|Yes| CLASSICAL[Extract classical part]
HYBRID -->|No| FAIL[Not compatible]
DIRECT --> FORMAT[Convert format]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Target System]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
----
===== Code Example: Format Conversion =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
public class CertificateConverter
{
public byte[] ConvertFormat(
byte[] sourceData,
CertificateFormat sourceFormat,
CertificateFormat targetFormat,
string password = null)
{
// 1. Load into .NET object
var cert = LoadCertificate(sourceData, sourceFormat, password);
// 2. Export in target format
return ExportCertificate(cert, targetFormat, password);
}
private X509Certificate2 LoadCertificate(
byte[] data,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
new X509Certificate2(data),
CertificateFormat.Pem =>
X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)),
CertificateFormat.Pfx =>
new X509Certificate2(data, password,
X509KeyStorageFlags.Exportable),
_ => throw new NotSupportedException($"Format {format} not supported")
};
}
private byte[] ExportCertificate(
X509Certificate2 cert,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
cert.RawData,
CertificateFormat.Pem =>
Encoding.UTF8.GetBytes(cert.ExportCertificatePem()),
CertificateFormat.Pfx =>
cert.Export(X509ContentType.Pfx, password),
_ => throw new NotSupportedException($"Format {format} not supported")
};
}
}
public enum CertificateFormat
{
Der,
Pem,
Pfx,
P7b
}
----
===== Code Example: Java KeyStore (JKS) Integration =====
public class JavaKeystoreInterop
{
public void ExportForJava(
X509Certificate2 certificate,
X509Certificate2Collection chain,
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
// Create PKCS#12 (Java can import this)
var collection = new X509Certificate2Collection { certificate };
foreach (var ca in chain)
{
collection.Add(ca);
}
var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword);
var pfxPath = Path.GetTempFileName();
File.WriteAllBytes(pfxPath, pfxBytes);
try
{
// Call keytool
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{pfxPath}\" " +
$"-srcstoretype PKCS12 " +
$"-srcstorepass \"{keyPassword}\" " +
$"-destkeystore \"{jksPath}\" " +
$"-deststoretype JKS " +
$"-deststorepass \"{storePassword}\" " +
$"-destkeypass \"{keyPassword}\" " +
$"-alias \"{alias}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode == 0)
{
Console.WriteLine($"JKS created: {jksPath}");
}
else
{
var error = process.StandardError.ReadToEnd();
throw new Exception($"keytool error: {error}");
}
}
finally
{
File.Delete(pfxPath);
}
}
public X509Certificate2 ImportFromJks(
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
var pfxPath = Path.GetTempFileName();
try
{
// Convert JKS to PKCS#12
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{jksPath}\" " +
$"-srcstoretype JKS " +
$"-srcstorepass \"{storePassword}\" " +
$"-srcalias \"{alias}\" " +
$"-destkeystore \"{pfxPath}\" " +
$"-deststoretype PKCS12 " +
$"-deststorepass \"{keyPassword}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode != 0)
{
throw new Exception(process.StandardError.ReadToEnd());
}
// Load PKCS#12
return new X509Certificate2(pfxPath, keyPassword,
X509KeyStorageFlags.Exportable);
}
finally
{
if (File.Exists(pfxPath))
File.Delete(pfxPath);
}
}
}
----
===== Code Example: Hybrid Certificate Fallback =====
public class HybridCertificateFallback
{
public X509Certificate2 GetCompatibleCertificate(
X509Certificate2 hybridCert,
PlatformCapabilities targetCapabilities)
{
using var ctx = PqCryptoContext.Initialize();
// Check if hybrid certificate
var algorithm = hybridCert.GetKeyAlgorithm();
if (!IsHybridAlgorithm(algorithm))
{
// Not hybrid - return directly
return hybridCert;
}
// Target supports PQ?
if (targetCapabilities.SupportsPqAlgorithms)
{
return hybridCert;
}
// Fallback: Extract classical part
Console.WriteLine("Target does not support PQ - using classical fallback");
// Load alternative certificate chain (if available)
var classicalCert = FindClassicalAlternative(hybridCert);
if (classicalCert != null)
{
return classicalCert;
}
throw new NotSupportedException(
"Target system supports neither PQ nor is a classical fallback available"
);
}
private bool IsHybridAlgorithm(string algorithm)
{
return algorithm.Contains("ML-DSA") ||
algorithm.Contains("ML-KEM") ||
algorithm.Contains("DILITHIUM") ||
algorithm.Contains("KYBER");
}
private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert)
{
// Search for certificate with same subject but classical algorithm
// This requires corresponding infrastructure (Dual-Certificates)
using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var alternatives = store.Certificates
.Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true)
.Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm()))
.OrderByDescending(c => c.NotAfter)
.FirstOrDefault();
return alternatives;
}
}
public class PlatformCapabilities
{
public bool SupportsPqAlgorithms { get; set; }
public bool SupportsTls13 { get; set; }
public string[] SupportedKeyExchanges { get; set; }
public string[] SupportedSignatures { get; set; }
public static PlatformCapabilities Detect()
{
return new PlatformCapabilities
{
SupportsPqAlgorithms = CheckPqSupport(),
SupportsTls13 = CheckTls13Support(),
SupportedKeyExchanges = GetSupportedKeyExchanges(),
SupportedSignatures = GetSupportedSignatures()
};
}
private static bool CheckPqSupport()
{
try
{
// Check if OpenSSL 3.6+ with PQ provider is available
return OpenSslInterop.IsOpenSsl36OrNewer();
}
catch
{
return false;
}
}
private static bool CheckTls13Support()
{
return Environment.OSVersion.Platform == PlatformID.Win32NT
? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+
: true; // Linux/macOS have TLS 1.3
}
private static string[] GetSupportedKeyExchanges() =>
new[] { "X25519", "secp384r1", "secp256r1" };
private static string[] GetSupportedSignatures() =>
new[] { "RSA", "ECDSA", "Ed25519" };
}
----
===== Code Example: Cross-Platform Chain Validation =====
public class CrossPlatformChainValidator
{
public ValidationResult ValidateForPlatform(
X509Certificate2 certificate,
TargetPlatform platform)
{
var result = new ValidationResult { Platform = platform };
// 1. Check algorithm compatibility
var algorithm = certificate.GetKeyAlgorithm();
result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform);
if (!result.AlgorithmSupported)
{
result.Errors.Add($"Algorithm {algorithm} not supported on {platform}");
}
// 2. Check key size
var keySize = certificate.GetRSAPublicKey()?.KeySize
?? certificate.GetECDsaPublicKey()?.KeySize
?? 0;
result.KeySizeSupported = IsKeySizeSupported(keySize, platform);
// 3. Check extensions
foreach (var ext in certificate.Extensions)
{
if (!IsExtensionSupported(ext.Oid.Value, platform))
{
result.Warnings.Add($"Extension {ext.Oid.FriendlyName} may not be supported");
}
}
// 4. Validate chain
using var chain = new X509Chain();
result.ChainValid = chain.Build(certificate);
result.IsValid = result.AlgorithmSupported &&
result.KeySizeSupported &&
result.ChainValid &&
!result.Errors.Any();
return result;
}
private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform)
{
var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" };
var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq));
if (!isPq) return true; // Classical = supported everywhere
return platform switch
{
TargetPlatform.DotNet9 => true,
TargetPlatform.OpenSsl36 => true,
TargetPlatform.Java21BouncyCastle => true,
_ => false
};
}
private bool IsKeySizeSupported(int keySize, TargetPlatform platform)
{
// Most platforms support RSA 2048-4096, ECDSA P-256/P-384
return keySize >= 2048;
}
private bool IsExtensionSupported(string oid, TargetPlatform platform)
{
// Standard extensions are supported everywhere
var standardOids = new[]
{
"2.5.29.15", // Key Usage
"2.5.29.17", // SAN
"2.5.29.19", // Basic Constraints
"2.5.29.37" // Extended Key Usage
};
return standardOids.Contains(oid);
}
}
public enum TargetPlatform
{
Windows,
Linux,
MacOS,
Java21BouncyCastle,
DotNet9,
OpenSsl36,
Browser
}
public class ValidationResult
{
public TargetPlatform Platform { get; set; }
public bool IsValid { get; set; }
public bool AlgorithmSupported { get; set; }
public bool KeySizeSupported { get; set; }
public bool ChainValid { get; set; }
public List Errors { get; set; } = new();
public List Warnings { get; set; } = new();
}
----
===== Industry-Specific Interoperability =====
^ Industry ^ Main Platforms ^ Format ^ Specifics ^
| **Banking** | Java + .NET | JKS, PFX | FIPS Compliance |
| **Healthcare** | Windows + Linux | PFX, PEM | HL7/FHIR Integration |
| **IoT** | Embedded Linux | DER | Resource-Limited |
| **Cloud** | Multi-Platform | PEM | Container/Kubernetes |
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Foundation** | [[.:pem_export|12.1 PEM Export]] | Linux format |
| **Foundation** | [[.:pfx_export|12.2 PFX Export]] | Windows format |
| **Related** | [[en:int:pqcrypt:szenarien:tls:hybrid_tls|10.4 Hybrid TLS]] | PQ-TLS Compatibility |
| **Related** | [[en:int:pqcrypt:konzepte:algorithmen|Algorithms]] | PQ Fundamentals |
----
<< [[.:pkcs7_chain|<- 12.3 PKCS#7 Chain]] | [[.:start|^ Import/Export]] | [[en:int:pqcrypt:szenarien:start|-> All Scenarios]] >>
{{tag>scenario import export interop cross-platform java openssl}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//