~~NOTOC~~
====== Scenarij 12.4: Interoperabilnost ======
**Kategorija:** [[.:start|Uvoz/Izvoz]] \\
**Složenost:** ⭐⭐⭐⭐ (Visoka) \\
**Preduvjeti:** Različiti sustavi/platforme \\
**Procijenjeno vrijeme:** 30-45 minuta
----
===== Opis =====
Ovaj scenarij opisuje **međuplatformsku interoperabilnost** certifikata i ključeva. Kod PQ-kriptografije potreban je poseban oprez jer ne podržavaju svi sustavi ML-DSA/ML-KEM.
**Izazovi interoperabilnosti:**
* **Razlike u formatima** - PEM vs. DER vs. PFX
* **Podrška algoritama** - Klasični vs. PQ vs. Hibridni
* **Posebnosti platformi** - Windows, Linux, macOS, Java
* **Razlike u verzijama** - OpenSSL 1.x vs. 3.x
----
===== Matrica kompatibilnosti =====
^ Sustav ^ RSA ^ ECDSA ^ ML-DSA ^ ML-KEM ^ Hibridni ^
| **OpenSSL 3.6+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **OpenSSL 3.0-3.5** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **.NET 9+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Java 21+** | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| **Windows SChannel** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **macOS Security** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **Firefox/NSS** | ✅ | ✅ | ❌ | 🟡 | ❌ |
| **Chrome/BoringSSL** | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Eksperimentalna/Preview podrška
----
===== Tijek rada =====
flowchart TD
SOURCE[Izvorni sustav] --> DETECT{Algoritam?}
DETECT -->|Klasični| DIRECT[Direktan izvoz]
DETECT -->|PQ| CHECK{Cilj podržava PQ?}
CHECK -->|Da| PQEXPORT[PQ izvoz]
CHECK -->|Ne| HYBRID{Hibrid dostupan?}
HYBRID -->|Da| CLASSICAL[Ekstrakcija klasičnog dijela]
HYBRID -->|Ne| FAIL[Nije kompatibilno]
DIRECT --> FORMAT[Konverzija formata]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Ciljni sustav]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
----
===== Primjer koda: Konverzija formata =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
public class CertificateConverter
{
public byte[] ConvertFormat(
byte[] sourceData,
CertificateFormat sourceFormat,
CertificateFormat targetFormat,
string password = null)
{
// 1. Učitavanje u .NET objekt
var cert = LoadCertificate(sourceData, sourceFormat, password);
// 2. Izvoz u ciljni format
return ExportCertificate(cert, targetFormat, password);
}
private X509Certificate2 LoadCertificate(
byte[] data,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
new X509Certificate2(data),
CertificateFormat.Pem =>
X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)),
CertificateFormat.Pfx =>
new X509Certificate2(data, password,
X509KeyStorageFlags.Exportable),
_ => throw new NotSupportedException($"Format {format} nije podržan")
};
}
private byte[] ExportCertificate(
X509Certificate2 cert,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
cert.RawData,
CertificateFormat.Pem =>
Encoding.UTF8.GetBytes(cert.ExportCertificatePem()),
CertificateFormat.Pfx =>
cert.Export(X509ContentType.Pfx, password),
_ => throw new NotSupportedException($"Format {format} nije podržan")
};
}
}
public enum CertificateFormat
{
Der,
Pem,
Pfx,
P7b
}
----
===== Primjer koda: Java KeyStore (JKS) integracija =====
public class JavaKeystoreInterop
{
public void ExportForJava(
X509Certificate2 certificate,
X509Certificate2Collection chain,
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
// Kreiranje PKCS#12 (Java može ovo uvesti)
var collection = new X509Certificate2Collection { certificate };
foreach (var ca in chain)
{
collection.Add(ca);
}
var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword);
var pfxPath = Path.GetTempFileName();
File.WriteAllBytes(pfxPath, pfxBytes);
try
{
// Poziv keytool
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{pfxPath}\" " +
$"-srcstoretype PKCS12 " +
$"-srcstorepass \"{keyPassword}\" " +
$"-destkeystore \"{jksPath}\" " +
$"-deststoretype JKS " +
$"-deststorepass \"{storePassword}\" " +
$"-destkeypass \"{keyPassword}\" " +
$"-alias \"{alias}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode == 0)
{
Console.WriteLine($"JKS kreiran: {jksPath}");
}
else
{
var error = process.StandardError.ReadToEnd();
throw new Exception($"keytool greška: {error}");
}
}
finally
{
File.Delete(pfxPath);
}
}
public X509Certificate2 ImportFromJks(
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
var pfxPath = Path.GetTempFileName();
try
{
// Konverzija JKS u PKCS#12
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{jksPath}\" " +
$"-srcstoretype JKS " +
$"-srcstorepass \"{storePassword}\" " +
$"-srcalias \"{alias}\" " +
$"-destkeystore \"{pfxPath}\" " +
$"-deststoretype PKCS12 " +
$"-deststorepass \"{keyPassword}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode != 0)
{
throw new Exception(process.StandardError.ReadToEnd());
}
// Učitavanje PKCS#12
return new X509Certificate2(pfxPath, keyPassword,
X509KeyStorageFlags.Exportable);
}
finally
{
if (File.Exists(pfxPath))
File.Delete(pfxPath);
}
}
}
----
===== Primjer koda: Hibridni certifikat Fallback =====
public class HybridCertificateFallback
{
public X509Certificate2 GetCompatibleCertificate(
X509Certificate2 hybridCert,
PlatformCapabilities targetCapabilities)
{
using var ctx = PqCryptoContext.Initialize();
// Provjera je li hibridni certifikat
var algorithm = hybridCert.GetKeyAlgorithm();
if (!IsHybridAlgorithm(algorithm))
{
// Nije hibrid - vrati direktno
return hybridCert;
}
// Cilj podržava PQ?
if (targetCapabilities.SupportsPqAlgorithms)
{
return hybridCert;
}
// Fallback: Ekstrakcija klasičnog dijela
Console.WriteLine("Cilj ne podržava PQ - koristi se klasični fallback");
// Učitavanje alternativnog lanca certifikata (ako postoji)
var classicalCert = FindClassicalAlternative(hybridCert);
if (classicalCert != null)
{
return classicalCert;
}
throw new NotSupportedException(
"Ciljni sustav ne podržava PQ niti je dostupan klasični fallback"
);
}
private bool IsHybridAlgorithm(string algorithm)
{
return algorithm.Contains("ML-DSA") ||
algorithm.Contains("ML-KEM") ||
algorithm.Contains("DILITHIUM") ||
algorithm.Contains("KYBER");
}
private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert)
{
// Traženje certifikata s istim Subject ali klasičnim algoritmom
// Ovo zahtijeva odgovarajuću infrastrukturu (Dual-Certificates)
using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var alternatives = store.Certificates
.Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true)
.Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm()))
.OrderByDescending(c => c.NotAfter)
.FirstOrDefault();
return alternatives;
}
}
public class PlatformCapabilities
{
public bool SupportsPqAlgorithms { get; set; }
public bool SupportsTls13 { get; set; }
public string[] SupportedKeyExchanges { get; set; }
public string[] SupportedSignatures { get; set; }
public static PlatformCapabilities Detect()
{
return new PlatformCapabilities
{
SupportsPqAlgorithms = CheckPqSupport(),
SupportsTls13 = CheckTls13Support(),
SupportedKeyExchanges = GetSupportedKeyExchanges(),
SupportedSignatures = GetSupportedSignatures()
};
}
private static bool CheckPqSupport()
{
try
{
// Provjera je li OpenSSL 3.6+ s PQ providerom dostupan
return OpenSslInterop.IsOpenSsl36OrNewer();
}
catch
{
return false;
}
}
private static bool CheckTls13Support()
{
return Environment.OSVersion.Platform == PlatformID.Win32NT
? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+
: true; // Linux/macOS imaju TLS 1.3
}
private static string[] GetSupportedKeyExchanges() =>
new[] { "X25519", "secp384r1", "secp256r1" };
private static string[] GetSupportedSignatures() =>
new[] { "RSA", "ECDSA", "Ed25519" };
}
----
===== Primjer koda: Cross-Platform validacija lanca =====
public class CrossPlatformChainValidator
{
public ValidationResult ValidateForPlatform(
X509Certificate2 certificate,
TargetPlatform platform)
{
var result = new ValidationResult { Platform = platform };
// 1. Provjera kompatibilnosti algoritma
var algorithm = certificate.GetKeyAlgorithm();
result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform);
if (!result.AlgorithmSupported)
{
result.Errors.Add($"Algoritam {algorithm} nije podržan na {platform}");
}
// 2. Provjera veličine ključa
var keySize = certificate.GetRSAPublicKey()?.KeySize
?? certificate.GetECDsaPublicKey()?.KeySize
?? 0;
result.KeySizeSupported = IsKeySizeSupported(keySize, platform);
// 3. Provjera ekstenzija
foreach (var ext in certificate.Extensions)
{
if (!IsExtensionSupported(ext.Oid.Value, platform))
{
result.Warnings.Add($"Ekstenzija {ext.Oid.FriendlyName} možda nije podržana");
}
}
// 4. Validacija lanca
using var chain = new X509Chain();
result.ChainValid = chain.Build(certificate);
result.IsValid = result.AlgorithmSupported &&
result.KeySizeSupported &&
result.ChainValid &&
!result.Errors.Any();
return result;
}
private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform)
{
var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" };
var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq));
if (!isPq) return true; // Klasični = podržano svuda
return platform switch
{
TargetPlatform.DotNet9 => true,
TargetPlatform.OpenSsl36 => true,
TargetPlatform.Java21BouncyCastle => true,
_ => false
};
}
private bool IsKeySizeSupported(int keySize, TargetPlatform platform)
{
// Većina platformi podržava RSA 2048-4096, ECDSA P-256/P-384
return keySize >= 2048;
}
private bool IsExtensionSupported(string oid, TargetPlatform platform)
{
// Standardne ekstenzije podržane su svuda
var standardOids = new[]
{
"2.5.29.15", // Key Usage
"2.5.29.17", // SAN
"2.5.29.19", // Basic Constraints
"2.5.29.37" // Extended Key Usage
};
return standardOids.Contains(oid);
}
}
public enum TargetPlatform
{
Windows,
Linux,
MacOS,
Java21BouncyCastle,
DotNet9,
OpenSsl36,
Browser
}
public class ValidationResult
{
public TargetPlatform Platform { get; set; }
public bool IsValid { get; set; }
public bool AlgorithmSupported { get; set; }
public bool KeySizeSupported { get; set; }
public bool ChainValid { get; set; }
public List Errors { get; set; } = new();
public List Warnings { get; set; } = new();
}
----
===== Interoperabilnost specifična za industriju =====
^ Industrija ^ Glavne platforme ^ Format ^ Posebnost ^
| **Bankarstvo** | Java + .NET | JKS, PFX | FIPS usklađenost |
| **Zdravstvo** | Windows + Linux | PFX, PEM | HL7/FHIR integracija |
| **IoT** | Embedded Linux | DER | Ograničeni resursi |
| **Cloud** | Multi-Platform | PEM | Container/Kubernetes |
----
===== Povezani scenariji =====
^ Povezanost ^ Scenarij ^ Opis ^
| **Osnova** | [[.:pem_export|12.1 PEM izvoz]] | Linux format |
| **Osnova** | [[.:pfx_export|12.2 PFX izvoz]] | Windows format |
| **Povezano** | [[hr:int:pqcrypt:szenarien:tls:hybrid_tls|10.4 Hibridni TLS]] | PQ-TLS kompatibilnost |
| **Povezano** | [[hr:int:pqcrypt:konzepte:algorithmen|Algoritmi]] | PQ osnove |
----
<< [[.:pkcs7_chain|← 12.3 PKCS#7 lanac]] | [[.:start|↑ Uvoz/Izvoz]] | [[hr:int:pqcrypt:szenarien:start|→ Svi scenariji]] >>
{{tag>scenarij uvoz izvoz interop cross-platform java openssl}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//