~~NOTOC~~
====== Scenarij 5.4: Validacija politika ======
**Kategorija:** [[.:start|Validacija i povjerenje]] \\
**Složenost:** ⭐⭐⭐⭐ (Visoka) \\
**Preduvjeti:** Lanac certifikata s Policy ekstenzijama \\
**Procijenjeno vrijeme:** 15-20 minuta
----
===== Opis =====
Ovaj scenarij opisuje **validaciju politika certifikata** prema RFC 5280. Validacija politika osigurava da certifikati odgovaraju organizacijskim zahtjevima:
* **Certificate Policies** (OID 2.5.29.32) - Koje politike vrijede?
* **Policy Mappings** (OID 2.5.29.33) - Prijevodi politika između CA
* **Policy Constraints** (OID 2.5.29.36) - Ograničenja nasljeđivanja politika
* **Inhibit anyPolicy** (OID 2.5.29.54) - Deaktivacija anyPolicy
----
===== Tijek rada =====
flowchart TD
CHAIN[Lanac certifikata] --> EXTRACT[Ekstrakcija politika]
EXTRACT --> MAP[Primjena Policy Mappinga]
MAP --> INHERIT[Provjera nasljeđivanja politika]
INHERIT --> CONSTRAINT[Provjera ograničenja]
CONSTRAINT --> ANY{anyPolicy dopušteno?}
ANY -->|Da| MATCH[Provjera podudaranja politika]
ANY -->|Ne| EXPLICIT[Potrebna eksplicitna politika]
MATCH --> OK{Politika ispunjena?}
EXPLICIT --> OK
OK -->|Da| VALID[Politika valjana]
OK -->|Ne| INVALID[Politika prekršena]
style VALID fill:#e8f5e9
style INVALID fill:#ffebee
----
===== Primjer koda (C#) =====
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
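using var ctx = PqCryptoContext.Initialize();

// Load the path members. ctx.LoadCertificate is the project's PEM loader (PqCryptoContext).
var serverCert = ctx.LoadCertificate("server.crt.pem");
var intermediate = ctx.LoadCertificate("intermediate-ca.crt.pem");
var root = ctx.LoadCertificate("root-ca.crt.pem");

// The policy the relying party insists on. 1.3.6.1.4.1.99999.* is a placeholder enterprise arc;
// replace it with the OID defined in your own Certificate Policy (scenario 1.5).
var requiredPolicy = new Oid("1.3.6.1.4.1.99999.1.1");

// X509Chain wraps native handles: dispose it when done.
using var chain = new X509Chain();

// ExtraStore only hands candidate issuers to the path builder; it does NOT make `root` trusted.
// The root must already be a trust anchor of the platform store, or be pinned explicitly on
// newer .NET with X509ChainTrustMode.CustomRootTrust + ChainPolicy.CustomTrustStore.Add(root).
chain.ChainPolicy.ExtraStore.Add(intermediate);
chain.ChainPolicy.ExtraStore.Add(root);

// Require the policy. The chain engine then reports NoIssuanceChainPolicy when the path's
// valid policy set (after mappings / constraints / inhibitAnyPolicy) does not contain it.
chain.ChainPolicy.CertificatePolicy.Add(requiredPolicy);

// RevocationMode is left at its default (Online per the X509ChainPolicy docs, i.e. network
// CRL/OCSP fetches); revocation handling is covered in scenario 5.3.
bool isValid = chain.Build(serverCert);

// Policy-specific failures, collected per chain element.
var policyErrors = chain.ChainElements
    .SelectMany(e => e.ChainElementStatus)
    .Where(s => s.Status == X509ChainStatusFlags.InvalidPolicyConstraints ||
                s.Status == X509ChainStatusFlags.NoIssuanceChainPolicy)
    .ToList();

if (policyErrors.Any())
{
    Console.WriteLine("Validacija politika neuspješna:");
    foreach (var error in policyErrors)
    {
        Console.WriteLine($" {error.StatusInformation}");
    }
}
else if (!isValid)
{
    // A formally satisfied policy is worthless on a path that failed for another reason
    // (untrusted root, expiry, bad signature, revocation). Previously isValid was never
    // consulted, so such a chain was reported as a policy success.
    Console.WriteLine("Validacija lanca neuspješna:");
    foreach (var status in chain.ChainStatus)
    {
        Console.WriteLine($" {status.Status}: {status.StatusInformation}");
    }
}
else
{
    Console.WriteLine("Validacija politika uspješna");
}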
----
===== Ekstrakcija politika iz certifikata =====
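public class PolicyExtractor
{
    private const string CertificatePoliciesOid = "2.5.29.32";
    private const string CpsUriQualifierOid = "1.3.6.1.5.5.7.2.1";
    private const string UserNoticeQualifierOid = "1.3.6.1.5.5.7.2.2";

    /// <summary>
    /// Parses the certificatePolicies extension (2.5.29.32) of <paramref name="cert"/> into a list of
    /// <see cref="CertificatePolicy"/> values (policy OID plus optional CPS URI / user notice qualifiers).
    /// </summary>
    /// <param name="cert">Certificate to inspect.</param>
    /// <returns>The policies in extension order; an empty list when the extension is absent.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
    /// <exception cref="AsnContentException">The extension is not valid DER for the RFC 5280 syntax
    /// (the extension body comes from an untrusted certificate, so callers should expect this).</exception>
    /// <exception cref="CryptographicException">A policy OID appears more than once; RFC 5280 §4.2.1.4
    /// forbids this and such a certificate must not be accepted.</exception>
    public List<CertificatePolicy> ExtractPolicies(X509Certificate2 cert)
    {
        if (cert is null) throw new ArgumentNullException(nameof(cert));

        var policies = new List<CertificatePolicy>();
        var policyExt = cert.Extensions[CertificatePoliciesOid];
        if (policyExt is null) return policies;

        // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
        var reader = new AsnReader(policyExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();
        reader.ThrowIfNotEmpty(); // trailing bytes after the outer SEQUENCE are not valid DER for this extension

        var seen = new HashSet<string>(StringComparer.Ordinal);
        while (sequence.HasData)
        {
            // PolicyInformation ::= SEQUENCE { policyIdentifier OID,
            //                                  policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
            var policyInfo = sequence.ReadSequence();
            var policyOid = policyInfo.ReadObjectIdentifier();
            if (!seen.Add(policyOid))
            {
                throw new CryptographicException($"Duplicate certificate policy OID {policyOid}");
            }

            var policy = new CertificatePolicy { PolicyIdentifier = policyOid };

            if (policyInfo.HasData)
            {
                var qualifiers = policyInfo.ReadSequence();
                while (qualifiers.HasData)
                {
                    // PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY DEFINED BY policyQualifierId }
                    var qualifier = qualifiers.ReadSequence();
                    var qualifierId = qualifier.ReadObjectIdentifier();
                    switch (qualifierId)
                    {
                        case CpsUriQualifierOid:
                            // CPSuri ::= IA5String
                            policy.CpsUri = qualifier.ReadCharacterString(UniversalTagNumber.IA5String);
                            break;
                        case UserNoticeQualifierOid:
                            policy.UserNotice = ParseUserNotice(qualifier);
                            break;
                        default:
                            // Unknown qualifier: ignored. `qualifiers` has already advanced past the whole
                            // PolicyQualifierInfo, so leaving the sub-reader unread is safe.
                            break;
                    }
                }
            }

            policyInfo.ThrowIfNotEmpty();
            policies.Add(policy);
        }

        return policies;
    }
}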
----
===== Važni Policy OID-ovi =====
^ OID ^ Naziv ^ Korištenje ^
| **2.5.29.32.0** | anyPolicy | Sve politike dopuštene |
| **2.16.840.1.101.3.2.1.3.13** | id-fpki-common-authentication | US Federal PKI (PIV autentifikacija); sama id-fpki-common-policy je 2.16.840.1.101.3.2.1.3.6 |
| **0.4.0.2042.1.1** | NCP | EU normalizirana politika certifikata (ETSI EN 319 411-1) |
| **0.4.0.194112.1.2** | QCP-n-qscd | EU kvalificirani certifikat za fizičku osobu na QSCD-u (ETSI EN 319 411-2) |
| **2.23.140.1.2.1** | DV-SSL | Domain Validated |
| **2.23.140.1.2.2** | OV-SSL | Organization Validated |
| **2.23.140.1.1** | EV-SSL | Extended Validation |
----
===== Policy Mappings =====
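public class PolicyMapper
{
    private const string PolicyMappingsOid = "2.5.29.33";
    private const string AnyPolicy = "2.5.29.32.0";

    /// <summary>
    /// Parses the policyMappings extension (2.5.29.33) of a CA certificate.
    /// </summary>
    /// <param name="caCert">The CA certificate carrying the extension.</param>
    /// <returns>
    /// issuerDomainPolicy → set of subjectDomainPolicy. RFC 5280 §4.2.1.5 allows one issuer policy to be
    /// mapped to several subject policies (and vice versa); a single-valued dictionary would silently keep
    /// only the last pair, so the values are sets. Empty when the extension is absent.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="caCert"/> is null.</exception>
    /// <exception cref="AsnContentException">The extension is not valid DER for the RFC 5280 syntax.</exception>
    /// <exception cref="CryptographicException">A mapping involves anyPolicy, which RFC 5280 §4.2.1.5 forbids.</exception>
    public Dictionary<string, HashSet<string>> ExtractMappings(X509Certificate2 caCert)
    {
        if (caCert is null) throw new ArgumentNullException(nameof(caCert));

        var mappings = new Dictionary<string, HashSet<string>>(StringComparer.Ordinal);
        var mappingExt = caCert.Extensions[PolicyMappingsOid];
        if (mappingExt is null) return mappings;

        // PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuerDomainPolicy OID, subjectDomainPolicy OID }
        var reader = new AsnReader(mappingExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();
        reader.ThrowIfNotEmpty();

        while (sequence.HasData)
        {
            var mapping = sequence.ReadSequence();
            var issuerPolicy = mapping.ReadObjectIdentifier();
            var subjectPolicy = mapping.ReadObjectIdentifier();
            mapping.ThrowIfNotEmpty();

            // "Policies MUST NOT be mapped either to or from the special value anyPolicy" (RFC 5280 §4.2.1.5).
            if (issuerPolicy == AnyPolicy || subjectPolicy == AnyPolicy)
            {
                throw new CryptographicException("policyMappings must not map to or from anyPolicy (2.5.29.32.0)");
            }

            if (!mappings.TryGetValue(issuerPolicy, out var targets))
            {
                targets = new HashSet<string>(StringComparer.Ordinal);
                mappings[issuerPolicy] = targets;
            }
            targets.Add(subjectPolicy);
        }

        return mappings;
    }

    /// <summary>
    /// Follows policy mappings down a certification path to find which OIDs at the end-entity's issuer
    /// are equivalent to <paramref name="requiredPolicy"/> as expressed in the trust anchor's domain.
    /// </summary>
    /// <param name="chain">Path ordered end-entity first (index 0) and trust anchor last; the end-entity
    /// itself is never consulted because policyMappings is only meaningful in CA certificates.</param>
    /// <param name="requiredPolicy">Policy OID in the trust anchor's domain.</param>
    /// <returns>The set of equivalent policy OIDs after all mappings on the path; <paramref name="requiredPolicy"/>
    /// itself where no CA maps it.</returns>
    /// <remarks>
    /// Illustrative only. It ignores anyPolicy, the policyConstraints extension (requireExplicitPolicy /
    /// inhibitPolicyMapping) and inhibitAnyPolicy, all of which the full RFC 5280 §6.1 algorithm inside
    /// X509Chain.Build honours. NOTE(review): the loop also applies mappings found in the trust anchor
    /// (chain[^1]); RFC 5280 path processing does not treat a self-signed trust anchor's extensions as
    /// part of the path, so confirm whether that is intended for your deployment.
    /// </remarks>
    /// <exception cref="ArgumentNullException"><paramref name="chain"/> or <paramref name="requiredPolicy"/> is null.</exception>
    public HashSet<string> PropagatePolicy(X509Certificate2[] chain, string requiredPolicy)
    {
        if (chain is null) throw new ArgumentNullException(nameof(chain));
        if (requiredPolicy is null) throw new ArgumentNullException(nameof(requiredPolicy));

        var validPolicies = new HashSet<string>(StringComparer.Ordinal) { requiredPolicy };

        // Walk from the trust anchor towards the CA that issued the end-entity (index 1).
        for (int i = chain.Length - 1; i > 0; i--)
        {
            var mappings = ExtractMappings(chain[i]);
            if (mappings.Count == 0) continue; // nothing to translate at this CA

            var translated = new HashSet<string>(StringComparer.Ordinal);
            foreach (var policy in validPolicies)
            {
                if (mappings.TryGetValue(policy, out var mapped))
                {
                    translated.UnionWith(mapped);
                }
                else
                {
                    translated.Add(policy);
                }
            }
            validPolicies = translated;
        }

        return validPolicies;
    }
}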
----
===== Politike po industrijama =====
^ Industrija ^ Politika ^ OID raspon ^ Zahtjevi ^
| **eIDAS** | QCP-n, QCP-l | 0.4.0.194112.* | Kvalificirani certifikati |
| **PSD2** | PSD2-QWAC | 0.4.0.19495.* | Payment Services |
| **US Federal** | FBCA | 2.16.840.1.101.3.* | Federal Bridge CA |
| **Zdravstvo DE** | gematik | 1.2.276.0.76.4.* | Telematik infrastruktura |
----
===== Kontrola pristupa temeljena na politikama =====
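public class PolicyBasedAccess
{
    // Policy OID → access tier. The first three are the CA/Browser Forum reserved policy identifiers;
    // anyPolicy (2.5.29.32.0) asserts nothing specific, so it only earns the lowest non-zero tier.
    // Ordinal comparison: OIDs are machine identifiers, never culture-sensitive text.
    private readonly Dictionary<string, AccessLevel> _policyAccessMap = new(StringComparer.Ordinal)
    {
        ["2.23.140.1.1"] = AccessLevel.HighSecurity,     // EV
        ["2.23.140.1.2.2"] = AccessLevel.MediumSecurity, // OV
        ["2.23.140.1.2.1"] = AccessLevel.LowSecurity,    // DV
        ["2.5.29.32.0"] = AccessLevel.Minimal            // anyPolicy
    };

    /// <summary>
    /// Returns the highest <see cref="AccessLevel"/> granted by any policy OID asserted in
    /// <paramref name="cert"/>'s certificatePolicies extension; <see cref="AccessLevel.None"/> when
    /// none of the known OIDs is present.
    /// </summary>
    /// <param name="cert">Certificate whose policy OIDs are inspected.</param>
    /// <remarks>
    /// SECURITY: the OIDs are self-asserted by whatever CA issued the certificate. Only call this on a
    /// certificate whose path has already been validated (X509Chain.Build with the required
    /// ChainPolicy.CertificatePolicy); an untrusted or unconstrained CA can put the EV OID into any
    /// certificate it issues, so the OID alone proves nothing about the assurance level.
    /// </remarks>
    /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
    /// <exception cref="AsnContentException">The certificatePolicies extension is malformed (from PolicyExtractor).</exception>
    public AccessLevel DetermineAccessLevel(X509Certificate2 cert)
    {
        if (cert is null) throw new ArgumentNullException(nameof(cert));

        var highestLevel = AccessLevel.None;
        foreach (var policy in new PolicyExtractor().ExtractPolicies(cert))
        {
            // Unknown OIDs are ignored rather than treated as a failure.
            if (_policyAccessMap.TryGetValue(policy.PolicyIdentifier, out var level) && level > highestLevel)
            {
                highestLevel = level;
            }
        }
        return highestLevel;
    }
}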
/// <summary>
/// Access tiers derived from certificate policy OIDs. Values are ordered so that a larger
/// numeric value means a stronger tier and members can be compared with &lt; / &gt;.
/// </summary>
public enum AccessLevel
{
    /// <summary>No recognised policy OID present.</summary>
    None = 0,
    /// <summary>Only anyPolicy asserted.</summary>
    Minimal,        // 1
    /// <summary>Domain-validated level.</summary>
    LowSecurity,    // 2
    /// <summary>Organization-validated level.</summary>
    MediumSecurity, // 3
    /// <summary>Extended-validation level.</summary>
    HighSecurity    // 4
}
----
===== Povezani scenariji =====
^ Odnos ^ Scenarij ^ Opis ^
| **Preduvjet** | [[.:chain_validation|5.2 Validacija lanca]] | Validirati lanac |
| **Sljedeći korak** | [[.:name_constraints|5.5 Ograničenja imena]] | Provjera imena |
| **Povezano** | [[hr:int:pqcrypt:szenarien:pki:certificate_policy_definieren|1.5 Certificate Policy]] | Definiranje politika |
----
<< [[.:revocation_check|← 5.3 Provjera opoziva]] | [[.:start|↑ Pregled validacije]] | [[.:name_constraints|5.5 Ograničenja imena →]] >>
{{tag>scenarij validacija politika x509 rfc5280}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//