~~NOTOC~~
====== Scenario 6.1: Creating a CRL ======
**Category:** [[.:start|Revocation]] \\
**Complexity:** ⭐⭐⭐ (Medium) \\
**Prerequisites:** CA certificate and key \\
**Estimated time:** 15-20 minutes
----
===== Description =====
This scenario describes **creating a Certificate Revocation List (CRL)** according to RFC 5280. A CRL is a signed list of revoked certificates that the CA publishes.
**CRL fields:**
* **issuer** - DN of the issuing CA
* **thisUpdate** - time of issuance
* **nextUpdate** - next scheduled update
* **revokedCertificates** - list of revoked serial numbers
* **signature** - CA signature
----
===== Workflow =====
<mermaid>
flowchart LR
    REV[Revoked certificates] --> BUILD[CRL builder]
    BUILD --> SIGN[Signing with the CA]
    SIGN --> PUBLISH[Publishing]
    PUBLISH --> CDP[Updating the CDP URL]
    style SIGN fill:#e8f5e9
</mermaid>
----
===== Code example (C#) =====
<code csharp>
using System;
using System.IO;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the CA certificate and its private key
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Create the CRL builder
var crlBuilder = new CertificateRevocationListBuilder();

// Add revoked certificates (serial number, revocation time, reason code)
crlBuilder.AddEntry(
    serialNumber: new byte[] { 0x01, 0x02, 0x03 },
    revocationTime: new DateTimeOffset(2024, 6, 15, 10, 30, 0, TimeSpan.Zero),
    reason: X509RevocationReason.KeyCompromise
);
crlBuilder.AddEntry(
    serialNumber: new byte[] { 0x01, 0x02, 0x04 },
    revocationTime: DateTimeOffset.UtcNow.AddDays(-7),
    reason: X509RevocationReason.CessationOfOperation
);

// Generate the CRL (DER); the builder signs with the issuer certificate's key
byte[] crlBytes = crlBuilder.Build(
    issuerCertificate: caCert,
    crlNumber: BigInteger.Parse("1000"),
    nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
    hashAlgorithm: HashAlgorithmName.SHA256,
    rsaSignaturePadding: null, // Not relevant for PQ
    mode: CryptoMode.Hybrid
);

// Save the CRL in DER form
File.WriteAllBytes("intermediate-ca.crl", crlBytes);

// Convert the CRL to PEM
var crlPem = ctx.ToPem(crlBytes, "X509 CRL");
File.WriteAllText("intermediate-ca.crl.pem", crlPem);

Console.WriteLine("CRL created:");
Console.WriteLine($"  Entries: {crlBuilder.Entries.Count}");
Console.WriteLine($"  CRL Number: 1000");
Console.WriteLine($"  Next Update: {DateTimeOffset.UtcNow.AddDays(7):yyyy-MM-dd}");
</code>
----
===== Updating a CRL from an existing CRL =====
<code csharp>
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

public class CrlUpdater
{
    // New entries are passed as (serial number, revocation time, reason) tuples;
    // the element type is assumed here, the original generic argument was lost in rendering
    public byte[] UpdateCrl(
        byte[] existingCrl,
        X509Certificate2 caCert,
        AsymmetricAlgorithm caKey,
        IEnumerable<(byte[] SerialNumber, DateTimeOffset RevocationTime, X509RevocationReason Reason)>? newEntries = null)
    {
        using var ctx = PqCryptoContext.Initialize();

        // Parse the existing CRL
        var parsedCrl = ctx.ParseCrl(existingCrl);

        // New builder carrying over the existing entries (a full CRL must keep them)
        var builder = new CertificateRevocationListBuilder();
        foreach (var entry in parsedCrl.Entries)
        {
            builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason);
        }

        // Add the new entries
        if (newEntries != null)
        {
            foreach (var entry in newEntries)
            {
                builder.AddEntry(entry.SerialNumber, entry.RevocationTime, entry.Reason);
            }
        }

        // New CRL number (incremented, must increase monotonically)
        var newCrlNumber = parsedCrl.CrlNumber + 1;

        // Build the new CRL
        return builder.Build(
            issuerCertificate: caCert,
            crlNumber: newCrlNumber,
            nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
            hashAlgorithm: HashAlgorithmName.SHA256,
            mode: CryptoMode.Hybrid
        );
    }
}
</code>
----
===== CRL extensions =====
<code csharp>
// CRL with extensions; the Build*Extension helpers and the revokedSerial,
// compromiseDate and certIssuerDn values are assumed to be defined elsewhere
var crlBuilder = new CertificateRevocationListBuilder();

// CRL-level extensions
crlBuilder.AddExtension(
    oid: "2.5.29.20", // CRL Number
    critical: false,
    value: BuildCrlNumberExtension(1001)
);
crlBuilder.AddExtension(
    oid: "2.5.29.35", // Authority Key Identifier
    critical: false,
    value: BuildAkiExtension(caCert)
);
crlBuilder.AddExtension(
    oid: "2.5.29.28", // Issuing Distribution Point (always critical)
    critical: true,
    value: BuildIdpExtension(
        distributionPoint: "http://crl.example.com/intermediate.crl",
        onlyContainUserCerts: true
    )
);

// Entry extensions (per revoked certificate)
crlBuilder.AddEntry(
    serialNumber: revokedSerial,
    revocationTime: DateTimeOffset.UtcNow,
    reason: X509RevocationReason.KeyCompromise,
    extensions: new X509ExtensionCollection
    {
        // Invalidity Date (when the key was actually compromised)
        BuildInvalidityDateExtension(compromiseDate),
        // Certificate Issuer (only for an indirect CRL)
        BuildCertificateIssuerExtension(certIssuerDn)
    }
);
</code>
----
===== Revocation reasons (RFC 5280) =====
^ Code ^ Reason ^ Description ^
| 0 | unspecified | No specific reason |
| 1 | keyCompromise | Key compromised |
| 2 | cACompromise | CA compromised |
| 3 | affiliationChanged | Affiliation changed |
| 4 | superseded | Replaced by a new certificate |
| 5 | cessationOfOperation | Operation ceased |
| 6 | certificateHold | Temporarily blocked |
| 8 | removeFromCRL | Remove from the CRL (lift the hold) |
| 9 | privilegeWithdrawn | Privilege withdrawn |
| 10 | aACompromise | Attribute authority compromised |
----
===== Configuring the CRL Distribution Point =====
<code csharp>
// Issuing a certificate with a CDP extension
var cert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    extensions: new ExtBuilder()
        .CrlDistributionPoint(
            uri: "http://crl.example.com/intermediate.crl",
            ldapUri: "ldap://ldap.example.com/cn=Intermediate-CA,o=Example,c=DE?certificateRevocationList"
        )
        .Build()
);
</code>
----
===== CRL requirements by industry =====
^ Industry ^ Max. nextUpdate ^ Format ^ Distribution ^
| **WebPKI** | 7 days | DER | HTTP |
| **Enterprise** | 24 hours | DER/PEM | HTTP, LDAP |
| **Energy/SCADA** | 30 days | DER | Offline |
| **Healthcare** | 24 hours | DER | HTTP |
**Best practice:** publish the updated CRL before nextUpdate (at 50-75% of the validity period).
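As an added example (not part of this page or of the WvdS library), a stdlib-only Python check that applies the table above and the 50-75% refresh rule to a CRL's thisUpdate/nextUpdate pair; the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Maximum thisUpdate -> nextUpdate interval per industry (values from the table above)
MAX_INTERVAL = {
    "WebPKI": timedelta(days=7),
    "Enterprise": timedelta(hours=24),
    "Energy/SCADA": timedelta(days=30),
    "Healthcare": timedelta(hours=24),
}


def interval_within_policy(this_update, next_update, industry):
    """True if the CRL's validity window does not exceed the industry maximum."""
    if next_update <= this_update:
        raise ValueError("nextUpdate must be later than thisUpdate")
    return next_update - this_update <= MAX_INTERVAL[industry]


def refresh_window(this_update, next_update, early=0.50, late=0.75):
    """Earliest and latest time to publish the successor CRL (50-75% of validity)."""
    span = next_update - this_update
    return this_update + span * early, this_update + span * late


def crl_status(this_update, next_update, now):
    """'fresh' (before the window), 'refresh-due' (inside it), 'overdue'
    (window missed, CRL still valid) or 'expired' (nextUpdate passed)."""
    if now >= next_update:
        return "expired"
    early, late = refresh_window(this_update, next_update)
    if now < early:
        return "fresh"
    if now <= late:
        return "refresh-due"
    return "overdue"


# Constructed sample: CRL issued 2024-06-15 10:30 UTC with a 7-day nextUpdate
ISSUED = datetime(2024, 6, 15, 10, 30, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=7)


def sample_report():
    """Run all checks over the constructed sample and return the results."""
    return {
        "webpki_ok": interval_within_policy(ISSUED, EXPIRES, "WebPKI"),
        "enterprise_ok": interval_within_policy(ISSUED, EXPIRES, "Enterprise"),
        "window": refresh_window(ISSUED, EXPIRES),
        "status": {d: crl_status(ISSUED, EXPIRES, ISSUED + timedelta(days=d)) for d in (1, 4, 6, 8)},
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

A 7-day window passes the WebPKI limit but fails the 24-hour Enterprise and Healthcare limits, and a CRL fetched on day 8 is reported as expired rather than merely stale.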
----
===== Related scenarios =====
^ Relation ^ Scenario ^ Description ^
| **Alternative** | [[.:ocsp_responder|6.2 OCSP Responder]] | Online checking |
| **Extension** | [[.:delta_crl|6.3 Delta CRL]] | Incremental updates |
| **Prerequisite** | [[.:zertifikat_widerrufen|6.4 Certificate revocation]] | Revocation process |
----
<< [[.:start|← Revocation overview]] | [[hr:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:ocsp_responder|6.2 OCSP Responder →]] >>
{{tag>scenarij opoziv crl revocation pki}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//