~~NOTOC~~
====== Scenario 12.3: PKCS#7 Chain Export ======
**Category:** [[.:start|Import/Export]] \\
**Complexity:** ⭐⭐ (Low) \\
**Prerequisites:** Certificate chain \\
**Estimated time:** 10-15 minutes
----
===== Description =====
This scenario covers **exporting and importing certificate chains in PKCS#7 format**. PKCS#7 (also known as CMS, the Cryptographic Message Syntax) is well suited to distributing certificate chains, because the bundle carries certificates only and never a private key.
**PKCS#7 characteristics:**
* **Content:** Certificates only (no private key!)
* **Use:** Chain distribution, S/MIME
* **Extensions:** .p7b, .p7c
* **Encoding:** DER (binary) or PEM (Base64)
----
===== Code example: Export a chain as PKCS#7 =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public class Pkcs7ChainExporter
{
    public byte[] ExportChain(X509Certificate2Collection certificates)
    {
        // Degenerate SignedCms: detached, empty content and no signers,
        // so the output carries certificates only (never a private key)
        var content = new ContentInfo(Array.Empty<byte>());
        var signedCms = new SignedCms(content, detached: true);
        // Add the certificates of the chain
        foreach (var cert in certificates)
        {
            signedCms.Certificates.Add(cert);
        }
        // Encode as PKCS#7 (DER)
        return signedCms.Encode();
    }

    public void ExportToFile(
        X509Certificate2Collection certificates,
        string outputPath,
        bool asPem = false)
    {
        var p7bBytes = ExportChain(certificates);
        if (asPem)
        {
            // PEM format: Base64 body between the PKCS7 armour lines
            var pem = new StringBuilder();
            pem.AppendLine("-----BEGIN PKCS7-----");
            pem.AppendLine(Convert.ToBase64String(p7bBytes, Base64FormattingOptions.InsertLineBreaks));
            pem.AppendLine("-----END PKCS7-----");
            File.WriteAllText(outputPath, pem.ToString());
        }
        else
        {
            // Binary (DER)
            File.WriteAllBytes(outputPath, p7bBytes);
        }
        Console.WriteLine($"PKCS#7 exported: {outputPath} ({certificates.Count} certificates)");
    }
}
</code>
----
===== Code example: Import PKCS#7 =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;

public class Pkcs7ChainImporter
{
    public X509Certificate2Collection ImportChain(byte[] p7bBytes)
    {
        var collection = new X509Certificate2Collection();
        // Import only parses the bundle; it does not build or validate the chain
        collection.Import(p7bBytes);
        Console.WriteLine($"{collection.Count} certificates imported");
        return collection;
    }

    public X509Certificate2Collection ImportFromFile(string filePath)
    {
        // Read the file once as bytes; a PEM file is ASCII, so the header check
        // works on the decoded text, while a DER file is passed through unchanged
        var data = File.ReadAllBytes(filePath);
        var text = Encoding.ASCII.GetString(data);
        if (text.Contains("-----BEGIN PKCS7-----"))
        {
            // PEM format: strip the armour and decode the Base64 body
            var base64 = Regex.Match(
                text,
                @"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----",
                RegexOptions.Singleline
            ).Groups[1].Value.Trim();
            data = Convert.FromBase64String(base64);
        }
        // Otherwise the bytes are already binary (DER)
        return ImportChain(data);
    }
}
</code>
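Both snippets above handle the same degenerate CMS SignedData structure: no signers, empty content, certificates only. As an added example that is not part of this page or the project's code, the following Python builds that structure by hand and parses it back; it assumes nothing beyond the standard library and uses constructed placeholder SEQUENCEs in place of real X.509 certificates, and like the C# importer it performs no trust or chain check.

```python
# Added example (not from the page): build and parse the certificate-only CMS SignedData that a .p7b holds.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 id-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 id-data

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def build_p7b(certs):  # ContentInfo{signedData, [0] SignedData{...}}: no signers, no private keys
    signed_data = tlv(0x30,
        tlv(0x02, b"\x01")                # version 1
        + tlv(0x31, b"")                  # digestAlgorithms: empty SET
        + tlv(0x30, tlv(0x06, OID_DATA))  # encapContentInfo: id-data, eContent absent
        + tlv(0xA0, b"".join(certs))      # [0] IMPLICIT certificates
        + tlv(0x31, b""))                 # signerInfos: empty SET, nothing is signed
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))

def read_tlv(buf, pos):  # -> (tag, body, position after the element) for the DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_certs(p7b):  # raw DER certificates in stored order; no trust or chain check
    _, content_info, _ = read_tlv(p7b, 0)
    tag, oid, pos = read_tlv(content_info, 0)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a CMS signedData ContentInfo")
    _, wrapper, _ = read_tlv(content_info, pos)  # [0] EXPLICIT
    _, sd, _ = read_tlv(wrapper, 0)              # SignedData SEQUENCE
    pos = 0
    for _ in range(3):                           # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(sd, pos)
    tag, cert_set, _ = read_tlv(sd, pos)
    if tag != 0xA0:                              # certificates is OPTIONAL; the bundle may carry none
        return []
    certs, p = [], 0
    while p < len(cert_set):
        _, _, end = read_tlv(cert_set, p)
        certs.append(cert_set[p:end])
        p = end
    return certs

SAMPLE_CHAIN = [tlv(0x30, n) for n in (b"root-ca", b"intermediate-ca", b"server")]  # constructed placeholders
```

The output of build_p7b(SAMPLE_CHAIN) is a valid DER ContentInfo, so `openssl pkcs7 -inform DER -print_certs` accepts its framing even though the placeholder certificates themselves are not real.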
----
===== PKCS#7 with OpenSSL =====
<code bash>
# Build a PKCS#7 bundle from several certificates (DER output)
openssl crl2pkcs7 -nocrl \
    -certfile root-ca.pem \
    -certfile intermediate-ca.pem \
    -certfile server.pem \
    -out chain.p7b \
    -outform DER

# PKCS#7 as PEM
openssl crl2pkcs7 -nocrl \
    -certfile chain.pem \
    -out chain.p7b \
    -outform PEM

# Inspect a PKCS#7 bundle (add -inform DER if the file was written with -outform DER)
openssl pkcs7 -in chain.p7b -print_certs -noout

# Extract the certificates from a PKCS#7 bundle
openssl pkcs7 -in chain.p7b -print_certs -out extracted.pem
</code>
----
===== Use in various systems =====
^ System ^ PKCS#7 use ^ Format ^
| **Windows** | Intermediate CA store | .p7b (DER) |
| **IIS** | SSL certificate chain | .p7b |
| **Java** | Trust store import | .p7b (DER) |
| **S/MIME** | E-mail encryption | Part of the message |
| **Code Signing** | Timestamp + chain | Embedded |
----
===== Related scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Alternative** | [[.:pem_export|12.1 PEM Export]] | Chain as PEM |
| **Related** | [[.:pfx_export|12.2 PFX Export]] | With private key |
| **Prerequisite** | [[it:int:pqcrypt:szenarien:pki:ca_hierarchie|1.3 CA Hierarchy]] | Building the chain |
----
<< [[.:pfx_export|← 12.2 PFX Export]] | [[.:start|↑ Import/Export]] | [[.:interop|12.4 Interoperability →]] >>
{{tag>scenario import export pkcs7 chain p7b}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//