~~NOTOC~~
====== Scenario 5.3: Controllo revoca ======
**Categoria:** [[.:start|Validazione e fiducia]] \\
**Complessità:** Media \\
**Prerequisiti:** Certificato con CDP/OCSP \\
**Tempo stimato:** 10-15 minuti
----
===== Descrizione =====
Questo scenario descrive la **verifica dello stato di revoca** di un certificato tramite CRL (Certificate Revocation List) o OCSP (Online Certificate Status Protocol).
**Metodi:**
^ Metodo ^ Vantaggi ^ Svantaggi ^
| **CRL** | Funziona offline, batch | File grandi, ritardo |
| **OCSP** | Tempo reale, risposte piccole | Dipendenza online |
| **OCSP Stapling** | Privacy, performance | Configurazione server |
----
===== Workflow =====
flowchart TD
CERT[Verificare certificato] --> HAS_OCSP{URL OCSP?}
HAS_OCSP -->|Si| OCSP[Richiesta OCSP]
HAS_OCSP -->|No| CRL[Scaricare CRL]
OCSP --> OCSP_CHECK{Stato?}
CRL --> CRL_CHECK{Nella CRL?}
OCSP_CHECK -->|good| OK[Non revocato]
OCSP_CHECK -->|revoked| REVOKED[Revocato]
OCSP_CHECK -->|unknown| CRL
CRL_CHECK -->|No| OK
CRL_CHECK -->|Si| REVOKED
style OK fill:#e8f5e9
style REVOKED fill:#ffebee
----
===== Esempio codice: Verifica OCSP =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Security.Cryptography.X509Certificates;
using var ctx = PqCryptoContext.Initialize();
// Caricare certificato
var cert = ctx.LoadCertificate("server.crt.pem");
var issuer = ctx.LoadCertificate("intermediate-ca.crt.pem");
// Estrarre URL OCSP dal certificato
var ocspUrl = ctx.GetOcspUrl(cert);
if (!string.IsNullOrEmpty(ocspUrl))
{
// Creare richiesta OCSP
var ocspRequest = ctx.CreateOcspRequest(cert, issuer);
// Inviare richiesta OCSP
using var http = new HttpClient();
http.DefaultRequestHeaders.Add("Content-Type", "application/ocsp-request");
var response = await http.PostAsync(ocspUrl,
new ByteArrayContent(ocspRequest));
var ocspResponseBytes = await response.Content.ReadAsByteArrayAsync();
// Parsare risposta OCSP
var status = ctx.ParseOcspResponse(ocspResponseBytes, cert, issuer);
Console.WriteLine($"Stato OCSP: {status.Status}");
Console.WriteLine($" Prodotto: {status.ProducedAt}");
Console.WriteLine($" Valido fino a: {status.NextUpdate}");
if (status.Status == OcspStatus.Revoked)
{
Console.WriteLine($" Revocato: {status.RevocationTime}");
Console.WriteLine($" Motivo: {status.RevocationReason}");
}
}
----
===== Esempio codice: Verifica CRL =====
public class CrlChecker
{
private readonly Dictionary _crlCache = new();
public async Task CheckCrl(X509Certificate2 cert, X509Certificate2 issuer)
{
using var ctx = PqCryptoContext.Initialize();
// Estrarre URL CDP dal certificato
var cdpUrl = ctx.GetCrlDistributionPoint(cert);
if (string.IsNullOrEmpty(cdpUrl))
{
return new RevocationStatus { Status = RevocationStatusCode.Unknown };
}
// CRL dalla cache o scaricare
var crl = await GetOrDownloadCrl(cdpUrl, issuer);
// Cercare Serial Number nella CRL
var serialNumber = cert.SerialNumber;
var entry = crl.Entries.FirstOrDefault(e =>
e.SerialNumber.Equals(serialNumber, StringComparison.OrdinalIgnoreCase));
if (entry != null)
{
return new RevocationStatus
{
Status = RevocationStatusCode.Revoked,
RevocationTime = entry.RevocationDate,
Reason = entry.Reason
};
}
return new RevocationStatus
{
Status = RevocationStatusCode.Good,
NextUpdate = crl.NextUpdate
};
}
private async Task GetOrDownloadCrl(string cdpUrl, X509Certificate2 issuer)
{
// Verificare cache
if (_crlCache.TryGetValue(cdpUrl, out var cached))
{
if (cached.NextUpdate > DateTime.UtcNow)
{
return cached.Crl;
}
}
// Scaricare CRL
using var http = new HttpClient();
var crlBytes = await http.GetByteArrayAsync(cdpUrl);
// Parsare e verificare CRL
using var ctx = PqCryptoContext.Initialize();
var crl = ctx.ParseCrl(crlBytes);
// Verificare firma
if (!ctx.VerifyCrlSignature(crl, issuer))
{
throw new CryptographicException("Firma CRL non valida");
}
// Aggiornare cache
_crlCache[cdpUrl] = new CrlCache
{
Crl = crl,
NextUpdate = crl.NextUpdate
};
return crl;
}
}
----
===== OCSP Stapling =====
public class OcspStapling
{
// Lato server: ottenere risposta OCSP in anticipo
public async Task GetStapledOcspResponse(
X509Certificate2 serverCert,
X509Certificate2 issuer)
{
using var ctx = PqCryptoContext.Initialize();
var ocspUrl = ctx.GetOcspUrl(serverCert);
var request = ctx.CreateOcspRequest(serverCert, issuer);
using var http = new HttpClient();
var response = await http.PostAsync(ocspUrl,
new ByteArrayContent(request));
return await response.Content.ReadAsByteArrayAsync();
}
// Lato client: verificare risposta stapled
public OcspStatus ValidateStapledResponse(
byte[] stapledResponse,
X509Certificate2 serverCert,
X509Certificate2 issuer)
{
using var ctx = PqCryptoContext.Initialize();
var status = ctx.ParseOcspResponse(stapledResponse, serverCert, issuer);
// Verificare freschezza
if (status.ProducedAt < DateTime.UtcNow.AddHours(-24))
{
throw new CryptographicException("Risposta OCSP troppo vecchia");
}
return status;
}
}
----
===== Controllo revoca basato su .NET Chain =====
// Metodo più semplice: usare X509Chain
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
// Opzionale: solo CRL o solo OCSP
// chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; // Solo CRL in cache
bool isValid = chain.Build(cert);
// Estrarre stato revoca dalla chain
var revocationErrors = chain.ChainElements
.SelectMany(e => e.ChainElementStatus)
.Where(s => s.Status.HasFlag(X509ChainStatusFlags.Revoked) ||
s.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown))
.ToList();
if (revocationErrors.Any())
{
foreach (var error in revocationErrors)
{
Console.WriteLine($"Problema revoca: {error.StatusInformation}");
}
}
----
===== Requisiti specifici per settore =====
^ Settore ^ Metodo ^ Max. ritardo ^ Fallback ^
| **WebPKI** | OCSP Must-Staple | Tempo reale | Soft-Fail |
| **Settore finanziario** | OCSP + CRL | 4 ore | Hard-Fail |
| **Sanità** | CRL | 24 ore | Soft-Fail |
| **Energia/SCADA** | CRL (Offline) | 7 giorni | Hard-Fail |
**Soft-Fail vs Hard-Fail:**
* **Soft-Fail:** Se non raggiungibile → accettare certificato
* **Hard-Fail:** Se non raggiungibile → rifiutare certificato
----
===== Scenari correlati =====
^ Relazione ^ Scenario ^ Descrizione ^
| **Prerequisito** | [[.:chain_validation|5.2 Validazione Chain]] | Costruire chain |
| **Correlato** | [[it:int:pqcrypt:szenarien:widerruf:crl_erstellen|6.1 Creare CRL]] | Generare CRL |
| **Correlato** | [[it:int:pqcrypt:szenarien:widerruf:ocsp_responder|6.2 OCSP Responder]] | Gestire OCSP |
----
<< [[.:chain_validation|← 5.2 Validazione Chain]] | [[.:start|↑ Panoramica validazione]] | [[.:policy_validation|5.4 Validazione Policy →]] >>
{{tag>scenario validazione revoca crl ocsp}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//