~~NOTOC~~
====== Scenario 6.4: Revocare certificato ======

<WRAP round info>
**Categoria:** [[.:start|Revoca (Revocation)]] \\
**Complessità:** Media \\
**Prerequisiti:** Certificato e accesso CA \\
**Tempo stimato:** 10-15 minuti
</WRAP>

----

===== Descrizione =====

Questo scenario descrive il **processo completo per la revoca di un certificato**. Una revoca è necessaria in caso di:

  * **Compromissione chiave** - Chiave rubata/persa
  * **Sostituzione** - Nuovo certificato emesso
  * **Cessazione attività** - Servizio non più attivo
  * **Cambio affiliazione** - Dipendente lascia l'organizzazione
  * **Violazione policy** - Certificato non conforme alle direttive

----

===== Workflow =====

<mermaid>
flowchart TD
    REQUEST[Richiesta revoca] --> VERIFY[Verificare autorizzazione]
    VERIFY --> REASON[Documentare motivo]
    REASON --> DB[Inserire in Revocation DB]
    DB --> CRL[Aggiornare CRL]
    DB --> OCSP[Aggiornare OCSP]
    CRL --> PUBLISH[Pubblicare]
    OCSP --> PUBLISH
    PUBLISH --> NOTIFY[Notificare stakeholder]
    NOTIFY --> ARCHIVE[Archiviare documentazione]

    style REQUEST fill:#ffebee
    style PUBLISH fill:#e8f5e9
</mermaid>

----

===== Esempio codice (C#) =====

<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Zu widerrufendes Zertifikat laden
var certToRevoke = ctx.LoadCertificate("server.crt.pem");

// CA-Zugriff
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Widerruf dokumentieren
var revocationRecord = new RevocationRecord
{
    SerialNumber = certToRevoke.SerialNumber,
    Subject = certToRevoke.Subject,
    RevocationTime = DateTimeOffset.UtcNow,
    Reason = X509RevocationReason.KeyCompromise,
    RequestedBy = "admin@example.com",
    RequestedAt = DateTimeOffset.UtcNow,
    ApprovedBy = "security@example.com",
    Notes = "Private Key möglicherweise in Git Repository exponiert"
};

// In Datenbank speichern
var revocationDb = new RevocationDatabase("revocations.db");
revocationDb.AddRevocation(revocationRecord);

Console.WriteLine($"Zertifikat widerrufen:");
Console.WriteLine($"  Serial: {revocationRecord.SerialNumber}");
Console.WriteLine($"  Subject: {revocationRecord.Subject}");
Console.WriteLine($"  Grund: {revocationRecord.Reason}");
Console.WriteLine($"  Zeit: {revocationRecord.RevocationTime:yyyy-MM-dd HH:mm:ss} UTC");
</code>

----

===== Aggiornare CRL e OCSP =====

<code csharp>
public class RevocationManager
{
    private readonly RevocationDatabase _db;
    private readonly X509Certificate2 _caCert;
    private readonly AsymmetricAlgorithm _caKey;

    public async Task RevokeAndPublish(
        X509Certificate2 certificate,
        X509RevocationReason reason,
        string requestedBy)
    {
        using var ctx = PqCryptoContext.Initialize();

        // 1. In Datenbank eintragen
        var record = new RevocationRecord
        {
            SerialNumber = certificate.SerialNumber,
            Subject = certificate.Subject,
            RevocationTime = DateTimeOffset.UtcNow,
            Reason = reason,
            RequestedBy = requestedBy
        };
        _db.AddRevocation(record);

        // 2. Neue CRL generieren
        var crlBuilder = new CertificateRevocationListBuilder();
        foreach (var rev in _db.GetAllRevocations())
        {
            crlBuilder.AddEntry(
                HexToBytes(rev.SerialNumber),
                rev.RevocationTime,
                rev.Reason
            );
        }

        var nextCrlNumber = _db.GetNextCrlNumber();
        var crlBytes = crlBuilder.Build(
            _caCert,
            nextCrlNumber,
            DateTimeOffset.UtcNow.AddDays(7),
            HashAlgorithmName.SHA256,
            mode: CryptoMode.Hybrid
        );

        // 3. CRL veröffentlichen
        await PublishCrl(crlBytes);

        // 4. OCSP Cache invalidieren (falls Stapling)
        InvalidateOcspCache(certificate.SerialNumber);

        // 5. Benachrichtigung senden
        await NotifyStakeholders(record);
    }

    private async Task PublishCrl(byte[] crlBytes)
    {
        // Lokal speichern
        File.WriteAllBytes("current.crl", crlBytes);

        // Auf CDP hochladen
        using var http = new HttpClient();
        var content = new ByteArrayContent(crlBytes);
        await http.PutAsync("https://crl.example.com/intermediate.crl", content);

        Console.WriteLine("CRL veröffentlicht");
    }

    private async Task NotifyStakeholders(RevocationRecord record)
    {
        // E-Mail an Zertifikatsinhaber
        // E-Mail an Security-Team
        // Ticket erstellen
        Console.WriteLine($"Benachrichtigungen gesendet für {record.SerialNumber}");
    }
}
</code>

----

===== Motivi di revoca e utilizzo =====

^  Codice  ^  Motivo  ^  Quando utilizzare  ^  Urgenza  ^
| 0 | unspecified | Nessun motivo specifico | Normale |
| 1 | keyCompromise | Chiave compromessa/rubata | **CRITICO** |
| 2 | cACompromise | CA compromessa | **CRITICO** |
| 3 | affiliationChanged | Organizzazione cambiata | Normale |
| 4 | superseded | Nuovo certificato emesso | Normale |
| 5 | cessationOfOperation | Servizio cessato | Normale |
| 6 | certificateHold | Sospeso temporaneamente | Bassa |
| 9 | privilegeWithdrawn | Privilegio revocato | Normale |

<WRAP round alert>
**keyCompromise (1):** Azioni immediate richieste!
  * Aggiornare CRL immediatamente
  * Informare tutti i sistemi interessati
  * Emettere nuovo certificato
  * Avviare analisi forense
</WRAP>

----

===== Certificate Hold e revoca =====

<code csharp>
public class CertificateHoldManager
{
    // Zertifikat temporär sperren
    public void PlaceOnHold(string serialNumber, string reason)
    {
        _db.AddRevocation(new RevocationRecord
        {
            SerialNumber = serialNumber,
            RevocationTime = DateTimeOffset.UtcNow,
            Reason = X509RevocationReason.CertificateHold,
            Notes = reason,
            IsOnHold = true
        });

        RegenerateCrl();
    }

    // Hold aufheben
    public void RemoveFromHold(string serialNumber, string reason)
    {
        var record = _db.GetRevocation(serialNumber);
        if (record?.Reason != X509RevocationReason.CertificateHold)
        {
            throw new InvalidOperationException("Nur Hold-Zertifikate können freigegeben werden");
        }

        // In Delta-CRL mit RemoveFromCrl markieren
        _db.MarkAsRemovedFromHold(serialNumber);

        // Oder aus Basis-CRL entfernen
        _db.DeleteRevocation(serialNumber);

        RegenerateCrl();
    }
}
</code>

----

===== Audit Trail =====

<code csharp>
public class RevocationAudit
{
    public void LogRevocation(RevocationRecord record)
    {
        var auditEntry = new
        {
            Timestamp = DateTimeOffset.UtcNow,
            Action = "CERTIFICATE_REVOKED",
            SerialNumber = record.SerialNumber,
            Subject = record.Subject,
            Reason = record.Reason.ToString(),
            RequestedBy = record.RequestedBy,
            ApprovedBy = record.ApprovedBy,
            Notes = record.Notes,
            ClientIp = GetClientIp(),
            UserAgent = GetUserAgent()
        };

        // In Audit-Log schreiben
        var json = JsonSerializer.Serialize(auditEntry);
        File.AppendAllText("audit.log", json + Environment.NewLine);

        // SIEM benachrichtigen
        SendToSiem(auditEntry);
    }
}
</code>

----

===== Requisiti di revoca specifici per settore =====

^  Settore  ^  Max. tempo propagazione  ^  Quattro occhi  ^  Audit  ^
| **WebPKI** | 24 ore | Opzionale | Obbligatorio |
| **Settore finanziario** | 4 ore | Obbligatorio | Obbligatorio |
| **Sanità** | 24 ore | Obbligatorio | 10 anni |
| **Energia/SCADA** | 7 giorni | Obbligatorio | Obbligatorio |
| **Governo** | 24 ore | Obbligatorio | 30 anni |

----

===== Scenari correlati =====

^  Relazione  ^  Scenario  ^  Descrizione  ^
| **Passo successivo** | [[.:crl_erstellen|6.1 Creare CRL]] | Aggiornare CRL |
| **Passo successivo** | [[.:ocsp_responder|6.2 OCSP Responder]] | Fornire stato |
| **Correlato** | [[it:int:pqcrypt:szenarien:verwaltung:rekey|4.2 Rekey]] | Nuovo certificato |

----

<< [[.:delta_crl|← 6.3 Delta-CRL]] | [[.:start|↑ Panoramica revoca]] | [[it:int:pqcrypt:szenarien:start|→ Tutti gli scenari]] >>

{{tag>scenario revoca revocation processo audit}}

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//