~~NOTOC~~
====== Scenarij 12.4: Interoperabilnost ======
**Kategorija:** [[.:start|Uvoz/Izvoz]] \\
**Kompleksnost:** ⭐⭐⭐⭐ (Visoka) \\
**Predpogoji:** Različni sistemi/platforme \\
**Predviden čas:** 30-45 minut
----
===== Opis =====
Ta scenarij opisuje **medplatformsko interoperabilnost** certifikatov in ključev. Pri PQ kriptografiji je potrebna posebna previdnost, saj še vsi sistemi ne podpirajo ML-DSA/ML-KEM.
**Izzivi interoperabilnosti:**
* **Razlike v formatih** - PEM vs. DER vs. PFX
* **Podpora algoritmov** - Klasični vs. PQ vs. Hibridni
* **Posebnosti platform** - Windows, Linux, macOS, Java
* **Razlike verzij** - OpenSSL 1.x vs. 3.x
----
===== Matrika združljivosti =====
^ Sistem ^ RSA ^ ECDSA ^ ML-DSA ^ ML-KEM ^ Hibridni ^
| **OpenSSL 3.6+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **OpenSSL 3.0-3.5** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **.NET 9+** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Java 21+** | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| **Windows SChannel** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **macOS Security** | ✅ | ✅ | ❌ | ❌ | ❌ |
| **Firefox/NSS** | ✅ | ✅ | ❌ | 🟡 | ❌ |
| **Chrome/BoringSSL** | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Eksperimentalna/Predogledna podpora
----
===== Potek dela =====
flowchart TD
SOURCE[Izvorni sistem] --> DETECT{Algoritem?}
DETECT -->|Klasični| DIRECT[Neposredni izvoz]
DETECT -->|PQ| CHECK{Cilj podpira PQ?}
CHECK -->|Da| PQEXPORT[PQ izvoz]
CHECK -->|Ne| HYBRID{Hibridni na voljo?}
HYBRID -->|Da| CLASSICAL[Ekstrakcija klasičnega dela]
HYBRID -->|Ne| FAIL[Ni združljivo]
DIRECT --> FORMAT[Pretvorba formata]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Ciljni sistem]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
----
===== Primer kode: Pretvorba formata =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
public class CertificateConverter
{
public byte[] ConvertFormat(
byte[] sourceData,
CertificateFormat sourceFormat,
CertificateFormat targetFormat,
string password = null)
{
// 1. Nalaganje v .NET objekt
var cert = LoadCertificate(sourceData, sourceFormat, password);
// 2. Izvoz v ciljnem formatu
return ExportCertificate(cert, targetFormat, password);
}
private X509Certificate2 LoadCertificate(
byte[] data,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
new X509Certificate2(data),
CertificateFormat.Pem =>
X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)),
CertificateFormat.Pfx =>
new X509Certificate2(data, password,
X509KeyStorageFlags.Exportable),
_ => throw new NotSupportedException($"Format {format} ni podprt")
};
}
private byte[] ExportCertificate(
X509Certificate2 cert,
CertificateFormat format,
string password)
{
return format switch
{
CertificateFormat.Der =>
cert.RawData,
CertificateFormat.Pem =>
Encoding.UTF8.GetBytes(cert.ExportCertificatePem()),
CertificateFormat.Pfx =>
cert.Export(X509ContentType.Pfx, password),
_ => throw new NotSupportedException($"Format {format} ni podprt")
};
}
}
public enum CertificateFormat
{
Der,
Pem,
Pfx,
P7b
}
----
===== Primer kode: Integracija Java KeyStore (JKS) =====
public class JavaKeystoreInterop
{
public void ExportForJava(
X509Certificate2 certificate,
X509Certificate2Collection chain,
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
// Ustvarjanje PKCS#12 (Java lahko to uvozi)
var collection = new X509Certificate2Collection { certificate };
foreach (var ca in chain)
{
collection.Add(ca);
}
var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword);
var pfxPath = Path.GetTempFileName();
File.WriteAllBytes(pfxPath, pfxBytes);
try
{
// Klic keytool
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{pfxPath}\" " +
$"-srcstoretype PKCS12 " +
$"-srcstorepass \"{keyPassword}\" " +
$"-destkeystore \"{jksPath}\" " +
$"-deststoretype JKS " +
$"-deststorepass \"{storePassword}\" " +
$"-destkeypass \"{keyPassword}\" " +
$"-alias \"{alias}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode == 0)
{
Console.WriteLine($"JKS ustvarjen: {jksPath}");
}
else
{
var error = process.StandardError.ReadToEnd();
throw new Exception($"Napaka keytool: {error}");
}
}
finally
{
File.Delete(pfxPath);
}
}
public X509Certificate2 ImportFromJks(
string jksPath,
string storePassword,
string keyPassword,
string alias)
{
var pfxPath = Path.GetTempFileName();
try
{
// Pretvorba JKS v PKCS#12
var process = Process.Start(new ProcessStartInfo
{
FileName = "keytool",
Arguments = $"-importkeystore " +
$"-srckeystore \"{jksPath}\" " +
$"-srcstoretype JKS " +
$"-srcstorepass \"{storePassword}\" " +
$"-srcalias \"{alias}\" " +
$"-destkeystore \"{pfxPath}\" " +
$"-deststoretype PKCS12 " +
$"-deststorepass \"{keyPassword}\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
});
process.WaitForExit();
if (process.ExitCode != 0)
{
throw new Exception(process.StandardError.ReadToEnd());
}
// Nalaganje PKCS#12
return new X509Certificate2(pfxPath, keyPassword,
X509KeyStorageFlags.Exportable);
}
finally
{
if (File.Exists(pfxPath))
File.Delete(pfxPath);
}
}
}
----
===== Primer kode: Nadomestni mehanizem za hibridne certifikate =====
public class HybridCertificateFallback
{
public X509Certificate2 GetCompatibleCertificate(
X509Certificate2 hybridCert,
PlatformCapabilities targetCapabilities)
{
using var ctx = PqCryptoContext.Initialize();
// Preverjanje ali je hibridni certifikat
var algorithm = hybridCert.GetKeyAlgorithm();
if (!IsHybridAlgorithm(algorithm))
{
// Ni hibridni - neposredna vrnitev
return hybridCert;
}
// Ali cilj podpira PQ?
if (targetCapabilities.SupportsPqAlgorithms)
{
return hybridCert;
}
// Nadomestni mehanizem: Ekstrakcija klasičnega dela
Console.WriteLine("Cilj ne podpira PQ - uporaba klasičnega nadomestnega mehanizma");
// Nalaganje alternativne certifikatne verige (če je na voljo)
var classicalCert = FindClassicalAlternative(hybridCert);
if (classicalCert != null)
{
return classicalCert;
}
throw new NotSupportedException(
"Ciljni sistem ne podpira niti PQ niti klasičnega nadomestnega mehanizma"
);
}
private bool IsHybridAlgorithm(string algorithm)
{
return algorithm.Contains("ML-DSA") ||
algorithm.Contains("ML-KEM") ||
algorithm.Contains("DILITHIUM") ||
algorithm.Contains("KYBER");
}
private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert)
{
// Iskanje certifikata z enakim Subject a klasičnim algoritmom
// To zahteva ustrezno infrastrukturo (dvojni certifikati)
using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var alternatives = store.Certificates
.Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true)
.Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm()))
.OrderByDescending(c => c.NotAfter)
.FirstOrDefault();
return alternatives;
}
}
public class PlatformCapabilities
{
public bool SupportsPqAlgorithms { get; set; }
public bool SupportsTls13 { get; set; }
public string[] SupportedKeyExchanges { get; set; }
public string[] SupportedSignatures { get; set; }
public static PlatformCapabilities Detect()
{
return new PlatformCapabilities
{
SupportsPqAlgorithms = CheckPqSupport(),
SupportsTls13 = CheckTls13Support(),
SupportedKeyExchanges = GetSupportedKeyExchanges(),
SupportedSignatures = GetSupportedSignatures()
};
}
private static bool CheckPqSupport()
{
try
{
// Preverjanje ali je OpenSSL 3.6+ s PQ ponudnikom na voljo
return OpenSslInterop.IsOpenSsl36OrNewer();
}
catch
{
return false;
}
}
private static bool CheckTls13Support()
{
return Environment.OSVersion.Platform == PlatformID.Win32NT
? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+
: true; // Linux/macOS imata TLS 1.3
}
private static string[] GetSupportedKeyExchanges() =>
new[] { "X25519", "secp384r1", "secp256r1" };
private static string[] GetSupportedSignatures() =>
new[] { "RSA", "ECDSA", "Ed25519" };
}
----
===== Primer kode: Medplatformska validacija verige =====
public class CrossPlatformChainValidator
{
public ValidationResult ValidateForPlatform(
X509Certificate2 certificate,
TargetPlatform platform)
{
var result = new ValidationResult { Platform = platform };
// 1. Preverjanje združljivosti algoritma
var algorithm = certificate.GetKeyAlgorithm();
result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform);
if (!result.AlgorithmSupported)
{
result.Errors.Add($"Algoritem {algorithm} ni podprt na {platform}");
}
// 2. Preverjanje velikosti ključa
var keySize = certificate.GetRSAPublicKey()?.KeySize
?? certificate.GetECDsaPublicKey()?.KeySize
?? 0;
result.KeySizeSupported = IsKeySizeSupported(keySize, platform);
// 3. Preverjanje razširitev
foreach (var ext in certificate.Extensions)
{
if (!IsExtensionSupported(ext.Oid.Value, platform))
{
result.Warnings.Add($"Razširitev {ext.Oid.FriendlyName} morda ni podprta");
}
}
// 4. Validacija verige
using var chain = new X509Chain();
result.ChainValid = chain.Build(certificate);
result.IsValid = result.AlgorithmSupported &&
result.KeySizeSupported &&
result.ChainValid &&
!result.Errors.Any();
return result;
}
private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform)
{
var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" };
var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq));
if (!isPq) return true; // Klasični = povsod podprti
return platform switch
{
TargetPlatform.DotNet9 => true,
TargetPlatform.OpenSsl36 => true,
TargetPlatform.Java21BouncyCastle => true,
_ => false
};
}
private bool IsKeySizeSupported(int keySize, TargetPlatform platform)
{
// Večina platform podpira RSA 2048-4096, ECDSA P-256/P-384
return keySize >= 2048;
}
private bool IsExtensionSupported(string oid, TargetPlatform platform)
{
// Standardne razširitve so podprte povsod
var standardOids = new[]
{
"2.5.29.15", // Key Usage
"2.5.29.17", // SAN
"2.5.29.19", // Basic Constraints
"2.5.29.37" // Extended Key Usage
};
return standardOids.Contains(oid);
}
}
public enum TargetPlatform
{
Windows,
Linux,
MacOS,
Java21BouncyCastle,
DotNet9,
OpenSsl36,
Browser
}
public class ValidationResult
{
public TargetPlatform Platform { get; set; }
public bool IsValid { get; set; }
public bool AlgorithmSupported { get; set; }
public bool KeySizeSupported { get; set; }
public bool ChainValid { get; set; }
public List Errors { get; set; } = new();
public List Warnings { get; set; } = new();
}
----
===== Panožna interoperabilnost =====
^ Panoga ^ Glavne platforme ^ Format ^ Posebnost ^
| **Bančništvo** | Java + .NET | JKS, PFX | FIPS skladnost |
| **Zdravstvo** | Windows + Linux | PFX, PEM | HL7/FHIR integracija |
| **IoT** | Vdelani Linux | DER | Omejeni viri |
| **Oblak** | Več platform | PEM | Vsebniki/Kubernetes |
----
===== Povezani scenariji =====
^ Povezava ^ Scenarij ^ Opis ^
| **Osnova** | [[.:pem_export|12.1 PEM izvoz]] | Linux format |
| **Osnova** | [[.:pfx_export|12.2 PFX izvoz]] | Windows format |
| **Povezano** | [[sl:int:pqcrypt:szenarien:tls:hybrid_tls|10.4 Hibridni TLS]] | PQ-TLS združljivost |
| **Povezano** | [[sl:int:pqcrypt:konzepte:algorithmen|Algoritmi]] | PQ osnove |
----
<< [[.:pkcs7_chain|← 12.3 PKCS#7 veriga]] | [[.:start|↑ Uvoz/Izvoz]] | [[sl:int:pqcrypt:szenarien:start|→ Vsi scenariji]] >>
{{tag>scenarij uvoz izvoz interop medplatformski java openssl}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//