~~NOTOC~~
====== Scenarij 5.4: Validacija politik ======
**Kategorija:** [[.:start|Validacija in zaupanje]] \\
**Kompleksnost:** ⭐⭐⭐⭐ (Visoka) \\
**Predpogoji:** Veriga certifikatov z razširitvami politik \\
**Predviden čas:** 15-20 minut
----
===== Opis =====
Ta scenarij opisuje **validacijo politik certifikatov** po RFC 5280. Validacija politik zagotavlja, da certifikati ustrezajo organizacijskim zahtevam:
* **Certificate Policies** (OID 2.5.29.32) - Katere politike veljajo?
* **Policy Mappings** (OID 2.5.29.33) - Prevodi politik med CA-ji
* **Policy Constraints** (OID 2.5.29.36) - Omejitve dedovanja politik
* **Inhibit anyPolicy** (OID 2.5.29.54) - Deaktivacija anyPolicy
----
===== Potek dela =====
flowchart TD
CHAIN[Veriga certifikatov] --> EXTRACT[Ekstrakcija politik]
EXTRACT --> MAP[Uporaba Policy Mappings]
MAP --> INHERIT[Preverjanje dedovanja politik]
INHERIT --> CONSTRAINT[Preverjanje omejitev]
CONSTRAINT --> ANY{anyPolicy dovoljen?}
ANY -->|Da| MATCH[Preverjanje ujemanja politik]
ANY -->|Ne| EXPLICIT[Potrebna eksplicitna politika]
MATCH --> OK{Politika izpolnjena?}
EXPLICIT --> OK
OK -->|Da| VALID[Politika veljavna]
OK -->|Ne| INVALID[Politika kršena]
style VALID fill:#e8f5e9
style INVALID fill:#ffebee
----
===== Primer kode (C#) =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Security.Cryptography.X509Certificates;
using var ctx = PqCryptoContext.Initialize();
// Nalaganje certifikatov
var serverCert = ctx.LoadCertificate("server.crt.pem");
var intermediate = ctx.LoadCertificate("intermediate-ca.crt.pem");
var root = ctx.LoadCertificate("root-ca.crt.pem");
// Definicija zahtevane politike
var requiredPolicy = new Oid("1.3.6.1.4.1.99999.1.1"); // Primer OID
// Veriga s preverjanjem politik
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(intermediate);
chain.ChainPolicy.ExtraStore.Add(root);
// Dodajanje politik certifikatov
chain.ChainPolicy.CertificatePolicy.Add(requiredPolicy);
// Gradnja in validacija verige
bool isValid = chain.Build(serverCert);
// Preverjanje napak politik
var policyErrors = chain.ChainElements
.SelectMany(e => e.ChainElementStatus)
.Where(s => s.Status == X509ChainStatusFlags.InvalidPolicyConstraints ||
s.Status == X509ChainStatusFlags.NoIssuanceChainPolicy)
.ToList();
if (policyErrors.Any())
{
Console.WriteLine("Validacija politik neuspešna:");
foreach (var error in policyErrors)
{
Console.WriteLine($" {error.StatusInformation}");
}
}
else
{
Console.WriteLine("Validacija politik uspešna");
}
----
===== Ekstrakcija politik iz certifikata =====
public class PolicyExtractor
{
public List ExtractPolicies(X509Certificate2 cert)
{
var policies = new List();
// Razširitev Certificate Policies (2.5.29.32)
var policyExt = cert.Extensions["2.5.29.32"];
if (policyExt == null) return policies;
// Razčlenjevanje ASN.1
var reader = new AsnReader(policyExt.RawData, AsnEncodingRules.DER);
var sequence = reader.ReadSequence();
while (sequence.HasData)
{
var policyInfo = sequence.ReadSequence();
var policyOid = policyInfo.ReadObjectIdentifier();
var policy = new CertificatePolicy
{
PolicyIdentifier = policyOid
};
// Opcijsko: Policy Qualifiers
if (policyInfo.HasData)
{
var qualifiers = policyInfo.ReadSequence();
while (qualifiers.HasData)
{
var qualifier = qualifiers.ReadSequence();
var qualifierId = qualifier.ReadObjectIdentifier();
// CPS URI (1.3.6.1.5.5.7.2.1)
if (qualifierId == "1.3.6.1.5.5.7.2.1")
{
policy.CpsUri = qualifier.ReadCharacterString(UniversalTagNumber.IA5String);
}
// User Notice (1.3.6.1.5.5.7.2.2)
else if (qualifierId == "1.3.6.1.5.5.7.2.2")
{
policy.UserNotice = ParseUserNotice(qualifier);
}
}
}
policies.Add(policy);
}
return policies;
}
}
----
===== Pomembni OID-ji politik =====
^ OID ^ Ime ^ Uporaba ^
| **2.5.29.32.0** | anyPolicy | Vse politike dovoljene |
| **2.16.840.1.101.3.2.1.3.13** | id-fpki-common-policy | US Federal PKI |
| **0.4.0.194121.1.2** | NCP | EU Natural Person |
| **0.4.0.194112.1.2** | QCP | EU Qualified Certificate |
| **2.23.140.1.2.1** | DV-SSL | Domain Validated |
| **2.23.140.1.2.2** | OV-SSL | Organization Validated |
| **2.23.140.1.1** | EV-SSL | Extended Validation |
----
===== Policy Mappings =====
public class PolicyMapper
{
// Ekstrakcija Policy Mappings iz CA certifikata
public Dictionary ExtractMappings(X509Certificate2 caCert)
{
var mappings = new Dictionary();
// Razširitev Policy Mappings (2.5.29.33)
var mappingExt = caCert.Extensions["2.5.29.33"];
if (mappingExt == null) return mappings;
var reader = new AsnReader(mappingExt.RawData, AsnEncodingRules.DER);
var sequence = reader.ReadSequence();
while (sequence.HasData)
{
var mapping = sequence.ReadSequence();
var issuerPolicy = mapping.ReadObjectIdentifier();
var subjectPolicy = mapping.ReadObjectIdentifier();
mappings[issuerPolicy] = subjectPolicy;
}
return mappings;
}
// Propagacija politike skozi verigo
public HashSet PropagatePolicy(
X509Certificate2[] chain,
string requiredPolicy)
{
var validPolicies = new HashSet { requiredPolicy };
// Od korenskega do končnega
for (int i = chain.Length - 1; i > 0; i--)
{
var ca = chain[i];
var mappings = ExtractMappings(ca);
var newPolicies = new HashSet();
foreach (var policy in validPolicies)
{
if (mappings.TryGetValue(policy, out var mapped))
{
newPolicies.Add(mapped);
}
else
{
newPolicies.Add(policy);
}
}
validPolicies = newPolicies;
}
return validPolicies;
}
}
----
===== Panožne politike =====
^ Panoga ^ Politika ^ OID obseg ^ Zahteve ^
| **eIDAS** | QCP-n, QCP-l | 0.4.0.194112.* | Kvalificirani certifikati |
| **PSD2** | PSD2-QWAC | 0.4.0.19495.* | Plačilne storitve |
| **US Federal** | FBCA | 2.16.840.1.101.3.* | Federal Bridge CA |
| **Zdravstvo DE** | gematik | 1.2.276.0.76.4.* | Telematična infrastruktura |
----
===== Nadzor dostopa na podlagi politik =====
public class PolicyBasedAccess
{
private readonly Dictionary _policyAccessMap = new()
{
["2.23.140.1.1"] = AccessLevel.HighSecurity, // EV
["2.23.140.1.2.2"] = AccessLevel.MediumSecurity, // OV
["2.23.140.1.2.1"] = AccessLevel.LowSecurity, // DV
["2.5.29.32.0"] = AccessLevel.Minimal // anyPolicy
};
public AccessLevel DetermineAccessLevel(X509Certificate2 cert)
{
var policies = new PolicyExtractor().ExtractPolicies(cert);
var highestLevel = AccessLevel.None;
foreach (var policy in policies)
{
if (_policyAccessMap.TryGetValue(policy.PolicyIdentifier, out var level))
{
if (level > highestLevel)
{
highestLevel = level;
}
}
}
return highestLevel;
}
}
public enum AccessLevel
{
None = 0,
Minimal = 1,
LowSecurity = 2,
MediumSecurity = 3,
HighSecurity = 4
}
----
===== Povezani scenariji =====
^ Povezava ^ Scenarij ^ Opis ^
| **Predpogoj** | [[.:chain_validation|5.2 Validacija verige]] | Validacija verige |
| **Naslednji korak** | [[.:name_constraints|5.5 Omejitve imen]] | Preverjanje imen |
| **Povezano** | [[sl:int:pqcrypt:szenarien:pki:certificate_policy_definieren|1.5 Politika certifikatov]] | Definicija politike |
----
<< [[.:revocation_check|← 5.3 Preverjanje preklica]] | [[.:start|↑ Pregled validacije]] | [[.:name_constraints|5.5 Omejitve imen →]] >>
{{tag>scenarij validacija politika x509 rfc5280}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//