Kategorie: Import/Export
Komplexität: ⭐⭐⭐⭐ (Hoch)
Voraussetzungen: Verschiedene Systeme/Plattformen
Geschätzte Zeit: 30-45 Minuten
Dieses Szenario beschreibt die plattformübergreifende Interoperabilität von Zertifikaten und Schlüsseln. Bei PQ-Kryptographie ist besondere Vorsicht geboten, da nicht alle Systeme bereits ML-DSA/ML-KEM unterstützen.
Interoperabilitäts-Herausforderungen:
| System | RSA | ECDSA | ML-DSA | ML-KEM | Hybrid |
|---|---|---|---|---|---|
| OpenSSL 3.6+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| OpenSSL 3.0-3.5 | ✅ | ✅ | ❌ | ❌ | ❌ |
| .NET 9+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Java 21+ | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| Windows SChannel | ✅ | ✅ | ❌ | ❌ | ❌ |
| macOS Security | ✅ | ✅ | ❌ | ❌ | ❌ |
| Firefox/NSS | ✅ | ✅ | ❌ | 🟡 | ❌ |
| Chrome/BoringSSL | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Experimentell/Preview-Support
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; public class CertificateConverter { public byte[] ConvertFormat( byte[] sourceData, CertificateFormat sourceFormat, CertificateFormat targetFormat, string password = null) { // 1. In .NET-Objekt laden var cert = LoadCertificate(sourceData, sourceFormat, password); // 2. Im Zielformat exportieren return ExportCertificate(cert, targetFormat, password); } private X509Certificate2 LoadCertificate( byte[] data, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => new X509Certificate2(data), CertificateFormat.Pem => X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)), CertificateFormat.Pfx => new X509Certificate2(data, password, X509KeyStorageFlags.Exportable), _ => throw new NotSupportedException($"Format {format} nicht unterstützt") }; } private byte[] ExportCertificate( X509Certificate2 cert, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => cert.RawData, CertificateFormat.Pem => Encoding.UTF8.GetBytes(cert.ExportCertificatePem()), CertificateFormat.Pfx => cert.Export(X509ContentType.Pfx, password), _ => throw new NotSupportedException($"Format {format} nicht unterstützt") }; } } public enum CertificateFormat { Der, Pem, Pfx, P7b }
public class JavaKeystoreInterop { public void ExportForJava( X509Certificate2 certificate, X509Certificate2Collection chain, string jksPath, string storePassword, string keyPassword, string alias) { // PKCS#12 erstellen (Java kann dies importieren) var collection = new X509Certificate2Collection { certificate }; foreach (var ca in chain) { collection.Add(ca); } var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword); var pfxPath = Path.GetTempFileName(); File.WriteAllBytes(pfxPath, pfxBytes); try { // keytool aufrufen var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{pfxPath}\" " + $"-srcstoretype PKCS12 " + $"-srcstorepass \"{keyPassword}\" " + $"-destkeystore \"{jksPath}\" " + $"-deststoretype JKS " + $"-deststorepass \"{storePassword}\" " + $"-destkeypass \"{keyPassword}\" " + $"-alias \"{alias}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode == 0) { Console.WriteLine($"JKS erstellt: {jksPath}"); } else { var error = process.StandardError.ReadToEnd(); throw new Exception($"keytool Fehler: {error}"); } } finally { File.Delete(pfxPath); } } public X509Certificate2 ImportFromJks( string jksPath, string storePassword, string keyPassword, string alias) { var pfxPath = Path.GetTempFileName(); try { // JKS zu PKCS#12 konvertieren var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{jksPath}\" " + $"-srcstoretype JKS " + $"-srcstorepass \"{storePassword}\" " + $"-srcalias \"{alias}\" " + $"-destkeystore \"{pfxPath}\" " + $"-deststoretype PKCS12 " + $"-deststorepass \"{keyPassword}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode != 0) { throw new Exception(process.StandardError.ReadToEnd()); } // PKCS#12 laden return new X509Certificate2(pfxPath, keyPassword, X509KeyStorageFlags.Exportable); } finally { if (File.Exists(pfxPath)) File.Delete(pfxPath); } } }
public class HybridCertificateFallback { public X509Certificate2 GetCompatibleCertificate( X509Certificate2 hybridCert, PlatformCapabilities targetCapabilities) { using var ctx = PqCryptoContext.Initialize(); // Prüfen ob Hybrid-Zertifikat var algorithm = hybridCert.GetKeyAlgorithm(); if (!IsHybridAlgorithm(algorithm)) { // Kein Hybrid - direkt zurückgeben return hybridCert; } // Ziel unterstützt PQ? if (targetCapabilities.SupportsPqAlgorithms) { return hybridCert; } // Fallback: Klassischen Teil extrahieren Console.WriteLine("Ziel unterstützt kein PQ - verwende klassischen Fallback"); // Alternative Zertifikat-Kette laden (falls vorhanden) var classicalCert = FindClassicalAlternative(hybridCert); if (classicalCert != null) { return classicalCert; } throw new NotSupportedException( "Ziel-System unterstützt weder PQ noch ist ein klassisches Fallback verfügbar" ); } private bool IsHybridAlgorithm(string algorithm) { return algorithm.Contains("ML-DSA") || algorithm.Contains("ML-KEM") || algorithm.Contains("DILITHIUM") || algorithm.Contains("KYBER"); } private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert) { // Suche nach Zertifikat mit gleichem Subject aber klassischem Algorithmus // Dies erfordert eine entsprechende Infrastruktur (Dual-Certificates) using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var alternatives = store.Certificates .Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true) .Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm())) .OrderByDescending(c => c.NotAfter) .FirstOrDefault(); return alternatives; } } public class PlatformCapabilities { public bool SupportsPqAlgorithms { get; set; } public bool SupportsTls13 { get; set; } public string[] SupportedKeyExchanges { get; set; } public string[] SupportedSignatures { get; set; } public static PlatformCapabilities Detect() { return new PlatformCapabilities { SupportsPqAlgorithms = CheckPqSupport(), SupportsTls13 = CheckTls13Support(), SupportedKeyExchanges = GetSupportedKeyExchanges(), SupportedSignatures = GetSupportedSignatures() }; } private static bool CheckPqSupport() { try { // Prüfen ob OpenSSL 3.6+ mit PQ-Provider verfügbar return OpenSslInterop.IsOpenSsl36OrNewer(); } catch { return false; } } private static bool CheckTls13Support() { return Environment.OSVersion.Platform == PlatformID.Win32NT ? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+ : true; // Linux/macOS haben TLS 1.3 } private static string[] GetSupportedKeyExchanges() => new[] { "X25519", "secp384r1", "secp256r1" }; private static string[] GetSupportedSignatures() => new[] { "RSA", "ECDSA", "Ed25519" }; }
public class CrossPlatformChainValidator { public ValidationResult ValidateForPlatform( X509Certificate2 certificate, TargetPlatform platform) { var result = new ValidationResult { Platform = platform }; // 1. Algorithmus-Kompatibilität prüfen var algorithm = certificate.GetKeyAlgorithm(); result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform); if (!result.AlgorithmSupported) { result.Errors.Add($"Algorithmus {algorithm} nicht unterstützt auf {platform}"); } // 2. Key-Größe prüfen var keySize = certificate.GetRSAPublicKey()?.KeySize ?? certificate.GetECDsaPublicKey()?.KeySize ?? 0; result.KeySizeSupported = IsKeySizeSupported(keySize, platform); // 3. Extensions prüfen foreach (var ext in certificate.Extensions) { if (!IsExtensionSupported(ext.Oid.Value, platform)) { result.Warnings.Add($"Extension {ext.Oid.FriendlyName} möglicherweise nicht unterstützt"); } } // 4. Chain validieren using var chain = new X509Chain(); result.ChainValid = chain.Build(certificate); result.IsValid = result.AlgorithmSupported && result.KeySizeSupported && result.ChainValid && !result.Errors.Any(); return result; } private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform) { var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" }; var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq)); if (!isPq) return true; // Klassisch = überall unterstützt return platform switch { TargetPlatform.DotNet9 => true, TargetPlatform.OpenSsl36 => true, TargetPlatform.Java21BouncyCastle => true, _ => false }; } private bool IsKeySizeSupported(int keySize, TargetPlatform platform) { // Die meisten Plattformen unterstützen RSA 2048-4096, ECDSA P-256/P-384 return keySize >= 2048; } private bool IsExtensionSupported(string oid, TargetPlatform platform) { // Standard-Extensions sind überall unterstützt var standardOids = new[] { "2.5.29.15", // Key Usage "2.5.29.17", // SAN "2.5.29.19", // Basic Constraints "2.5.29.37" // Extended Key Usage }; return standardOids.Contains(oid); } } public enum TargetPlatform { Windows, Linux, MacOS, Java21BouncyCastle, DotNet9, OpenSsl36, Browser } public class ValidationResult { public TargetPlatform Platform { get; set; } public bool IsValid { get; set; } public bool AlgorithmSupported { get; set; } public bool KeySizeSupported { get; set; } public bool ChainValid { get; set; } public List<string> Errors { get; set; } = new(); public List<string> Warnings { get; set; } = new(); }
| Branche | Haupt-Plattformen | Format | Besonderheit |
|---|---|---|---|
| Banking | Java + .NET | JKS, PFX | FIPS-Compliance |
| Healthcare | Windows + Linux | PFX, PEM | HL7/FHIR Integration |
| IoT | Embedded Linux | DER | Ressourcen-Limitiert |
| Cloud | Multi-Platform | PEM | Container/Kubernetes |
| Beziehung | Szenario | Beschreibung |
|---|---|---|
| Grundlage | 12.1 PEM Export | Linux-Format |
| Grundlage | 12.2 PFX Export | Windows-Format |
| Verwandt | 10.4 Hybrid TLS | PQ-TLS Kompatibilität |
| Verwandt | Algorithmen | PQ-Grundlagen |
« ← 12.3 PKCS#7 Chain | ↑ Import/Export | → Alle Szenarien »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional