Categoria: Validazione e fiducia
Complessità: Media
Prerequisiti: Certificato con CDP/OCSP
Tempo stimato: 10-15 minuti
Questo scenario descrive la verifica dello stato di revoca di un certificato tramite CRL (Certificate Revocation List) o OCSP (Online Certificate Status Protocol).
Metodi:
| Metodo | Vantaggi | Svantaggi |
|---|---|---|
| CRL | Funziona offline, batch | File grandi, ritardo |
| OCSP | Tempo reale, risposte piccole | Dipendenza online |
| OCSP Stapling | Privacy, performance | Configurazione server |
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; using System.Security.Cryptography.X509Certificates; using var ctx = PqCryptoContext.Initialize(); // Caricare certificato var cert = ctx.LoadCertificate("server.crt.pem"); var issuer = ctx.LoadCertificate("intermediate-ca.crt.pem"); // Estrarre URL OCSP dal certificato var ocspUrl = ctx.GetOcspUrl(cert); if (!string.IsNullOrEmpty(ocspUrl)) { // Creare richiesta OCSP var ocspRequest = ctx.CreateOcspRequest(cert, issuer); // Inviare richiesta OCSP using var http = new HttpClient(); http.DefaultRequestHeaders.Add("Content-Type", "application/ocsp-request"); var response = await http.PostAsync(ocspUrl, new ByteArrayContent(ocspRequest)); var ocspResponseBytes = await response.Content.ReadAsByteArrayAsync(); // Parsare risposta OCSP var status = ctx.ParseOcspResponse(ocspResponseBytes, cert, issuer); Console.WriteLine($"Stato OCSP: {status.Status}"); Console.WriteLine($" Prodotto: {status.ProducedAt}"); Console.WriteLine($" Valido fino a: {status.NextUpdate}"); if (status.Status == OcspStatus.Revoked) { Console.WriteLine($" Revocato: {status.RevocationTime}"); Console.WriteLine($" Motivo: {status.RevocationReason}"); } }
public class CrlChecker { private readonly Dictionary<string, CrlCache> _crlCache = new(); public async Task<RevocationStatus> CheckCrl(X509Certificate2 cert, X509Certificate2 issuer) { using var ctx = PqCryptoContext.Initialize(); // Estrarre URL CDP dal certificato var cdpUrl = ctx.GetCrlDistributionPoint(cert); if (string.IsNullOrEmpty(cdpUrl)) { return new RevocationStatus { Status = RevocationStatusCode.Unknown }; } // CRL dalla cache o scaricare var crl = await GetOrDownloadCrl(cdpUrl, issuer); // Cercare Serial Number nella CRL var serialNumber = cert.SerialNumber; var entry = crl.Entries.FirstOrDefault(e => e.SerialNumber.Equals(serialNumber, StringComparison.OrdinalIgnoreCase)); if (entry != null) { return new RevocationStatus { Status = RevocationStatusCode.Revoked, RevocationTime = entry.RevocationDate, Reason = entry.Reason }; } return new RevocationStatus { Status = RevocationStatusCode.Good, NextUpdate = crl.NextUpdate }; } private async Task<ParsedCrl> GetOrDownloadCrl(string cdpUrl, X509Certificate2 issuer) { // Verificare cache if (_crlCache.TryGetValue(cdpUrl, out var cached)) { if (cached.NextUpdate > DateTime.UtcNow) { return cached.Crl; } } // Scaricare CRL using var http = new HttpClient(); var crlBytes = await http.GetByteArrayAsync(cdpUrl); // Parsare e verificare CRL using var ctx = PqCryptoContext.Initialize(); var crl = ctx.ParseCrl(crlBytes); // Verificare firma if (!ctx.VerifyCrlSignature(crl, issuer)) { throw new CryptographicException("Firma CRL non valida"); } // Aggiornare cache _crlCache[cdpUrl] = new CrlCache { Crl = crl, NextUpdate = crl.NextUpdate }; return crl; } }
public class OcspStapling { // Lato server: ottenere risposta OCSP in anticipo public async Task<byte[]> GetStapledOcspResponse( X509Certificate2 serverCert, X509Certificate2 issuer) { using var ctx = PqCryptoContext.Initialize(); var ocspUrl = ctx.GetOcspUrl(serverCert); var request = ctx.CreateOcspRequest(serverCert, issuer); using var http = new HttpClient(); var response = await http.PostAsync(ocspUrl, new ByteArrayContent(request)); return await response.Content.ReadAsByteArrayAsync(); } // Lato client: verificare risposta stapled public OcspStatus ValidateStapledResponse( byte[] stapledResponse, X509Certificate2 serverCert, X509Certificate2 issuer) { using var ctx = PqCryptoContext.Initialize(); var status = ctx.ParseOcspResponse(stapledResponse, serverCert, issuer); // Verificare freschezza if (status.ProducedAt < DateTime.UtcNow.AddHours(-24)) { throw new CryptographicException("Risposta OCSP troppo vecchia"); } return status; } }
// Metodo più semplice: usare X509Chain var chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // Opzionale: solo CRL o solo OCSP // chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; // Solo CRL in cache bool isValid = chain.Build(cert); // Estrarre stato revoca dalla chain var revocationErrors = chain.ChainElements .SelectMany(e => e.ChainElementStatus) .Where(s => s.Status.HasFlag(X509ChainStatusFlags.Revoked) || s.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown)) .ToList(); if (revocationErrors.Any()) { foreach (var error in revocationErrors) { Console.WriteLine($"Problema revoca: {error.StatusInformation}"); } }
| Settore | Metodo | Max. ritardo | Fallback |
|---|---|---|---|
| WebPKI | OCSP Must-Staple | Tempo reale | Soft-Fail |
| Settore finanziario | OCSP + CRL | 4 ore | Hard-Fail |
| Sanità | CRL | 24 ore | Soft-Fail |
| Energia/SCADA | CRL (Offline) | 7 giorni | Hard-Fail |
Soft-Fail vs Hard-Fail:
| Relazione | Scenario | Descrizione |
|---|---|---|
| Prerequisito | 5.2 Validazione Chain | Costruire chain |
| Correlato | 6.1 Creare CRL | Generare CRL |
| Correlato | 6.2 OCSP Responder | Gestire OCSP |
« ← 5.2 Validazione Chain | ↑ Panoramica validazione | 5.4 Validazione Policy → »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional