Scenario 12.4: Interoperability
Category: Import/Export
Complexity: (High)
Prerequisites: Various systems/platforms
Estimated Time: 30-45 minutes
Description
This scenario describes cross-platform interoperability of certificates and keys. With PQ cryptography, special care is required as not all systems yet support ML-DSA/ML-KEM.
Interoperability Challenges:
- Format differences - PEM vs. DER vs. PFX
- Algorithm support - Classical vs. PQ vs. Hybrid
- Platform specifics - Windows, Linux, macOS, Java
- Version differences - OpenSSL 1.x vs. 3.x
Compatibility Matrix
| System | RSA | ECDSA | ML-DSA | ML-KEM | Hybrid |
|---|---|---|---|---|---|
| OpenSSL 3.6+ | Yes | Yes | Yes | Yes | Yes |
| OpenSSL 3.0-3.5 | Yes | Yes | No | No | No |
| .NET 9+ | Yes | Yes | Yes | Yes | Yes |
| Java 21+ | Yes | Yes | Partial (Bouncy Castle) | Partial | No |
| Windows SChannel | Yes | Yes | No | No | No |
| macOS Security | Yes | Yes | No | No | No |
| Firefox/NSS | Yes | Yes | No | Partial | No |
| Chrome/BoringSSL | Yes | Yes | No | Partial | No |
Partial = Experimental/Preview support
Workflow
flowchart TD
SOURCE[Source System] --> DETECT{Algorithm?}
DETECT -->|Classical| DIRECT[Direct Export]
DETECT -->|PQ| CHECK{Target supports PQ?}
CHECK -->|Yes| PQEXPORT[PQ Export]
CHECK -->|No| HYBRID{Hybrid available?}
HYBRID -->|Yes| CLASSICAL[Extract classical part]
HYBRID -->|No| FAIL[Not compatible]
DIRECT --> FORMAT[Convert format]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Target System]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
Code Example: Format Conversion
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; public class CertificateConverter { public byte[] ConvertFormat( byte[] sourceData, CertificateFormat sourceFormat, CertificateFormat targetFormat, string password = null) { // 1. Load into .NET object var cert = LoadCertificate(sourceData, sourceFormat, password); // 2. Export in target format return ExportCertificate(cert, targetFormat, password); } private X509Certificate2 LoadCertificate( byte[] data, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => new X509Certificate2(data), CertificateFormat.Pem => X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)), CertificateFormat.Pfx => new X509Certificate2(data, password, X509KeyStorageFlags.Exportable), _ => throw new NotSupportedException($"Format {format} not supported") }; } private byte[] ExportCertificate( X509Certificate2 cert, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => cert.RawData, CertificateFormat.Pem => Encoding.UTF8.GetBytes(cert.ExportCertificatePem()), CertificateFormat.Pfx => cert.Export(X509ContentType.Pfx, password), _ => throw new NotSupportedException($"Format {format} not supported") }; } } public enum CertificateFormat { Der, Pem, Pfx, P7b }
Code Example: Java KeyStore (JKS) Integration
public class JavaKeystoreInterop { public void ExportForJava( X509Certificate2 certificate, X509Certificate2Collection chain, string jksPath, string storePassword, string keyPassword, string alias) { // Create PKCS#12 (Java can import this) var collection = new X509Certificate2Collection { certificate }; foreach (var ca in chain) { collection.Add(ca); } var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword); var pfxPath = Path.GetTempFileName(); File.WriteAllBytes(pfxPath, pfxBytes); try { // Call keytool var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{pfxPath}\" " + $"-srcstoretype PKCS12 " + $"-srcstorepass \"{keyPassword}\" " + $"-destkeystore \"{jksPath}\" " + $"-deststoretype JKS " + $"-deststorepass \"{storePassword}\" " + $"-destkeypass \"{keyPassword}\" " + $"-alias \"{alias}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode == 0) { Console.WriteLine($"JKS created: {jksPath}"); } else { var error = process.StandardError.ReadToEnd(); throw new Exception($"keytool error: {error}"); } } finally { File.Delete(pfxPath); } } public X509Certificate2 ImportFromJks( string jksPath, string storePassword, string keyPassword, string alias) { var pfxPath = Path.GetTempFileName(); try { // Convert JKS to PKCS#12 var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{jksPath}\" " + $"-srcstoretype JKS " + $"-srcstorepass \"{storePassword}\" " + $"-srcalias \"{alias}\" " + $"-destkeystore \"{pfxPath}\" " + $"-deststoretype PKCS12 " + $"-deststorepass \"{keyPassword}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode != 0) { throw new Exception(process.StandardError.ReadToEnd()); } // Load PKCS#12 return new X509Certificate2(pfxPath, keyPassword, X509KeyStorageFlags.Exportable); } finally { if (File.Exists(pfxPath)) File.Delete(pfxPath); } } }
Code Example: Hybrid Certificate Fallback
public class HybridCertificateFallback { public X509Certificate2 GetCompatibleCertificate( X509Certificate2 hybridCert, PlatformCapabilities targetCapabilities) { using var ctx = PqCryptoContext.Initialize(); // Check if hybrid certificate var algorithm = hybridCert.GetKeyAlgorithm(); if (!IsHybridAlgorithm(algorithm)) { // Not hybrid - return directly return hybridCert; } // Target supports PQ? if (targetCapabilities.SupportsPqAlgorithms) { return hybridCert; } // Fallback: Extract classical part Console.WriteLine("Target does not support PQ - using classical fallback"); // Load alternative certificate chain (if available) var classicalCert = FindClassicalAlternative(hybridCert); if (classicalCert != null) { return classicalCert; } throw new NotSupportedException( "Target system supports neither PQ nor is a classical fallback available" ); } private bool IsHybridAlgorithm(string algorithm) { return algorithm.Contains("ML-DSA") || algorithm.Contains("ML-KEM") || algorithm.Contains("DILITHIUM") || algorithm.Contains("KYBER"); } private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert) { // Search for certificate with same subject but classical algorithm // This requires corresponding infrastructure (Dual-Certificates) using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var alternatives = store.Certificates .Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true) .Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm())) .OrderByDescending(c => c.NotAfter) .FirstOrDefault(); return alternatives; } } public class PlatformCapabilities { public bool SupportsPqAlgorithms { get; set; } public bool SupportsTls13 { get; set; } public string[] SupportedKeyExchanges { get; set; } public string[] SupportedSignatures { get; set; } public static PlatformCapabilities Detect() { return new PlatformCapabilities { SupportsPqAlgorithms = CheckPqSupport(), SupportsTls13 = CheckTls13Support(), SupportedKeyExchanges = GetSupportedKeyExchanges(), SupportedSignatures = GetSupportedSignatures() }; } private static bool CheckPqSupport() { try { // Check if OpenSSL 3.6+ with PQ provider is available return OpenSslInterop.IsOpenSsl36OrNewer(); } catch { return false; } } private static bool CheckTls13Support() { return Environment.OSVersion.Platform == PlatformID.Win32NT ? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+ : true; // Linux/macOS have TLS 1.3 } private static string[] GetSupportedKeyExchanges() => new[] { "X25519", "secp384r1", "secp256r1" }; private static string[] GetSupportedSignatures() => new[] { "RSA", "ECDSA", "Ed25519" }; }
Code Example: Cross-Platform Chain Validation
public class CrossPlatformChainValidator { public ValidationResult ValidateForPlatform( X509Certificate2 certificate, TargetPlatform platform) { var result = new ValidationResult { Platform = platform }; // 1. Check algorithm compatibility var algorithm = certificate.GetKeyAlgorithm(); result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform); if (!result.AlgorithmSupported) { result.Errors.Add($"Algorithm {algorithm} not supported on {platform}"); } // 2. Check key size var keySize = certificate.GetRSAPublicKey()?.KeySize ?? certificate.GetECDsaPublicKey()?.KeySize ?? 0; result.KeySizeSupported = IsKeySizeSupported(keySize, platform); // 3. Check extensions foreach (var ext in certificate.Extensions) { if (!IsExtensionSupported(ext.Oid.Value, platform)) { result.Warnings.Add($"Extension {ext.Oid.FriendlyName} may not be supported"); } } // 4. Validate chain using var chain = new X509Chain(); result.ChainValid = chain.Build(certificate); result.IsValid = result.AlgorithmSupported && result.KeySizeSupported && result.ChainValid && !result.Errors.Any(); return result; } private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform) { var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" }; var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq)); if (!isPq) return true; // Classical = supported everywhere return platform switch { TargetPlatform.DotNet9 => true, TargetPlatform.OpenSsl36 => true, TargetPlatform.Java21BouncyCastle => true, _ => false }; } private bool IsKeySizeSupported(int keySize, TargetPlatform platform) { // Most platforms support RSA 2048-4096, ECDSA P-256/P-384 return keySize >= 2048; } private bool IsExtensionSupported(string oid, TargetPlatform platform) { // Standard extensions are supported everywhere var standardOids = new[] { "2.5.29.15", // Key Usage "2.5.29.17", // SAN "2.5.29.19", // Basic Constraints "2.5.29.37" // Extended Key Usage }; return standardOids.Contains(oid); } } public enum TargetPlatform { Windows, Linux, MacOS, Java21BouncyCastle, DotNet9, OpenSsl36, Browser } public class ValidationResult { public TargetPlatform Platform { get; set; } public bool IsValid { get; set; } public bool AlgorithmSupported { get; set; } public bool KeySizeSupported { get; set; } public bool ChainValid { get; set; } public List<string> Errors { get; set; } = new(); public List<string> Warnings { get; set; } = new(); }
Industry-Specific Interoperability
| Industry | Main Platforms | Format | Specifics |
|---|---|---|---|
| Banking | Java + .NET | JKS, PFX | FIPS Compliance |
| Healthcare | Windows + Linux | PFX, PEM | HL7/FHIR Integration |
| IoT | Embedded Linux | DER | Resource-Limited |
| Cloud | Multi-Platform | PEM | Container/Kubernetes |
Related Scenarios
| Relationship | Scenario | Description |
|---|---|---|
| Foundation | 12.1 PEM Export | Linux format |
| Foundation | 12.2 PFX Export | Windows format |
| Related | 10.4 Hybrid TLS | PQ-TLS Compatibility |
| Related | Algorithms | PQ Fundamentals |
« <- 12.3 PKCS#7 Chain | ^ Import/Export | -> All Scenarios »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: on 2026/01/30 at 12:29 AM
