Scenarij 12.4: Interoperabilnost
Kategorija: Uvoz/Izvoz
Složenost: ⭐⭐⭐⭐ (Visoka)
Preduvjeti: Različiti sustavi/platforme
Procijenjeno vrijeme: 30-45 minuta
Opis
Ovaj scenarij opisuje međuplatformsku interoperabilnost certifikata i ključeva. Kod PQ-kriptografije potreban je poseban oprez jer ne podržavaju svi sustavi ML-DSA/ML-KEM.
Izazovi interoperabilnosti:
- Razlike u formatima - PEM vs. DER vs. PFX
- Podrška algoritama - Klasični vs. PQ vs. Hibridni
- Posebnosti platformi - Windows, Linux, macOS, Java
- Razlike u verzijama - OpenSSL 1.x vs. 3.x
Matrica kompatibilnosti
| Sustav | RSA | ECDSA | ML-DSA | ML-KEM | Hibridni |
|---|---|---|---|---|---|
| OpenSSL 3.6+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| OpenSSL 3.0-3.5 | ✅ | ✅ | ❌ | ❌ | ❌ |
| .NET 9+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Java 21+ | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| Windows SChannel | ✅ | ✅ | ❌ | ❌ | ❌ |
| macOS Security | ✅ | ✅ | ❌ | ❌ | ❌ |
| Firefox/NSS | ✅ | ✅ | ❌ | 🟡 | ❌ |
| Chrome/BoringSSL | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Eksperimentalna/Preview podrška
Tijek rada
flowchart TD
SOURCE[Izvorni sustav] --> DETECT{Algoritam?}
DETECT -->|Klasični| DIRECT[Direktan izvoz]
DETECT -->|PQ| CHECK{Cilj podržava PQ?}
CHECK -->|Da| PQEXPORT[PQ izvoz]
CHECK -->|Ne| HYBRID{Hibrid dostupan?}
HYBRID -->|Da| CLASSICAL[Ekstrakcija klasičnog dijela]
HYBRID -->|Ne| FAIL[Nije kompatibilno]
DIRECT --> FORMAT[Konverzija formata]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Ciljni sustav]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
Primjer koda: Konverzija formata
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; public class CertificateConverter { public byte[] ConvertFormat( byte[] sourceData, CertificateFormat sourceFormat, CertificateFormat targetFormat, string password = null) { // 1. Učitavanje u .NET objekt var cert = LoadCertificate(sourceData, sourceFormat, password); // 2. Izvoz u ciljni format return ExportCertificate(cert, targetFormat, password); } private X509Certificate2 LoadCertificate( byte[] data, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => new X509Certificate2(data), CertificateFormat.Pem => X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)), CertificateFormat.Pfx => new X509Certificate2(data, password, X509KeyStorageFlags.Exportable), _ => throw new NotSupportedException($"Format {format} nije podržan") }; } private byte[] ExportCertificate( X509Certificate2 cert, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => cert.RawData, CertificateFormat.Pem => Encoding.UTF8.GetBytes(cert.ExportCertificatePem()), CertificateFormat.Pfx => cert.Export(X509ContentType.Pfx, password), _ => throw new NotSupportedException($"Format {format} nije podržan") }; } } public enum CertificateFormat { Der, Pem, Pfx, P7b }
Primjer koda: Java KeyStore (JKS) integracija
public class JavaKeystoreInterop { public void ExportForJava( X509Certificate2 certificate, X509Certificate2Collection chain, string jksPath, string storePassword, string keyPassword, string alias) { // Kreiranje PKCS#12 (Java može ovo uvesti) var collection = new X509Certificate2Collection { certificate }; foreach (var ca in chain) { collection.Add(ca); } var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword); var pfxPath = Path.GetTempFileName(); File.WriteAllBytes(pfxPath, pfxBytes); try { // Poziv keytool var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{pfxPath}\" " + $"-srcstoretype PKCS12 " + $"-srcstorepass \"{keyPassword}\" " + $"-destkeystore \"{jksPath}\" " + $"-deststoretype JKS " + $"-deststorepass \"{storePassword}\" " + $"-destkeypass \"{keyPassword}\" " + $"-alias \"{alias}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode == 0) { Console.WriteLine($"JKS kreiran: {jksPath}"); } else { var error = process.StandardError.ReadToEnd(); throw new Exception($"keytool greška: {error}"); } } finally { File.Delete(pfxPath); } } public X509Certificate2 ImportFromJks( string jksPath, string storePassword, string keyPassword, string alias) { var pfxPath = Path.GetTempFileName(); try { // Konverzija JKS u PKCS#12 var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{jksPath}\" " + $"-srcstoretype JKS " + $"-srcstorepass \"{storePassword}\" " + $"-srcalias \"{alias}\" " + $"-destkeystore \"{pfxPath}\" " + $"-deststoretype PKCS12 " + $"-deststorepass \"{keyPassword}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode != 0) { throw new Exception(process.StandardError.ReadToEnd()); } // Učitavanje PKCS#12 return new X509Certificate2(pfxPath, keyPassword, X509KeyStorageFlags.Exportable); } finally { if (File.Exists(pfxPath)) File.Delete(pfxPath); } } }
Primjer koda: Hibridni certifikat Fallback
public class HybridCertificateFallback { public X509Certificate2 GetCompatibleCertificate( X509Certificate2 hybridCert, PlatformCapabilities targetCapabilities) { using var ctx = PqCryptoContext.Initialize(); // Provjera je li hibridni certifikat var algorithm = hybridCert.GetKeyAlgorithm(); if (!IsHybridAlgorithm(algorithm)) { // Nije hibrid - vrati direktno return hybridCert; } // Cilj podržava PQ? if (targetCapabilities.SupportsPqAlgorithms) { return hybridCert; } // Fallback: Ekstrakcija klasičnog dijela Console.WriteLine("Cilj ne podržava PQ - koristi se klasični fallback"); // Učitavanje alternativnog lanca certifikata (ako postoji) var classicalCert = FindClassicalAlternative(hybridCert); if (classicalCert != null) { return classicalCert; } throw new NotSupportedException( "Ciljni sustav ne podržava PQ niti je dostupan klasični fallback" ); } private bool IsHybridAlgorithm(string algorithm) { return algorithm.Contains("ML-DSA") || algorithm.Contains("ML-KEM") || algorithm.Contains("DILITHIUM") || algorithm.Contains("KYBER"); } private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert) { // Traženje certifikata s istim Subject ali klasičnim algoritmom // Ovo zahtijeva odgovarajuću infrastrukturu (Dual-Certificates) using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var alternatives = store.Certificates .Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true) .Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm())) .OrderByDescending(c => c.NotAfter) .FirstOrDefault(); return alternatives; } } public class PlatformCapabilities { public bool SupportsPqAlgorithms { get; set; } public bool SupportsTls13 { get; set; } public string[] SupportedKeyExchanges { get; set; } public string[] SupportedSignatures { get; set; } public static PlatformCapabilities Detect() { return new PlatformCapabilities { SupportsPqAlgorithms = CheckPqSupport(), SupportsTls13 = CheckTls13Support(), SupportedKeyExchanges = GetSupportedKeyExchanges(), SupportedSignatures = GetSupportedSignatures() }; } private static bool CheckPqSupport() { try { // Provjera je li OpenSSL 3.6+ s PQ providerom dostupan return OpenSslInterop.IsOpenSsl36OrNewer(); } catch { return false; } } private static bool CheckTls13Support() { return Environment.OSVersion.Platform == PlatformID.Win32NT ? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+ : true; // Linux/macOS imaju TLS 1.3 } private static string[] GetSupportedKeyExchanges() => new[] { "X25519", "secp384r1", "secp256r1" }; private static string[] GetSupportedSignatures() => new[] { "RSA", "ECDSA", "Ed25519" }; }
Primjer koda: Cross-Platform validacija lanca
public class CrossPlatformChainValidator { public ValidationResult ValidateForPlatform( X509Certificate2 certificate, TargetPlatform platform) { var result = new ValidationResult { Platform = platform }; // 1. Provjera kompatibilnosti algoritma var algorithm = certificate.GetKeyAlgorithm(); result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform); if (!result.AlgorithmSupported) { result.Errors.Add($"Algoritam {algorithm} nije podržan na {platform}"); } // 2. Provjera veličine ključa var keySize = certificate.GetRSAPublicKey()?.KeySize ?? certificate.GetECDsaPublicKey()?.KeySize ?? 0; result.KeySizeSupported = IsKeySizeSupported(keySize, platform); // 3. Provjera ekstenzija foreach (var ext in certificate.Extensions) { if (!IsExtensionSupported(ext.Oid.Value, platform)) { result.Warnings.Add($"Ekstenzija {ext.Oid.FriendlyName} možda nije podržana"); } } // 4. Validacija lanca using var chain = new X509Chain(); result.ChainValid = chain.Build(certificate); result.IsValid = result.AlgorithmSupported && result.KeySizeSupported && result.ChainValid && !result.Errors.Any(); return result; } private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform) { var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" }; var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq)); if (!isPq) return true; // Klasični = podržano svuda return platform switch { TargetPlatform.DotNet9 => true, TargetPlatform.OpenSsl36 => true, TargetPlatform.Java21BouncyCastle => true, _ => false }; } private bool IsKeySizeSupported(int keySize, TargetPlatform platform) { // Većina platformi podržava RSA 2048-4096, ECDSA P-256/P-384 return keySize >= 2048; } private bool IsExtensionSupported(string oid, TargetPlatform platform) { // Standardne ekstenzije podržane su svuda var standardOids = new[] { "2.5.29.15", // Key Usage "2.5.29.17", // SAN "2.5.29.19", // Basic Constraints "2.5.29.37" // Extended Key Usage }; return standardOids.Contains(oid); } } public enum TargetPlatform { Windows, Linux, MacOS, Java21BouncyCastle, DotNet9, OpenSsl36, Browser } public class ValidationResult { public TargetPlatform Platform { get; set; } public bool IsValid { get; set; } public bool AlgorithmSupported { get; set; } public bool KeySizeSupported { get; set; } public bool ChainValid { get; set; } public List<string> Errors { get; set; } = new(); public List<string> Warnings { get; set; } = new(); }
Interoperabilnost specifična za industriju
| Industrija | Glavne platforme | Format | Posebnost |
|---|---|---|---|
| Bankarstvo | Java + .NET | JKS, PFX | FIPS usklađenost |
| Zdravstvo | Windows + Linux | PFX, PEM | HL7/FHIR integracija |
| IoT | Embedded Linux | DER | Ograničeni resursi |
| Cloud | Multi-Platform | PEM | Container/Kubernetes |
Povezani scenariji
| Povezanost | Scenarij | Opis |
|---|---|---|
| Osnova | 12.1 PEM izvoz | Linux format |
| Osnova | 12.2 PFX izvoz | Windows format |
| Povezano | 10.4 Hibridni TLS | PQ-TLS kompatibilnost |
| Povezano | Algoritmi | PQ osnove |
« ← 12.3 PKCS#7 lanac | ↑ Uvoz/Izvoz | → Svi scenariji »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: 30.01.2026. u 00:24
