Scenario 5.4: Policy validation
Category: Validation and trust
Complexity: ⭐⭐⭐⭐ (High)
Prerequisites: Certificate chain with Policy extensions
Estimated time: 15-20 minutes
Description
This scenario describes certificate policy validation according to RFC 5280. Policy validation ensures that certificates meet organizational requirements:
- Certificate Policies (OID 2.5.29.32) - Which policies apply?
- Policy Mappings (OID 2.5.29.33) - Translation of policies between CAs
- Policy Constraints (OID 2.5.29.36) - Restrictions on policy inheritance
- Inhibit anyPolicy (OID 2.5.29.54) - Disabling anyPolicy
Workflow
```mermaid
flowchart TD
    CHAIN[Certificate chain] --> EXTRACT[Extract policies]
    EXTRACT --> MAP[Apply policy mappings]
    MAP --> INHERIT[Check policy inheritance]
    INHERIT --> CONSTRAINT[Check constraints]
    CONSTRAINT --> ANY{anyPolicy allowed?}
    ANY -->|Yes| MATCH[Check policy match]
    ANY -->|No| EXPLICIT[Explicit policy required]
    MATCH --> OK{Policy satisfied?}
    EXPLICIT --> OK
    OK -->|Yes| VALID[Policy valid]
    OK -->|No| INVALID[Policy violated]
    style VALID fill:#e8f5e9
    style INVALID fill:#ffebee
```
Code example (C#)
```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the certificates
var serverCert = ctx.LoadCertificate("server.crt.pem");
var intermediate = ctx.LoadCertificate("intermediate-ca.crt.pem");
var root = ctx.LoadCertificate("root-ca.crt.pem");

// Define the required policy
var requiredPolicy = new Oid("1.3.6.1.4.1.99999.1.1"); // example OID

// Chain with policy checking. ExtraStore only helps path building;
// the root is trusted only if it is present in the platform trust store.
using var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(intermediate);
chain.ChainPolicy.ExtraStore.Add(root);

// Add the Certificate Policies the chain must satisfy
chain.ChainPolicy.CertificatePolicy.Add(requiredPolicy);

// Build and validate the chain (false may also mean a non-policy error)
bool isValid = chain.Build(serverCert);

// Check for policy errors
var policyErrors = chain.ChainElements
    .Cast<X509ChainElement>()
    .SelectMany(e => e.ChainElementStatus)
    .Where(s => s.Status == X509ChainStatusFlags.InvalidPolicyConstraints
             || s.Status == X509ChainStatusFlags.NoIssuanceChainPolicy)
    .ToList();

if (policyErrors.Any())
{
    Console.WriteLine("Policy validation failed:");
    foreach (var error in policyErrors)
    {
        Console.WriteLine($"  {error.StatusInformation}");
    }
}
else
{
    Console.WriteLine("Policy validation succeeded");
}
```
Extracting policies from certificates
```csharp
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

public class CertificatePolicy
{
    public string PolicyIdentifier { get; set; } = "";
    public string? CpsUri { get; set; }
    public string? UserNotice { get; set; }
}

public class PolicyExtractor
{
    public List<CertificatePolicy> ExtractPolicies(X509Certificate2 cert)
    {
        var policies = new List<CertificatePolicy>();

        // Certificate Policies extension (2.5.29.32)
        var policyExt = cert.Extensions["2.5.29.32"];
        if (policyExt == null) return policies;

        // ASN.1 parsing: certificatePolicies ::= SEQUENCE OF PolicyInformation
        var reader = new AsnReader(policyExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();

        while (sequence.HasData)
        {
            var policyInfo = sequence.ReadSequence();
            var policyOid = policyInfo.ReadObjectIdentifier();
            var policy = new CertificatePolicy { PolicyIdentifier = policyOid };

            // Optional: policy qualifiers
            if (policyInfo.HasData)
            {
                var qualifiers = policyInfo.ReadSequence();
                while (qualifiers.HasData)
                {
                    var qualifier = qualifiers.ReadSequence();
                    var qualifierId = qualifier.ReadObjectIdentifier();

                    // CPS URI (1.3.6.1.5.5.7.2.1)
                    if (qualifierId == "1.3.6.1.5.5.7.2.1")
                    {
                        policy.CpsUri = qualifier.ReadCharacterString(UniversalTagNumber.IA5String);
                    }
                    // User Notice (1.3.6.1.5.5.7.2.2)
                    else if (qualifierId == "1.3.6.1.5.5.7.2.2")
                    {
                        policy.UserNotice = ParseUserNotice(qualifier);
                    }
                    // Unknown qualifier IDs are skipped; their sub-reader is simply discarded
                }
            }

            policies.Add(policy);
        }

        return policies;
    }

    // UserNotice ::= SEQUENCE { noticeRef NoticeReference OPTIONAL, explicitText DisplayText OPTIONAL }
    // Only explicitText is returned; noticeRef is skipped.
    private static string? ParseUserNotice(AsnReader qualifier)
    {
        var notice = qualifier.ReadSequence();
        if (notice.HasData && notice.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence))
            notice.ReadEncodedValue(); // noticeRef
        if (!notice.HasData) return null;
        // DisplayText is one of IA5String, VisibleString, BMPString or UTF8String
        return notice.ReadCharacterString((UniversalTagNumber)notice.PeekTag().TagValue);
    }
}
```
Important policy OIDs
| OID | Name | Use |
|---|---|---|
| 2.5.29.32.0 | anyPolicy | All policies allowed |
| 2.16.840.1.101.3.2.1.3.13 | id-fpki-common-policy | US Federal PKI |
| 0.4.0.194121.1.2 | NCP | EU natural person |
| 0.4.0.194112.1.2 | QCP | EU qualified certificate |
| 2.23.140.1.2.1 | DV-SSL | Domain Validated |
| 2.23.140.1.2.2 | OV-SSL | Organization Validated |
| 2.23.140.1.1 | EV-SSL | Extended Validation |
Policy Mappings
```csharp
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

public class PolicyMapper
{
    // Extract the Policy Mappings from a CA certificate.
    // One issuerDomainPolicy may be mapped to several subjectDomainPolicy values,
    // so each key holds a set rather than a single OID.
    public Dictionary<string, HashSet<string>> ExtractMappings(X509Certificate2 caCert)
    {
        var mappings = new Dictionary<string, HashSet<string>>();

        // Policy Mappings extension (2.5.29.33)
        var mappingExt = caCert.Extensions["2.5.29.33"];
        if (mappingExt == null) return mappings;

        // PolicyMappings ::= SEQUENCE OF SEQUENCE { issuerDomainPolicy OID, subjectDomainPolicy OID }
        var reader = new AsnReader(mappingExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();

        while (sequence.HasData)
        {
            var mapping = sequence.ReadSequence();
            var issuerPolicy = mapping.ReadObjectIdentifier();
            var subjectPolicy = mapping.ReadObjectIdentifier();
            if (!mappings.TryGetValue(issuerPolicy, out var targets))
            {
                targets = new HashSet<string>();
                mappings[issuerPolicy] = targets;
            }
            targets.Add(subjectPolicy);
        }

        return mappings;
    }

    // Propagate a policy through the chain (chain[0] is the end entity, the last element the root).
    // Returns the policy OIDs that are equivalent to requiredPolicy in the end entity's domain.
    public HashSet<string> PropagatePolicy(X509Certificate2[] chain, string requiredPolicy)
    {
        var validPolicies = new HashSet<string> { requiredPolicy };

        // From the root down to the CA that issued the end entity
        for (int i = chain.Length - 1; i > 0; i--)
        {
            var mappings = ExtractMappings(chain[i]);
            var newPolicies = new HashSet<string>();

            foreach (var policy in validPolicies)
            {
                if (mappings.TryGetValue(policy, out var mapped))
                {
                    newPolicies.UnionWith(mapped);
                }
                else
                {
                    newPolicies.Add(policy);
                }
            }

            validPolicies = newPolicies;
        }

        return validPolicies;
    }
}
```
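The CONSTRAINT, ANY and EXPLICIT steps of the workflow above are driven by the RFC 5280 section 6.1 state variables explicit_policy, policy_mapping and inhibit_anyPolicy, which none of the listings on this page compute. The following added example (not part of the original page or of the WvdS library) reads the Policy Constraints and Inhibit anyPolicy extensions and runs those counters over a path; the class name `PolicyStateWalker` and its methods are assumptions, and it assumes .NET 5+ with `System.Formats.Asn1` and a path that excludes the trust anchor itself.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

// Tracks the RFC 5280 section 6.1 counters explicit_policy, policy_mapping and inhibit_anyPolicy
// over the path below the trust anchor (certificate issued by the anchor first, leaf last).
public static class PolicyStateWalker
{
    // ExplicitPolicy == 0: the leaf must carry an explicit policy. InhibitAnyPolicy == 0: anyPolicy no longer counts.
    public sealed record PolicyState(int ExplicitPolicy, int PolicyMapping, int InhibitAnyPolicy);
    public static PolicyState Walk(X509Certificate2[] path, bool initialExplicitPolicy = false)
    {
        int n = path.Length, policyMapping = n + 1, inhibitAny = n + 1; // 6.1.2: n + 1 never reaches zero
        int explicitPolicy = initialExplicitPolicy ? 0 : n + 1;
        for (int i = 0; i < n; i++)
        {
            var (reqExplicit, inhibitMapping) = ReadPolicyConstraints(path[i]);
            bool last = i == n - 1, selfIssued = path[i].Subject == path[i].Issuer;
            // 6.1.4 (h): self-issued intermediates do not consume a step; 6.1.5 (a): the leaf always does
            if (explicitPolicy > 0 && (last || !selfIssued)) explicitPolicy--;
            if (last) { if (reqExplicit == 0) explicitPolicy = 0; break; } // 6.1.5 (b)
            if (!selfIssued && policyMapping > 0) policyMapping--;
            if (!selfIssued && inhibitAny > 0) inhibitAny--;
            // 6.1.4 (i)/(j): a constraint can only tighten a counter, never relax it
            if (reqExplicit is int e) explicitPolicy = Math.Min(explicitPolicy, e);
            if (inhibitMapping is int m) policyMapping = Math.Min(policyMapping, m);
            if (ReadInhibitAnyPolicy(path[i]) is int a) inhibitAny = Math.Min(inhibitAny, a);
        }
        return new PolicyState(explicitPolicy, policyMapping, inhibitAny);
    }

    // PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] INTEGER OPTIONAL, inhibitPolicyMapping [1] INTEGER OPTIONAL }
    static (int?, int?) ReadPolicyConstraints(X509Certificate2 cert)
    {
        var ext = cert.Extensions["2.5.29.36"];
        if (ext == null) return (null, null);
        var seq = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        Asn1Tag t0 = new(TagClass.ContextSpecific, 0), t1 = new(TagClass.ContextSpecific, 1);
        int? req = null, inh = null;
        if (seq.HasData && seq.PeekTag().HasSameClassAndValue(t0)) req = (int)seq.ReadInteger(t0);
        if (seq.HasData && seq.PeekTag().HasSameClassAndValue(t1)) inh = (int)seq.ReadInteger(t1);
        return (req, inh);
    }

    static int? ReadInhibitAnyPolicy(X509Certificate2 cert) // InhibitAnyPolicy ::= INTEGER (SkipCerts)
    {
        var ext = cert.Extensions["2.5.29.54"];
        return ext == null ? null : (int?)new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadInteger();
    }
}
```

A result with `ExplicitPolicy == 0` means the end entity must match a policy from the Certificate Policies extension (or its mapped equivalent); with `InhibitAnyPolicy == 0` an anyPolicy entry in the leaf no longer satisfies the check.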
Policies by industry
| Industry | Policy | OID range | Requirements |
|---|---|---|---|
| eIDAS | QCP-n, QCP-l | 0.4.0.194112.* | Qualified certificates |
| PSD2 | PSD2-QWAC | 0.4.0.19495.* | Payment Services |
| US Federal | FBCA | 2.16.840.1.101.3.* | Federal Bridge CA |
| Healthcare DE | gematik | 1.2.276.0.76.4.* | Telematics infrastructure |
Policy-based access control
```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public class PolicyBasedAccess
{
    private readonly Dictionary<string, AccessLevel> _policyAccessMap = new()
    {
        ["2.23.140.1.1"] = AccessLevel.HighSecurity,     // EV
        ["2.23.140.1.2.2"] = AccessLevel.MediumSecurity, // OV
        ["2.23.140.1.2.1"] = AccessLevel.LowSecurity,    // DV
        ["2.5.29.32.0"] = AccessLevel.Minimal            // anyPolicy
    };

    // Returns the highest access level granted by any policy the certificate asserts
    public AccessLevel DetermineAccessLevel(X509Certificate2 cert)
    {
        var policies = new PolicyExtractor().ExtractPolicies(cert);
        var highestLevel = AccessLevel.None;

        foreach (var policy in policies)
        {
            if (_policyAccessMap.TryGetValue(policy.PolicyIdentifier, out var level))
            {
                if (level > highestLevel)
                {
                    highestLevel = level;
                }
            }
        }

        return highestLevel;
    }
}

public enum AccessLevel
{
    None = 0,
    Minimal = 1,
    LowSecurity = 2,
    MediumSecurity = 3,
    HighSecurity = 4
}
```
Related scenarios
| Relation | Scenario | Description |
|---|---|---|
| Prerequisite | 5.2 Chain validation | Validate the chain |
| Next step | 5.5 Name constraints | Name checking |
| Related | 1.5 Certificate Policy | Defining policies |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 30.01.2026 at 07:20