Operativne naloge za infrastrukturo PQ-kriptografije.

Te preglede izvajajte redno:

# Ali je OpenSSL na voljo?
openssl version
# Pričakovano: OpenSSL 3.6.0 ali novejši
 
# Ali so PQ-algoritmi aktivni?
openssl list -signature-algorithms | grep -i "ml-dsa" | head -1
# Pričakovano: ML-DSA-44, ML-DSA-65 ali ML-DSA-87

Linux/macOS:

#!/bin/bash
echo "=== WvdS PQ Crypto Health Check ==="
 
# 1. OpenSSL
echo -n "OpenSSL: "
openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "NAPAKA (Različica prestara)"
 
# 2. Podpora ML-DSA
echo -n "ML-DSA: "
openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "NAPAKA"
 
# 3. Podpora ML-KEM
echo -n "ML-KEM: "
openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "NAPAKA"
 
# 4. Ponudnik
echo -n "Ponudnik: "
openssl list -providers | grep -q "default" && echo "OK" || echo "NAPAKA"
 
# 5. FIPS (opcijsko)
echo -n "FIPS: "
openssl list -providers | grep -qi "fips" && echo "OK" || echo "Ni konfigurirano"
 
# 6. .NET Runtime
echo -n ".NET 8: "
dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "NAPAKA"
 
echo "=== Zdravstveni pregled končan ==="

Windows (PowerShell):

Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan
 
# 1. OpenSSL
$opensslVersion = & openssl version 2>$null
if ($opensslVersion -match "3\.[6-9]") {
    Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green
} else {
    Write-Host "OpenSSL: NAPAKA" -ForegroundColor Red
}
 
# 2. ML-DSA
$mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA"
if ($mldsa) {
    Write-Host "ML-DSA: OK" -ForegroundColor Green
} else {
    Write-Host "ML-DSA: NAPAKA" -ForegroundColor Red
}
 
# 3. ML-KEM
$mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM"
if ($mlkem) {
    Write-Host "ML-KEM: OK" -ForegroundColor Green
} else {
    Write-Host "ML-KEM: NAPAKA" -ForegroundColor Red
}
 
# 4. .NET
$dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8"
if ($dotnet) {
    Write-Host ".NET 8: OK" -ForegroundColor Green
} else {
    Write-Host ".NET 8: NAPAKA" -ForegroundColor Red
}
 
Write-Host "=== Zdravstveni pregled končan ===" -ForegroundColor Cyan

Klasično (RSA 4096):

# 1. Generiraj zasebni ključ
openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096
 
# 2. Ustvari samopodpisani korenski CA
openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \
    -subj "/C=SI/O=Organizacija/CN=Korenski CA"
 
# 3. Prikaži certifikat
openssl x509 -in root-ca.crt -text -noout

Post-kvantni (ML-DSA-65):

# 1. Generiraj zasebni ključ ML-DSA
openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key
 
# 2. Ustvari samopodpisani PQ korenski CA
openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \
    -subj "/C=SI/O=Organizacija/CN=PQ Korenski CA"
 
# 3. Prikaži certifikat
openssl x509 -in root-ca-pq.crt -text -noout

# 1. Zasebni ključ za vmesni CA
openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096
 
# 2. Ustvari CSR
openssl req -new -key intermediate.key -out intermediate.csr \
    -subj "/C=SI/O=Organizacija/CN=Vmesni CA"
 
# 3. Podpiši s korenskim CA (z razširitvami CA)
openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \
    -CAcreateserial -out intermediate.crt -days 1825 \
    -extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign")
 
# 4. Preveri verigo
openssl verify -CAfile root-ca.crt intermediate.crt

# 1. Zasebni ključ
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
 
# 2. CSR s SAN (Subject Alternative Name)
openssl req -new -key server.key -out server.csr \
    -subj "/C=SI/O=Organizacija/CN=server.example.com" \
    -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com"
 
# 3. Podpiši z vmesnim CA
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -out server.crt -days 365 \
    -extfile <(echo "basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:server.example.com,DNS:www.example.com")
 
# 4. Preveri celotno verigo
openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt

# Prikaži podrobnosti certifikata
openssl x509 -in cert.crt -text -noout
 
# Samo Subject in Issuer
openssl x509 -in cert.crt -subject -issuer -noout
 
# Obdobje veljavnosti
openssl x509 -in cert.crt -dates -noout
 
# Prstni odtis
openssl x509 -in cert.crt -fingerprint -sha256 -noout
 
# Izvleci javni ključ
openssl x509 -in cert.crt -pubkey -noout
 
# Algoritem podpisa
openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"

# PEM v DER
openssl x509 -in cert.pem -outform DER -out cert.der
 
# DER v PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
 
# PEM v PKCS#12 (PFX)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt
 
# PKCS#12 v PEM (certifikat + ključ)
openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes

Uvoz CA certifikata (PowerShell kot administrator):

# Korenski CA v Trusted Root Certification Authorities
Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root
 
# Vmesni CA v Intermediate Certification Authorities
Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA
 
# Preveri
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}

Seznam certifikatov:

# Vsi korenski CA
Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter
 
# Certifikati, ki potečejo (< 30 dni)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter

Odstranitev certifikata:

# Po prstnem odtisu
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item

Debian/Ubuntu:

# Dodaj CA certifikat
sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates
 
# Preveri
ls /etc/ssl/certs/ | grep wvds
 
# Odstrani certifikat
sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates --fresh

RHEL/CentOS:

# Dodaj CA certifikat
sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt
sudo update-ca-trust
 
# Preveri
trust list | grep -A2 "WvdS"

# Dodaj CA v sistemski Keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt
 
# Preveri
security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain

Komponente za varnostno kopiranje:

Skript za varnostno kopiranje (Linux):

#!/bin/bash
BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
 
# Shramba PQ-ključev
cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/"
 
# Certifikati
cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/"
 
# Zavaruj dovoljenja
chmod 700 "$BACKUP_DIR"
chmod 600 "$BACKUP_DIR"/*
 
echo "Varnostna kopija ustvarjena: $BACKUP_DIR"

Nadzor poteka certifikatov:

# Vsi certifikati z datumom poteka < 30 dni
for cert in /etc/ssl/certs/*.crt; do
    expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)
    if [ -n "$expiry" ]; then
        expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null)
        now_epoch=$(date +%s)
        days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
        if [ "$days_left" -lt 30 ]; then
            echo "OPOZORILO: $cert poteče čez $days_left dni"
        fi
    fi
done

Roki za obnovitev:

• Odpravljanje napak – Reševanje operativnih težav
• Varnost – Najboljše prakse
• Konfiguracija – Aktivacija FIPS-načina

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional