Scenarij 12.4: Interoperabilnost
Kategorija: Uvoz/Izvoz
Kompleksnost: ⭐⭐⭐⭐ (Visoka)
Predpogoji: Različni sistemi/platforme
Predviden čas: 30-45 minut
Opis
Ta scenarij opisuje medplatformsko interoperabilnost certifikatov in ključev. Pri PQ kriptografiji je potrebna posebna previdnost, saj še vsi sistemi ne podpirajo ML-DSA/ML-KEM.
Izzivi interoperabilnosti:
- Razlike v formatih - PEM vs. DER vs. PFX
- Podpora algoritmov - Klasični vs. PQ vs. Hibridni
- Posebnosti platform - Windows, Linux, macOS, Java
- Razlike verzij - OpenSSL 1.x vs. 3.x
Matrika združljivosti
| Sistem | RSA | ECDSA | ML-DSA | ML-KEM | Hibridni |
|---|---|---|---|---|---|
| OpenSSL 3.6+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| OpenSSL 3.0-3.5 | ✅ | ✅ | ❌ | ❌ | ❌ |
| .NET 9+ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Java 21+ | ✅ | ✅ | 🟡 (Bouncy Castle) | 🟡 | ❌ |
| Windows SChannel | ✅ | ✅ | ❌ | ❌ | ❌ |
| macOS Security | ✅ | ✅ | ❌ | ❌ | ❌ |
| Firefox/NSS | ✅ | ✅ | ❌ | 🟡 | ❌ |
| Chrome/BoringSSL | ✅ | ✅ | ❌ | 🟡 | ❌ |
🟡 = Eksperimentalna/Predogledna podpora
Potek dela
flowchart TD
SOURCE[Izvorni sistem] --> DETECT{Algoritem?}
DETECT -->|Klasični| DIRECT[Neposredni izvoz]
DETECT -->|PQ| CHECK{Cilj podpira PQ?}
CHECK -->|Da| PQEXPORT[PQ izvoz]
CHECK -->|Ne| HYBRID{Hibridni na voljo?}
HYBRID -->|Da| CLASSICAL[Ekstrakcija klasičnega dela]
HYBRID -->|Ne| FAIL[Ni združljivo]
DIRECT --> FORMAT[Pretvorba formata]
PQEXPORT --> FORMAT
CLASSICAL --> FORMAT
FORMAT --> TARGET[Ciljni sistem]
style FAIL fill:#ffebee
style TARGET fill:#e8f5e9
Primer kode: Pretvorba formata
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; public class CertificateConverter { public byte[] ConvertFormat( byte[] sourceData, CertificateFormat sourceFormat, CertificateFormat targetFormat, string password = null) { // 1. Nalaganje v .NET objekt var cert = LoadCertificate(sourceData, sourceFormat, password); // 2. Izvoz v ciljnem formatu return ExportCertificate(cert, targetFormat, password); } private X509Certificate2 LoadCertificate( byte[] data, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => new X509Certificate2(data), CertificateFormat.Pem => X509Certificate2.CreateFromPem(Encoding.UTF8.GetString(data)), CertificateFormat.Pfx => new X509Certificate2(data, password, X509KeyStorageFlags.Exportable), _ => throw new NotSupportedException($"Format {format} ni podprt") }; } private byte[] ExportCertificate( X509Certificate2 cert, CertificateFormat format, string password) { return format switch { CertificateFormat.Der => cert.RawData, CertificateFormat.Pem => Encoding.UTF8.GetBytes(cert.ExportCertificatePem()), CertificateFormat.Pfx => cert.Export(X509ContentType.Pfx, password), _ => throw new NotSupportedException($"Format {format} ni podprt") }; } } public enum CertificateFormat { Der, Pem, Pfx, P7b }
Primer kode: Integracija Java KeyStore (JKS)
public class JavaKeystoreInterop { public void ExportForJava( X509Certificate2 certificate, X509Certificate2Collection chain, string jksPath, string storePassword, string keyPassword, string alias) { // Ustvarjanje PKCS#12 (Java lahko to uvozi) var collection = new X509Certificate2Collection { certificate }; foreach (var ca in chain) { collection.Add(ca); } var pfxBytes = collection.Export(X509ContentType.Pfx, keyPassword); var pfxPath = Path.GetTempFileName(); File.WriteAllBytes(pfxPath, pfxBytes); try { // Klic keytool var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{pfxPath}\" " + $"-srcstoretype PKCS12 " + $"-srcstorepass \"{keyPassword}\" " + $"-destkeystore \"{jksPath}\" " + $"-deststoretype JKS " + $"-deststorepass \"{storePassword}\" " + $"-destkeypass \"{keyPassword}\" " + $"-alias \"{alias}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode == 0) { Console.WriteLine($"JKS ustvarjen: {jksPath}"); } else { var error = process.StandardError.ReadToEnd(); throw new Exception($"Napaka keytool: {error}"); } } finally { File.Delete(pfxPath); } } public X509Certificate2 ImportFromJks( string jksPath, string storePassword, string keyPassword, string alias) { var pfxPath = Path.GetTempFileName(); try { // Pretvorba JKS v PKCS#12 var process = Process.Start(new ProcessStartInfo { FileName = "keytool", Arguments = $"-importkeystore " + $"-srckeystore \"{jksPath}\" " + $"-srcstoretype JKS " + $"-srcstorepass \"{storePassword}\" " + $"-srcalias \"{alias}\" " + $"-destkeystore \"{pfxPath}\" " + $"-deststoretype PKCS12 " + $"-deststorepass \"{keyPassword}\"", RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }); process.WaitForExit(); if (process.ExitCode != 0) { throw new Exception(process.StandardError.ReadToEnd()); } // Nalaganje PKCS#12 return new X509Certificate2(pfxPath, keyPassword, X509KeyStorageFlags.Exportable); } finally { if (File.Exists(pfxPath)) File.Delete(pfxPath); } } }
Primer kode: Nadomestni mehanizem za hibridne certifikate
public class HybridCertificateFallback { public X509Certificate2 GetCompatibleCertificate( X509Certificate2 hybridCert, PlatformCapabilities targetCapabilities) { using var ctx = PqCryptoContext.Initialize(); // Preverjanje ali je hibridni certifikat var algorithm = hybridCert.GetKeyAlgorithm(); if (!IsHybridAlgorithm(algorithm)) { // Ni hibridni - neposredna vrnitev return hybridCert; } // Ali cilj podpira PQ? if (targetCapabilities.SupportsPqAlgorithms) { return hybridCert; } // Nadomestni mehanizem: Ekstrakcija klasičnega dela Console.WriteLine("Cilj ne podpira PQ - uporaba klasičnega nadomestnega mehanizma"); // Nalaganje alternativne certifikatne verige (če je na voljo) var classicalCert = FindClassicalAlternative(hybridCert); if (classicalCert != null) { return classicalCert; } throw new NotSupportedException( "Ciljni sistem ne podpira niti PQ niti klasičnega nadomestnega mehanizma" ); } private bool IsHybridAlgorithm(string algorithm) { return algorithm.Contains("ML-DSA") || algorithm.Contains("ML-KEM") || algorithm.Contains("DILITHIUM") || algorithm.Contains("KYBER"); } private X509Certificate2 FindClassicalAlternative(X509Certificate2 hybridCert) { // Iskanje certifikata z enakim Subject a klasičnim algoritmom // To zahteva ustrezno infrastrukturo (dvojni certifikati) using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var alternatives = store.Certificates .Find(X509FindType.FindBySubjectDistinguishedName, hybridCert.Subject, validOnly: true) .Where(c => !IsHybridAlgorithm(c.GetKeyAlgorithm())) .OrderByDescending(c => c.NotAfter) .FirstOrDefault(); return alternatives; } } public class PlatformCapabilities { public bool SupportsPqAlgorithms { get; set; } public bool SupportsTls13 { get; set; } public string[] SupportedKeyExchanges { get; set; } public string[] SupportedSignatures { get; set; } public static PlatformCapabilities Detect() { return new PlatformCapabilities { SupportsPqAlgorithms = CheckPqSupport(), SupportsTls13 = CheckTls13Support(), SupportedKeyExchanges = GetSupportedKeyExchanges(), SupportedSignatures = GetSupportedSignatures() }; } private static bool CheckPqSupport() { try { // Preverjanje ali je OpenSSL 3.6+ s PQ ponudnikom na voljo return OpenSslInterop.IsOpenSsl36OrNewer(); } catch { return false; } } private static bool CheckTls13Support() { return Environment.OSVersion.Platform == PlatformID.Win32NT ? Environment.OSVersion.Version >= new Version(10, 0, 17763) // Windows 1809+ : true; // Linux/macOS imata TLS 1.3 } private static string[] GetSupportedKeyExchanges() => new[] { "X25519", "secp384r1", "secp256r1" }; private static string[] GetSupportedSignatures() => new[] { "RSA", "ECDSA", "Ed25519" }; }
Primer kode: Medplatformska validacija verige
public class CrossPlatformChainValidator { public ValidationResult ValidateForPlatform( X509Certificate2 certificate, TargetPlatform platform) { var result = new ValidationResult { Platform = platform }; // 1. Preverjanje združljivosti algoritma var algorithm = certificate.GetKeyAlgorithm(); result.AlgorithmSupported = IsAlgorithmSupported(algorithm, platform); if (!result.AlgorithmSupported) { result.Errors.Add($"Algoritem {algorithm} ni podprt na {platform}"); } // 2. Preverjanje velikosti ključa var keySize = certificate.GetRSAPublicKey()?.KeySize ?? certificate.GetECDsaPublicKey()?.KeySize ?? 0; result.KeySizeSupported = IsKeySizeSupported(keySize, platform); // 3. Preverjanje razširitev foreach (var ext in certificate.Extensions) { if (!IsExtensionSupported(ext.Oid.Value, platform)) { result.Warnings.Add($"Razširitev {ext.Oid.FriendlyName} morda ni podprta"); } } // 4. Validacija verige using var chain = new X509Chain(); result.ChainValid = chain.Build(certificate); result.IsValid = result.AlgorithmSupported && result.KeySizeSupported && result.ChainValid && !result.Errors.Any(); return result; } private bool IsAlgorithmSupported(string algorithm, TargetPlatform platform) { var pqAlgorithms = new[] { "ML-DSA", "ML-KEM", "DILITHIUM", "KYBER" }; var isPq = pqAlgorithms.Any(pq => algorithm.Contains(pq)); if (!isPq) return true; // Klasični = povsod podprti return platform switch { TargetPlatform.DotNet9 => true, TargetPlatform.OpenSsl36 => true, TargetPlatform.Java21BouncyCastle => true, _ => false }; } private bool IsKeySizeSupported(int keySize, TargetPlatform platform) { // Večina platform podpira RSA 2048-4096, ECDSA P-256/P-384 return keySize >= 2048; } private bool IsExtensionSupported(string oid, TargetPlatform platform) { // Standardne razširitve so podprte povsod var standardOids = new[] { "2.5.29.15", // Key Usage "2.5.29.17", // SAN "2.5.29.19", // Basic Constraints "2.5.29.37" // Extended Key Usage }; return standardOids.Contains(oid); } } public enum TargetPlatform { Windows, Linux, MacOS, Java21BouncyCastle, DotNet9, OpenSsl36, Browser } public class ValidationResult { public TargetPlatform Platform { get; set; } public bool IsValid { get; set; } public bool AlgorithmSupported { get; set; } public bool KeySizeSupported { get; set; } public bool ChainValid { get; set; } public List<string> Errors { get; set; } = new(); public List<string> Warnings { get; set; } = new(); }
Panožna interoperabilnost
| Panoga | Glavne platforme | Format | Posebnost |
|---|---|---|---|
| Bančništvo | Java + .NET | JKS, PFX | FIPS skladnost |
| Zdravstvo | Windows + Linux | PFX, PEM | HL7/FHIR integracija |
| IoT | Vdelani Linux | DER | Omejeni viri |
| Oblak | Več platform | PEM | Vsebniki/Kubernetes |
Povezani scenariji
| Povezava | Scenarij | Opis |
|---|---|---|
| Osnova | 12.1 PEM izvoz | Linux format |
| Osnova | 12.2 PFX izvoz | Windows format |
| Povezano | 10.4 Hibridni TLS | PQ-TLS združljivost |
| Povezano | Algoritmi | PQ osnove |
« ← 12.3 PKCS#7 veriga | ↑ Uvoz/Izvoz | → Vsi scenariji »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: dne 30.01.2026 ob 06:28
