Scenario 5.4: Policy validation

Category: Validation and trust
Complexity: ⭐⭐⭐⭐ (High)
Prerequisites: Certificate chain with policy extensions
Estimated time: 15-20 minutes


Description

This scenario describes the validation of certificate policies according to RFC 5280. Policy validation ensures that certificates meet organizational requirements:

  • Certificate Policies (OID 2.5.29.32) - Which policies apply?
  • Policy Mappings (OID 2.5.29.33) - Translation of policies between CAs
  • Policy Constraints (OID 2.5.29.36) - Restrictions on policy inheritance
  • Inhibit anyPolicy (OID 2.5.29.54) - Disabling anyPolicy

Workflow

flowchart TD
    CHAIN[Certificate chain] --> EXTRACT[Extract policies]
    EXTRACT --> MAP[Apply Policy Mappings]
    MAP --> INHERIT[Check policy inheritance]
    INHERIT --> CONSTRAINT[Check constraints]
    CONSTRAINT --> ANY{anyPolicy permitted?}
    ANY -->|Yes| MATCH[Check policy match]
    ANY -->|No| EXPLICIT[Explicit policy required]
    MATCH --> OK{Policy satisfied?}
    EXPLICIT --> OK
    OK -->|Yes| VALID[Policy valid]
    OK -->|No| INVALID[Policy violated]
    style VALID fill:#e8f5e9
    style INVALID fill:#ffebee
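The two decisions in the flowchart, "anyPolicy permitted?" and "explicit policy required", are driven by the Policy Constraints (2.5.29.36) and Inhibit anyPolicy (2.5.29.54) extensions listed above. The following is an added example, not code from the WvdS library or from this page, that parses both extensions and tracks the RFC 5280 §6.1 state variables explicit_policy and inhibit_any_policy from the trust anchor down to the end entity. The class name PolicyConstraintWalker, the PolicyDecision record, the chain ordering (chain[0] is the end entity, as in PropagatePolicy below) and the parameter initialExplicitPolicy are assumptions of this example; the set of leaf policy OIDs is expected to come from an extractor such as PolicyExtractor on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the WvdS library): tracks the RFC 5280 §6.1 state
// variables explicit_policy and inhibit_any_policy across a chain and decides
// whether the end-entity certificate satisfies a required policy.
public static class PolicyConstraintWalker
{
    public const string AnyPolicy = "2.5.29.32.0";

    public sealed record PolicyDecision(
        bool ExplicitPolicyRequired,  // explicit_policy reached 0 by the time the leaf is checked
        bool AnyPolicyAccepted,       // leaf asserts anyPolicy and inhibit_any_policy is still > 0
        bool Valid);

    // policyConstraints (2.5.29.36) ::= SEQUENCE {
    //   requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL }
    // The RFC 5280 module uses IMPLICIT TAGS, so the INTEGERs carry the context tags directly.
    public static (int? RequireExplicitPolicy, int? InhibitPolicyMapping) ReadPolicyConstraints(X509Certificate2 cert)
    {
        var ext = cert.Extensions["2.5.29.36"];
        if (ext == null) return (null, null);

        var seq = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
        var tag0 = new Asn1Tag(TagClass.ContextSpecific, 0);
        var tag1 = new Asn1Tag(TagClass.ContextSpecific, 1);
        int? require = null, inhibitMapping = null;
        if (seq.HasData && seq.PeekTag().HasSameClassAndValue(tag0))
            require = (int)seq.ReadInteger(tag0);
        if (seq.HasData && seq.PeekTag().HasSameClassAndValue(tag1))
            inhibitMapping = (int)seq.ReadInteger(tag1);
        return (require, inhibitMapping);
    }

    // inhibitAnyPolicy (2.5.29.54) ::= SkipCerts (INTEGER)
    public static int? ReadInhibitAnyPolicy(X509Certificate2 cert)
    {
        var ext = cert.Extensions["2.5.29.54"];
        if (ext == null) return null;
        return (int)new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadInteger();
    }

    // Self-issued: subject and issuer DN are byte-identical (§6.1, definition)
    static bool IsSelfIssued(X509Certificate2 c) =>
        c.SubjectName.RawData.AsSpan().SequenceEqual(c.IssuerName.RawData);

    // chain[0] is the end entity, chain[^1] the trust anchor (assumed ordering).
    // leafPolicies are the OIDs asserted by the leaf (after extraction and mapping).
    // initialExplicitPolicy = true models an application that demands requiredPolicy
    // (the same effect as adding the OID to X509ChainPolicy.CertificatePolicy).
    public static PolicyDecision Evaluate(
        X509Certificate2[] chain,
        ISet<string> leafPolicies,
        string requiredPolicy,
        bool initialExplicitPolicy = true)
    {
        int n = chain.Length - 1;                     // certificates below the trust anchor
        int explicitPolicy = initialExplicitPolicy ? 0 : n + 1;
        int inhibitAnyPolicy = n + 1;

        // Intermediates, root-most first; the trust anchor itself contributes no constraints (§6.1.1)
        for (int i = n - 1; i >= 1; i--)
        {
            var ca = chain[i];
            // §6.1.4 (h): the skip counters tick down only for certificates that are not self-issued
            if (!IsSelfIssued(ca))
            {
                if (explicitPolicy > 0) explicitPolicy--;
                if (inhibitAnyPolicy > 0) inhibitAnyPolicy--;
            }
            // §6.1.4 (i)/(j): a smaller skip count in the CA certificate tightens the state
            var (require, _) = ReadPolicyConstraints(ca);
            if (require is int r && r < explicitPolicy) explicitPolicy = r;
            if (ReadInhibitAnyPolicy(ca) is int a && a < inhibitAnyPolicy) inhibitAnyPolicy = a;
        }

        // Leaf (§6.1.3): anyPolicy in the end-entity certificate only counts while inhibit_any_policy > 0
        bool anyPolicyAccepted = inhibitAnyPolicy > 0 && leafPolicies.Contains(AnyPolicy);
        bool explicitMatch = leafPolicies.Contains(requiredPolicy);

        // §6.1.5 (a)/(b): final decrement, then the leaf's own requireExplicitPolicy = 0 applies
        if (explicitPolicy > 0) explicitPolicy--;
        var (leafRequire, _) = ReadPolicyConstraints(chain[0]);
        if (leafRequire == 0) explicitPolicy = 0;

        bool explicitRequired = explicitPolicy == 0;
        // Either no explicit policy is demanded, or the leaf satisfies it (directly or via a still-honoured anyPolicy)
        bool valid = !explicitRequired || explicitMatch || anyPolicyAccepted;
        return new PolicyDecision(explicitRequired, anyPolicyAccepted, valid);
    }
}
```

Calling Evaluate with the chain array, a HashSet of the OIDs that PolicyExtractor returns for the leaf, and the required OID yields the verdict the flowchart ends in: Valid is false exactly when an explicit policy is required and the leaf asserts neither the required OID nor an anyPolicy that inhibitAnyPolicy has not yet switched off. Run it only on a chain that has already been built and signature-checked; the constraints are only meaningful once every CA in the path is trusted.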


Code example (C#)

using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
 
using var ctx = PqCryptoContext.Initialize();
 
// Load certificates
var serverCert = ctx.LoadCertificate("server.crt.pem");
var intermediate = ctx.LoadCertificate("intermediate-ca.crt.pem");
var root = ctx.LoadCertificate("root-ca.crt.pem");
 
// Define the required policy
var requiredPolicy = new Oid("1.3.6.1.4.1.99999.1.1");  // example OID
 
// Chain with policy checking
using var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(intermediate);
chain.ChainPolicy.ExtraStore.Add(root);
 
// Add the certificate policy the chain must satisfy
chain.ChainPolicy.CertificatePolicy.Add(requiredPolicy);
 
// Build and validate the chain
bool isValid = chain.Build(serverCert);
 
// Check for policy errors (Build also fails for non-policy reasons; inspect chain.ChainStatus for those)
var policyErrors = chain.ChainElements
    .SelectMany(e => e.ChainElementStatus)
    .Where(s => s.Status == X509ChainStatusFlags.InvalidPolicyConstraints ||
                s.Status == X509ChainStatusFlags.NoIssuanceChainPolicy)
    .ToList();
 
if (policyErrors.Any())
{
    Console.WriteLine("Validacija politik neuspešna:");
    foreach (var error in policyErrors)
    {
        Console.WriteLine($"  {error.StatusInformation}");
    }
}
else
{
    Console.WriteLine("Validacija politik uspešna");
}

Extracting policies from a certificate

using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;
 
public class CertificatePolicy
{
    public string PolicyIdentifier { get; set; } = "";
    public string? CpsUri { get; set; }       // CPS Pointer qualifier
    public string? UserNotice { get; set; }   // explicitText of the User Notice qualifier
}
 
public class PolicyExtractor
{
    public List<CertificatePolicy> ExtractPolicies(X509Certificate2 cert)
    {
        var policies = new List<CertificatePolicy>();
 
        // Certificate Policies extension (2.5.29.32)
        var policyExt = cert.Extensions["2.5.29.32"];
        if (policyExt == null) return policies;
 
        // ASN.1 parsing: certificatePolicies ::= SEQUENCE OF PolicyInformation
        var reader = new AsnReader(policyExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();
 
        while (sequence.HasData)
        {
            // PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers SEQUENCE OPTIONAL }
            var policyInfo = sequence.ReadSequence();
            var policyOid = policyInfo.ReadObjectIdentifier();
 
            var policy = new CertificatePolicy
            {
                PolicyIdentifier = policyOid
            };
 
            // Optional: Policy Qualifiers
            if (policyInfo.HasData)
            {
                var qualifiers = policyInfo.ReadSequence();
                while (qualifiers.HasData)
                {
                    var qualifier = qualifiers.ReadSequence();
                    var qualifierId = qualifier.ReadObjectIdentifier();
 
                    // CPS URI (1.3.6.1.5.5.7.2.1)
                    if (qualifierId == "1.3.6.1.5.5.7.2.1")
                    {
                        policy.CpsUri = qualifier.ReadCharacterString(UniversalTagNumber.IA5String);
                    }
                    // User Notice (1.3.6.1.5.5.7.2.2)
                    else if (qualifierId == "1.3.6.1.5.5.7.2.2")
                    {
                        policy.UserNotice = ParseUserNotice(qualifier);
                    }
                    // Unknown qualifiers are skipped: the outer ReadSequence already consumed them
                }
            }
 
            policies.Add(policy);
        }
 
        return policies;
    }
 
    // UserNotice ::= SEQUENCE { noticeRef NoticeReference OPTIONAL, explicitText DisplayText OPTIONAL }
    private static string? ParseUserNotice(AsnReader qualifier)
    {
        var notice = qualifier.ReadSequence();
 
        // noticeRef is itself a SEQUENCE; skip it, only explicitText is kept here
        if (notice.HasData && notice.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence))
        {
            notice.ReadSequence();
        }
        if (!notice.HasData) return null;
 
        // DisplayText is a CHOICE of IA5String, VisibleString, BMPString or UTF8String;
        // the universal tag on the wire tells ReadCharacterString which one to decode
        var encoding = (UniversalTagNumber)notice.PeekTag().TagValue;
        return notice.ReadCharacterString(encoding);
    }
}

Important policy OIDs

OID                          Name                   Use
2.5.29.32.0                  anyPolicy              All policies permitted
2.16.840.1.101.3.2.1.3.13    id-fpki-common-policy  US Federal PKI
0.4.0.194121.1.2             NCP                    EU Natural Person
0.4.0.194112.1.2             QCP                    EU Qualified Certificate
2.23.140.1.2.1               DV-SSL                 Domain Validated
2.23.140.1.2.2               OV-SSL                 Organization Validated
2.23.140.1.1                 EV-SSL                 Extended Validation

Policy Mappings

using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;
 
public class PolicyMapper
{
    // Extract Policy Mappings from a CA certificate
    // (simplification: one subjectDomainPolicy per issuerDomainPolicy; RFC 5280 allows several,
    // and anyPolicy must never appear on either side of a mapping)
    public Dictionary<string, string> ExtractMappings(X509Certificate2 caCert)
    {
        var mappings = new Dictionary<string, string>();
 
        // Policy Mappings extension (2.5.29.33)
        var mappingExt = caCert.Extensions["2.5.29.33"];
        if (mappingExt == null) return mappings;
 
        var reader = new AsnReader(mappingExt.RawData, AsnEncodingRules.DER);
        var sequence = reader.ReadSequence();
 
        while (sequence.HasData)
        {
            // SEQUENCE { issuerDomainPolicy OID, subjectDomainPolicy OID }
            var mapping = sequence.ReadSequence();
            var issuerPolicy = mapping.ReadObjectIdentifier();
            var subjectPolicy = mapping.ReadObjectIdentifier();
 
            mappings[issuerPolicy] = subjectPolicy;
        }
 
        return mappings;
    }
 
    // Propagate a policy through the chain
    // chain[0] is the end entity, chain[^1] the root; mappings live in the CA certificates
    public HashSet<string> PropagatePolicy(
        X509Certificate2[] chain,
        string requiredPolicy)
    {
        var validPolicies = new HashSet<string> { requiredPolicy };
 
        // From the root down to the end entity (index 0 is the leaf and carries no mappings)
        for (int i = chain.Length - 1; i > 0; i--)
        {
            var ca = chain[i];
            var mappings = ExtractMappings(ca);
 
            var newPolicies = new HashSet<string>();
            foreach (var policy in validPolicies)
            {
                if (mappings.TryGetValue(policy, out var mapped))
                {
                    newPolicies.Add(mapped);
                }
                else
                {
                    newPolicies.Add(policy);
                }
            }
            validPolicies = newPolicies;
        }
 
        return validPolicies;
    }
}

Industry policies

Industry        Policy        OID range             Requirements
eIDAS           QCP-n, QCP-l  0.4.0.194112.*        Qualified certificates
PSD2            PSD2-QWAC     0.4.0.19495.*         Payment services
US Federal      FBCA          2.16.840.1.101.3.*    Federal Bridge CA
Healthcare DE   gematik       1.2.276.0.76.4.*      Telematics infrastructure

Policy-based access control

using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
 
public class PolicyBasedAccess
{
    private readonly Dictionary<string, AccessLevel> _policyAccessMap = new()
    {
        ["2.23.140.1.1"] = AccessLevel.HighSecurity,      // EV
        ["2.23.140.1.2.2"] = AccessLevel.MediumSecurity,  // OV
        ["2.23.140.1.2.1"] = AccessLevel.LowSecurity,     // DV
        ["2.5.29.32.0"] = AccessLevel.Minimal             // anyPolicy
    };
 
    // Call this only after the chain has been built and validated (see the X509Chain example above):
    // the policy OIDs are self-asserted by the certificate and mean nothing until the issuing CA
    // is trusted for them.
    public AccessLevel DetermineAccessLevel(X509Certificate2 cert)
    {
        var policies = new PolicyExtractor().ExtractPolicies(cert);
 
        var highestLevel = AccessLevel.None;
 
        foreach (var policy in policies)
        {
            if (_policyAccessMap.TryGetValue(policy.PolicyIdentifier, out var level))
            {
                if (level > highestLevel)
                {
                    highestLevel = level;
                }
            }
        }
 
        return highestLevel;
    }
}
 
public enum AccessLevel
{
    None = 0,
    Minimal = 1,
    LowSecurity = 2,
    MediumSecurity = 3,
    HighSecurity = 4
}

Related scenarios

Relation        Scenario                   Description
Prerequisite    5.2 Chain validation       Chain validation
Next step       5.5 Name constraints       Name checking
Related         1.5 Certificate policy     Policy definition



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 30.01.2026 at 06:50