semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,30 @@
# Hardware-Backed Org Key / KMS Signing
## Module
Cryptography
## Status
IMPLEMENTED
## Description
HSM and KMS key support via pluggable cryptography module with dedicated plugins for hardware-backed signing.
## Implementation Details
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration supporting RSA (SHA-256/384/512, PSS-SHA256), ECDSA (P-256, P-384), and AES-GCM (128/256) operations; ConnectAsync/DisconnectAsync for HSM session management; simulation mode for testing without hardware
- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 native library wrapper for hardware key operations
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- base class providing plugin lifecycle + ICryptoCapability interface with Sign/Verify/Encrypt/Decrypt/Hash operations
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- orchestrates concurrent signing with multiple profiles (e.g., HSM-backed + software EdDSA dual-stack)
- **IContentSigner**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs` -- abstraction: SignAsync, Profile, Algorithm, KeyId
- **DefaultSigningKeyResolver**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs` -- resolves signing keys from trust anchors and key management
- **CryptoDsseSigner**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs` -- DSSE signer using crypto plugin infrastructure
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs`, `MultiPluginSignVerifyIntegrationTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify HSM-backed signing via PKCS#11 produces valid signatures verifiable with the corresponding public key
- [ ] Verify HSM key operations work through the CryptoPluginBase plugin interface
- [ ] Test multi-profile signing with HSM + software key profiles combined
- [ ] Verify signing key resolution from trust anchors routes to HSM plugin for HSM-prefixed algorithms
- [ ] Test CryptoDsseSigner produces valid DSSE envelopes when backed by HSM keys
- [ ] Verify HSM disconnect and reconnect behavior during key operations
- [ ] Test simulation mode provides functional signing for development/testing environments
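
Review bot: The title ("Hardware-Backed Org Key / KMS Signing") and the Description ("HSM and KMS key support") both claim KMS coverage, but every component under Implementation Details is PKCS#11/HSM or generic plugin infrastructure (`HsmPlugin`, `Pkcs11HsmClientImpl`, `CryptoPluginBase`), and no KMS plugin or source path is listed. Either add the KMS plugin entry with its path or narrow the title and Description to HSM so the feature record matches what is cited. Related points in the same file: Status is `IMPLEMENTED` while every item in the E2E Test Plan is still unchecked, so consider a status that reflects unverified behaviour or note which of the listed integration tests already cover which plan items. The `HsmPlugin` line mentions "simulation mode for testing without hardware", but neither the details nor the test plan say how simulation mode is kept out of production or how a simulated signature is told apart from a hardware-backed one; a test plan item for that would be worth adding. Finally, `MultiPluginSignVerifyIntegrationTests.cs` in the Tests entry has no directory, unlike the two paths before it.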