stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-26 07:47:08 +02:00
parent 56e2f64d07
commit 1c782897f7
184 changed files with 8991 additions and 649 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
docs/security/rootpack_ru_crypto_fork.md Normal file
View File

@@ -0,0 +1,46 @@
# RootPack_RU Crypto Fork Notes (CryptoPro / GOST) · 2025-11-25
## Why
- We need a patchable, source-controlled CryptoPro/GOST stack to ship RootPack_RU without relying on the vulnerable `IT.GostCryptography` 6.0.0.1 package.
- The fork lives at `third_party/forks/AlexMAS.GostCryptography` and is now wired into `StellaOps.Cryptography.Plugin.CryptoPro`.
## Fork specifics
- Upstream: https://github.com/AlexMAS/GostCryptography @ commit `31413f6`.
- Retargeted to `net10.0`; packaging-on-build disabled to avoid accidental nuget pushes.
- Added deps: `System.Security.Cryptography.Xml` 8.0.1, `System.Security.Permissions` 8.0.0, warning suppressions (CA1416, SYSLIB0004) for Windows-only CSP APIs.
- Build entrypoint: `third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj`.
## How we consume it
- `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro` now project-references the fork (removed `IT.GostCryptography` nuget).
- Runtime still Windows-only; plugin uses CSP (`CspParameters`) for key material when available.
- Tests are opt-in and Windows/CSP only: set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and run `scripts/crypto/run-cryptopro-tests.ps1`.
## How to sync the fork
- Track the pinned upstream commit in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` (currently `31413f6`).
- To refresh:
1. `git clone https://github.com/AlexMAS/GostCryptography.git /tmp/gost && cd /tmp/gost && git checkout <commit-or-tag>`
2. `rsync -a --delete --exclude .git /tmp/gost/ third_party/forks/AlexMAS.GostCryptography/`
3. Update `STELLA_NOTES.md` with the new commit hash and any upstream changes that matter for CSP/Magma/Kuznyechik.
4. Run `dotnet build third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release` plus `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` to confirm the fork still compiles inside the monorepo.
- Keep the folder free of binary outputs (no `.nupkg` or `bin/obj` committed) so RootPack stays reproducible.
## Build & test quickstart (Windows runner with CryptoPro CSP installed)
```powershell
dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj -c Release
scripts/crypto/run-cryptopro-tests.ps1 -Configuration Release
```
### CI (opt-in)
- Workflow: `.gitea/workflows/cryptopro-optin.yml`
- Trigger: `workflow_dispatch` only; assumes runner already has CryptoPro CSP installed/licensed.
- Env guard: `STELLAOPS_CRYPTO_PRO_ENABLED=1` set in workflow to enable CryptoPro tests.
## What remains (tracked in SEC-CRYPTO-90-019/020)
- Run the fork + plugin tests on a Windows+CSP agent.
- Wire an opt-in CI lane for CryptoPro so default pipelines stay green.
- Add platform-aware smoke tests for signer/verify with real CSP key.
## Licensing & distro notes
- Upstream license: MIT; keep `LICENSE` + `NOTICE` from the fork inside RootPack bundles and in third-party notices.
- Plugin remains AGPL-3.0-or-later; ensure fork sources stay vendored (no binary-only blobs).
- Do **not** publish the fork to public feeds; only build from source inside RootPack bundles.