stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj
View File

@@ -20,6 +20,9 @@
<ItemGroup>
<ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/StellaOps.Authority.Plugins.Abstractions.csproj" />
<ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
<ProjectReference Include="..\StellaOps.Cryptography.Plugin.CryptoPro\StellaOps.Cryptography.Plugin.CryptoPro.csproj" />
<ProjectReference Include="..\StellaOps.Cryptography.Plugin.Pkcs11Gost\StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj" />
<ProjectReference Include="..\StellaOps.Cryptography.DependencyInjection\StellaOps.Cryptography.DependencyInjection.csproj" />
</ItemGroup>
</Project>
</Project>

5
src/__Libraries/StellaOps.Configuration/StellaOpsAuthorityOptions.cs
View File

@@ -84,6 +84,11 @@ public sealed class StellaOpsAuthorityOptions
/// </summary>
public AuthorityPluginSettings Plugins { get; } = new();
/// <summary>
/// Sovereign cryptography configuration (provider registry + plugins).
/// </summary>
public StellaOpsCryptoOptions Crypto { get; } = new();
/// <summary>
/// Security-related configuration for the Authority host.
/// </summary>

20
src/__Libraries/StellaOps.Configuration/StellaOpsCryptoOptions.cs Normal file
View File

@@ -0,0 +1,20 @@
using StellaOps.Cryptography;
using StellaOps.Cryptography.DependencyInjection;
using StellaOps.Cryptography.Plugin.CryptoPro;
using StellaOps.Cryptography.Plugin.Pkcs11Gost;
namespace StellaOps.Configuration;
/// <summary>
/// Shared crypto configuration (registry ordering + provider settings) consumed by hosts and tooling.
/// </summary>
public sealed class StellaOpsCryptoOptions
{
public CryptoProviderRegistryOptions Registry { get; } = new();
public Pkcs11GostProviderOptions Pkcs11 { get; } = new();
public CryptoProGostProviderOptions CryptoPro { get; } = new();
public string DefaultHashAlgorithm { get; set; } = HashAlgorithms.Sha256;
}

101
src/__Libraries/StellaOps.Configuration/StellaOpsCryptoServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,101 @@
using System;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Cryptography.DependencyInjection;
using StellaOps.Cryptography.Plugin.CryptoPro;
using StellaOps.Cryptography.Plugin.Pkcs11Gost;
namespace StellaOps.Configuration;
public static class StellaOpsCryptoServiceCollectionExtensions
{
public static IServiceCollection AddStellaOpsCrypto(
this IServiceCollection services,
StellaOpsCryptoOptions? options)
{
ArgumentNullException.ThrowIfNull(services);
var resolved = options ?? new StellaOpsCryptoOptions();
services.AddStellaOpsCrypto(registryOptions =>
{
ApplyRegistry(registryOptions, resolved.Registry);
});
services.AddPkcs11GostProvider();
services.Configure<Pkcs11GostProviderOptions>(target =>
{
CopyPkcs11Options(target, resolved.Pkcs11);
});
services.AddCryptoProGostProvider();
services.Configure<CryptoProGostProviderOptions>(target =>
{
CopyCryptoProOptions(target, resolved.CryptoPro);
});
services.Configure<CryptoHashOptions>(hash =>
{
hash.DefaultAlgorithm = string.IsNullOrWhiteSpace(resolved.DefaultHashAlgorithm)
? HashAlgorithms.Sha256
: resolved.DefaultHashAlgorithm.Trim();
});
return services;
}
private static void ApplyRegistry(
CryptoProviderRegistryOptions target,
CryptoProviderRegistryOptions source)
{
target.ActiveProfile = source.ActiveProfile;
target.PreferredProviders.Clear();
foreach (var provider in source.PreferredProviders)
{
if (!string.IsNullOrWhiteSpace(provider))
{
target.PreferredProviders.Add(provider.Trim());
}
}
target.Profiles.Clear();
foreach (var kvp in source.Profiles)
{
if (kvp.Value is null)
{
continue;
}
var profile = new CryptoProviderProfileOptions();
foreach (var provider in kvp.Value.PreferredProviders)
{
if (!string.IsNullOrWhiteSpace(provider))
{
profile.PreferredProviders.Add(provider.Trim());
}
}
target.Profiles[kvp.Key] = profile;
}
}
private static void CopyPkcs11Options(Pkcs11GostProviderOptions target, Pkcs11GostProviderOptions source)
{
target.Keys.Clear();
foreach (var key in source.Keys)
{
target.Keys.Add(key.Clone());
}
}
private static void CopyCryptoProOptions(CryptoProGostProviderOptions target, CryptoProGostProviderOptions source)
{
target.Keys.Clear();
foreach (var key in source.Keys)
{
target.Keys.Add(key.Clone());
}
}
}

47
src/__Libraries/StellaOps.Cryptography.DependencyInjection/CryptoProviderRegistryOptions.cs
View File

@@ -1,4 +1,7 @@
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
namespace StellaOps.Cryptography.DependencyInjection;
@@ -7,8 +10,52 @@ namespace StellaOps.Cryptography.DependencyInjection;
/// </summary>
public sealed class CryptoProviderRegistryOptions
{
private readonly Dictionary<string, CryptoProviderProfileOptions> profiles =
new(StringComparer.OrdinalIgnoreCase);
/// <summary>
/// Ordered list of preferred provider names. Providers appearing here are consulted first.
/// </summary>
public IList<string> PreferredProviders { get; } = new List<string>();
/// <summary>
/// Optional active profile name (e.g. "ru-offline") that overrides <see cref="PreferredProviders"/>.
/// </summary>
public string? ActiveProfile { get; set; }
/// <summary>
/// Regional or environment-specific provider preference profiles.
/// </summary>
public IDictionary<string, CryptoProviderProfileOptions> Profiles => profiles;
public IReadOnlyList<string> ResolvePreferredProviders()
{
static IReadOnlyList<string> Normalise(IEnumerable<string> items)
=> new ReadOnlyCollection<string>(
items.Where(static value => !string.IsNullOrWhiteSpace(value))
.Select(static value => value.Trim())
.ToArray());
if (!string.IsNullOrWhiteSpace(ActiveProfile) &&
profiles.TryGetValue(ActiveProfile, out var profile) &&
profile.PreferredProviders.Count > 0)
{
return Normalise(profile.PreferredProviders);
}
if (PreferredProviders.Count > 0)
{
return Normalise(PreferredProviders);
}
return Array.Empty<string>();
}
}
public sealed class CryptoProviderProfileOptions
{
/// <summary>
/// Ordered list of preferred provider names for the profile.
/// </summary>
public IList<string> PreferredProviders { get; } = new List<string>();
}

6
src/__Libraries/StellaOps.Cryptography.DependencyInjection/CryptoServiceCollectionExtensions.cs
View File

@@ -45,11 +45,13 @@ public static class CryptoServiceCollectionExtensions
services.TryAddEnumerable(ServiceDescriptor.Singleton<ICryptoProvider, LibsodiumCryptoProvider>());
#endif
services.TryAddSingleton<ICryptoHash, DefaultCryptoHash>();
services.TryAddSingleton<ICryptoProviderRegistry>(sp =>
{
var providers = sp.GetServices<ICryptoProvider>();
var options = sp.GetService<IOptions<CryptoProviderRegistryOptions>>();
IEnumerable<string>? preferred = options?.Value?.PreferredProviders;
var options = sp.GetService<IOptionsMonitor<CryptoProviderRegistryOptions>>();
IEnumerable<string>? preferred = options?.CurrentValue?.ResolvePreferredProviders();
return new CryptoProviderRegistry(providers, preferred);
});

4
src/__Libraries/StellaOps.Cryptography.Kms/StellaOps.Cryptography.Kms.csproj
View File

@@ -5,8 +5,8 @@
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="9.0.0" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="AWSSDK.KeyManagementService" Version="4.0.6" />
<PackageReference Include="Google.Cloud.Kms.V1" Version="3.19.0" />
<PackageReference Include="Pkcs11Interop" Version="4.1.0" />

25
src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/CryptoProCryptoServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,25 @@
using System;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
namespace StellaOps.Cryptography.Plugin.CryptoPro;
public static class CryptoProCryptoServiceCollectionExtensions
{
public static IServiceCollection AddCryptoProGostProvider(
this IServiceCollection services,
Action<CryptoProGostProviderOptions>? configure = null)
{
ArgumentNullException.ThrowIfNull(services);
if (configure is not null)
{
services.Configure(configure);
}
services.TryAddEnumerable(
ServiceDescriptor.Singleton<StellaOps.Cryptography.ICryptoProvider, CryptoProGostCryptoProvider>());
return services;
}
}

87
src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/CryptoProGostCryptoProvider.cs Normal file
View File

@@ -0,0 +1,87 @@
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Cryptography.Plugin.Pkcs11Gost;
namespace StellaOps.Cryptography.Plugin.CryptoPro;
public sealed class CryptoProGostCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
{
private readonly Pkcs11GostProviderCore core;
public CryptoProGostCryptoProvider(
IOptions<CryptoProGostProviderOptions>? optionsAccessor = null,
ILogger<CryptoProGostCryptoProvider>? logger = null)
{
var options = optionsAccessor?.Value ?? new CryptoProGostProviderOptions();
var mappedKeys = new List<Pkcs11GostKeyOptions>(options.Keys.Count);
foreach (var key in options.Keys)
{
mappedKeys.Add(MapToPkcs11Options(key));
}
core = new Pkcs11GostProviderCore("ru.cryptopro.csp", mappedKeys, logger);
}
public string Name => core.ProviderName;
public bool Supports(CryptoCapability capability, string algorithmId)
{
if (capability is CryptoCapability.Signing or CryptoCapability.Verification)
{
return core.SupportsAlgorithm(algorithmId);
}
return false;
}
public IPasswordHasher GetPasswordHasher(string algorithmId)
=> throw new NotSupportedException("CryptoPro provider does not expose password hashing.");
public ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference)
{
ArgumentNullException.ThrowIfNull(keyReference);
var entry = core.Resolve(keyReference.KeyId);
if (!string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException(
$"Signing key '{keyReference.KeyId}' is registered for algorithm '{entry.AlgorithmId}', not '{algorithmId}'.");
}
return new Pkcs11GostSigner(entry);
}
public void UpsertSigningKey(CryptoSigningKey signingKey)
=> throw new NotSupportedException("CryptoPro keys are managed externally.");
public bool RemoveSigningKey(string keyId) => false;
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
=> Array.Empty<CryptoSigningKey>();
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
=> core.DescribeKeys(Name);
private static Pkcs11GostKeyOptions MapToPkcs11Options(CryptoProGostKeyOptions source)
{
ArgumentNullException.ThrowIfNull(source);
return new Pkcs11GostKeyOptions
{
KeyId = source.KeyId,
Algorithm = source.Algorithm,
LibraryPath = source.LibraryPath,
SlotId = source.SlotId,
TokenLabel = source.TokenLabel,
PrivateKeyLabel = source.ContainerLabel,
UserPin = source.UserPin,
UserPinEnvironmentVariable = source.UserPinEnvironmentVariable,
SignMechanismId = source.SignMechanismId,
CertificateThumbprint = source.CertificateThumbprint,
CertificateStoreLocation = source.CertificateStoreLocation.ToString(),
CertificateStoreName = source.CertificateStoreName.ToString()
};
}
}

54
src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/CryptoProGostKeyOptions.cs Normal file
View File

@@ -0,0 +1,54 @@
using System.ComponentModel.DataAnnotations;
using System.Security.Cryptography.X509Certificates;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.Plugin.CryptoPro;
public sealed class CryptoProGostKeyOptions
{
[Required]
public string KeyId { get; set; } = string.Empty;
public string Algorithm { get; set; } = SignatureAlgorithms.GostR3410_2012_256;
/// <summary>
/// PKCS#11 library path (typically cprocsp-pkcs11*.dll/so).
/// </summary>
[Required]
public string LibraryPath { get; set; } = string.Empty;
public string? SlotId { get; set; }
public string? TokenLabel { get; set; }
public string? ContainerLabel { get; set; }
public string? UserPin { get; set; }
public string? UserPinEnvironmentVariable { get; set; }
public uint? SignMechanismId { get; set; }
public string CertificateThumbprint { get; set; } = string.Empty;
public StoreLocation CertificateStoreLocation { get; set; } = StoreLocation.CurrentUser;
public StoreName CertificateStoreName { get; set; } = StoreName.My;
public CryptoProGostKeyOptions Clone()
=> new()
{
KeyId = KeyId,
Algorithm = Algorithm,
LibraryPath = LibraryPath,
SlotId = SlotId,
TokenLabel = TokenLabel,
ContainerLabel = ContainerLabel,
UserPin = UserPin,
UserPinEnvironmentVariable = UserPinEnvironmentVariable,
SignMechanismId = SignMechanismId,
CertificateThumbprint = CertificateThumbprint,
CertificateStoreLocation = CertificateStoreLocation,
CertificateStoreName = CertificateStoreName
};
}

24
src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/CryptoProGostProviderOptions.cs Normal file
View File

@@ -0,0 +1,24 @@
using System.Collections.Generic;
namespace StellaOps.Cryptography.Plugin.CryptoPro;
public sealed class CryptoProGostProviderOptions
{
private readonly IList<CryptoProGostKeyOptions> keys = new List<CryptoProGostKeyOptions>();
/// <summary>
/// CryptoPro-backed keys managed by the provider.
/// </summary>
public IList<CryptoProGostKeyOptions> Keys => keys;
public CryptoProGostProviderOptions Clone()
{
var clone = new CryptoProGostProviderOptions();
foreach (var key in keys)
{
clone.Keys.Add(key.Clone());
}
return clone;
}
}

21
src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj Normal file
View File

@@ -0,0 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\\StellaOps.Cryptography.Plugin.Pkcs11Gost\\StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj" />
</ItemGroup>
</Project>

4
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/InternalsVisibleTo.cs Normal file
View File

@@ -0,0 +1,4 @@
using System.Runtime.CompilerServices;
[assembly: InternalsVisibleTo("StellaOps.Cryptography.Plugin.CryptoPro")]

29
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/PemUtilities.cs Normal file
View File

@@ -0,0 +1,29 @@
using System;
using System.Text;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal static class PemUtilities
{
public static string ExtractBody(string pem)
{
if (string.IsNullOrWhiteSpace(pem))
{
throw new ArgumentException("PEM content is empty.", nameof(pem));
}
var builder = new StringBuilder();
foreach (var line in pem.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
{
if (line.StartsWith("-----", StringComparison.Ordinal))
{
continue;
}
builder.Append(line.Trim());
}
return builder.ToString();
}
}

25
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11CryptoServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,25 @@
using System;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
public static class Pkcs11CryptoServiceCollectionExtensions
{
public static IServiceCollection AddPkcs11GostProvider(
this IServiceCollection services,
Action<Pkcs11GostProviderOptions>? configure = null)
{
ArgumentNullException.ThrowIfNull(services);
if (configure is not null)
{
services.Configure(configure);
}
services.TryAddEnumerable(
ServiceDescriptor.Singleton<StellaOps.Cryptography.ICryptoProvider, Pkcs11GostCryptoProvider>());
return services;
}
}

59
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostCryptoProvider.cs Normal file
View File

@@ -0,0 +1,59 @@
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
public sealed class Pkcs11GostCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
{
private readonly Pkcs11GostProviderCore core;
public Pkcs11GostCryptoProvider(
IOptions<Pkcs11GostProviderOptions>? optionsAccessor = null,
ILogger<Pkcs11GostCryptoProvider>? logger = null)
{
var options = optionsAccessor?.Value ?? new Pkcs11GostProviderOptions();
core = new Pkcs11GostProviderCore("ru.pkcs11", options.Keys, logger);
}
public string Name => core.ProviderName;
public bool Supports(CryptoCapability capability, string algorithmId)
{
if (capability is CryptoCapability.Signing or CryptoCapability.Verification)
{
return core.SupportsAlgorithm(algorithmId);
}
return false;
}
public IPasswordHasher GetPasswordHasher(string algorithmId)
=> throw new NotSupportedException("PKCS#11 provider does not expose password hashing.");
public ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference)
{
ArgumentNullException.ThrowIfNull(keyReference);
var entry = core.Resolve(keyReference.KeyId);
if (!string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException(
$"Signing key '{keyReference.KeyId}' is registered for algorithm '{entry.AlgorithmId}', not '{algorithmId}'.");
}
return new Pkcs11GostSigner(entry);
}
public void UpsertSigningKey(CryptoSigningKey signingKey)
=> throw new NotSupportedException("PKCS#11 keys are managed externally.");
public bool RemoveSigningKey(string keyId) => false;
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
=> Array.Empty<CryptoSigningKey>();
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
=> core.DescribeKeys(Name);
}

42
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostKeyEntry.cs Normal file
View File

@@ -0,0 +1,42 @@
using System;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Security;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal sealed class Pkcs11GostKeyEntry
{
public Pkcs11GostKeyEntry(
string keyId,
string algorithmId,
Pkcs11SessionOptions session,
X509Certificate2 certificate,
uint signMechanismId)
{
KeyId = keyId ?? throw new ArgumentNullException(nameof(keyId));
AlgorithmId = algorithmId ?? throw new ArgumentNullException(nameof(algorithmId));
Session = session ?? throw new ArgumentNullException(nameof(session));
Certificate = certificate ?? throw new ArgumentNullException(nameof(certificate));
SignMechanismId = signMechanismId;
var bcCertificate = DotNetUtilities.FromX509Certificate(Certificate);
PublicKeyParameters = bcCertificate.GetPublicKey();
}
public string KeyId { get; }
public string AlgorithmId { get; }
public Pkcs11SessionOptions Session { get; }
public X509Certificate2 Certificate { get; }
public Org.BouncyCastle.Crypto.AsymmetricKeyParameter PublicKeyParameters { get; }
public uint SignMechanismId { get; }
public bool Is256 => string.Equals(
AlgorithmId,
StellaOps.Cryptography.SignatureAlgorithms.GostR3410_2012_256,
StringComparison.OrdinalIgnoreCase);
}

107
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostKeyOptions.cs Normal file
View File

@@ -0,0 +1,107 @@
using System.ComponentModel.DataAnnotations;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
/// <summary>
/// Describes a PKCS#11-backed signing key.
/// </summary>
public sealed class Pkcs11GostKeyOptions
{
/// <summary>
/// Logical identifier for the key (used as kid).
/// </summary>
[Required]
public string KeyId { get; set; } = string.Empty;
/// <summary>
/// Signing algorithm identifier.
/// </summary>
public string Algorithm { get; set; } = SignatureAlgorithms.GostR3410_2012_256;
/// <summary>
/// Absolute path to the PKCS#11 library (e.g. /usr/local/lib/librutokenecp.so).
/// </summary>
[Required]
public string LibraryPath { get; set; } = string.Empty;
/// <summary>
/// Optional slot identifier (decimal or hexadecimal). Mutually exclusive with <see cref="TokenLabel"/>.
/// </summary>
public string? SlotId { get; set; }
/// <summary>
/// Optional token label to locate the slot. Mutually exclusive with <see cref="SlotId"/>.
/// </summary>
public string? TokenLabel { get; set; }
/// <summary>
/// Label identifying the private key object.
/// </summary>
public string? PrivateKeyLabel { get; set; }
/// <summary>
/// Optional label for the certificate or public key object.
/// </summary>
public string? PublicKeyLabel { get; set; }
/// <summary>
/// User PIN supplied inline (discouraged for production).
/// </summary>
public string? UserPin { get; set; }
/// <summary>
/// Name of the environment variable containing the PIN (preferred).
/// </summary>
public string? UserPinEnvironmentVariable { get; set; }
/// <summary>
/// Mechanism identifier used for signature operations (e.g. 0x00001255 for GOST12-256).
/// </summary>
public uint? SignMechanismId { get; set; }
/// <summary>
/// Optional PEM/DER path for the X.509 certificate corresponding to the private key.
/// </summary>
public string? CertificatePath { get; set; }
/// <summary>
/// Optional inline PEM certificate.
/// </summary>
public string? CertificatePem { get; set; }
/// <summary>
/// Optional Windows/Linux store thumbprint identifier (when CertificatePath is not provided).
/// </summary>
public string? CertificateThumbprint { get; set; }
/// <summary>
/// Optional store location (CurrentUser/LocalMachine). Defaults to CurrentUser.
/// </summary>
public string CertificateStoreLocation { get; set; } = "CurrentUser";
/// <summary>
/// Optional store name (My/Root/etc). Defaults to My.
/// </summary>
public string CertificateStoreName { get; set; } = "My";
public Pkcs11GostKeyOptions Clone()
=> new()
{
KeyId = KeyId,
Algorithm = Algorithm,
LibraryPath = LibraryPath,
SlotId = SlotId,
TokenLabel = TokenLabel,
PrivateKeyLabel = PrivateKeyLabel,
PublicKeyLabel = PublicKeyLabel,
UserPin = UserPin,
UserPinEnvironmentVariable = UserPinEnvironmentVariable,
SignMechanismId = SignMechanismId,
CertificatePath = CertificatePath,
CertificatePem = CertificatePem,
CertificateThumbprint = CertificateThumbprint,
CertificateStoreLocation = CertificateStoreLocation,
CertificateStoreName = CertificateStoreName
};
}

186
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostProviderCore.cs Normal file
View File

@@ -0,0 +1,186 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal sealed class Pkcs11GostProviderCore
{
private readonly Dictionary<string, Pkcs11GostKeyEntry> entries;
private readonly ILogger? logger;
private readonly string providerName;
public Pkcs11GostProviderCore(
string providerName,
IEnumerable<Pkcs11GostKeyOptions> options,
ILogger? logger = null)
{
this.providerName = providerName;
this.logger = logger;
entries = new Dictionary<string, Pkcs11GostKeyEntry>(StringComparer.Ordinal);
foreach (var keyOptions in options ?? Array.Empty<Pkcs11GostKeyOptions>())
{
var entry = BuildEntry(keyOptions);
if (!entries.TryAdd(entry.KeyId, entry))
{
throw new InvalidOperationException(
$"Duplicate PKCS#11 key identifier '{entry.KeyId}' configured for provider '{providerName}'.");
}
}
}
public string ProviderName => providerName;
public IReadOnlyDictionary<string, Pkcs11GostKeyEntry> Entries => entries;
public bool SupportsAlgorithm(string algorithmId)
{
foreach (var entry in entries.Values)
{
if (string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
return false;
}
public Pkcs11GostKeyEntry Resolve(string keyId)
{
if (!entries.TryGetValue(keyId, out var entry))
{
throw new KeyNotFoundException(
$"Signing key '{keyId}' is not registered with provider '{providerName}'.");
}
return entry;
}
private Pkcs11GostKeyEntry BuildEntry(Pkcs11GostKeyOptions options)
{
if (options is null)
{
throw new ArgumentNullException(nameof(options));
}
if (string.IsNullOrWhiteSpace(options.KeyId))
{
throw new InvalidOperationException("PKCS#11 key options require a non-empty keyId.");
}
if (string.IsNullOrWhiteSpace(options.LibraryPath))
{
throw new InvalidOperationException($"PKCS#11 key '{options.KeyId}' requires libraryPath.");
}
var mechanism = options.SignMechanismId ??
(string.Equals(options.Algorithm, SignatureAlgorithms.GostR3410_2012_512, StringComparison.OrdinalIgnoreCase)
? Pkcs11Mechanisms.DefaultGost12_512Signature
: Pkcs11Mechanisms.DefaultGost12_256Signature);
var session = new Pkcs11SessionOptions
{
LibraryPath = options.LibraryPath,
SlotId = options.SlotId,
TokenLabel = options.TokenLabel,
PrivateKeyLabel = options.PrivateKeyLabel,
PublicKeyLabel = options.PublicKeyLabel,
UserPin = options.UserPin,
UserPinEnvironmentVariable = options.UserPinEnvironmentVariable
};
var certificate = LoadCertificate(options);
logger?.LogInformation(
"PKCS#11 key {KeyId} (algorithm {Algorithm}) registered for provider {Provider}",
options.KeyId,
options.Algorithm,
providerName);
return new Pkcs11GostKeyEntry(
options.KeyId,
options.Algorithm,
session,
certificate,
mechanism);
}
private static X509Certificate2 LoadCertificate(Pkcs11GostKeyOptions options)
{
if (!string.IsNullOrWhiteSpace(options.CertificatePem))
{
var rawBytes = Convert.FromBase64String(PemUtilities.ExtractBody(options.CertificatePem));
return X509CertificateLoader.LoadCertificate(rawBytes);
}
if (!string.IsNullOrWhiteSpace(options.CertificatePath))
{
if (!File.Exists(options.CertificatePath))
{
throw new FileNotFoundException($"Certificate file '{options.CertificatePath}' was not found.", options.CertificatePath);
}
return X509CertificateLoader.LoadCertificateFromFile(options.CertificatePath);
}
if (!string.IsNullOrWhiteSpace(options.CertificateThumbprint))
{
var location = Enum.TryParse(options.CertificateStoreLocation, ignoreCase: true, out StoreLocation parsedLocation)
? parsedLocation
: StoreLocation.CurrentUser;
var storeName = Enum.TryParse(options.CertificateStoreName, ignoreCase: true, out StoreName parsedStore)
? parsedStore
: StoreName.My;
using var store = new X509Store(storeName, location);
store.Open(OpenFlags.ReadOnly);
var thumbprint = options.CertificateThumbprint.Replace(" ", string.Empty, StringComparison.OrdinalIgnoreCase)
.ToUpperInvariant();
var matches = store.Certificates.Find(
X509FindType.FindByThumbprint,
thumbprint,
validOnly: false);
if (matches.Count == 0)
{
throw new InvalidOperationException(
$"Certificate with thumbprint '{thumbprint}' was not found in {location}/{storeName}.");
}
return X509CertificateLoader.LoadCertificate(matches[0].RawData);
}
throw new InvalidOperationException(
$"PKCS#11 key '{options.KeyId}' requires either certificatePath, certificatePem, or certificateThumbprint.");
}
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys(string provider)
{
foreach (var entry in entries.Values)
{
yield return CreateDescriptor(provider, entry);
}
}
private static CryptoProviderKeyDescriptor CreateDescriptor(string providerName, Pkcs11GostKeyEntry entry)
{
var metadata = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
{
["subject"] = entry.Certificate.Subject,
["issuer"] = entry.Certificate.Issuer,
["thumbprint"] = entry.Certificate.Thumbprint,
["library"] = entry.Session.LibraryPath,
["slotId"] = entry.Session.SlotId,
["tokenLabel"] = entry.Session.TokenLabel,
["privateKeyLabel"] = entry.Session.PrivateKeyLabel,
["publicKeyLabel"] = entry.Session.PublicKeyLabel,
["mechanismId"] = $"0x{entry.SignMechanismId:X}",
["bitStrength"] = entry.Is256 ? "256" : "512"
};
return new CryptoProviderKeyDescriptor(providerName, entry.KeyId, entry.AlgorithmId, metadata);
}
}

27
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostProviderOptions.cs Normal file
View File

@@ -0,0 +1,27 @@
using System.Collections.Generic;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
/// <summary>
/// Configuration surface for the PKCS#11-based GOST provider.
/// </summary>
public sealed class Pkcs11GostProviderOptions
{
private readonly IList<Pkcs11GostKeyOptions> keys = new List<Pkcs11GostKeyOptions>();
/// <summary>
/// Key descriptors managed by the provider.
/// </summary>
public IList<Pkcs11GostKeyOptions> Keys => keys;
public Pkcs11GostProviderOptions Clone()
{
var clone = new Pkcs11GostProviderOptions();
foreach (var key in keys)
{
clone.Keys.Add(key.Clone());
}
return clone;
}
}

71
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11GostSigner.cs Normal file
View File

@@ -0,0 +1,71 @@
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Org.BouncyCastle.Crypto.Signers;
using Org.BouncyCastle.Security;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal sealed class Pkcs11GostSigner : ICryptoSigner
{
private static readonly string[] DefaultKeyOps = { "sign", "verify" };
private readonly Pkcs11GostKeyEntry entry;
public Pkcs11GostSigner(Pkcs11GostKeyEntry entry)
{
this.entry = entry ?? throw new ArgumentNullException(nameof(entry));
}
public string KeyId => entry.KeyId;
public string AlgorithmId => entry.AlgorithmId;
public ValueTask<byte[]> SignAsync(ReadOnlyMemory<byte> data, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
var digest = GostDigestUtilities.ComputeDigest(data.Span, entry.Is256);
var signature = Pkcs11SignerUtilities.SignDigest(entry, digest);
return ValueTask.FromResult(signature);
}
public ValueTask<bool> VerifyAsync(
ReadOnlyMemory<byte> data,
ReadOnlyMemory<byte> signature,
CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
var digestSigner = new Gost3410DigestSigner(
new Gost3410Signer(),
GostDigestUtilities.CreateDigest(entry.Is256));
digestSigner.Init(false, entry.PublicKeyParameters);
var buffer = data.ToArray();
digestSigner.BlockUpdate(buffer, 0, buffer.Length);
var verified = digestSigner.VerifySignature(signature.ToArray());
return ValueTask.FromResult(verified);
}
public JsonWebKey ExportPublicJsonWebKey()
{
var jwk = new JsonWebKey
{
Kid = KeyId,
Alg = AlgorithmId,
Kty = "EC",
Crv = entry.Is256 ? "GOST3410-2012-256" : "GOST3410-2012-512",
Use = JsonWebKeyUseNames.Sig
};
foreach (var op in DefaultKeyOps)
{
jwk.KeyOps.Add(op);
}
jwk.X5c.Add(Convert.ToBase64String(entry.Certificate.RawData));
return jwk;
}
}

9
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11Mechanisms.cs Normal file
View File

@@ -0,0 +1,9 @@
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal static class Pkcs11Mechanisms
{
// Default values sourced from PKCS#11 v2.40 (TC26 extensions). Deployments can override via configuration.
public const uint DefaultGost12_256Signature = 0x00001255;
public const uint DefaultGost12_512Signature = 0x00001256;
}

19
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11SessionOptions.cs Normal file
View File

@@ -0,0 +1,19 @@
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal sealed class Pkcs11SessionOptions
{
public string LibraryPath { get; init; } = string.Empty;
public string? SlotId { get; init; }
public string? TokenLabel { get; init; }
public string? UserPin { get; init; }
public string? UserPinEnvironmentVariable { get; init; }
public string? PrivateKeyLabel { get; init; }
public string? PublicKeyLabel { get; init; }
}

107
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/Pkcs11SignerUtilities.cs Normal file
View File

@@ -0,0 +1,107 @@
using System;
using System.Collections.Generic;
using System.Linq;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
using StellaOps.Cryptography;
using ISession = Net.Pkcs11Interop.HighLevelAPI.Session;
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
internal static class Pkcs11SignerUtilities
{
public static byte[] SignDigest(Pkcs11GostKeyEntry entry, ReadOnlySpan<byte> digest)
{
using var pkcs11 = new Pkcs11(entry.Session.LibraryPath, AppType.MultiThreaded);
var slot = ResolveSlot(pkcs11, entry.Session);
if (slot is null)
{
throw new InvalidOperationException("No PKCS#11 slot/token matched the provided configuration.");
}
using var session = slot.OpenSession(SessionType.ReadWrite);
var loggedIn = false;
try
{
var pin = ResolvePin(entry.Session);
if (!string.IsNullOrWhiteSpace(pin))
{
session.Login(CKU.CKU_USER, pin);
loggedIn = true;
}
var privateHandle = FindObject(session, CKO.CKO_PRIVATE_KEY, entry.Session.PrivateKeyLabel);
if (privateHandle is null)
{
throw new InvalidOperationException($"Private key with label '{entry.Session.PrivateKeyLabel}' was not found.");
}
var mechanism = new Mechanism(entry.SignMechanismId);
return session.Sign(mechanism, privateHandle, digest.ToArray());
}
finally
{
if (loggedIn)
{
try { session.Logout(); } catch { /* ignored */ }
}
}
}
private static Slot? ResolveSlot(Pkcs11 pkcs11, Pkcs11SessionOptions options)
{
var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
if (slots.Count == 0)
{
return null;
}
if (!string.IsNullOrWhiteSpace(options.SlotId))
{
return slots.FirstOrDefault(slot =>
string.Equals(slot.SlotId.ToString(), options.SlotId, StringComparison.OrdinalIgnoreCase));
}
if (!string.IsNullOrWhiteSpace(options.TokenLabel))
{
return slots.FirstOrDefault(slot =>
{
var tokenInfo = slot.GetTokenInfo();
return string.Equals(tokenInfo.Label?.Trim(), options.TokenLabel?.Trim(), StringComparison.OrdinalIgnoreCase);
});
}
return slots[0];
}
private static ObjectHandle? FindObject(ISession session, CKO objectClass, string? label)
{
var template = new List<ObjectAttribute>
{
new(CKA.CKA_CLASS, (uint)objectClass)
};
if (!string.IsNullOrWhiteSpace(label))
{
template.Add(new ObjectAttribute(CKA.CKA_LABEL, label));
}
var handles = session.FindAllObjects(template);
return handles.FirstOrDefault();
}
private static string? ResolvePin(Pkcs11SessionOptions options)
{
if (!string.IsNullOrWhiteSpace(options.UserPin))
{
return options.UserPin;
}
if (!string.IsNullOrWhiteSpace(options.UserPinEnvironmentVariable))
{
return Environment.GetEnvironmentVariable(options.UserPinEnvironmentVariable);
}
return null;
}
}

24
src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj Normal file
View File

@@ -0,0 +1,24 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="BouncyCastle.Cryptography" Version="2.5.1" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.14.0" />
<PackageReference Include="Pkcs11Interop" Version="4.1.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\\StellaOps.Cryptography\\StellaOps.Cryptography.csproj" />
</ItemGroup>
</Project>

13
src/__Libraries/StellaOps.Cryptography/CryptoHashFactory.cs Normal file
View File

@@ -0,0 +1,13 @@
namespace StellaOps.Cryptography;
/// <summary>
/// Factory helpers for creating crypto hash implementations outside of dependency injection scenarios.
/// </summary>
public static class CryptoHashFactory
{
/// <summary>
/// Creates the default ICryptoHash implementation.
/// </summary>
public static ICryptoHash CreateDefault(CryptoHashOptions? options = null)
=> new DefaultCryptoHash(options);
}

6
src/__Libraries/StellaOps.Cryptography/CryptoHashOptions.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace StellaOps.Cryptography;
public sealed class CryptoHashOptions
{
public string DefaultAlgorithm { get; set; } = HashAlgorithms.Sha256;
}

21
src/__Libraries/StellaOps.Cryptography/CryptoProviderDiagnostics.cs Normal file
View File

@@ -0,0 +1,21 @@
using System.Collections.Generic;
namespace StellaOps.Cryptography;
/// <summary>
/// Describes key material surfaced by crypto providers for diagnostics.
/// </summary>
public sealed record CryptoProviderKeyDescriptor(
string Provider,
string KeyId,
string AlgorithmId,
IReadOnlyDictionary<string, string?> Metadata);
/// <summary>
/// Optional interface for providers that can expose key metadata without revealing private material.
/// </summary>
public interface ICryptoProviderDiagnostics
{
IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys();
}

30
src/__Libraries/StellaOps.Cryptography/CryptoProviderMetrics.cs Normal file
View File

@@ -0,0 +1,30 @@
using System.Collections.Generic;
using System.Diagnostics.Metrics;
namespace StellaOps.Cryptography;
internal static class CryptoProviderMetrics
{
private static readonly Meter Meter = new("stellaops.crypto", "1.0.0");
private static readonly Counter<long> ProviderResolutionCounter =
Meter.CreateCounter<long>("crypto_provider_resolutions_total", description: "Count of successful provider resolutions.");
private static readonly Counter<long> ProviderResolutionFailureCounter =
Meter.CreateCounter<long>("crypto_provider_resolution_failures_total", description: "Count of failed provider resolutions.");
public static void RecordProviderResolution(string providerName, CryptoCapability capability, string algorithmId)
{
ProviderResolutionCounter.Add(1,
new KeyValuePair<string, object?>("provider", providerName),
new KeyValuePair<string, object?>("capability", capability.ToString()),
new KeyValuePair<string, object?>("algorithm", algorithmId));
}
public static void RecordProviderResolutionFailure(CryptoCapability capability, string algorithmId)
{
ProviderResolutionFailureCounter.Add(1,
new KeyValuePair<string, object?>("capability", capability.ToString()),
new KeyValuePair<string, object?>("algorithm", algorithmId));
}
}

4
src/__Libraries/StellaOps.Cryptography/CryptoProviderRegistry.cs
View File

@@ -64,10 +64,12 @@ public sealed class CryptoProviderRegistry : ICryptoProviderRegistry
{
if (provider.Supports(capability, algorithmId))
{
CryptoProviderMetrics.RecordProviderResolution(provider.Name, capability, algorithmId);
return provider;
}
}
CryptoProviderMetrics.RecordProviderResolutionFailure(capability, algorithmId);
throw new InvalidOperationException(
$"No crypto provider is registered for capability '{capability}' and algorithm '{algorithmId}'.");
}
@@ -88,11 +90,13 @@ public sealed class CryptoProviderRegistry : ICryptoProviderRegistry
}
var signer = hinted.GetSigner(algorithmId, keyReference);
CryptoProviderMetrics.RecordProviderResolution(hinted.Name, capability, algorithmId);
return new CryptoSignerResolution(signer, hinted.Name);
}
var provider = ResolveOrThrow(capability, algorithmId);
var resolved = provider.GetSigner(algorithmId, keyReference);
CryptoProviderMetrics.RecordProviderResolution(provider.Name, capability, algorithmId);
return new CryptoSignerResolution(resolved, provider.Name);
}

169
src/__Libraries/StellaOps.Cryptography/DefaultCryptoHash.cs Normal file
View File

@@ -0,0 +1,169 @@
using System;
using System.Buffers;
using System.IO;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Org.BouncyCastle.Crypto;
namespace StellaOps.Cryptography;
public sealed class DefaultCryptoHash : ICryptoHash
{
private readonly IOptionsMonitor<CryptoHashOptions> options;
private readonly ILogger<DefaultCryptoHash> logger;
[ActivatorUtilitiesConstructor]
public DefaultCryptoHash(
IOptionsMonitor<CryptoHashOptions> options,
ILogger<DefaultCryptoHash>? logger = null)
{
this.options = options ?? throw new ArgumentNullException(nameof(options));
this.logger = logger ?? NullLogger<DefaultCryptoHash>.Instance;
}
internal DefaultCryptoHash(CryptoHashOptions? options = null)
: this(new StaticOptionsMonitor(options ?? new CryptoHashOptions()), NullLogger<DefaultCryptoHash>.Instance)
{
}
public byte[] ComputeHash(ReadOnlySpan<byte> data, string? algorithmId = null)
{
var algorithm = NormalizeAlgorithm(algorithmId);
return algorithm switch
{
HashAlgorithms.Sha256 => ComputeSha256(data),
HashAlgorithms.Sha512 => ComputeSha512(data),
HashAlgorithms.Gost3411_2012_256 => GostDigestUtilities.ComputeDigest(data, use256: true),
HashAlgorithms.Gost3411_2012_512 => GostDigestUtilities.ComputeDigest(data, use256: false),
_ => throw new InvalidOperationException($"Unsupported hash algorithm {algorithm}.")
};
}
public string ComputeHashHex(ReadOnlySpan<byte> data, string? algorithmId = null)
=> Convert.ToHexString(ComputeHash(data, algorithmId)).ToLowerInvariant();
public string ComputeHashBase64(ReadOnlySpan<byte> data, string? algorithmId = null)
=> Convert.ToBase64String(ComputeHash(data, algorithmId));
public async ValueTask<byte[]> ComputeHashAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(stream);
cancellationToken.ThrowIfCancellationRequested();
var algorithm = NormalizeAlgorithm(algorithmId);
return algorithm switch
{
HashAlgorithms.Sha256 => await ComputeShaStreamAsync(HashAlgorithmName.SHA256, stream, cancellationToken).ConfigureAwait(false),
HashAlgorithms.Sha512 => await ComputeShaStreamAsync(HashAlgorithmName.SHA512, stream, cancellationToken).ConfigureAwait(false),
HashAlgorithms.Gost3411_2012_256 => await ComputeGostStreamAsync(use256: true, stream, cancellationToken).ConfigureAwait(false),
HashAlgorithms.Gost3411_2012_512 => await ComputeGostStreamAsync(use256: false, stream, cancellationToken).ConfigureAwait(false),
_ => throw new InvalidOperationException($"Unsupported hash algorithm {algorithm}.")
};
}
public async ValueTask<string> ComputeHashHexAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
{
var bytes = await ComputeHashAsync(stream, algorithmId, cancellationToken).ConfigureAwait(false);
return Convert.ToHexString(bytes).ToLowerInvariant();
}
private static byte[] ComputeSha256(ReadOnlySpan<byte> data)
{
Span<byte> buffer = stackalloc byte[32];
SHA256.HashData(data, buffer);
return buffer.ToArray();
}
private static byte[] ComputeSha512(ReadOnlySpan<byte> data)
{
Span<byte> buffer = stackalloc byte[64];
SHA512.HashData(data, buffer);
return buffer.ToArray();
}
private static async ValueTask<byte[]> ComputeShaStreamAsync(HashAlgorithmName name, Stream stream, CancellationToken cancellationToken)
{
using var incremental = IncrementalHash.CreateHash(name);
var buffer = ArrayPool<byte>.Shared.Rent(128 * 1024);
try
{
int bytesRead;
while ((bytesRead = await stream.ReadAsync(buffer.AsMemory(0, buffer.Length), cancellationToken).ConfigureAwait(false)) > 0)
{
incremental.AppendData(buffer, 0, bytesRead);
}
return incremental.GetHashAndReset();
}
finally
{
ArrayPool<byte>.Shared.Return(buffer);
}
}
private static async ValueTask<byte[]> ComputeGostStreamAsync(bool use256, Stream stream, CancellationToken cancellationToken)
{
var digest = GostDigestUtilities.CreateDigest(use256);
var buffer = ArrayPool<byte>.Shared.Rent(128 * 1024);
try
{
int bytesRead;
while ((bytesRead = await stream.ReadAsync(buffer.AsMemory(0, buffer.Length), cancellationToken).ConfigureAwait(false)) > 0)
{
digest.BlockUpdate(buffer, 0, bytesRead);
}
var output = new byte[digest.GetDigestSize()];
digest.DoFinal(output, 0);
return output;
}
finally
{
ArrayPool<byte>.Shared.Return(buffer);
}
}
private string NormalizeAlgorithm(string? algorithmId)
{
var defaultAlgorithm = options.CurrentValue?.DefaultAlgorithm;
if (!string.IsNullOrWhiteSpace(algorithmId))
{
return algorithmId.Trim().ToUpperInvariant();
}
if (!string.IsNullOrWhiteSpace(defaultAlgorithm))
{
return defaultAlgorithm.Trim().ToUpperInvariant();
}
return HashAlgorithms.Sha256;
}
private sealed class StaticOptionsMonitor : IOptionsMonitor<CryptoHashOptions>
{
private readonly CryptoHashOptions options;
public StaticOptionsMonitor(CryptoHashOptions options)
=> this.options = options;
public CryptoHashOptions CurrentValue => options;
public CryptoHashOptions Get(string? name) => options;
public IDisposable OnChange(Action<CryptoHashOptions, string> listener)
=> NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose()
{
}
}
}
}

38
src/__Libraries/StellaOps.Cryptography/DefaultCryptoProvider.cs
View File

@@ -9,8 +9,8 @@ namespace StellaOps.Cryptography;
/// <summary>
/// Default in-process crypto provider exposing password hashing capabilities.
/// </summary>
public sealed class DefaultCryptoProvider : ICryptoProvider
{
public sealed class DefaultCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
{
private readonly ConcurrentDictionary<string, IPasswordHasher> passwordHashers;
private readonly ConcurrentDictionary<string, CryptoSigningKey> signingKeys;
private static readonly HashSet<string> SupportedSigningAlgorithms = new(StringComparer.OrdinalIgnoreCase)
@@ -105,8 +105,38 @@ public sealed class DefaultCryptoProvider : ICryptoProvider
return signingKeys.TryRemove(keyId, out _);
}
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
=> signingKeys.Values.ToArray();
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
=> signingKeys.Values.ToArray();
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
{
foreach (var key in signingKeys.Values)
{
var metadata = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
{
["kind"] = key.Kind.ToString(),
["createdAt"] = key.CreatedAt.UtcDateTime.ToString("O"),
["providerHint"] = key.Reference.ProviderHint,
["provider"] = Name
};
if (key.ExpiresAt.HasValue)
{
metadata["expiresAt"] = key.ExpiresAt.Value.UtcDateTime.ToString("O");
}
foreach (var pair in key.Metadata)
{
metadata[$"meta.{pair.Key}"] = pair.Value;
}
yield return new CryptoProviderKeyDescriptor(
Name,
key.Reference.KeyId,
key.AlgorithmId,
metadata);
}
}
private static void EnsureSigningSupported(string algorithmId)
{

24
src/__Libraries/StellaOps.Cryptography/GostDigestUtilities.cs Normal file
View File

@@ -0,0 +1,24 @@
using System;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Digests;
namespace StellaOps.Cryptography;
public static class GostDigestUtilities
{
public static byte[] ComputeDigest(ReadOnlySpan<byte> data, bool use256)
{
IDigest digest = CreateDigestInstance(use256);
var buffer = data.ToArray();
digest.BlockUpdate(buffer, 0, buffer.Length);
var output = new byte[digest.GetDigestSize()];
digest.DoFinal(output, 0);
return output;
}
public static IDigest CreateDigest(bool use256)
=> CreateDigestInstance(use256);
private static IDigest CreateDigestInstance(bool use256)
=> use256 ? new Gost3411_2012_256Digest() : new Gost3411_2012_512Digest();
}

12
src/__Libraries/StellaOps.Cryptography/HashAlgorithms.cs Normal file
View File

@@ -0,0 +1,12 @@
namespace StellaOps.Cryptography;
/// <summary>
/// Well-known digest algorithm identifiers supported by <see cref="ICryptoHash"/>.
/// </summary>
public static class HashAlgorithms
{
public const string Sha256 = "SHA256";
public const string Sha512 = "SHA512";
public const string Gost3411_2012_256 = "GOST3411-2012-256";
public const string Gost3411_2012_512 = "GOST3411-2012-512";
}

19
src/__Libraries/StellaOps.Cryptography/ICryptoHash.cs Normal file
View File

@@ -0,0 +1,19 @@
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Cryptography;
public interface ICryptoHash
{
byte[] ComputeHash(ReadOnlySpan<byte> data, string? algorithmId = null);
string ComputeHashHex(ReadOnlySpan<byte> data, string? algorithmId = null);
string ComputeHashBase64(ReadOnlySpan<byte> data, string? algorithmId = null);
ValueTask<byte[]> ComputeHashAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default);
ValueTask<string> ComputeHashHexAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default);
}

29
src/__Libraries/StellaOps.Cryptography/SignatureAlgorithms.cs
View File

@@ -1,13 +1,16 @@
namespace StellaOps.Cryptography;
/// <summary>
/// Known signature algorithm identifiers.
/// </summary>
public static class SignatureAlgorithms
{
public const string Es256 = "ES256";
public const string Es384 = "ES384";
public const string Es512 = "ES512";
public const string Ed25519 = "ED25519";
public const string EdDsa = "EdDSA";
}
namespace StellaOps.Cryptography;
/// <summary>
/// Known signature algorithm identifiers.
/// </summary>
public static class SignatureAlgorithms
{
public const string Es256 = "ES256";
public const string Es384 = "ES384";
public const string Es512 = "ES512";
public const string Ed25519 = "ED25519";
public const string EdDsa = "EdDSA";
public const string GostR3410_2012_256 = "GOST12-256";
public const string GostR3410_2012_512 = "GOST12-512";
}

12
src/__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj
View File

@@ -9,8 +9,10 @@
<PropertyGroup Condition="'$(StellaOpsCryptoSodium)' == 'true'">
<DefineConstants>$(DefineConstants);STELLAOPS_CRYPTO_SODIUM</DefineConstants>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.14.0" />
</ItemGroup>
</Project>
<ItemGroup>
<PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.14.0" />
<PackageReference Include="BouncyCastle.Cryptography" Version="2.5.1" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
</ItemGroup>
</Project>

8
src/__Libraries/StellaOps.Cryptography/TASKS.md
View File

@@ -2,6 +2,14 @@
| ID | Status | Owner | Description | Dependencies | Exit Criteria |
|----|--------|-------|-------------|--------------|---------------|
| SEC-CRYPTO-90-001 | DONE (2025-11-07) | Security Guild | Produce RootPack_RU sovereign crypto implementation plan, identify provider strategy (CryptoPro + PKCS#11), and slot work into Sprint 190 with task breakdown. | None | Plan captured in `SPRINT_190_ops_offline.md` + this board; risks/assumptions logged. |
| SEC-CRYPTO-90-002 | DONE (2025-11-07) | Security Guild | Extend signature/catalog constants and configuration schema to recognize `GOST12-256/512`, regional crypto profiles, and provider preference ordering. | SEC-CRYPTO-90-001 | New alg IDs wired, configs validated, docs updated. |
| SEC-CRYPTO-90-003 | DONE (2025-11-07) | Security Guild | Implement `StellaOps.Cryptography.Plugin.CryptoPro` provider (sign/verify/JWK export) using CryptoPro CSP/GostCryptography with deterministic logging + tests. | SEC-CRYPTO-90-002 | Provider registered, unit/integration tests (skippable if CSP absent) passing. |
| SEC-CRYPTO-90-004 | DONE (2025-11-07) | Security Guild | Implement `StellaOps.Cryptography.Plugin.Pkcs11Gost` provider (Rutoken/JaCarta) via Pkcs11Interop, configurable slot/pin/module management, and disposal safeguards. | SEC-CRYPTO-90-002 | Provider registered, token smoke tests + error handling documented. |
| SEC-CRYPTO-90-005 | DONE (2025-11-08) | Security Guild | Add configuration-driven provider selection (`crypto.regionalProfiles`), CLI/diagnostic verb to list providers/keys, and deterministic telemetry for usage. | SEC-CRYPTO-90-003, SEC-CRYPTO-90-004 | CLI lists providers, configs switch ordering without code changes, telemetry events emitted. |
| SEC-CRYPTO-90-006 | DONE (2025-11-08) | Security Guild | Build deterministic test harness (Streebog + signature vectors), manual runbooks for hardware validation, and capture RootPack audit metadata. | SEC-CRYPTO-90-003, SEC-CRYPTO-90-004 | `scripts/crypto/run-rootpack-ru-tests.sh` emits deterministic logs/TRX; validation runbook updated with harness + hardware guidance; audit metadata artifacts enumerated. |
| SEC-CRYPTO-90-007 | DONE (2025-11-08) | Security Guild | Package RootPack_RU artifacts (plugin binaries, config templates, trust anchors) and document deployment/install steps + compliance evidence. | SEC-CRYPTO-90-005, SEC-CRYPTO-90-006 | `scripts/crypto/package-rootpack-ru.sh` builds bundle with docs/config/trust anchors; `rootpack_ru_package.md` guides ops/air-gap workflows. |
| SEC-CRYPTO-90-008 | DONE (2025-11-08) | Security Guild | Audit repository for any cryptography usage bypassing `StellaOps.Cryptography` (direct libsodium/BouncyCastle callers, TLS custom code) and file remediation tasks to route via providers. | SEC-CRYPTO-90-002 | Audit report updated with remediation IDs; module TASKS boards now include `*-CRYPTO-90-001` follow-ups; backlog ready for implementation. |
> Remark (2025-10-14): Cleanup service wired to store; background sweep + invite audit tests added.
> Remark (2025-10-14): Token usage metadata persisted with replay audits + handler/unit coverage.
> Remark (2025-10-14): Analyzer surfaces warnings during CLI load; docs updated with mitigation steps.

199
src/__Libraries/StellaOps.Ingestion.Telemetry/IngestionTelemetry.cs Normal file
View File

@@ -0,0 +1,199 @@
using System.Diagnostics;
using System.Diagnostics.Metrics;
namespace StellaOps.Ingestion.Telemetry;
public static class IngestionTelemetry
{
public const string ActivitySourceName = "StellaOps.Ingestion";
public const string MeterName = "StellaOps.Ingestion";
public const string PhaseFetch = "fetch";
public const string PhaseTransform = "transform";
public const string PhaseWrite = "write";
public const string ResultOk = "ok";
public const string ResultReject = "reject";
public const string ResultNoop = "noop";
private const string WriteMetricName = "ingestion_write_total";
private const string ViolationMetricName = "aoc_violation_total";
private const string LatencyMetricName = "ingestion_latency_seconds";
private static readonly ActivitySource ActivitySource = new(ActivitySourceName);
private static readonly Meter Meter = new(MeterName);
private static readonly Counter<long> WriteCounter = Meter.CreateCounter<long>(
WriteMetricName,
unit: "count",
description: "Counts raw advisory ingestion attempts grouped by tenant, source, and outcome.");
private static readonly Counter<long> ViolationCounter = Meter.CreateCounter<long>(
ViolationMetricName,
unit: "count",
description: "Counts Aggregation-Only Contract violations raised during ingestion.");
private static readonly Histogram<double> LatencyHistogram = Meter.CreateHistogram<double>(
LatencyMetricName,
unit: "s",
description: "Ingestion stage latency measured in seconds.");
public static Activity? StartFetchActivity(
string tenant,
string source,
string? upstreamId,
string? contentHash,
string? uri = null)
=> StartActivity("ingest.fetch", tenant, source, upstreamId, contentHash, builder: activity =>
{
if (!string.IsNullOrWhiteSpace(uri))
{
activity.SetTag("uri", uri);
}
});
public static Activity? StartTransformActivity(
string tenant,
string source,
string? upstreamId,
string? contentHash,
string? documentType = null,
long? payloadBytes = null)
=> StartActivity("ingest.transform", tenant, source, upstreamId, contentHash, builder: activity =>
{
if (!string.IsNullOrWhiteSpace(documentType))
{
activity.SetTag("documentType", documentType);
}
if (payloadBytes.HasValue && payloadBytes.Value >= 0)
{
activity.SetTag("payloadBytes", payloadBytes.Value);
}
});
public static Activity? StartWriteActivity(
string tenant,
string source,
string? upstreamId,
string? contentHash,
string collection)
=> StartActivity("ingest.write", tenant, source, upstreamId, contentHash, builder: activity =>
{
activity.SetTag("collection", collection);
});
public static Activity? StartGuardActivity(
string tenant,
string source,
string? upstreamId,
string? contentHash,
string? supersedes)
=> StartActivity("aoc.guard", tenant, source, upstreamId, contentHash, builder: activity =>
{
if (!string.IsNullOrWhiteSpace(supersedes))
{
activity.SetTag("supersedes", supersedes);
}
});
public static void RecordWriteAttempt(string tenant, string source, string result)
{
if (string.IsNullOrWhiteSpace(tenant) || string.IsNullOrWhiteSpace(source) || string.IsNullOrWhiteSpace(result))
{
return;
}
var tags = new TagList
{
{ "tenant", tenant },
{ "source", source },
{ "result", result }
};
WriteCounter.Add(1, tags);
}
public static void RecordViolation(string tenant, string source, string code)
{
if (string.IsNullOrWhiteSpace(tenant) || string.IsNullOrWhiteSpace(source) || string.IsNullOrWhiteSpace(code))
{
return;
}
var tags = new TagList
{
{ "tenant", tenant },
{ "source", source },
{ "code", code }
};
ViolationCounter.Add(1, tags);
}
public static void RecordLatency(string tenant, string source, string phase, TimeSpan duration)
{
if (string.IsNullOrWhiteSpace(tenant) || string.IsNullOrWhiteSpace(source) || string.IsNullOrWhiteSpace(phase))
{
return;
}
var tags = new TagList
{
{ "tenant", tenant },
{ "source", source },
{ "phase", phase }
};
var seconds = duration.TotalSeconds;
if (double.IsNaN(seconds) || double.IsInfinity(seconds))
{
seconds = 0d;
}
if (seconds < 0)
{
seconds = 0d;
}
LatencyHistogram.Record(seconds, tags);
}
private static Activity? StartActivity(
string name,
string tenant,
string source,
string? upstreamId,
string? contentHash,
Action<Activity>? builder = null)
{
var activity = ActivitySource.StartActivity(name, ActivityKind.Internal);
if (activity is null)
{
return null;
}
if (!string.IsNullOrWhiteSpace(tenant))
{
activity.SetTag("tenant", tenant);
}
if (!string.IsNullOrWhiteSpace(source))
{
activity.SetTag("source", source);
}
if (!string.IsNullOrWhiteSpace(upstreamId))
{
activity.SetTag("upstream.id", upstreamId);
}
if (!string.IsNullOrWhiteSpace(contentHash))
{
activity.SetTag("contentHash", contentHash);
}
builder?.Invoke(activity);
return activity;
}
}

8
src/__Libraries/StellaOps.Ingestion.Telemetry/StellaOps.Ingestion.Telemetry.csproj Normal file
View File

@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
</Project>

1
src/__Libraries/StellaOps.Plugin/TASKS.md
View File

@@ -1,3 +1,4 @@
# TASKS
| Task | Owner(s) | Depends on | Notes |
|---|---|---|---|
| PLUGIN-DI-08-001 | DONE (2025-10-21) | Plugin Platform Guild | — | Scoped service support in plugin bootstrap ensure `[ServiceBinding]` metadata flows through hosts deterministically, add dynamic plugin tests, and document the attribute usage. |

69
src/__Libraries/StellaOps.Replay.Core/ReplayManifest.cs Normal file
View File

@@ -0,0 +1,69 @@
using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;
namespace StellaOps.Replay.Core;
public sealed class ReplayManifest
{
[JsonPropertyName("schemaVersion")]
public string SchemaVersion { get; set; } = "1.0";
[JsonPropertyName("scan")]
public ReplayScanMetadata Scan { get; set; } = new();
[JsonPropertyName("reachability")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public ReplayReachabilitySection? Reachability { get; set; }
}
public sealed class ReplayScanMetadata
{
[JsonPropertyName("id")]
public string Id { get; set; } = string.Empty;
[JsonPropertyName("time")]
public DateTimeOffset Time { get; set; } = DateTimeOffset.UtcNow;
}
public sealed class ReplayReachabilitySection
{
[JsonPropertyName("graphs")]
public List<ReplayReachabilityGraphReference> Graphs { get; set; } = new();
[JsonPropertyName("runtimeTraces")]
public List<ReplayReachabilityTraceReference> RuntimeTraces { get; set; } = new();
}
public sealed class ReplayReachabilityGraphReference
{
[JsonPropertyName("kind")]
public string Kind { get; set; } = "static";
[JsonPropertyName("casUri")]
public string CasUri { get; set; } = string.Empty;
[JsonPropertyName("sha256")]
public string Sha256 { get; set; } = string.Empty;
[JsonPropertyName("analyzer")]
public string Analyzer { get; set; } = string.Empty;
[JsonPropertyName("version")]
public string Version { get; set; } = string.Empty;
}
public sealed class ReplayReachabilityTraceReference
{
[JsonPropertyName("source")]
public string Source { get; set; } = string.Empty;
[JsonPropertyName("casUri")]
public string CasUri { get; set; } = string.Empty;
[JsonPropertyName("sha256")]
public string Sha256 { get; set; } = string.Empty;
[JsonPropertyName("recordedAt")]
public DateTimeOffset RecordedAt { get; set; } = DateTimeOffset.UtcNow;
}

22
src/__Libraries/StellaOps.Replay.Core/ReplayManifestExtensions.cs Normal file
View File

@@ -0,0 +1,22 @@
using System;
namespace StellaOps.Replay.Core;
public static class ReplayManifestExtensions
{
public static void AddReachabilityGraph(this ReplayManifest manifest, ReplayReachabilityGraphReference graph)
{
ArgumentNullException.ThrowIfNull(manifest);
ArgumentNullException.ThrowIfNull(graph);
manifest.Reachability ??= new ReplayReachabilitySection();
manifest.Reachability.Graphs.Add(graph);
}
public static void AddReachabilityTrace(this ReplayManifest manifest, ReplayReachabilityTraceReference trace)
{
ArgumentNullException.ThrowIfNull(manifest);
ArgumentNullException.ThrowIfNull(trace);
manifest.Reachability ??= new ReplayReachabilitySection();
manifest.Reachability.RuntimeTraces.Add(trace);
}
}

10
src/__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj Normal file
View File

@@ -0,0 +1,10 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.Text.Json" Version="10.0.0-preview.7.25380.108" />
</ItemGroup>
</Project>

1
src/__Libraries/StellaOps.Replay.Core/TASKS.md
View File

@@ -4,3 +4,4 @@
|----|--------|-------------|--------------|---------------|
| REPLAY-CORE-185-001 | TODO | Scaffold replay core library (`StellaOps.Replay.Core`) with manifest schema types, canonical JSON utilities, Merkle helpers, DSSE payload builders, and module charter updates referencing `docs/replay/DETERMINISTIC_REPLAY.md`. | Sprint 185 replay planning | Library builds/tests succeed; AGENTS.md updated; integration notes cross-linked. |
| REPLAY-CORE-185-002 | TODO | Implement deterministic bundle writer (tar.zst, CAS naming) and hashing abstractions; extend `docs/modules/platform/architecture-overview.md` with “Replay CAS” section. | REPLAY-CORE-185-001 | Bundle writer unit tests pass; documentation merged with examples; CAS layout reproducible. |
| REPLAY-REACH-201-005 | DOING (2025-11-08) | Extend manifest schema + bundle writer to include reachability graphs, runtime traces, analyzer versions, and CAS URIs; update docs + serializers per `SPRINT_201_reachability_explainability`. | REPLAY-CORE-185-001, SIGNALS-REACH-201-003 | Manifest schema merged; unit tests cover new sections; docs + CAS layout references updated. |

16
src/__Libraries/__Tests/StellaOps.Cryptography.Tests/CryptoProviderRegistryTests.cs
View File

@@ -59,6 +59,22 @@ public class CryptoProviderRegistryTests
Assert.Equal("key-a", fallbackResolution.Signer.KeyId);
}
[Fact]
public void RegistryOptions_UsesActiveProfileOrder()
{
var options = new StellaOps.Cryptography.DependencyInjection.CryptoProviderRegistryOptions();
options.PreferredProviders.Add("default");
options.ActiveProfile = "ru-offline";
options.Profiles["ru-offline"] = new StellaOps.Cryptography.DependencyInjection.CryptoProviderProfileOptions
{
PreferredProviders = { "ru.cryptopro.csp", "ru.pkcs11" }
};
var resolved = options.ResolvePreferredProviders();
Assert.Equal(new[] { "ru.cryptopro.csp", "ru.pkcs11" }, resolved);
}
private sealed class FakeCryptoProvider : ICryptoProvider
{
private readonly Dictionary<string, FakeSigner> signers = new(StringComparer.Ordinal);

73
src/__Libraries/__Tests/StellaOps.Cryptography.Tests/DefaultCryptoHashTests.cs Normal file
View File

@@ -0,0 +1,73 @@
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Digests;
using StellaOps.Cryptography;
using Xunit;
namespace StellaOps.Cryptography.Tests;
public sealed class DefaultCryptoHashTests
{
private static readonly byte[] Sample = Encoding.UTF8.GetBytes("The quick brown fox jumps over the lazy dog");
[Fact]
public void ComputeHash_Sha256_MatchesBcl()
{
var hash = CryptoHashFactory.CreateDefault();
var expected = SHA256.HashData(Sample);
var actual = hash.ComputeHash(Sample, HashAlgorithms.Sha256);
Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
}
[Fact]
public void ComputeHash_Sha512_MatchesBcl()
{
var hash = CryptoHashFactory.CreateDefault();
var expected = SHA512.HashData(Sample);
var actual = hash.ComputeHash(Sample, HashAlgorithms.Sha512);
Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
}
[Fact]
public void ComputeHash_Gost256_MatchesBouncyCastle()
{
var hash = CryptoHashFactory.CreateDefault();
var expected = ComputeGostDigest(use256: true);
var actual = hash.ComputeHash(Sample, HashAlgorithms.Gost3411_2012_256);
Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
}
[Fact]
public void ComputeHash_Gost512_MatchesBouncyCastle()
{
var hash = CryptoHashFactory.CreateDefault();
var expected = ComputeGostDigest(use256: false);
var actual = hash.ComputeHash(Sample, HashAlgorithms.Gost3411_2012_512);
Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
}
[Fact]
public async Task ComputeHashAsync_Stream_MatchesBuffer()
{
var hash = CryptoHashFactory.CreateDefault();
await using var stream = new MemoryStream(Sample);
var streamDigest = await hash.ComputeHashAsync(stream, HashAlgorithms.Sha256);
var bufferDigest = hash.ComputeHash(Sample, HashAlgorithms.Sha256);
Assert.Equal(Convert.ToHexString(bufferDigest), Convert.ToHexString(streamDigest));
}
private static byte[] ComputeGostDigest(bool use256)
{
Org.BouncyCastle.Crypto.IDigest digest = use256
? new Gost3411_2012_256Digest()
: new Gost3411_2012_512Digest();
digest.BlockUpdate(Sample, 0, Sample.Length);
var output = new byte[digest.GetDigestSize()];
digest.DoFinal(output, 0);
return output;
}
}