Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
@@ -0,0 +1,4 @@
|
||||
using System.Runtime.CompilerServices;
|
||||
|
||||
[assembly: InternalsVisibleTo("StellaOps.Cryptography.Plugin.CryptoPro")]
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
using System;
|
||||
using System.Text;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal static class PemUtilities
|
||||
{
|
||||
public static string ExtractBody(string pem)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(pem))
|
||||
{
|
||||
throw new ArgumentException("PEM content is empty.", nameof(pem));
|
||||
}
|
||||
|
||||
var builder = new StringBuilder();
|
||||
foreach (var line in pem.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
|
||||
{
|
||||
if (line.StartsWith("-----", StringComparison.Ordinal))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
builder.Append(line.Trim());
|
||||
}
|
||||
|
||||
return builder.ToString();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
using System;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.DependencyInjection.Extensions;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
public static class Pkcs11CryptoServiceCollectionExtensions
|
||||
{
|
||||
public static IServiceCollection AddPkcs11GostProvider(
|
||||
this IServiceCollection services,
|
||||
Action<Pkcs11GostProviderOptions>? configure = null)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(services);
|
||||
|
||||
if (configure is not null)
|
||||
{
|
||||
services.Configure(configure);
|
||||
}
|
||||
|
||||
services.TryAddEnumerable(
|
||||
ServiceDescriptor.Singleton<StellaOps.Cryptography.ICryptoProvider, Pkcs11GostCryptoProvider>());
|
||||
return services;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Cryptography;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
public sealed class Pkcs11GostCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
|
||||
{
|
||||
private readonly Pkcs11GostProviderCore core;
|
||||
|
||||
public Pkcs11GostCryptoProvider(
|
||||
IOptions<Pkcs11GostProviderOptions>? optionsAccessor = null,
|
||||
ILogger<Pkcs11GostCryptoProvider>? logger = null)
|
||||
{
|
||||
var options = optionsAccessor?.Value ?? new Pkcs11GostProviderOptions();
|
||||
core = new Pkcs11GostProviderCore("ru.pkcs11", options.Keys, logger);
|
||||
}
|
||||
|
||||
public string Name => core.ProviderName;
|
||||
|
||||
public bool Supports(CryptoCapability capability, string algorithmId)
|
||||
{
|
||||
if (capability is CryptoCapability.Signing or CryptoCapability.Verification)
|
||||
{
|
||||
return core.SupportsAlgorithm(algorithmId);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public IPasswordHasher GetPasswordHasher(string algorithmId)
|
||||
=> throw new NotSupportedException("PKCS#11 provider does not expose password hashing.");
|
||||
|
||||
public ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(keyReference);
|
||||
var entry = core.Resolve(keyReference.KeyId);
|
||||
if (!string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new InvalidOperationException(
|
||||
$"Signing key '{keyReference.KeyId}' is registered for algorithm '{entry.AlgorithmId}', not '{algorithmId}'.");
|
||||
}
|
||||
|
||||
return new Pkcs11GostSigner(entry);
|
||||
}
|
||||
|
||||
public void UpsertSigningKey(CryptoSigningKey signingKey)
|
||||
=> throw new NotSupportedException("PKCS#11 keys are managed externally.");
|
||||
|
||||
public bool RemoveSigningKey(string keyId) => false;
|
||||
|
||||
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
|
||||
=> Array.Empty<CryptoSigningKey>();
|
||||
|
||||
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
|
||||
=> core.DescribeKeys(Name);
|
||||
}
|
||||
@@ -0,0 +1,42 @@
|
||||
using System;
|
||||
using System.Globalization;
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
using Org.BouncyCastle.Security;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal sealed class Pkcs11GostKeyEntry
|
||||
{
|
||||
public Pkcs11GostKeyEntry(
|
||||
string keyId,
|
||||
string algorithmId,
|
||||
Pkcs11SessionOptions session,
|
||||
X509Certificate2 certificate,
|
||||
uint signMechanismId)
|
||||
{
|
||||
KeyId = keyId ?? throw new ArgumentNullException(nameof(keyId));
|
||||
AlgorithmId = algorithmId ?? throw new ArgumentNullException(nameof(algorithmId));
|
||||
Session = session ?? throw new ArgumentNullException(nameof(session));
|
||||
Certificate = certificate ?? throw new ArgumentNullException(nameof(certificate));
|
||||
SignMechanismId = signMechanismId;
|
||||
var bcCertificate = DotNetUtilities.FromX509Certificate(Certificate);
|
||||
PublicKeyParameters = bcCertificate.GetPublicKey();
|
||||
}
|
||||
|
||||
public string KeyId { get; }
|
||||
|
||||
public string AlgorithmId { get; }
|
||||
|
||||
public Pkcs11SessionOptions Session { get; }
|
||||
|
||||
public X509Certificate2 Certificate { get; }
|
||||
|
||||
public Org.BouncyCastle.Crypto.AsymmetricKeyParameter PublicKeyParameters { get; }
|
||||
|
||||
public uint SignMechanismId { get; }
|
||||
|
||||
public bool Is256 => string.Equals(
|
||||
AlgorithmId,
|
||||
StellaOps.Cryptography.SignatureAlgorithms.GostR3410_2012_256,
|
||||
StringComparison.OrdinalIgnoreCase);
|
||||
}
|
||||
@@ -0,0 +1,107 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using StellaOps.Cryptography;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
/// <summary>
|
||||
/// Describes a PKCS#11-backed signing key.
|
||||
/// </summary>
|
||||
public sealed class Pkcs11GostKeyOptions
|
||||
{
|
||||
/// <summary>
|
||||
/// Logical identifier for the key (used as kid).
|
||||
/// </summary>
|
||||
[Required]
|
||||
public string KeyId { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>
|
||||
/// Signing algorithm identifier.
|
||||
/// </summary>
|
||||
public string Algorithm { get; set; } = SignatureAlgorithms.GostR3410_2012_256;
|
||||
|
||||
/// <summary>
|
||||
/// Absolute path to the PKCS#11 library (e.g. /usr/local/lib/librutokenecp.so).
|
||||
/// </summary>
|
||||
[Required]
|
||||
public string LibraryPath { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>
|
||||
/// Optional slot identifier (decimal or hexadecimal). Mutually exclusive with <see cref="TokenLabel"/>.
|
||||
/// </summary>
|
||||
public string? SlotId { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional token label to locate the slot. Mutually exclusive with <see cref="SlotId"/>.
|
||||
/// </summary>
|
||||
public string? TokenLabel { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Label identifying the private key object.
|
||||
/// </summary>
|
||||
public string? PrivateKeyLabel { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional label for the certificate or public key object.
|
||||
/// </summary>
|
||||
public string? PublicKeyLabel { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// User PIN supplied inline (discouraged for production).
|
||||
/// </summary>
|
||||
public string? UserPin { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Name of the environment variable containing the PIN (preferred).
|
||||
/// </summary>
|
||||
public string? UserPinEnvironmentVariable { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Mechanism identifier used for signature operations (e.g. 0x00001255 for GOST12-256).
|
||||
/// </summary>
|
||||
public uint? SignMechanismId { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional PEM/DER path for the X.509 certificate corresponding to the private key.
|
||||
/// </summary>
|
||||
public string? CertificatePath { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional inline PEM certificate.
|
||||
/// </summary>
|
||||
public string? CertificatePem { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional Windows/Linux store thumbprint identifier (when CertificatePath is not provided).
|
||||
/// </summary>
|
||||
public string? CertificateThumbprint { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Optional store location (CurrentUser/LocalMachine). Defaults to CurrentUser.
|
||||
/// </summary>
|
||||
public string CertificateStoreLocation { get; set; } = "CurrentUser";
|
||||
|
||||
/// <summary>
|
||||
/// Optional store name (My/Root/etc). Defaults to My.
|
||||
/// </summary>
|
||||
public string CertificateStoreName { get; set; } = "My";
|
||||
|
||||
public Pkcs11GostKeyOptions Clone()
|
||||
=> new()
|
||||
{
|
||||
KeyId = KeyId,
|
||||
Algorithm = Algorithm,
|
||||
LibraryPath = LibraryPath,
|
||||
SlotId = SlotId,
|
||||
TokenLabel = TokenLabel,
|
||||
PrivateKeyLabel = PrivateKeyLabel,
|
||||
PublicKeyLabel = PublicKeyLabel,
|
||||
UserPin = UserPin,
|
||||
UserPinEnvironmentVariable = UserPinEnvironmentVariable,
|
||||
SignMechanismId = SignMechanismId,
|
||||
CertificatePath = CertificatePath,
|
||||
CertificatePem = CertificatePem,
|
||||
CertificateThumbprint = CertificateThumbprint,
|
||||
CertificateStoreLocation = CertificateStoreLocation,
|
||||
CertificateStoreName = CertificateStoreName
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,186 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using StellaOps.Cryptography;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal sealed class Pkcs11GostProviderCore
|
||||
{
|
||||
private readonly Dictionary<string, Pkcs11GostKeyEntry> entries;
|
||||
private readonly ILogger? logger;
|
||||
private readonly string providerName;
|
||||
|
||||
public Pkcs11GostProviderCore(
|
||||
string providerName,
|
||||
IEnumerable<Pkcs11GostKeyOptions> options,
|
||||
ILogger? logger = null)
|
||||
{
|
||||
this.providerName = providerName;
|
||||
this.logger = logger;
|
||||
entries = new Dictionary<string, Pkcs11GostKeyEntry>(StringComparer.Ordinal);
|
||||
|
||||
foreach (var keyOptions in options ?? Array.Empty<Pkcs11GostKeyOptions>())
|
||||
{
|
||||
var entry = BuildEntry(keyOptions);
|
||||
if (!entries.TryAdd(entry.KeyId, entry))
|
||||
{
|
||||
throw new InvalidOperationException(
|
||||
$"Duplicate PKCS#11 key identifier '{entry.KeyId}' configured for provider '{providerName}'.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public string ProviderName => providerName;
|
||||
|
||||
public IReadOnlyDictionary<string, Pkcs11GostKeyEntry> Entries => entries;
|
||||
|
||||
public bool SupportsAlgorithm(string algorithmId)
|
||||
{
|
||||
foreach (var entry in entries.Values)
|
||||
{
|
||||
if (string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public Pkcs11GostKeyEntry Resolve(string keyId)
|
||||
{
|
||||
if (!entries.TryGetValue(keyId, out var entry))
|
||||
{
|
||||
throw new KeyNotFoundException(
|
||||
$"Signing key '{keyId}' is not registered with provider '{providerName}'.");
|
||||
}
|
||||
|
||||
return entry;
|
||||
}
|
||||
|
||||
private Pkcs11GostKeyEntry BuildEntry(Pkcs11GostKeyOptions options)
|
||||
{
|
||||
if (options is null)
|
||||
{
|
||||
throw new ArgumentNullException(nameof(options));
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(options.KeyId))
|
||||
{
|
||||
throw new InvalidOperationException("PKCS#11 key options require a non-empty keyId.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(options.LibraryPath))
|
||||
{
|
||||
throw new InvalidOperationException($"PKCS#11 key '{options.KeyId}' requires libraryPath.");
|
||||
}
|
||||
|
||||
var mechanism = options.SignMechanismId ??
|
||||
(string.Equals(options.Algorithm, SignatureAlgorithms.GostR3410_2012_512, StringComparison.OrdinalIgnoreCase)
|
||||
? Pkcs11Mechanisms.DefaultGost12_512Signature
|
||||
: Pkcs11Mechanisms.DefaultGost12_256Signature);
|
||||
|
||||
var session = new Pkcs11SessionOptions
|
||||
{
|
||||
LibraryPath = options.LibraryPath,
|
||||
SlotId = options.SlotId,
|
||||
TokenLabel = options.TokenLabel,
|
||||
PrivateKeyLabel = options.PrivateKeyLabel,
|
||||
PublicKeyLabel = options.PublicKeyLabel,
|
||||
UserPin = options.UserPin,
|
||||
UserPinEnvironmentVariable = options.UserPinEnvironmentVariable
|
||||
};
|
||||
|
||||
var certificate = LoadCertificate(options);
|
||||
|
||||
logger?.LogInformation(
|
||||
"PKCS#11 key {KeyId} (algorithm {Algorithm}) registered for provider {Provider}",
|
||||
options.KeyId,
|
||||
options.Algorithm,
|
||||
providerName);
|
||||
|
||||
return new Pkcs11GostKeyEntry(
|
||||
options.KeyId,
|
||||
options.Algorithm,
|
||||
session,
|
||||
certificate,
|
||||
mechanism);
|
||||
}
|
||||
|
||||
private static X509Certificate2 LoadCertificate(Pkcs11GostKeyOptions options)
|
||||
{
|
||||
if (!string.IsNullOrWhiteSpace(options.CertificatePem))
|
||||
{
|
||||
var rawBytes = Convert.FromBase64String(PemUtilities.ExtractBody(options.CertificatePem));
|
||||
return X509CertificateLoader.LoadCertificate(rawBytes);
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.CertificatePath))
|
||||
{
|
||||
if (!File.Exists(options.CertificatePath))
|
||||
{
|
||||
throw new FileNotFoundException($"Certificate file '{options.CertificatePath}' was not found.", options.CertificatePath);
|
||||
}
|
||||
|
||||
return X509CertificateLoader.LoadCertificateFromFile(options.CertificatePath);
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.CertificateThumbprint))
|
||||
{
|
||||
var location = Enum.TryParse(options.CertificateStoreLocation, ignoreCase: true, out StoreLocation parsedLocation)
|
||||
? parsedLocation
|
||||
: StoreLocation.CurrentUser;
|
||||
var storeName = Enum.TryParse(options.CertificateStoreName, ignoreCase: true, out StoreName parsedStore)
|
||||
? parsedStore
|
||||
: StoreName.My;
|
||||
using var store = new X509Store(storeName, location);
|
||||
store.Open(OpenFlags.ReadOnly);
|
||||
var thumbprint = options.CertificateThumbprint.Replace(" ", string.Empty, StringComparison.OrdinalIgnoreCase)
|
||||
.ToUpperInvariant();
|
||||
var matches = store.Certificates.Find(
|
||||
X509FindType.FindByThumbprint,
|
||||
thumbprint,
|
||||
validOnly: false);
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
throw new InvalidOperationException(
|
||||
$"Certificate with thumbprint '{thumbprint}' was not found in {location}/{storeName}.");
|
||||
}
|
||||
|
||||
return X509CertificateLoader.LoadCertificate(matches[0].RawData);
|
||||
}
|
||||
|
||||
throw new InvalidOperationException(
|
||||
$"PKCS#11 key '{options.KeyId}' requires either certificatePath, certificatePem, or certificateThumbprint.");
|
||||
}
|
||||
|
||||
public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys(string provider)
|
||||
{
|
||||
foreach (var entry in entries.Values)
|
||||
{
|
||||
yield return CreateDescriptor(provider, entry);
|
||||
}
|
||||
}
|
||||
|
||||
private static CryptoProviderKeyDescriptor CreateDescriptor(string providerName, Pkcs11GostKeyEntry entry)
|
||||
{
|
||||
var metadata = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
|
||||
{
|
||||
["subject"] = entry.Certificate.Subject,
|
||||
["issuer"] = entry.Certificate.Issuer,
|
||||
["thumbprint"] = entry.Certificate.Thumbprint,
|
||||
["library"] = entry.Session.LibraryPath,
|
||||
["slotId"] = entry.Session.SlotId,
|
||||
["tokenLabel"] = entry.Session.TokenLabel,
|
||||
["privateKeyLabel"] = entry.Session.PrivateKeyLabel,
|
||||
["publicKeyLabel"] = entry.Session.PublicKeyLabel,
|
||||
["mechanismId"] = $"0x{entry.SignMechanismId:X}",
|
||||
["bitStrength"] = entry.Is256 ? "256" : "512"
|
||||
};
|
||||
|
||||
return new CryptoProviderKeyDescriptor(providerName, entry.KeyId, entry.AlgorithmId, metadata);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
/// <summary>
|
||||
/// Configuration surface for the PKCS#11-based GOST provider.
|
||||
/// </summary>
|
||||
public sealed class Pkcs11GostProviderOptions
|
||||
{
|
||||
private readonly IList<Pkcs11GostKeyOptions> keys = new List<Pkcs11GostKeyOptions>();
|
||||
|
||||
/// <summary>
|
||||
/// Key descriptors managed by the provider.
|
||||
/// </summary>
|
||||
public IList<Pkcs11GostKeyOptions> Keys => keys;
|
||||
|
||||
public Pkcs11GostProviderOptions Clone()
|
||||
{
|
||||
var clone = new Pkcs11GostProviderOptions();
|
||||
foreach (var key in keys)
|
||||
{
|
||||
clone.Keys.Add(key.Clone());
|
||||
}
|
||||
|
||||
return clone;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,71 @@
|
||||
using System;
|
||||
using System.Threading;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
using Org.BouncyCastle.Crypto.Signers;
|
||||
using Org.BouncyCastle.Security;
|
||||
using StellaOps.Cryptography;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal sealed class Pkcs11GostSigner : ICryptoSigner
|
||||
{
|
||||
private static readonly string[] DefaultKeyOps = { "sign", "verify" };
|
||||
|
||||
private readonly Pkcs11GostKeyEntry entry;
|
||||
|
||||
public Pkcs11GostSigner(Pkcs11GostKeyEntry entry)
|
||||
{
|
||||
this.entry = entry ?? throw new ArgumentNullException(nameof(entry));
|
||||
}
|
||||
|
||||
public string KeyId => entry.KeyId;
|
||||
|
||||
public string AlgorithmId => entry.AlgorithmId;
|
||||
|
||||
public ValueTask<byte[]> SignAsync(ReadOnlyMemory<byte> data, CancellationToken cancellationToken = default)
|
||||
{
|
||||
cancellationToken.ThrowIfCancellationRequested();
|
||||
var digest = GostDigestUtilities.ComputeDigest(data.Span, entry.Is256);
|
||||
var signature = Pkcs11SignerUtilities.SignDigest(entry, digest);
|
||||
return ValueTask.FromResult(signature);
|
||||
}
|
||||
|
||||
public ValueTask<bool> VerifyAsync(
|
||||
ReadOnlyMemory<byte> data,
|
||||
ReadOnlyMemory<byte> signature,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
cancellationToken.ThrowIfCancellationRequested();
|
||||
|
||||
var digestSigner = new Gost3410DigestSigner(
|
||||
new Gost3410Signer(),
|
||||
GostDigestUtilities.CreateDigest(entry.Is256));
|
||||
digestSigner.Init(false, entry.PublicKeyParameters);
|
||||
var buffer = data.ToArray();
|
||||
digestSigner.BlockUpdate(buffer, 0, buffer.Length);
|
||||
var verified = digestSigner.VerifySignature(signature.ToArray());
|
||||
return ValueTask.FromResult(verified);
|
||||
}
|
||||
|
||||
public JsonWebKey ExportPublicJsonWebKey()
|
||||
{
|
||||
var jwk = new JsonWebKey
|
||||
{
|
||||
Kid = KeyId,
|
||||
Alg = AlgorithmId,
|
||||
Kty = "EC",
|
||||
Crv = entry.Is256 ? "GOST3410-2012-256" : "GOST3410-2012-512",
|
||||
Use = JsonWebKeyUseNames.Sig
|
||||
};
|
||||
|
||||
foreach (var op in DefaultKeyOps)
|
||||
{
|
||||
jwk.KeyOps.Add(op);
|
||||
}
|
||||
|
||||
jwk.X5c.Add(Convert.ToBase64String(entry.Certificate.RawData));
|
||||
return jwk;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal static class Pkcs11Mechanisms
|
||||
{
|
||||
// Default values sourced from PKCS#11 v2.40 (TC26 extensions). Deployments can override via configuration.
|
||||
public const uint DefaultGost12_256Signature = 0x00001255;
|
||||
public const uint DefaultGost12_512Signature = 0x00001256;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal sealed class Pkcs11SessionOptions
|
||||
{
|
||||
public string LibraryPath { get; init; } = string.Empty;
|
||||
|
||||
public string? SlotId { get; init; }
|
||||
|
||||
public string? TokenLabel { get; init; }
|
||||
|
||||
public string? UserPin { get; init; }
|
||||
|
||||
public string? UserPinEnvironmentVariable { get; init; }
|
||||
|
||||
public string? PrivateKeyLabel { get; init; }
|
||||
|
||||
public string? PublicKeyLabel { get; init; }
|
||||
}
|
||||
|
||||
@@ -0,0 +1,107 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using Net.Pkcs11Interop.Common;
|
||||
using Net.Pkcs11Interop.HighLevelAPI;
|
||||
using StellaOps.Cryptography;
|
||||
using ISession = Net.Pkcs11Interop.HighLevelAPI.Session;
|
||||
|
||||
namespace StellaOps.Cryptography.Plugin.Pkcs11Gost;
|
||||
|
||||
internal static class Pkcs11SignerUtilities
|
||||
{
|
||||
public static byte[] SignDigest(Pkcs11GostKeyEntry entry, ReadOnlySpan<byte> digest)
|
||||
{
|
||||
using var pkcs11 = new Pkcs11(entry.Session.LibraryPath, AppType.MultiThreaded);
|
||||
var slot = ResolveSlot(pkcs11, entry.Session);
|
||||
if (slot is null)
|
||||
{
|
||||
throw new InvalidOperationException("No PKCS#11 slot/token matched the provided configuration.");
|
||||
}
|
||||
|
||||
using var session = slot.OpenSession(SessionType.ReadWrite);
|
||||
var loggedIn = false;
|
||||
try
|
||||
{
|
||||
var pin = ResolvePin(entry.Session);
|
||||
if (!string.IsNullOrWhiteSpace(pin))
|
||||
{
|
||||
session.Login(CKU.CKU_USER, pin);
|
||||
loggedIn = true;
|
||||
}
|
||||
|
||||
var privateHandle = FindObject(session, CKO.CKO_PRIVATE_KEY, entry.Session.PrivateKeyLabel);
|
||||
if (privateHandle is null)
|
||||
{
|
||||
throw new InvalidOperationException($"Private key with label '{entry.Session.PrivateKeyLabel}' was not found.");
|
||||
}
|
||||
|
||||
var mechanism = new Mechanism(entry.SignMechanismId);
|
||||
return session.Sign(mechanism, privateHandle, digest.ToArray());
|
||||
}
|
||||
finally
|
||||
{
|
||||
if (loggedIn)
|
||||
{
|
||||
try { session.Logout(); } catch { /* ignored */ }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static Slot? ResolveSlot(Pkcs11 pkcs11, Pkcs11SessionOptions options)
|
||||
{
|
||||
var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
|
||||
if (slots.Count == 0)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.SlotId))
|
||||
{
|
||||
return slots.FirstOrDefault(slot =>
|
||||
string.Equals(slot.SlotId.ToString(), options.SlotId, StringComparison.OrdinalIgnoreCase));
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.TokenLabel))
|
||||
{
|
||||
return slots.FirstOrDefault(slot =>
|
||||
{
|
||||
var tokenInfo = slot.GetTokenInfo();
|
||||
return string.Equals(tokenInfo.Label?.Trim(), options.TokenLabel?.Trim(), StringComparison.OrdinalIgnoreCase);
|
||||
});
|
||||
}
|
||||
|
||||
return slots[0];
|
||||
}
|
||||
|
||||
private static ObjectHandle? FindObject(ISession session, CKO objectClass, string? label)
|
||||
{
|
||||
var template = new List<ObjectAttribute>
|
||||
{
|
||||
new(CKA.CKA_CLASS, (uint)objectClass)
|
||||
};
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(label))
|
||||
{
|
||||
template.Add(new ObjectAttribute(CKA.CKA_LABEL, label));
|
||||
}
|
||||
|
||||
var handles = session.FindAllObjects(template);
|
||||
return handles.FirstOrDefault();
|
||||
}
|
||||
|
||||
private static string? ResolvePin(Pkcs11SessionOptions options)
|
||||
{
|
||||
if (!string.IsNullOrWhiteSpace(options.UserPin))
|
||||
{
|
||||
return options.UserPin;
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.UserPinEnvironmentVariable))
|
||||
{
|
||||
return Environment.GetEnvironmentVariable(options.UserPinEnvironmentVariable);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
<LangVersion>preview</LangVersion>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="BouncyCastle.Cryptography" Version="2.5.1" />
|
||||
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
|
||||
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
|
||||
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
|
||||
<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.14.0" />
|
||||
<PackageReference Include="Pkcs11Interop" Version="4.1.0" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\\StellaOps.Cryptography\\StellaOps.Cryptography.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
Reference in New Issue
Block a user