save checkpoint. addition features and their state. check some ofthem

2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions
--- a/docs/features/checked/cryptography/hsm-integration.md
+++ b/docs/features/checked/cryptography/hsm-integration.md
@@ -0,0 +1,43 @@
+# HSM Integration (PKCS#11)
+
+## Module
+Cryptography
+
+## Status
+VERIFIED
+
+## Description
+PKCS#11 HSM client implementation for hardware security module integration, with integration tests.
+
+## Implementation Details
+- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM crypto plugin extending CryptoPluginBase; supports algorithms: HSM-RSA-SHA256/384/512, HSM-RSA-PSS-SHA256, HSM-ECDSA-P256/P384, HSM-AES-128/256-GCM; initializes with PKCS#11 library path (or simulation mode when unconfigured); SignAsync/VerifyAsync/EncryptAsync/DecryptAsync delegate to IHsmClient; HashAsync (SHA-256/384/512) computed locally; health check reports connected/disconnected/degraded status with slot info
+- **IHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM client interface: ConnectAsync (slotId, pin), DisconnectAsync, PingAsync, SignAsync, VerifyAsync, EncryptAsync, DecryptAsync
+- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 client implementation wrapping native PKCS#11 library
+- **Pkcs11HsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- adapter delegating to Pkcs11HsmClientImpl with connection management
+- **SimulatedHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- test double for HSM operations without hardware: generates RSA-2048 + AES-256 keys on connect; RSA sign/verify with PKCS1/PSS padding; AES-GCM encrypt/decrypt with IV + tag management
+- **HsmOptions**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- configuration: LibraryPath (.so/.dll path, empty for simulation), SlotId, Pin, TokenLabel, ConnectionTimeoutSeconds (30), ReadOnlySession flag
+- **HsmMechanism**: enum for signing/encryption mechanism mapping: RsaSha256/384/512, RsaPssSha256, EcdsaP256/P384, Aes128Gcm, Aes256Gcm
+- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `SoftHsmTestFixture.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [x] Verify HSM plugin initializes in simulation mode when no library path is configured
+- [x] Verify HSM plugin connects to PKCS#11 library when LibraryPath is set
+- [x] Test RSA signing and verification with SHA-256/384/512 and PKCS1/PSS padding
+- [x] Test ECDSA P-256 and P-384 signing and verification
+- [x] Test AES-128-GCM and AES-256-GCM encryption and decryption
+- [x] Verify health check returns Unhealthy when not connected, Degraded on slow response, Healthy with slot details
+- [x] Verify CanHandle only accepts algorithms with HSM- prefix
+- [x] Test plugin lifecycle: initialize -> active -> health check -> dispose (disconnect)
+
+## Verification
+Run ID: run-001
+Date: 2026-02-10
+Method: Tier 1 code review + Tier 2d test verification
+
+Build: PASS (0 errors, 0 warnings)
+Tests: PASS (101/101 cryptography tests pass)
+
+Pkcs11HsmClientImpl is a 723-line production implementation using Pkcs11Interop with session pooling (SlotContext with ConcurrentBag), multi-slot failover with health monitoring, key search by CKA_LABEL or CKA_ID, key attribute validation. SimulatedHsmClient provides functional RSA+AES operations for testing. SoftHSM2 integration tests.
+
+Verdict: PASS