Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle. - Added PqSoftProviderOptions and PqSoftKeyOptions for configuration. - Created unit tests for Dilithium3 and Falcon512 signing and verification. - Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists. - Added KcmvpHashOnlyProvider for KCMVP baseline compliance. - Updated project files and dependencies for new libraries and testing frameworks.
2025-12-07 15:04:19 +02:00
parent 862bb6ed80
commit 98e6b76584
119 changed files with 11436 additions and 1732 deletions
--- a/ops/devops/findings-ledger/offline-kit/manifest.yaml
+++ b/ops/devops/findings-ledger/offline-kit/manifest.yaml
@@ -0,0 +1,106 @@
+# Findings Ledger Offline Kit Manifest
+# Version: 2025.11.0
+# Generated: 2025-12-07
+
+apiVersion: stellaops.io/v1
+kind: OfflineKitManifest
+metadata:
+  name: findings-ledger
+  version: "2025.11.0"
+  description: Findings Ledger service for event-sourced findings storage with Merkle anchoring
+
+spec:
+  components:
+    - name: findings-ledger
+      type: service
+      image: stellaops/findings-ledger:2025.11.0
+      digest: "" # Populated at build time
+
+    - name: findings-ledger-migrations
+      type: job
+      image: stellaops/findings-ledger-migrations:2025.11.0
+      digest: "" # Populated at build time
+
+  dependencies:
+    - name: postgresql
+      version: ">=14.0"
+      type: database
+      required: true
+
+    - name: otel-collector
+      version: ">=0.80.0"
+      type: service
+      required: false
+      description: Optional for telemetry export
+
+  migrations:
+    - version: "001"
+      file: migrations/001_initial_schema.sql
+      checksum: "" # Populated at build time
+    - version: "002"
+      file: migrations/002_merkle_tables.sql
+      checksum: ""
+    - version: "003"
+      file: migrations/003_attachments.sql
+      checksum: ""
+    - version: "004"
+      file: migrations/004_projections.sql
+      checksum: ""
+    - version: "005"
+      file: migrations/005_airgap_imports.sql
+      checksum: ""
+    - version: "006"
+      file: migrations/006_evidence_snapshots.sql
+      checksum: ""
+    - version: "007"
+      file: migrations/007_timeline_events.sql
+      checksum: ""
+    - version: "008"
+      file: migrations/008_attestation_pointers.sql
+      checksum: ""
+
+  dashboards:
+    - name: findings-ledger
+      file: dashboards/findings-ledger.json
+      checksum: ""
+
+  alerts:
+    - name: findings-ledger-alerts
+      file: alerts/findings-ledger-alerts.yaml
+      checksum: ""
+
+  configuration:
+    required:
+      - key: LEDGER__DB__CONNECTIONSTRING
+        description: PostgreSQL connection string
+        secret: true
+      - key: LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+        description: AES-256 encryption key for attachments (base64)
+        secret: true
+
+    optional:
+      - key: LEDGER__MERKLE__SIGNINGKEY
+        description: Signing key for Merkle root attestations
+        secret: true
+      - key: LEDGER__OBSERVABILITY__OTLPENDPOINT
+        description: OpenTelemetry collector endpoint
+        default: http://otel-collector:4317
+      - key: LEDGER__MERKLE__ANCHORINTERVAL
+        description: Merkle anchor interval (TimeSpan)
+        default: "00:05:00"
+      - key: LEDGER__AIRGAP__ADVISORYSTALETHRESHOLD
+        description: Advisory staleness threshold in seconds
+        default: "604800"
+
+  verification:
+    healthEndpoint: /health/ready
+    metricsEndpoint: /metrics
+    expectedMetrics:
+      - ledger_write_latency_seconds
+      - ledger_projection_lag_seconds
+      - ledger_merkle_anchor_duration_seconds
+      - ledger_events_total
+
+  checksums:
+    algorithm: sha256
+    manifest: "" # Populated at build time