stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-09 00:20:52 +02:00
parent 3d01bf9edc
commit bc0762e97d
261 changed files with 14033 additions and 4427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
docs/security/rootpack_ru_validation.md
View File

@@ -29,6 +29,20 @@ This runbook documents the repeatable steps for validating the Russian sovereign
1. Install OpenSSL with the `gost` engine (or vendor equivalent) on the validation host and import the PEM key/cert that will back `StellaOps:Crypto:OpenSsl:Keys`.
2. Configure the `OpenSsl` section (PEM path plus `PrivateKeyPassphraseEnvVar`), keep `StellaOps:Crypto:Registry:ActiveProfile=ru-offline`, and restart the services.
3. Execute a signing workflow and confirm `CryptoProviderMetrics` records `ru.openssl.gost` activity. Linux nodes should no longer attempt to load `ru.cryptopro.csp`.
4. **2025-12-07 validation evidence (Linux, containerised OpenSSL GOST engine):**
- Ran `scripts/crypto/validate-openssl-gost.sh` (uses `rnix/openssl-gost:latest`) to generate deterministic digests and two md_gost12_256 signatures over a fixed message. Output folder: `logs/openssl_gost_validation_<timestamp>/`.
- Summary from the run at `20251207T220926Z`:
- Message SHA256: `e858745af13089d06e74022a75abfee7390aefe7635b15c80fe7d038f58ae6c6`
- md_gost12_256 digest: `01ddd6399e694bb23227925cb6b12e8c25f2f1303644ffbd267da8a68554a2cb`
- Signature SHA256 (run 1): `02321c5564ae902de77a12c8cc2876f0374d4225e52077ecd28876fbd0110b01`
- Signature SHA256 (run 2): `6564c7e0953dda7d40054ef46633c833eec5ee13d4ab8dd0557f2aed1b8d76c4`
- Determinism note: digests are stable; signatures vary per run (nonce-driven) but verify cleanly against the emitted public key.
5. **Host defaults and toggles:** Authority/Signer/Attestor now bind `StellaOps:Crypto` via `AddStellaOpsCryptoRu` and fail-closed on Linux if `ru.openssl.gost`/`ru.pkcs11` are missing. Environment overrides:
- `STELLAOPS_CRYPTO_ENABLE_RU_OPENSSL` (default: on for Linux)
- `STELLAOPS_CRYPTO_ENABLE_RU_PKCS11` (default: on)
- `STELLAOPS_CRYPTO_ENABLE_RU_WINECSP` (default: off)
- `STELLAOPS_CRYPTO_ENABLE_RU_CSP` (Windows only; default on)
Disable both OpenSSL and PKCS#11 only when an alternate provider is configured; otherwise startup will fail.
## 3. Hardware Validation (PKCS#11 Tokens)