Add support for ГОСТ Р 34.10 digital signatures
- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
@@ -73,12 +73,13 @@ Roles are tenant-scoped; cross-tenant access requires explicit addition.
- `stella pack push` → `packs.write`.
- `stella pack approve` → `packs.approve`.
- Offline tokens must include same scopes; CLI warns if missing.
- Approval flows must also pass `pack_run_id`, `pack_gate_id`, and `pack_plan_hash` when requesting `packs.approve`. The CLI exposes these via `stella pack approve --pack-run-id ... --pack-gate-id ... --pack-plan-hash ...` (see `docs/task-packs/runbook.md#4-approvals-workflow` for the full procedure). Authority rejects approval grants that omit or truncate any of these fields and tags the audit record with `pack.*` metadata for replay audits.
---
## 4 · Approvals & Fresh Auth
- Approval commands require recent fresh-auth (< 5 minutes). CLI prompts automatically; Console enforces via Authority.
- Approval commands require recent fresh-auth (< 5 minutes). CLI prompts automatically; Console enforces via Authority. When the `packs.approve` scope is present, `/token` demands `pack_run_id`, `pack_gate_id`, and `pack_plan_hash`, and the resource-layer scope handler verifies the metadata is present plus the `auth_time` timestamp falls within the five-minute window. Missing metadata or stale authentication produce `authority.pack_scope_violation` audit events with the offending field noted.
- Approval payload includes:
- `runId`
- `gateId`
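Review bot: the new section-4 bullet states that the resource-layer scope handler verifies `pack_run_id`, `pack_gate_id` and `pack_plan_hash` are present and that `auth_time` falls within the five-minute window, but it does not say whether those values are compared against the run, gate and plan hash of the approval actually being submitted. If the handler does compare them, state that here and extend the `authority.pack_scope_violation` description, which currently covers only missing or stale fields, to include a mismatch; if it only checks presence, that is the gap to close before the flow is documented as enforced. Also, the approval payload lists `runId` and `gateId` in camelCase while the token metadata and CLI flags use `pack_run_id` and `pack_gate_id`; one sentence mapping the two namings (and confirming whether the payload also carries the plan hash) would save anyone wiring the CLI to the payload from guessing.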