Add support for ГОСТ Р 34.10 digital signatures

- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures. - Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures. - Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval. - Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms. - Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
2025-11-09 21:59:57 +02:00
parent 75c2bcafce
commit cef4cb2c5a
486 changed files with 32952 additions and 801 deletions
--- a/etc/authority.plugins/ldap.yaml
+++ b/etc/authority.plugins/ldap.yaml
@@ -64,6 +64,22 @@ clientProvisioning:
    enabled: true
    collectionName: "ldap_client_provisioning" # Mongo mirror ships inside the Offline Kit for auditors

+bootstrap:
+  enabled: false
+  containerDn: "ou=people,dc=example,dc=internal"
+  rdnAttribute: "uid"
+  usernameAttribute: "uid"
+  displayNameAttribute: "displayName"
+  givenNameAttribute: "givenName"
+  surnameAttribute: "sn"
+  emailAttribute: "mail"
+  secretAttribute: "userPassword"
+  staticAttributes:
+    description: "StellaOps bootstrap user for {username}"
+  auditMirror:
+    enabled: true
+    collectionName: "ldap_bootstrap_audit"
+
 health:
  probeIntervalSeconds: 60
  timeoutSeconds: 5
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -328,6 +328,7 @@ clients:
    grantTypes: [ "client_credentials" ]
    audiences: [ "api://task-runner" ]
    scopes: [ "packs.approve", "packs.read" ]
+    # Tokens minted with packs.approve must include pack_run_id, pack_gate_id, and pack_plan_hash parameters per docs/task-packs/runbook.md.
    tenant: "tenant-default"
    senderConstraint: "dpop"
    auth:
--- a/etc/rootpack/ru/crypto.profile.yaml
+++ b/etc/rootpack/ru/crypto.profile.yaml
@@ -8,6 +8,7 @@ StellaOps:
        ru-offline:
          PreferredProviders:
            - ru.cryptopro.csp
+            - ru.openssl.gost
            - ru.pkcs11
    CryptoPro:
      Keys:
@@ -27,6 +28,14 @@ StellaOps:
          Pin: "${PKCS11_PIN}"
          PrivateKeyLabel: rootpack-signing
          CertificateThumbprint: "<thumbprint>"
+    OpenSsl:
+      Keys:
+        - KeyId: ru-openssl-default
+          Algorithm: GOST12-256
+          PrivateKeyPath: /opt/stellaops/keys/ru_openssl_priv.pem
+          PrivateKeyPassphraseEnvVar: RU_OPENSSL_PRIV_PASS
+          CertificatePath: /opt/stellaops/certs/ru_openssl_cert.pem
+          SignatureFormat: Der
    Diagnostics:
      Providers:
        Enabled: true