feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

## Summary This commit completes Phase 2 of the configuration-driven crypto architecture, achieving 100% crypto compliance by eliminating all hardcoded cryptographic implementations. ## Key Changes ### Phase 1: Plugin Loader Infrastructure - **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading - **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support - **Dependency Injection**: Extended DI to support plugin-based crypto provider registration - **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml - **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement ### Phase 2: Code Refactoring - **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios - **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support - Supports ES256/384/512, RS256/384/512, PS256/384/512 - SubjectPublicKeyInfo (SPKI) public key format - **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage - **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests - **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md - **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis ### Testing Infrastructure (TestKit) - **Determinism Gate**: Created DeterminismGate for reproducibility validation - **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers - **Traits System**: Implemented test lane attributes for parallel CI execution - **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons - **Test Lanes**: Created test-lanes.yml workflow for parallel test execution ### Documentation - **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan - **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE) - **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md - **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_* ## Compliance & Testing - ✅ Zero direct System.Security.Cryptography usage in production code - ✅ All crypto operations go through ICryptoProvider abstraction - ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider - ✅ Build successful (AirGap, Crypto plugin, DI infrastructure) - ✅ Audit script validates crypto boundaries ## Files Modified **Core Crypto Infrastructure:** - src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension) - src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor) - src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier) **Plugin Implementation:** - src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new) - src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new) **Production Code Refactoring:** - src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant) **Tests:** - src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests) - src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new) **Configuration:** - etc/crypto-plugins-manifest.json (plugin registry) - etc/appsettings.crypto.*.yaml (regional profiles) **Documentation:** - docs/security/offline-verification-crypto-provider.md (600+ lines) - docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan) - docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete) ## Next Steps Phase 3: Docker & CI/CD Integration - Create multi-stage Dockerfiles with all plugins - Build regional Docker Compose files - Implement runtime configuration selection - Add deployment validation scripts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
--- a/etc/appsettings.crypto.russia.yaml
+++ b/etc/appsettings.crypto.russia.yaml
@@ -0,0 +1,129 @@
+# StellaOps Cryptography Configuration - Russia (GOST) Profile
+# This configuration enforces GOST R 34.10-2012 and GOST R 34.11-2012 (Streebog) compliance
+# for Russian Federation deployments requiring FSB certification.
+#
+# IMPORTANT: This profile DISABLES all non-GOST algorithms for strict compliance.
+# Only GOST-approved cryptographic providers are enabled.
+
+StellaOps:
+  Crypto:
+    Plugins:
+      # Path to the plugin manifest JSON file
+      ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"
+
+      # Discovery mode: "explicit" for strict control
+      DiscoveryMode: "explicit"
+
+      # Enabled GOST providers (in priority order)
+      Enabled:
+        # Primary: OpenSSL GOST engine (recommended for Linux)
+        - Id: "openssl.gost"
+          Priority: 100
+          Options:
+            enginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
+            # Alternate paths for different architectures:
+            # ARM64: "/usr/lib/aarch64-linux-gnu/engines-3/gost.so"
+
+        # Secondary: PKCS#11 provider for hardware security modules (Rutoken, JaCarta, etc.)
+        - Id: "pkcs11.gost"
+          Priority: 95
+          Options:
+            libraryPath: "/usr/lib/x86_64-linux-gnu/pkcs11/librtpkcs11ecp.so"
+            # Alternative paths:
+            # - "/usr/lib/librtpkcs11ecp.so" (older installations)
+            # - "/usr/lib/pkcs11/libccpkcs11.so" (CryptoPro PKCS#11)
+            # PIN can be provided via environment variable: STELLAOPS_PKCS11_PIN
+            pin: "${PKCS11_PIN}"  # Use environment variable
+            slotId: 0
+
+        # Tertiary: Wine CSP provider (for running Windows CryptoPro CSP on Linux)
+        - Id: "wine.csp"
+          Priority: 90
+          Options:
+            winePrefix: "/opt/stellaops/wine"
+            cspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
+
+        # Fallback: CryptoPro native provider (Windows only)
+        # This will only load on Windows platforms due to platform filtering
+        - Id: "cryptopro.gost"
+          Priority: 110
+          Options: {}
+
+      # CRITICAL: Disable ALL non-GOST providers
+      Disabled:
+        - "default"           # Standard .NET crypto (SHA-256, ECDSA)
+        - "libsodium"         # Ed25519, XChaCha20-Poly1305
+        - "bouncycastle.*"    # BouncyCastle providers
+        - "sm.*"              # Chinese SM2/SM3/SM4
+        - "eidas.*"           # European eIDAS
+        - "fips.*"            # FIPS 140-3
+        - "pq.*"              # Post-quantum
+        - "sim.*"             # Simulation providers
+
+      # Fail immediately if GOST provider cannot be loaded
+      FailOnMissingPlugin: true
+
+      # Require at least one GOST provider
+      RequireAtLeastOne: true
+
+    Compliance:
+      # Compliance profile: GOST R (Russia)
+      ProfileId: "gost"
+
+      # CRITICAL: Enable strict validation
+      # This will REJECT any signature/hash algorithm that is not GOST-compliant
+      StrictValidation: true
+
+      # Enforce jurisdiction filtering
+      EnforceJurisdiction: true
+
+      # Only allow Russian jurisdiction plugins
+      AllowedJurisdictions:
+        - "russia"
+
+      # Canonical algorithms (GOST R 34.10-2012 / GOST R 34.11-2012)
+      HashAlgorithm: "GOST-R-34.11-2012-256"
+      SignatureAlgorithm: "GOST-R-34.10-2012-256"
+
+      # Enable warnings for any non-GOST algorithm attempts
+      WarnOnWeakAlgorithms: true
+
+# OpenSSL GOST engine configuration
+#   Crypto:
+#     OpenSsl:
+#       # Path to GOST engine shared library
+#       EnginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
+#       # Enable engine auto-loading
+#       AutoLoadEngine: true
+
+# PKCS#11 configuration
+#   Crypto:
+#     Pkcs11:
+#       # PKCS#11 library path
+#       LibraryPath: "/usr/lib/librtpkcs11ecp.so"
+#       # Token PIN (prefer environment variable for security)
+#       Pin: "${PKCS11_PIN}"
+#       # Slot ID (usually 0 for single-token systems)
+#       SlotId: 0
+#       # Enable token login
+#       RequireLogin: true
+
+# Wine CSP configuration (for Linux deployments requiring Windows CryptoPro CSP)
+#   Crypto:
+#     WineCsp:
+#       # Wine prefix directory
+#       WinePrefix: "/opt/stellaops/wine"
+#       # Wine executable path
+#       WineExecutable: "/opt/wine-stable/bin/wine64"
+#       # CryptoPro CSP name
+#       CspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
+
+# CryptoPro configuration (Windows only)
+#   Crypto:
+#     CryptoPro:
+#       # Container name
+#       ContainerName: "stellaops-gost-signing"
+#       # Use machine key store
+#       UseMachineKeyStore: true
+#       # Provider type
+#       ProviderType: 80  # PROV_GOST_2012_256