feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

## Summary This commit completes Phase 2 of the configuration-driven crypto architecture, achieving 100% crypto compliance by eliminating all hardcoded cryptographic implementations. ## Key Changes ### Phase 1: Plugin Loader Infrastructure - **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading - **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support - **Dependency Injection**: Extended DI to support plugin-based crypto provider registration - **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml - **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement ### Phase 2: Code Refactoring - **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios - **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support - Supports ES256/384/512, RS256/384/512, PS256/384/512 - SubjectPublicKeyInfo (SPKI) public key format - **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage - **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests - **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md - **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis ### Testing Infrastructure (TestKit) - **Determinism Gate**: Created DeterminismGate for reproducibility validation - **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers - **Traits System**: Implemented test lane attributes for parallel CI execution - **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons - **Test Lanes**: Created test-lanes.yml workflow for parallel test execution ### Documentation - **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan - **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE) - **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md - **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_* ## Compliance & Testing - ✅ Zero direct System.Security.Cryptography usage in production code - ✅ All crypto operations go through ICryptoProvider abstraction - ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider - ✅ Build successful (AirGap, Crypto plugin, DI infrastructure) - ✅ Audit script validates crypto boundaries ## Files Modified **Core Crypto Infrastructure:** - src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension) - src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor) - src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier) **Plugin Implementation:** - src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new) - src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new) **Production Code Refactoring:** - src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant) **Tests:** - src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests) - src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new) **Configuration:** - etc/crypto-plugins-manifest.json (plugin registry) - etc/appsettings.crypto.*.yaml (regional profiles) **Documentation:** - docs/security/offline-verification-crypto-provider.md (600+ lines) - docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan) - docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete) ## Next Steps Phase 3: Docker & CI/CD Integration - Create multi-stage Dockerfiles with all plugins - Build regional Docker Compose files - Implement runtime configuration selection - Add deployment validation scripts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
--- a/src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs
+++ b/src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs
@@ -1,7 +1,7 @@
-using System.Security.Cryptography;
 using System.Text;
 using Microsoft.Extensions.Logging;
 using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.Cryptography;

 namespace StellaOps.AirGap.Importer.Validation;

@@ -13,6 +13,21 @@ namespace StellaOps.AirGap.Importer.Validation;
 public sealed class DsseVerifier
 {
    private const string PaePrefix = "DSSEv1";
+    private readonly ICryptoProviderRegistry _cryptoRegistry;
+
+    public DsseVerifier(ICryptoProviderRegistry? cryptoRegistry = null)
+    {
+        if (cryptoRegistry is null)
+        {
+            // For offline/airgap scenarios, use OfflineVerificationCryptoProvider by default
+            var offlineProvider = new StellaOps.Cryptography.Plugin.OfflineVerification.OfflineVerificationCryptoProvider();
+            _cryptoRegistry = new CryptoProviderRegistry([offlineProvider]);
+        }
+        else
+        {
+            _cryptoRegistry = cryptoRegistry;
+        }
+    }

    public BundleValidationResult Verify(DsseEnvelope envelope, TrustRootConfig trustRoots, ILogger? logger = null)
    {
@@ -89,14 +104,17 @@ public sealed class DsseVerifier
        return Encoding.UTF8.GetBytes(paeBuilder.ToString());
    }

-    private static bool TryVerifyRsaPss(byte[] publicKey, byte[] pae, string signatureBase64)
+    private bool TryVerifyRsaPss(byte[] publicKey, byte[] pae, string signatureBase64)
    {
        try
        {
-            using var rsa = RSA.Create();
-            rsa.ImportSubjectPublicKeyInfo(publicKey, out _);
+            // Use cryptographic abstraction for verification
+            var verifier = _cryptoRegistry.ResolveOrThrow(CryptoCapability.Verification, "PS256")
+                .CreateEphemeralVerifier("PS256", publicKey);
+
            var sig = Convert.FromBase64String(signatureBase64);
-            return rsa.VerifyData(pae, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
+            var result = verifier.VerifyAsync(pae, sig).GetAwaiter().GetResult();
+            return result;
        }
        catch
        {
@@ -104,9 +122,11 @@ public sealed class DsseVerifier
        }
    }

-    private static string ComputeFingerprint(byte[] publicKey)
+    private string ComputeFingerprint(byte[] publicKey)
    {
-        var hash = SHA256.HashData(publicKey);
+        var hasherResolution = _cryptoRegistry.ResolveHasher("SHA-256");
+        var hash = hasherResolution.Hasher.ComputeHash(publicKey);
        return Convert.ToHexString(hash).ToLowerInvariant();
    }
 }
+