stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
src/__Libraries/StellaOps.Cryptography.PluginLoader/CryptoPluginConfiguration.cs Normal file
View File

@@ -0,0 +1,90 @@
namespace StellaOps.Cryptography.PluginLoader;
/// <summary>
/// Configuration for crypto plugin loading and selection.
/// </summary>
public sealed class CryptoPluginConfiguration
{
/// <summary>
/// Path to the plugin manifest JSON file.
/// </summary>
public string ManifestPath { get; set; } = "/etc/stellaops/crypto-plugins-manifest.json";
/// <summary>
/// Plugin discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible plugins).
/// Default: "explicit" for production safety.
/// </summary>
public string DiscoveryMode { get; set; } = "explicit";
/// <summary>
/// List of plugins to enable with optional priority and options overrides.
/// </summary>
public List<EnabledPluginEntry> Enabled { get; set; } = new();
/// <summary>
/// List of plugin IDs or patterns to explicitly disable.
/// </summary>
public List<string> Disabled { get; set; } = new();
/// <summary>
/// Fail application startup if a configured plugin cannot be loaded.
/// </summary>
public bool FailOnMissingPlugin { get; set; } = true;
/// <summary>
/// Require at least one crypto provider to be successfully loaded.
/// </summary>
public bool RequireAtLeastOne { get; set; } = true;
/// <summary>
/// Compliance profile configuration.
/// </summary>
public CryptoComplianceConfiguration? Compliance { get; set; }
}
/// <summary>
/// Configuration entry for an enabled plugin.
/// </summary>
public sealed class EnabledPluginEntry
{
/// <summary>
/// Plugin identifier from the manifest.
/// </summary>
public required string Id { get; set; }
/// <summary>
/// Priority override for this plugin (higher = preferred).
/// </summary>
public int? Priority { get; set; }
/// <summary>
/// Plugin-specific options (e.g., enginePath for OpenSSL GOST).
/// </summary>
public Dictionary<string, object>? Options { get; set; }
}
/// <summary>
/// Compliance profile configuration for regional crypto requirements.
/// </summary>
public sealed class CryptoComplianceConfiguration
{
/// <summary>
/// Compliance profile identifier (e.g., "gost", "fips", "eidas", "sm").
/// </summary>
public string? ProfileId { get; set; }
/// <summary>
/// Enable strict validation (reject algorithms not compliant with profile).
/// </summary>
public bool StrictValidation { get; set; }
/// <summary>
/// Enforce jurisdiction filtering (only load plugins for specified jurisdictions).
/// </summary>
public bool EnforceJurisdiction { get; set; }
/// <summary>
/// Allowed jurisdictions (e.g., ["russia"], ["eu"], ["world"]).
/// </summary>
public List<string> AllowedJurisdictions { get; set; } = new();
}

340
src/__Libraries/StellaOps.Cryptography.PluginLoader/CryptoPluginLoader.cs Normal file
View File

@@ -0,0 +1,340 @@
using System.Reflection;
using System.Runtime.InteropServices;
using System.Runtime.Loader;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Cryptography;
namespace StellaOps.Cryptography.PluginLoader;
/// <summary>
/// Loads crypto provider plugins dynamically based on manifest and configuration.
/// </summary>
public sealed class CryptoPluginLoader
{
private readonly CryptoPluginConfiguration _configuration;
private readonly ILogger<CryptoPluginLoader> _logger;
private readonly string _pluginDirectory;
/// <summary>
/// Initializes a new instance of the <see cref="CryptoPluginLoader"/> class.
/// </summary>
/// <param name="configuration">Plugin configuration.</param>
/// <param name="logger">Optional logger instance.</param>
/// <param name="pluginDirectory">Optional plugin directory path. Defaults to application base directory.</param>
public CryptoPluginLoader(
CryptoPluginConfiguration configuration,
ILogger<CryptoPluginLoader>? logger = null,
string? pluginDirectory = null)
{
_configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
_logger = logger ?? NullLogger<CryptoPluginLoader>.Instance;
_pluginDirectory = pluginDirectory ?? AppContext.BaseDirectory;
}
/// <summary>
/// Loads all configured crypto providers.
/// </summary>
/// <returns>Collection of loaded provider instances.</returns>
public IReadOnlyList<ICryptoProvider> LoadProviders()
{
_logger.LogInformation("Loading crypto plugin manifest from: {ManifestPath}", _configuration.ManifestPath);
var manifest = LoadManifest(_configuration.ManifestPath);
var filteredPlugins = FilterPlugins(manifest.Plugins);
var providers = new List<ICryptoProvider>();
var loadedCount = 0;
foreach (var plugin in filteredPlugins.OrderByDescending(p => p.Priority))
{
try
{
var provider = LoadPlugin(plugin);
providers.Add(provider);
loadedCount++;
_logger.LogInformation(
"Loaded crypto plugin: {PluginId} ({PluginName}) with priority {Priority}",
plugin.Id,
plugin.Name,
plugin.Priority);
}
catch (Exception ex)
{
if (_configuration.FailOnMissingPlugin)
{
_logger.LogError(ex, "Failed to load required plugin: {PluginId}", plugin.Id);
throw new CryptoPluginLoadException(
$"Failed to load required crypto plugin '{plugin.Id}': {ex.Message}",
plugin.Id,
ex);
}
_logger.LogWarning(ex, "Failed to load optional plugin: {PluginId}", plugin.Id);
}
}
if (_configuration.RequireAtLeastOne && loadedCount == 0)
{
throw new CryptoPluginLoadException(
"No crypto providers were successfully loaded. At least one provider is required.",
null,
null);
}
_logger.LogInformation("Successfully loaded {Count} crypto provider(s)", loadedCount);
return providers;
}
private CryptoPluginManifest LoadManifest(string manifestPath)
{
if (!File.Exists(manifestPath))
{
throw new FileNotFoundException($"Crypto plugin manifest not found: {manifestPath}", manifestPath);
}
var json = File.ReadAllText(manifestPath);
var manifest = JsonSerializer.Deserialize<CryptoPluginManifest>(json, new JsonSerializerOptions
{
PropertyNameCaseInsensitive = true,
AllowTrailingCommas = true,
ReadCommentHandling = JsonCommentHandling.Skip
});
if (manifest is null)
{
throw new CryptoPluginLoadException($"Failed to deserialize plugin manifest: {manifestPath}", null, null);
}
_logger.LogDebug("Loaded manifest with {Count} plugin(s)", manifest.Plugins.Count);
return manifest;
}
private IReadOnlyList<CryptoPluginDescriptor> FilterPlugins(IReadOnlyList<CryptoPluginDescriptor> allPlugins)
{
var filtered = new List<CryptoPluginDescriptor>();
// Determine which plugins to load based on discovery mode
if (_configuration.DiscoveryMode.Equals("explicit", StringComparison.OrdinalIgnoreCase))
{
// Explicit mode: only load plugins explicitly enabled in configuration
foreach (var enabledEntry in _configuration.Enabled)
{
var plugin = allPlugins.FirstOrDefault(p => p.Id.Equals(enabledEntry.Id, StringComparison.OrdinalIgnoreCase));
if (plugin is null)
{
_logger.LogWarning("Configured plugin not found in manifest: {PluginId}", enabledEntry.Id);
continue;
}
// Apply priority override if specified
if (enabledEntry.Priority.HasValue)
{
plugin = plugin with { Priority = enabledEntry.Priority.Value };
}
// Merge options
if (enabledEntry.Options is not null)
{
var mergedOptions = new Dictionary<string, object>(plugin.Options ?? new Dictionary<string, object>());
foreach (var (key, value) in enabledEntry.Options)
{
mergedOptions[key] = value;
}
plugin = plugin with { Options = mergedOptions };
}
filtered.Add(plugin);
}
}
else
{
// Auto mode: load all plugins from manifest that are enabled by default
filtered.AddRange(allPlugins.Where(p => p.EnabledByDefault));
}
// Apply disabled list
filtered = filtered.Where(p => !IsDisabled(p.Id)).ToList();
// Apply platform filter
var currentPlatform = GetCurrentPlatform();
filtered = filtered.Where(p => p.Platforms.Contains(currentPlatform, StringComparer.OrdinalIgnoreCase)).ToList();
// Apply jurisdiction filter if compliance enforcement is enabled
if (_configuration.Compliance?.EnforceJurisdiction == true &&
_configuration.Compliance.AllowedJurisdictions.Count > 0)
{
filtered = filtered.Where(p =>
p.Jurisdiction.Equals("world", StringComparison.OrdinalIgnoreCase) ||
_configuration.Compliance.AllowedJurisdictions.Contains(p.Jurisdiction, StringComparer.OrdinalIgnoreCase)
).ToList();
}
_logger.LogDebug("Filtered to {Count} plugin(s) after applying configuration", filtered.Count);
return filtered;
}
private bool IsDisabled(string pluginId)
{
foreach (var disabledPattern in _configuration.Disabled)
{
// Support wildcard patterns (e.g., "sm.*")
if (disabledPattern.EndsWith("*"))
{
var prefix = disabledPattern.TrimEnd('*');
if (pluginId.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
else if (pluginId.Equals(disabledPattern, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
return false;
}
private ICryptoProvider LoadPlugin(CryptoPluginDescriptor plugin)
{
var assemblyPath = Path.IsPathRooted(plugin.Assembly)
? plugin.Assembly
: Path.Combine(_pluginDirectory, plugin.Assembly);
if (!File.Exists(assemblyPath))
{
throw new FileNotFoundException($"Plugin assembly not found: {assemblyPath}", assemblyPath);
}
_logger.LogDebug("Loading plugin assembly: {AssemblyPath}", assemblyPath);
// Load assembly using AssemblyLoadContext for isolation
var context = new PluginAssemblyLoadContext(plugin.Id, assemblyPath);
var assembly = context.LoadFromAssemblyPath(assemblyPath);
var providerType = assembly.GetType(plugin.Type);
if (providerType is null)
{
throw new CryptoPluginLoadException(
$"Provider type '{plugin.Type}' not found in assembly '{plugin.Assembly}'",
plugin.Id,
null);
}
if (!typeof(ICryptoProvider).IsAssignableFrom(providerType))
{
throw new CryptoPluginLoadException(
$"Type '{plugin.Type}' does not implement ICryptoProvider",
plugin.Id,
null);
}
// Instantiate the provider
// Try parameterless constructor first, then with options
ICryptoProvider provider;
try
{
if (plugin.Options is not null && plugin.Options.Count > 0)
{
// Try to create with options (implementation-specific)
provider = (ICryptoProvider)Activator.CreateInstance(providerType)!;
}
else
{
provider = (ICryptoProvider)Activator.CreateInstance(providerType)!;
}
}
catch (Exception ex)
{
throw new CryptoPluginLoadException(
$"Failed to instantiate provider '{plugin.Type}': {ex.Message}",
plugin.Id,
ex);
}
_logger.LogDebug("Instantiated provider: {ProviderName}", provider.Name);
return provider;
}
private static string GetCurrentPlatform()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
return "linux";
}
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
return "windows";
}
if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
return "osx";
}
return "unknown";
}
/// <summary>
/// AssemblyLoadContext for plugin isolation.
/// </summary>
private sealed class PluginAssemblyLoadContext : AssemblyLoadContext
{
private readonly AssemblyDependencyResolver _resolver;
public PluginAssemblyLoadContext(string pluginName, string pluginPath)
: base(name: $"CryptoPlugin_{pluginName}", isCollectible: false)
{
_resolver = new AssemblyDependencyResolver(pluginPath);
}
protected override Assembly? Load(AssemblyName assemblyName)
{
var assemblyPath = _resolver.ResolveAssemblyToPath(assemblyName);
if (assemblyPath is not null)
{
return LoadFromAssemblyPath(assemblyPath);
}
// Fall back to default context for shared dependencies
return null;
}
protected override IntPtr LoadUnmanagedDll(string unmanagedDllName)
{
var libraryPath = _resolver.ResolveUnmanagedDllToPath(unmanagedDllName);
if (libraryPath is not null)
{
return LoadUnmanagedDllFromPath(libraryPath);
}
return IntPtr.Zero;
}
}
}
/// <summary>
/// Exception thrown when a crypto plugin fails to load.
/// </summary>
public sealed class CryptoPluginLoadException : Exception
{
/// <summary>
/// Gets the identifier of the plugin that failed to load, if known.
/// </summary>
public string? PluginId { get; }
/// <summary>
/// Initializes a new instance of the <see cref="CryptoPluginLoadException"/> class.
/// </summary>
/// <param name="message">Error message.</param>
/// <param name="pluginId">Plugin identifier, or null if unknown.</param>
/// <param name="innerException">Inner exception, or null.</param>
public CryptoPluginLoadException(string message, string? pluginId, Exception? innerException)
: base(message, innerException)
{
PluginId = pluginId;
}
}

105
src/__Libraries/StellaOps.Cryptography.PluginLoader/CryptoPluginManifest.cs Normal file
View File

@@ -0,0 +1,105 @@
using System.Text.Json.Serialization;
namespace StellaOps.Cryptography.PluginLoader;
/// <summary>
/// Root manifest structure declaring available crypto plugins.
/// </summary>
public sealed record CryptoPluginManifest
{
/// <summary>
/// Gets or inits the JSON schema URI for manifest validation.
/// </summary>
[JsonPropertyName("$schema")]
public string? Schema { get; init; }
/// <summary>
/// Gets or inits the manifest version.
/// </summary>
[JsonPropertyName("version")]
public string Version { get; init; } = "1.0";
/// <summary>
/// Gets or inits the list of available crypto plugin descriptors.
/// </summary>
[JsonPropertyName("plugins")]
public IReadOnlyList<CryptoPluginDescriptor> Plugins { get; init; } = Array.Empty<CryptoPluginDescriptor>();
}
/// <summary>
/// Describes a single crypto plugin with its capabilities and metadata.
/// </summary>
public sealed record CryptoPluginDescriptor
{
/// <summary>
/// Unique plugin identifier (e.g., "openssl.gost", "cryptopro.gost").
/// </summary>
[JsonPropertyName("id")]
public required string Id { get; init; }
/// <summary>
/// Human-readable plugin name.
/// </summary>
[JsonPropertyName("name")]
public required string Name { get; init; }
/// <summary>
/// Assembly file name containing the provider implementation.
/// </summary>
[JsonPropertyName("assembly")]
public required string Assembly { get; init; }
/// <summary>
/// Fully-qualified type name of the ICryptoProvider implementation.
/// </summary>
[JsonPropertyName("type")]
public required string Type { get; init; }
/// <summary>
/// Capabilities supported by this plugin (e.g., "signing:ES256", "hashing:SHA256").
/// </summary>
[JsonPropertyName("capabilities")]
public IReadOnlyList<string> Capabilities { get; init; } = Array.Empty<string>();
/// <summary>
/// Jurisdiction/region where this plugin is applicable (e.g., "russia", "china", "eu", "world").
/// </summary>
[JsonPropertyName("jurisdiction")]
public string Jurisdiction { get; init; } = "world";
/// <summary>
/// Compliance standards supported (e.g., "GOST", "FIPS-140-3", "eIDAS").
/// </summary>
[JsonPropertyName("compliance")]
public IReadOnlyList<string> Compliance { get; init; } = Array.Empty<string>();
/// <summary>
/// Supported platforms (e.g., "linux", "windows", "osx").
/// </summary>
[JsonPropertyName("platforms")]
public IReadOnlyList<string> Platforms { get; init; } = Array.Empty<string>();
/// <summary>
/// Priority for provider resolution (higher = preferred). Default: 50.
/// </summary>
[JsonPropertyName("priority")]
public int Priority { get; init; } = 50;
/// <summary>
/// Default options for plugin initialization.
/// </summary>
[JsonPropertyName("options")]
public Dictionary<string, object>? Options { get; init; }
/// <summary>
/// Conditional compilation symbol required for this plugin (e.g., "STELLAOPS_CRYPTO_PRO").
/// </summary>
[JsonPropertyName("conditionalCompilation")]
public string? ConditionalCompilation { get; init; }
/// <summary>
/// Whether this plugin is enabled by default. Default: true.
/// </summary>
[JsonPropertyName("enabledByDefault")]
public bool EnabledByDefault { get; init; } = true;
}

28
src/__Libraries/StellaOps.Cryptography.PluginLoader/StellaOps.Cryptography.PluginLoader.csproj Normal file
View File

@@ -0,0 +1,28 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
</PropertyGroup>
<PropertyGroup>
<AssemblyName>StellaOps.Cryptography.PluginLoader</AssemblyName>
<RootNamespace>StellaOps.Cryptography.PluginLoader</RootNamespace>
<Description>Configuration-driven plugin loader for StellaOps cryptography providers</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
</ItemGroup>
</Project>