feat: Implement DefaultCryptoHmac for compliance-aware HMAC operations

- Added DefaultCryptoHmac class implementing ICryptoHmac interface. - Introduced purpose-based HMAC computation methods. - Implemented verification methods for HMACs with constant-time comparison. - Created HmacAlgorithms and HmacPurpose classes for well-known identifiers. - Added compliance profile support for HMAC algorithms. - Included asynchronous methods for HMAC computation from streams.
2025-12-06 00:41:04 +02:00
parent 43c281a8b2
commit f0662dd45f
362 changed files with 8441 additions and 22338 deletions
--- a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/StellaOps.Signer.Core.csproj
+++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/StellaOps.Signer.Core.csproj
@@ -1,12 +1,12 @@
-<Project Sdk="Microsoft.NET.Sdk">
-  <PropertyGroup>
-    <TargetFramework>net10.0</TargetFramework>
-    <LangVersion>preview</LangVersion>
-    <Nullable>enable</Nullable>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-  </PropertyGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\Provenance\StellaOps.Provenance.Attestation\StellaOps.Provenance.Attestation.csproj" />
-  </ItemGroup>
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\Provenance\StellaOps.Provenance.Attestation\StellaOps.Provenance.Attestation.csproj" />
+  </ItemGroup>
+</Project>
--- a/src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/HmacDsseSigner.cs
+++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/HmacDsseSigner.cs
@@ -1,10 +1,10 @@
 using System;
 using System.Collections.Generic;
-using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Options;
+using StellaOps.Cryptography;
 using StellaOps.Signer.Core;
 using StellaOps.Signer.Infrastructure.Options;

@@ -13,11 +13,16 @@ namespace StellaOps.Signer.Infrastructure.Signing;
 public sealed class HmacDsseSigner : IDsseSigner
 {
    private readonly IOptionsMonitor<SignerCryptoOptions> _options;
+    private readonly ICryptoHmac _cryptoHmac;
    private readonly TimeProvider _timeProvider;

-    public HmacDsseSigner(IOptionsMonitor<SignerCryptoOptions> options, TimeProvider timeProvider)
+    public HmacDsseSigner(
+        IOptionsMonitor<SignerCryptoOptions> options,
+        ICryptoHmac cryptoHmac,
+        TimeProvider timeProvider)
    {
        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _cryptoHmac = cryptoHmac ?? throw new ArgumentNullException(nameof(cryptoHmac));
        _timeProvider = timeProvider ?? TimeProvider.System;
    }

@@ -35,9 +40,7 @@ public sealed class HmacDsseSigner : IDsseSigner
        var payloadBytes = SignerStatementBuilder.BuildStatementPayload(request);

        var secretBytes = Convert.FromBase64String(options.Secret);
-        using var hmac = new HMACSHA256(secretBytes);
-        var signatureBytes = hmac.ComputeHash(payloadBytes);
-        var signature = Convert.ToBase64String(signatureBytes);
+        var signature = _cryptoHmac.ComputeHmacBase64ForPurpose(secretBytes, payloadBytes, HmacPurpose.Signing);
        var payloadBase64 = Convert.ToBase64String(payloadBytes);

        var envelope = new DsseEnvelope(
--- a/src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/StellaOps.Signer.Infrastructure.csproj
+++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/StellaOps.Signer.Infrastructure.csproj
@@ -1,21 +1,21 @@
-<Project Sdk="Microsoft.NET.Sdk">
-  <PropertyGroup>
-    <TargetFramework>net10.0</TargetFramework>
-    <LangVersion>preview</LangVersion>
-    <Nullable>enable</Nullable>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-  </PropertyGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
-    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
-  </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0-rc.2.25502.107" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
-    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
-    <PackageReference Include="MongoDB.Driver" Version="3.5.0" />
-    <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
-  </ItemGroup>
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
+  </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
+    <PackageReference Include="MongoDB.Driver" Version="3.5.0" />
+    <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
+  </ItemGroup>
+</Project>
--- a/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj
+++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj
@@ -9,7 +9,7 @@
    <UseConcelierTestInfra>false</UseConcelierTestInfra>
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0-rc.2.25502.107" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
    <PackageReference Include="Mongo2Go" Version="3.1.3" />
    <PackageReference Include="xunit" Version="2.9.2" />
--- a/src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj
+++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj
@@ -8,7 +8,7 @@
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0-rc.2.25502.107" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0" />
    <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.12.0" />
    <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.12.0" />
    <PackageReference Include="OpenTelemetry.Instrumentation.Http" Version="1.12.0" />