# RootPack_RU Crypto Fork Notes (CryptoPro / GOST) · 2025-11-25

## Why

- We need a patchable, source-controlled CryptoPro/GOST stack to ship RootPack_RU without relying on the vulnerable `IT.GostCryptography` 6.0.0.1 package.
- The fork lives at `third_party/forks/AlexMAS.GostCryptography` and is now wired into `StellaOps.Cryptography.Plugin.CryptoPro`.

## Fork specifics

- Upstream: https://github.com/AlexMAS/GostCryptography @ commit `31413f6`.
- Retargeted to `net10.0`; packaging-on-build disabled to avoid accidental NuGet pushes.
- Added deps: `System.Security.Cryptography.Xml` 8.0.1, `System.Security.Permissions` 8.0.0, plus warning suppressions (CA1416, SYSLIB0004) for the Windows-only CSP APIs.
- Build entrypoint: `third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj`.

## How we consume it

- `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro` now project-references the fork (the `IT.GostCryptography` NuGet reference is removed).
- Runtime is still Windows-only; the plugin uses the CSP (`CspParameters`) for key material when available.
- Tests are opt-in and Windows/CSP only: set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and run `scripts/crypto/run-cryptopro-tests.ps1`.

## How to sync the fork

- Track the pinned upstream commit in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` (currently `31413f6`).
- To refresh:
  1. `git clone https://github.com/AlexMAS/GostCryptography.git /tmp/gost && cd /tmp/gost && git checkout `
  2. `rsync -a --delete --exclude .git /tmp/gost/ third_party/forks/AlexMAS.GostCryptography/`. Note that `--delete` replaces the whole vendored tree, including `STELLA_NOTES.md` and the local csproj changes listed under "Fork specifics" (net10.0 retarget, added deps, warning suppressions); commit the previous state first so those changes can be recovered from `git diff` and re-applied before building.
  3. Update `STELLA_NOTES.md` with the new commit hash and any upstream changes that matter for CSP/Magma/Kuznyechik.
  4. Run `dotnet build third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release` and `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` to confirm the fork still compiles inside the monorepo.
- Keep the folder free of binary outputs (no `.nupkg` or `bin/obj` committed) so RootPack stays reproducible.

## Build & test quickstart (Windows runner with CryptoPro CSP installed)

```powershell
dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj -c Release
scripts/crypto/run-cryptopro-tests.ps1 -Configuration Release
```

### CI (opt-in)

- Workflow: `.gitea/workflows/cryptopro-optin.yml`
- Trigger: `workflow_dispatch` only; assumes the runner already has CryptoPro CSP installed and licensed.
- Env guard: `STELLAOPS_CRYPTO_PRO_ENABLED=1` is set in the workflow to enable the CryptoPro tests.

## What remains (tracked in SEC-CRYPTO-90-019/020)

- Run the fork + plugin tests on a Windows+CSP agent.
- Wire an opt-in CI lane for CryptoPro so default pipelines stay green.
- Add platform-aware smoke tests for sign/verify with a real CSP key.

## Licensing & distro notes

- Upstream license: MIT; keep `LICENSE` + `NOTICE` from the fork inside RootPack bundles and in the third-party notices.
- The plugin remains AGPL-3.0-or-later; ensure the fork sources stay vendored (no binary-only blobs).
- Do **not** publish the fork to public feeds; only build it from source inside RootPack bundles.
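## Worked example: scripted fork sync

The "How to sync the fork" procedure above, written out as one script. This is an added example, not a script from the StellaOps repo or from the upstream AlexMAS project. It goes a little beyond the listed steps: it refuses a pin that is not a hex commit hash (so a branch or tag name cannot silently move the pin), requires the vendored tree to be committed before the rsync overwrites the local csproj changes, excludes `STELLA_NOTES.md` from the mirror, and enforces the "no binary outputs" rule by scanning for `.nupkg`/`.snupkg` files and `bin`/`obj` directories. It assumes the repo paths named in these notes and that `STELLA_NOTES.md` records the pin on a line of the form `Pinned upstream commit: <hash>`; that line format, the scan, and the clean-tree precheck are assumptions made here, not conventions the notes document.

```bash
#!/usr/bin/env bash
# Added example for the fork-sync procedure in these notes; not a script that
# ships in RootPack. Assumes the repo paths named in the notes and that
# STELLA_NOTES.md carries the pin on a line "Pinned upstream commit: <hash>"
# (that line format is an assumption).
set -euo pipefail

UPSTREAM_URL="https://github.com/AlexMAS/GostCryptography.git"
FORK_DIR="third_party/forks/AlexMAS.GostCryptography"
NOTES="$FORK_DIR/STELLA_NOTES.md"

# Accept only a 7-40 character lowercase hex SHA-1, so a branch or tag name
# cannot move the pin to wherever upstream currently points.
valid_commit() {
  case "$1" in
    '' | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -ge 7 ] && [ "${#1}" -le 40 ]
}

# Fail if the vendored tree contains packages or build output; those must
# never be committed (see "Keep the folder free of binary outputs").
check_no_binaries() {
  local hits
  hits=$(find "$1" -not -path '*/.git/*' \
           \( -name '*.nupkg' -o -name '*.snupkg' \
              -o -type d -name bin -o -type d -name obj \) -print)
  [ -z "$hits" ]
}

# Rewrite the pin line in the notes file and print the previous hash.
update_pin() {
  local notes="$1" new="$2" old
  old=$(sed -n 's/^Pinned upstream commit: \([0-9a-f]\{7,40\}\).*/\1/p' "$notes")
  [ -n "$old" ] || { echo "no pin line in $notes" >&2; return 1; }
  sed -i.bak "s/^Pinned upstream commit: $old/Pinned upstream commit: $new/" "$notes"
  rm -f "$notes.bak"
  printf '%s\n' "$old"
}

# Steps 1-3 of the procedure: clone upstream at the requested commit, mirror
# it into the fork dir, verify no binaries, and record the full hash.
sync_fork() {
  local new="$1" tmp old
  valid_commit "$new" || { echo "refusing non-hash pin: $new" >&2; return 1; }
  # rsync --delete overwrites the local csproj changes (net10.0 retarget,
  # added deps, warning suppressions). Require a clean tree so they can be
  # recovered with `git diff` and re-applied before building.
  [ -z "$(git status --porcelain -- "$FORK_DIR")" ] \
    || { echo "commit $FORK_DIR before syncing" >&2; return 1; }
  tmp=$(mktemp -d)
  git clone --quiet "$UPSTREAM_URL" "$tmp"
  git -C "$tmp" checkout --quiet --detach "$new"
  new=$(git -C "$tmp" rev-parse HEAD)   # pin the full hash, not an abbreviation
  rsync -a --delete --exclude .git --exclude STELLA_NOTES.md "$tmp/" "$FORK_DIR/"
  rm -rf "$tmp"
  check_no_binaries "$FORK_DIR"
  old=$(update_pin "$NOTES" "$new")
  echo "pin moved $old -> $new"
  echo "re-apply the local csproj changes (see 'git diff -- $FORK_DIR'), then run: $0 build"
}

# Step 4: confirm the fork and the plugin still compile inside the monorepo.
build_fork() {
  dotnet build "$FORK_DIR/Source/GostCryptography/GostCryptography.csproj" -c Release
  dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release
}

case "${1:-}" in
  sync)  sync_fork "${2:?usage: $0 sync <upstream-commit-hash>}" ;;
  build) build_fork ;;
esac
```

Run it as `./sync-gost-fork.sh sync <hash>` (the script name is arbitrary), re-apply the csproj changes from `git diff`, then `./sync-gost-fork.sh build`. The binary scan is also usable on its own as a pre-commit check, since a stray `bin/obj` tree or `.nupkg` in the vendored folder is exactly what would break RootPack reproducibility.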