stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
1c782897f762f04b9ed69aed534a03dbe2893039
git.stella-ops.org/docs/security/rootpack_ru_crypto_fork.md
StellaOps Bot 1c782897f7
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
up
2025-11-26 07:47:08 +02:00

3.1 KiB
Raw Blame History

RootPack_RU Crypto Fork Notes (CryptoPro / GOST) · 2025-11-25

Why

  • We need a patchable, source-controlled CryptoPro/GOST stack to ship RootPack_RU without relying on the vulnerable IT.GostCryptography 6.0.0.1 package.
  • The fork lives at third_party/forks/AlexMAS.GostCryptography and is now wired into StellaOps.Cryptography.Plugin.CryptoPro.

Fork specifics

  • Upstream: https://github.com/AlexMAS/GostCryptography @ commit 31413f6.
  • Retargeted to net10.0; packaging-on-build disabled to avoid accidental nuget pushes.
  • Added deps: System.Security.Cryptography.Xml 8.0.1, System.Security.Permissions 8.0.0, warning suppressions (CA1416, SYSLIB0004) for Windows-only CSP APIs.
  • Build entrypoint: third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj.

How we consume it

  • src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro now project-references the fork (removed IT.GostCryptography nuget).
  • Runtime still Windows-only; plugin uses CSP (CspParameters) for key material when available.
  • Tests are opt-in and Windows/CSP only: set STELLAOPS_CRYPTO_PRO_ENABLED=1 and run scripts/crypto/run-cryptopro-tests.ps1.

How to sync the fork

  • Track the pinned upstream commit in third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md (currently 31413f6).
  • To refresh:
    1. git clone https://github.com/AlexMAS/GostCryptography.git /tmp/gost && cd /tmp/gost && git checkout <commit-or-tag>
    2. rsync -a --delete --exclude .git /tmp/gost/ third_party/forks/AlexMAS.GostCryptography/
    3. Update STELLA_NOTES.md with the new commit hash and any upstream changes that matter for CSP/Magma/Kuznyechik.
    4. Run dotnet build third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release plus dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release to confirm the fork still compiles inside the monorepo.
  • Keep the folder free of binary outputs (no .nupkg or bin/obj committed) so RootPack stays reproducible.

Build & test quickstart (Windows runner with CryptoPro CSP installed)

dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj -c Release
scripts/crypto/run-cryptopro-tests.ps1 -Configuration Release

CI (opt-in)

  • Workflow: .gitea/workflows/cryptopro-optin.yml
  • Trigger: workflow_dispatch only; assumes runner already has CryptoPro CSP installed/licensed.
  • Env guard: STELLAOPS_CRYPTO_PRO_ENABLED=1 set in workflow to enable CryptoPro tests.

What remains (tracked in SEC-CRYPTO-90-019/020)

  • Run the fork + plugin tests on a Windows+CSP agent.
  • Wire an opt-in CI lane for CryptoPro so default pipelines stay green.
  • Add platform-aware smoke tests for signer/verify with real CSP key.

Licensing & distro notes

  • Upstream license: MIT; keep LICENSE + NOTICE from the fork inside RootPack bundles and in third-party notices.
  • Plugin remains AGPL-3.0-or-later; ensure fork sources stay vendored (no binary-only blobs).
  • Do not publish the fork to public feeds; only build from source inside RootPack bundles.