stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
5593212b414864ab213082c8945a267451b99901
git.stella-ops.org/docs/features/checked/cryptography/hardware-backed-org-key-kms-signing.md

3.0 KiB
Raw Blame History

Hardware-Backed Org Key / KMS Signing

Module

Cryptography

Status

VERIFIED

Description

HSM and KMS key support via pluggable cryptography module with dedicated plugins for hardware-backed signing.

Implementation Details

  • HsmPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- PKCS#11 HSM integration supporting RSA (SHA-256/384/512, PSS-SHA256), ECDSA (P-256, P-384), and AES-GCM (128/256) operations; ConnectAsync/DisconnectAsync for HSM session management; simulation mode for testing without hardware
  • Pkcs11HsmClientImpl: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs -- production PKCS#11 native library wrapper for hardware key operations
  • CryptoPluginBase: src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs -- base class providing plugin lifecycle + ICryptoCapability interface with Sign/Verify/Encrypt/Decrypt/Hash operations
  • MultiProfileSigner: src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs -- orchestrates concurrent signing with multiple profiles (e.g., HSM-backed + software EdDSA dual-stack)
  • IContentSigner: src/Cryptography/StellaOps.Cryptography/IContentSigner.cs -- abstraction: SignAsync, Profile, Algorithm, KeyId
  • DefaultSigningKeyResolver: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs -- resolves signing keys from trust anchors and key management
  • CryptoDsseSigner: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs -- DSSE signer using crypto plugin infrastructure
  • Tests: src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs, src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs, MultiPluginSignVerifyIntegrationTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify HSM-backed signing via PKCS#11 produces valid signatures verifiable with the corresponding public key
  • Verify HSM key operations work through the CryptoPluginBase plugin interface
  • Test multi-profile signing with HSM + software key profiles combined
  • Verify signing key resolution from trust anchors routes to HSM plugin for HSM-prefixed algorithms
  • Test CryptoDsseSigner produces valid DSSE envelopes when backed by HSM keys
  • Verify HSM disconnect and reconnect behavior during key operations
  • Test simulation mode provides functional signing for development/testing environments

Verification

Run ID: run-001 Date: 2026-02-10 Method: Tier 1 code review + Tier 2d test verification

Build: PASS (0 errors, 0 warnings) Tests: PASS (101/101 cryptography tests pass)

HSM plugin fully implemented with PKCS#11 support (session pooling, multi-slot failover, key attribute validation). Simulation mode for development. Integration tests use SoftHSM2 when available. Signer infrastructure connects crypto plugins to DSSE signing pipeline.

Verdict: PASS