stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
75c2bcafced8b7a9e4e442cd10af3972f5788d35
git.stella-ops.org/docs/security/crypto-routing-audit-2025-11-07.md
master 75c2bcafce
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add LDAP Distinguished Name Helper and Credential Audit Context 
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
2025-11-09 12:21:38 +02:00

8.4 KiB
Raw Blame History

Crypto Routing Audit — 07 Nov 2025

Scope. Inventory direct uses of System.Security.Cryptography (and related primitives) outside the StellaOps.Cryptography* stack to identify callers that must be routed through sovereign-aware providers (default, PKCS#11, CryptoPro, future PQC).

Method. rg -l "using System.Security.Cryptography" src | grep -Ev "__Tests|\.Tests/" (filtered for runtime code). Counts reflect unique files per top-level module.

Summary (runtime files by module)

Module/Area Files bypassing shared crypto
Concelier 34
Scanner 31
Authority 20
Excititor 18
Attestor 18
EvidenceLocker 10
Findings / Vuln Explorer 7
Zastava 6
ExportCenter 6
Policy 4
Scheduler 3
CLI 3
Bench 3
AdvisoryAI 3
Other (Notify, Registry, Signals, etc.) 11 combined

Configuring crypto.regionalProfiles

All hosts can now express provider ordering and profile overrides via configuration:

StellaOps:
  Crypto:
    Registry:
      PreferredProviders:
        - default
        - ru.pkcs11
      ActiveProfile: ru-offline
      Profiles:
        ru-offline:
          PreferredProviders:
            - ru.cryptopro.csp
            - ru.pkcs11
    Pkcs11:
      Keys:
        - KeyId: ru-slot-token
          LibraryPath: /usr/local/lib/librutokenecp.so
          SlotId: "0x1"
          PrivateKeyLabel: signing-key
          CertificateThumbprint: "<thumbprint>"
    CryptoPro:
      Keys:
        - KeyId: ru-csp-token
          ProviderName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
          CertificateThumbprint: "<thumbprint>"
          CertificateStoreLocation: LocalMachine
          CertificateStoreName: My

Call builder.Services.AddStellaOpsCryptoRu(builder.Configuration) to bind this configuration and register the RU providers with the correct preferred order.

Each deployment picks a profile (activeProfile) that resolves to a deterministic provider order, and individual services call into ICryptoProviderRegistry rather than new-ing crypto stacks directly.

Known gaps (2025-11-09)

Even after the initial plug-ins landed, several sovereign-crypto deliverables remain outstanding. These items must be addressed before RootPack_RU can be treated as GA:

  1. CryptoPro CSP integration StellaOps.Cryptography.Plugin.CryptoPro currently reuses the PKCS#11 core and never talks to CryptoPro CSP / GostCryptography. Replace it with a real CSP-backed signer, including certificate-store lookup and DER/raw normalization.
  2. Ops CLI The promised StellaOps.CryptoRu.Cli (list keys, try-sign, emit determinism records) has not been implemented; operators are blind when staging PKCS#11/CryptoPro keys.
  3. Integration tests There are zero CryptoPro/PKCS#11 tests in src/__Libraries/__Tests/StellaOps.Cryptography.Tests/. The RootPack validation script cannot validate hardware paths today.
  4. Symmetric GOST Magma/Kuznyechik (RFC 5830 / RFC 7801) support is missing, so RU deployments cannot request sovereign symmetric encryption for exports/data-at-rest.
  5. Host adoption Authority, Scanner, Concelier, etc. register only the default providers; none call the RU DI helpers or set ActiveProfile = ru-offline, leaving sovereign bundles inert.
  6. Docs/runbooks RootPack docs reference the CLI/config/test harnesses, but they do not yet exist; we need explicit TODOs (see rootpack docs) and follow-up edits once tooling ships.

Inspecting providers from the CLI

stellaops crypto providers now lists the registered providers, signing algorithms, certificate metadata, and the current preferred order. Use --json for machine-readable output or --profile <name> to preview another profile (e.g., ru-offline) before flipping configuration.

High-priority hotspots

Concelier (ingestion + mirror connectors)

  • src/Concelier/StellaOps.Concelier.WebService/Services/OpenApiDiscoveryDocumentProvider.cs builds SHA256 hashes for discovery docs inline.
  • src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/Security/MirrorSignatureVerifier.cs performs RSA verification directly.
  • src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiConnector.cs and .Ru.Bdu local hash/signature handling for regional advisories.

Action: Introduce ICryptoProviderRegistry consumption inside connector/lib assemblies (probably through lightweight adapter service). File follow-up tasks in src/Concelier/StellaOps.Concelier.WebService/TASKS.md and connector TASK boards to migrate hashing/signing to the new PKCS#11/CryptoPro providers (priority for RU feeds to unblock RootPack_RU).

Update (2025-11-08). OpenAPI discovery, advisory chunk IDs, SourceFetchService/SourceStateSeedProcessor, OSV/NVD + RU connectors, and the JSON exporter/mirror bundle writers now route hashing/signing through ICryptoHash + StellaOpsCryptoOptions. Remaining Concelier hotspots should now only appear inside the shared StellaOps.Cryptography* assemblies.

Scanner (web service, worker, Sbomer plug-ins)

  • src/Scanner/StellaOps.Scanner.WebService/Utilities/ScanIdGenerator.cs direct SHA256 for id derivation.
  • src/Scanner/StellaOps.Scanner.WebService/Services/ReportSigner.cs uses ECDsa.Create() directly for DSSE hand-off.
  • src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestPublisher.cs manual digesting before CAS writes.

Action: Create shared IScanCryptoService backed by ICryptoProviderRegistry so both web service and worker reuse sovereign providers. Add tasks under src/Scanner/StellaOps.Scanner.WebService/TASKS.md and src/Scanner/StellaOps.Scanner.Worker/TASKS.md.

Authority (plugins + signing host)

  • StellaOps.Authority/Signing/* classes still load PEM/PKCS#12 directly via X509Certificate2 and RSA.
  • AuthoritySecretHasher and AuthorityClientCertificateValidator maintain custom hashing.

Action: Wire Authority signing/loading paths to ICryptoProviderRegistry so active keys can point to ru.cryptopro.csp or ru.pkcs11. Open tasks in src/Authority/StellaOps.Authority/TASKS.md covering: signing key loading, JWKS generation, secret hashing migration.

Excititor / Attestor

  • Excititor connectors (e.g., src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ghsa/GhsaConnector.cs) re-hash payloads in place.
  • Attestor submission cache uses SHA256 for bundle ids.

Action: Introduce shared hashing helper that internally calls ICryptoProviderRegistry.ResolveOrThrow(CryptoCapability.Signing, SignatureAlgorithms.GostR3410_2012_256) for digest+sign combos; log follow-ups in respective TASK boards.

Evidence Locker / Export Center

  • Export packaging code manually builds SHA/V1 digests before signing manifests.

Action: Add backlog tasks for both modules to replace SHA256.Create() usage with provider-backed hashing (especially for offline bundle sealing).

Next steps

  1. Open remediation tasks per module referencing this audit (minimum: Concelier, Scanner, Authority, Excititor, Attestor, Evidence Locker, Export Center). Each task should specify which files to migrate and target provider (default vs sovereign).
  2. Provide shared helpers (e.g., ICryptoDigestService, ICasSigner) in StellaOps.Cryptography to ease adoption and avoid each module talking to the registry manually.
  3. Follow-up audit once migrations land; rerun the command and ensure only StellaOps.Cryptography* and vetted crypto libraries contain direct System.Security.Cryptography usage.
  4. RootPack validation runbook — see docs/security/rootpack_ru_validation.md for deterministic tests, hardware validation, and required audit artifacts before shipping RootPack_RU.

Remediation tracking snapshot (2025-11-08)

  • Authority: AUTH-CRYPTO-90-001 (Authority TASKS board)
  • Scanner: SCANNER-CRYPTO-90-001 (WebService TASKS board)
  • Concelier: CONCELIER-CRYPTO-90-001 (WebService TASKS board)
  • Excititor: EXCITITOR-CRYPTO-90-001 (WebService TASKS board)
  • Attestor: ATTESTOR-CRYPTO-90-001 (Attestor TASKS board)
  • Evidence Locker: EVID-CRYPTO-90-001 (Evidence Locker TASKS board)
  • Export Center: EXPORT-CRYPTO-90-001 (Exporter Service TASKS board)

Stored query artifacts: /tmp/crypto_runtime_non_tests.txt (157 runtime files) and aggregated counts above prepared on 2025-11-07.