79b8e53441
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced `SbomService` tasks documentation. - Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`. - Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace. - Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories. - Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests. - Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace. - Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
1.1 KiB
1.1 KiB
ICryptoProviderRegistry Prep — PREP-EVID-CRYPTO-90-001 (Draft)
Status: Draft (2025-11-20) Owners: Evidence Locker Guild · Security Guild Scope: Capture requirements for crypto provider registry readiness to support sovereign/region-specific profiles.
Required capabilities
- Registry interface to resolve crypto providers by profile ID (e.g.,
default,ru-offline,fips140,eidass). - Provider metadata:
{algorithms[], key_formats[], offline_supported, hsm_supported, oq_ready}. - Deterministic selection rules: prefer tenant-scoped overrides, fall back to platform defaults; no network fetch.
Integration points
- Evidence Locker signing pipeline to request provider by profile when sealing bundles.
- Replay validation to know which algorithms/hashes are acceptable for DSSE verification.
Dependencies
- Final list of sovereign profiles from Security Guild.
- Key storage/backing (KMS/HSM) availability per profile.
Handoff
Use this as the prep artefact for PREP-EVID-CRYPTO-90-001; update once profile list and key storage rules are confirmed.