536f6249a6
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
3.6 KiB
3.6 KiB
RootPack_RU Crypto Validation Runbook
Purpose
This runbook documents the repeatable steps for validating the Russian sovereign crypto profile (CryptoPro + PKCS#11) prior to publishing a RootPack bundle. It supplements the crypto routing audit by covering deterministic tests, hardware validation, and the audit metadata artifacts that must be attached to each release.
1. Deterministic Test Harness
- Run
scripts/crypto/run-rootpack-ru-tests.sh(optionalROOTPACK_LOG_DIR=/tmp/rootpack_ru_logsto override the output path). The script executes:src/__Libraries/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csprojsrc/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csprojsrc/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csprojand emits.log+.trxpairs plusREADME.testsunderlogs/rootpack_ru_<timestamp>/.
- For ad-hoc runs (CI or IDE) ensure the same three projects succeed; the cryptography tests validate SHA-256/SHA-512 against BCL implementations and both Streebog variants against BouncyCastle digests.
- Archive the generated log directory (
logs/rootpack_ru_<timestamp>/) along with any additional test outputs inside the RootPack evidence bundle.
2. Hardware Validation (CryptoPro CSP)
- Install CryptoPro CSP (v5.0 or later) on the validation host and import the qualified certificate configured for the deployment.
- Configure
StellaOps:Crypto:CryptoPro:Keyswith the container handle and certificate thumbprint and setStellaOps:Crypto:Registry:ActiveProfile=ru-offline. - Run the provider diagnostics to confirm the key material is visible:
stellaops crypto providers --profile ru-offline --json > logs/ru_cryptopro_providers.json
- Issue a JWKS fetch (
curl https://authority.local/.well-known/jwks) and verify thekidandcrvvalues match the CryptoPro-backed key. - Capture the Authority logs showing
AuthoritySecretHasherInitializerstartup and theCryptoProviderMetricscounters forru.cryptopro.cspusage.
3. Hardware Validation (PKCS#11 Tokens)
- Install the vendor PKCS#11 library (e.g., Rutoken
rtPKCS11ECP.dllor JaCarta) and configure the slot/PIN insideStellaOps:Crypto:Pkcs11:Keys. - Switch the registry profile to prioritize
ru.pkcs11and rerunstellaops crypto providers --profile ru-offline --json > logs/ru_pkcs11_providers.json. - Execute a signing workflow (Authority JWKS refresh or Scanner manifest publish) and confirm the
CryptoProviderMetricscounters recordru.pkcs11activity. - Export the token audit logs (if available) and store them with the RootPack evidence bundle.
4. RootPack Audit Metadata
Create a metadata bundle per validation run and store it under logs/rootpack_ru_<timestamp>/ containing:
providers_ru_offline.json– output fromstellaops crypto providers --profile ru-offline --json.crypto_tests.txt– snippets from the unit-test executions listed above.hardware_notes.md– human-readable notes describing token serials, firmware, and operator initials.jwks_snapshot.json– raw JWKS response captured after sovereign providers are active.metrics_snapshot.json– scrape ofCryptoProviderMetricsPrometheus samples for both providers.
Attach this directory to the RootPack artifact and reference it from the release checklist.
Refer back to docs/security/crypto-routing-audit-2025-11-07.md for the full inventory of components that must consume the shared cryptography stack, and docs/security/rootpack_ru_package.md for packaging/attachment steps.