stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cef4cb2c5a2d29b5b40a4a25cd7f8426c8c5dd4f
git.stella-ops.org/docs/implplan/archived/SPRINT_100_identity_signing.md
master cef4cb2c5a Add support for ГОСТ Р 34.10 digital signatures 
- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
2025-11-09 21:59:57 +02:00

7.5 KiB
Raw Blame History

Sprint 100 - Identity & Signing

Last updated: November 9, 2025. Implementation order is DOING → TODO → BLOCKED.

Active items are mirrored to docs/implplan/archived/tasks.md (refreshed 2025-11-09) now that Sprint 100 is closed.

Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.

100.B) Authority.I

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase I).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-AIRGAP-57-001 DONE (2025-11-08) Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority)
2 AUTH-PACKS-43-001 DONE (2025-11-09) Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)

100.B) Authority.II

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase II).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-DPOP-11-001 DONE (2025-11-08) DPoP validation now runs for every /token grant, interactive tokens inherit cnf.jkt/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)
2 AUTH-MTLS-11-002 DONE (2025-11-08) Refresh grants now enforce the original client certificate, tokens persist x5t#S256/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)
3 PLG4-6.CAPABILITIES DONE (2025-11-08) Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
4 PLG6.DIAGRAM DONE (2025-11-03) Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under docs/assets/authority; dev guide now references final exports. Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
5 PLG7.RFC DONE (2025-11-03) LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
6 SEC2.PLG DONE (2025-11-09) StandardCredentialAuditLogger now pushes authority.plugin.standard.password_verification events via IAuthEventSink, pulling client/tenant/network metadata from AuthorityCredentialAuditContextAccessor; success/failure/lockout scenarios are covered by new unit tests. Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
7 SEC3.PLG DONE (2025-11-09) Lockout/rate-limit telemetry emits deterministic plugin.retry_after_seconds + plugin.lockout_until properties, maps failure codes to the extended AuthEventOutcome set, and is validated by updated credential store/audit logger tests. Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
8 SEC5.PLG DONE (2025-11-09) Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (plugin.* properties) so SOC/offline reviewers can trace mitigations end-to-end. Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
9 PLG7.IMPL-003 DONE (2025-11-09) Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
10 PLG7.IMPL-004 DONE (2025-11-09) LDAP plug-in now ships clientProvisioning.* options, a Mongo-audited LdapClientProvisioningStore, capability gating, and docs/tests covering LDAP writes + cache shims. BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap)
11 PLG7.IMPL-005 DONE (2025-11-09) LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
12 PLG7.IMPL-006 DONE (2025-11-09) LDAP bootstrap provisioning added (write probe, Mongo audit mirror, capability downgrade + health status) with docs/tests + sample manifest updates. BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap)
  • 2025-11-08: PLG4-6.CAPABILITIES marked DONE bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (dotnet test across plugins + Authority core).
  • 2025-11-08: AUTH-AIRGAP-57-001 landed — new airGap.sealedMode options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until authority-sealed-ci.json passes.
  • 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
  • 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (StellaOps.Authority.Plugin.Ldap.Tests).
  • 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.
  • 2025-11-09: PLG7.IMPL-006 complete — LDAP plug-in now provisions bootstrap users with hashed audit mirrors, capability probes that prove write access before advertising clientProvisioning/bootstrap, degraded health signalling when directories are read-only, updated docs, and passing targeted tests.
  • 2025-11-09: AUTH-PACKS-43-001 complete — Authority /token now requires pack_run_id/pack_gate_id/pack_plan_hash for packs.approve, scope handler enforces a 5minute fresh-auth window, docs (docs/security/pack-signing-and-rbac.md, docs/task-packs/runbook.md) describe the procedure, and CLI/tests cover the new claims.

100.D) __Libraries

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on __Libraries.

# Task ID & handle State Key dependency / next step Owners
1 KMS-73-001 DONE (2025-11-03) AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms)
2 KMS-73-002 DONE (2025-11-03) PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms)