git.stella-ops.org/docs/features/checked/cryptography/hardware-backed-org-key-kms-signing.md
2026-02-11 01:32:14 +02:00

Hardware-Backed Org Key / KMS Signing

Module: Cryptography

Status: VERIFIED

Description

HSM and KMS key support via a pluggable cryptography module, with dedicated plugins for hardware-backed signing.

Implementation Details

  • HsmPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- PKCS#11 HSM integration supporting RSA (SHA-256/384/512, PSS-SHA256), ECDSA (P-256, P-384), and AES-GCM (128/256) operations; ConnectAsync/DisconnectAsync for HSM session management; simulation mode for testing without hardware
  • Pkcs11HsmClientImpl: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs -- production PKCS#11 native library wrapper for hardware key operations
  • CryptoPluginBase: src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs -- base class providing plugin lifecycle + ICryptoCapability interface with Sign/Verify/Encrypt/Decrypt/Hash operations
  • MultiProfileSigner: src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs -- orchestrates concurrent signing with multiple profiles (e.g., HSM-backed + software EdDSA dual-stack)
  • IContentSigner: src/Cryptography/StellaOps.Cryptography/IContentSigner.cs -- abstraction: SignAsync, Profile, Algorithm, KeyId
  • DefaultSigningKeyResolver: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs -- resolves signing keys from trust anchors and key management
  • CryptoDsseSigner: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs -- DSSE signer using crypto plugin infrastructure
  • Tests: src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs, src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs, MultiPluginSignVerifyIntegrationTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify HSM-backed signing via PKCS#11 produces valid signatures verifiable with the corresponding public key
  • Verify HSM key operations work through the CryptoPluginBase plugin interface
  • Test multi-profile signing with HSM + software key profiles combined
  • Verify signing key resolution from trust anchors routes to HSM plugin for HSM-prefixed algorithms
  • Test CryptoDsseSigner produces valid DSSE envelopes when backed by HSM keys
  • Verify HSM disconnect and reconnect behavior during key operations
  • Test simulation mode provides functional signing for development/testing environments
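The implementation details and test plan above describe a dual-stack flow: one payload is signed by an HSM-backed profile and a software EdDSA profile, wrapped in a DSSE envelope, and later verified against both keys. The following Go program is an added illustration of that flow; it is not StellaOps code and does not use the StellaOps API. The Profile type, the key ids org-key-hsm and org-key-soft, the in-process P-256 key standing in for the HSM plugin's simulation mode, and the in-toto payload type are all assumptions made for the example. What it shows that the bullets do not is the exact byte string that gets signed (the DSSE pre-authentication encoding, which binds the payload type as well as the payload) and a verification policy that rejects an envelope when either profile's signature is missing or fails.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// pae builds the DSSE pre-authentication encoding that is actually signed:
// "DSSEv1" SP LEN(payloadType) SP payloadType SP LEN(payload) SP payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Signature and Envelope mirror the DSSE envelope layout (base64 string fields).
type Signature struct{ KeyID, Sig string }
type Envelope struct {
	PayloadType, Payload string
	Signatures           []Signature
}

// Profile is a hypothetical IContentSigner-style unit (assumed name): a key id plus an
// opaque crypto.Signer, the shape a PKCS#11 handle exposes, so HSM and software profiles
// differ only in where the private half lives.
type Profile struct {
	KeyID  string
	Signer crypto.Signer
}

// Sign hashes with SHA-256 for ECDSA keys and signs raw for Ed25519 (pure mode).
func (p Profile) Sign(msg []byte) ([]byte, error) {
	if _, ed := p.Signer.Public().(ed25519.PublicKey); ed {
		return p.Signer.Sign(rand.Reader, msg, crypto.Hash(0))
	}
	h := sha256.Sum256(msg)
	return p.Signer.Sign(rand.Reader, h[:], crypto.SHA256)
}

// Verify needs only the public half, which is all a relying party should hold.
func (p Profile) Verify(msg, sig []byte) bool {
	switch k := p.Signer.Public().(type) {
	case *ecdsa.PublicKey:
		h := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(k, h[:], sig)
	case ed25519.PublicKey:
		return ed25519.Verify(k, msg, sig)
	}
	return false
}

// NewDualStack pairs an HSM-simulated P-256 profile (constructed stand-in) with a software Ed25519 profile.
func NewDualStack() ([]Profile, error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, edKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	return []Profile{{"org-key-hsm", ecKey}, {"org-key-soft", edKey}}, nil
}

// SignMultiProfile signs one PAE with every profile, in profile order, so the envelope is deterministic.
func SignMultiProfile(payloadType string, payload []byte, profiles []Profile) (*Envelope, error) {
	msg := pae(payloadType, payload)
	sigs := make([]Signature, 0, len(profiles))
	for _, p := range profiles {
		raw, err := p.Sign(msg)
		if err != nil {
			return nil, fmt.Errorf("profile %q: %w", p.KeyID, err)
		}
		sigs = append(sigs, Signature{p.KeyID, base64.StdEncoding.EncodeToString(raw)})
	}
	return &Envelope{payloadType, base64.StdEncoding.EncodeToString(payload), sigs}, nil
}

// VerifyAll enforces the dual-stack policy: every expected profile must verify over the recomputed PAE.
func VerifyAll(env *Envelope, profiles []Profile) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	msg := pae(env.PayloadType, payload)
	verified := map[string]bool{}
	for _, sig := range env.Signatures {
		raw, _ := base64.StdEncoding.DecodeString(sig.Sig) // undecodable sig just fails Verify
		for _, p := range profiles {
			if p.KeyID == sig.KeyID && p.Verify(msg, raw) {
				verified[sig.KeyID] = true
			}
		}
	}
	for _, p := range profiles {
		if !verified[p.KeyID] {
			return fmt.Errorf("no valid signature from profile %q", p.KeyID)
		}
	}
	return nil
}
```

Because the PAE includes the payload type, changing either the type or the body invalidates both signatures; and because VerifyAll iterates over the expected profiles rather than over the envelope's signature list, an envelope that carries only the software signature is rejected rather than accepted as partially valid.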

Verification

  • Run ID: run-001
  • Date: 2026-02-10
  • Method: Tier 1 code review + Tier 2d test verification
  • Build: PASS (0 errors, 0 warnings)
  • Tests: PASS (101/101 cryptography tests pass)

HSM plugin fully implemented with PKCS#11 support (session pooling, multi-slot failover, key attribute validation). Simulation mode for development. Integration tests use SoftHSM2 when available. Signer infrastructure connects crypto plugins to DSSE signing pipeline.

Verdict: PASS

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-002/tier2-integration-check.json
  • Outcome: Hardware-backed profile behavior remains stable in current test matrix.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-003/tier2-integration-check.json
  • Outcome: Hardware-backed org-key profile behavior remains stable in follow-up replay.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 deterministic integration replay + full cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-004/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains stable; PQC caveat remains unchanged.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-005/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-006/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-007/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-008/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-009/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-010/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-011/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-012/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.