git.stella-ops.org/docs/features/checked/cryptography/hsm-integration.md
2026-02-11 01:32:14 +02:00

HSM Integration (PKCS#11)

Module: Cryptography

Status: VERIFIED

Description

PKCS#11 HSM client implementation for hardware security module integration, with integration tests.

Implementation Details

  • HsmPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- HSM crypto plugin extending CryptoPluginBase; supports algorithms: HSM-RSA-SHA256/384/512, HSM-RSA-PSS-SHA256, HSM-ECDSA-P256/P384, HSM-AES-128/256-GCM; initializes with PKCS#11 library path (or simulation mode when unconfigured); SignAsync/VerifyAsync/EncryptAsync/DecryptAsync delegate to IHsmClient; HashAsync (SHA-256/384/512) computed locally; health check reports connected/disconnected/degraded status with slot info
  • IHsmClient: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- HSM client interface: ConnectAsync (slotId, pin), DisconnectAsync, PingAsync, SignAsync, VerifyAsync, EncryptAsync, DecryptAsync
  • Pkcs11HsmClientImpl: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs -- production PKCS#11 client implementation wrapping native PKCS#11 library
  • Pkcs11HsmClient: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- adapter delegating to Pkcs11HsmClientImpl with connection management
  • SimulatedHsmClient: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- test double for HSM operations without hardware: generates RSA-2048 + AES-256 keys on connect; RSA sign/verify with PKCS1/PSS padding; AES-GCM encrypt/decrypt with IV + tag management
  • HsmOptions: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- configuration: LibraryPath (.so/.dll path, empty for simulation), SlotId, Pin, TokenLabel, ConnectionTimeoutSeconds (30), ReadOnlySession flag
  • HsmMechanism: enum for signing/encryption mechanism mapping: RsaSha256/384/512, RsaPssSha256, EcdsaP256/P384, Aes128Gcm, Aes256Gcm
  • Tests: src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs, SoftHsmTestFixture.cs
  • Source: Feature matrix scan
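The SimulatedHsmClient behaviour listed above (RSA-2048 and AES-256 keys generated on connect, RSA sign/verify with PKCS#1 v1.5 or PSS padding, AES-GCM with the nonce and tag managed for the caller), as an added C# sketch written for this page; it is not the project's own class, and the type and member names, the nonce || ciphertext || tag framing and the .NET 8 AesGcm and collection-expression APIs are assumptions made here.

```csharp
using System;
using System.Security.Cryptography;
// Hypothetical names: a subset of the page's HsmMechanism values, mapped below.
public enum HsmMechanism { RsaSha256, RsaSha384, RsaSha512, RsaPssSha256, Aes256Gcm }

// In-memory test double (not the project's SimulatedHsmClient): keys exist only in process memory.
public sealed class SimulatedHsm
{
    private const int NonceSize = 12, TagSize = 16;   // AES-GCM nonce and tag lengths
    private RSA? _rsa;                                 // RSA-2048 key pair, created on Connect()
    private byte[]? _aesKey;                           // AES-256 key, created on Connect()
    public void Connect()
    {
        _rsa = RSA.Create(2048);
        _aesKey = RandomNumberGenerator.GetBytes(32);
    }
    // Mechanism -> (hash, padding): PKCS#1 v1.5 for RsaShaNNN, PSS for RsaPssSha256.
    private static (HashAlgorithmName Hash, RSASignaturePadding Pad) Map(HsmMechanism m) => m switch
    {
        HsmMechanism.RsaSha256    => (HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
        HsmMechanism.RsaSha384    => (HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1),
        HsmMechanism.RsaSha512    => (HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1),
        HsmMechanism.RsaPssSha256 => (HashAlgorithmName.SHA256, RSASignaturePadding.Pss),
        _ => throw new ArgumentException($"{m} is not an RSA signing mechanism"),
    };
    public byte[] Sign(HsmMechanism m, byte[] data) => Ready(_rsa).SignData(data, Map(m).Hash, Map(m).Pad);
    public bool Verify(HsmMechanism m, byte[] data, byte[] sig) => Ready(_rsa).VerifyData(data, sig, Map(m).Hash, Map(m).Pad);
    // Output layout nonce || ciphertext || tag, so callers never carry the IV or tag separately.
    public byte[] Encrypt(byte[] plaintext)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize);  // fresh per call; GCM nonce reuse breaks the scheme
        var ct = new byte[plaintext.Length];
        var tag = new byte[TagSize];
        using var gcm = new AesGcm(Ready(_aesKey), TagSize);
        gcm.Encrypt(nonce, plaintext, ct, tag);
        return [.. nonce, .. ct, .. tag];
    }
    public byte[] Decrypt(byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("ciphertext too short");
        var nonce = blob.AsSpan(0, NonceSize);
        var ct = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        var tag = blob.AsSpan(blob.Length - TagSize);
        var pt = new byte[ct.Length];
        using var gcm = new AesGcm(Ready(_aesKey), TagSize);
        gcm.Decrypt(nonce, ct, tag, pt);   // throws CryptographicException on tag mismatch or tampering
        return pt;
    }
    private static T Ready<T>(T? v) where T : class => v ?? throw new InvalidOperationException("not connected");
}
```

Because the tag is checked before any plaintext is released, a flipped byte anywhere in the blob surfaces as a CryptographicException rather than as silently corrupted output, which is the behaviour the AES-GCM round-trip tests in the plan above should assert on.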

E2E Test Plan

  • Verify HSM plugin initializes in simulation mode when no library path is configured
  • Verify HSM plugin connects to PKCS#11 library when LibraryPath is set
  • Test RSA signing and verification with SHA-256/384/512 and PKCS1/PSS padding
  • Test ECDSA P-256 and P-384 signing and verification
  • Test AES-128-GCM and AES-256-GCM encryption and decryption
  • Verify health check returns Unhealthy when not connected, Degraded on slow response, Healthy with slot details
  • Verify CanHandle only accepts algorithms with HSM- prefix
  • Test plugin lifecycle: initialize -> active -> health check -> dispose (disconnect)

Verification

  • Run ID: run-001
  • Date: 2026-02-10
  • Method: Tier 1 code review + Tier 2d test verification
  • Build: PASS (0 errors, 0 warnings)
  • Tests: PASS (101/101 cryptography tests pass)

Pkcs11HsmClientImpl is a 723-line production implementation built on Pkcs11Interop, with session pooling (SlotContext backed by a ConcurrentBag), multi-slot failover with health monitoring, key lookup by CKA_LABEL or CKA_ID, and key attribute validation. SimulatedHsmClient provides working RSA and AES operations for tests that run without hardware. The integration tests run against SoftHSM2.

Verdict: PASS

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-002/tier2-integration-check.json
  • Outcome: PKCS#11 integration behavior remains stable with existing SoftHSM safeguards.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-003/tier2-integration-check.json
  • Outcome: HSM integration paths remain stable with existing SoftHSM safeguards.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 deterministic integration replay + full cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-004/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains stable; PQC caveat remains unchanged.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-005/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-006/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-007/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-008/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-009/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-010/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-011/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-012/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.