stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
d2ac60c0e6854c9e066d2e506a3d0590c949196e
git.stella-ops.org/src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs
master 491e883653 Add tests for SBOM generation determinism across multiple formats 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-24 00:36:14 +02:00

136 lines
4.9 KiB
C#
Raw Blame History

using System.Collections.Generic;
namespace StellaOps.Cryptography;
/// <summary>
/// High-level cryptographic capabilities supported by StellaOps providers.
/// </summary>
public enum CryptoCapability
{
PasswordHashing,
Signing,
Verification,
SymmetricEncryption,
KeyDerivation,
ContentHashing
}
/// <summary>
/// Identifies a stored key or certificate handle.
/// </summary>
public sealed record CryptoKeyReference(string KeyId, string? ProviderHint = null);
/// <summary>
/// Contract implemented by crypto providers (BCL, CryptoPro, OpenSSL, etc.).
/// </summary>
public interface ICryptoProvider
{
string Name { get; }
bool Supports(CryptoCapability capability, string algorithmId);
IPasswordHasher GetPasswordHasher(string algorithmId);
/// <summary>
/// Retrieves a content hasher for the supplied algorithm.
/// </summary>
/// <param name="algorithmId">Hash algorithm identifier (e.g., SHA-256, GOST-R-34.11-2012-256).</param>
/// <returns>Hasher instance.</returns>
ICryptoHasher GetHasher(string algorithmId);
/// <summary>
/// Retrieves a signer for the supplied algorithm and key reference.
/// </summary>
/// <param name="algorithmId">Signing algorithm identifier (e.g., ES256).</param>
/// <param name="keyReference">Key reference.</param>
/// <returns>Signer instance.</returns>
ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference);
/// <summary>
/// Creates an ephemeral verifier from raw public key bytes (verification-only, no key persistence).
/// Used for scenarios like DSSE verification where public keys are provided inline.
/// </summary>
/// <param name="algorithmId">Signing algorithm identifier (e.g., RS256, ES256).</param>
/// <param name="publicKeyBytes">Public key in SubjectPublicKeyInfo format (DER-encoded).</param>
/// <returns>Ephemeral signer instance (supports VerifyAsync only).</returns>
ICryptoSigner CreateEphemeralVerifier(string algorithmId, ReadOnlySpan<byte> publicKeyBytes)
=> throw new NotSupportedException($"Provider '{Name}' does not support ephemeral verification.");
/// <summary>
/// Adds or replaces signing key material managed by this provider.
/// </summary>
/// <param name="signingKey">Key material descriptor.</param>
void UpsertSigningKey(CryptoSigningKey signingKey);
/// <summary>
/// Removes signing key material by key identifier.
/// </summary>
/// <param name="keyId">Identifier to remove.</param>
/// <returns><c>true</c> if the key was removed.</returns>
bool RemoveSigningKey(string keyId);
/// <summary>
/// Lists signing key descriptors managed by this provider.
/// </summary>
IReadOnlyCollection<CryptoSigningKey> GetSigningKeys();
}
/// <summary>
/// Registry managing provider discovery and policy selection.
/// </summary>
public interface ICryptoProviderRegistry
{
IReadOnlyCollection<ICryptoProvider> Providers { get; }
bool TryResolve(string preferredProvider, out ICryptoProvider provider);
ICryptoProvider ResolveOrThrow(CryptoCapability capability, string algorithmId);
/// <summary>
/// Resolves a signer for the supplied algorithm and key reference using registry policy.
/// </summary>
/// <param name="capability">Capability required (typically <see cref="CryptoCapability.Signing"/>).</param>
/// <param name="algorithmId">Algorithm identifier.</param>
/// <param name="keyReference">Key reference.</param>
/// <param name="preferredProvider">Optional provider hint.</param>
/// <returns>Resolved signer.</returns>
CryptoSignerResolution ResolveSigner(
CryptoCapability capability,
string algorithmId,
CryptoKeyReference keyReference,
string? preferredProvider = null);
/// <summary>
/// Resolves a content hasher for the supplied algorithm using registry policy.
/// </summary>
/// <param name="algorithmId">Hash algorithm identifier (e.g., SHA-256, GOST-R-34.11-2012-256).</param>
/// <param name="preferredProvider">Optional provider hint.</param>
/// <returns>Resolved hasher with provider name.</returns>
CryptoHasherResolution ResolveHasher(string algorithmId, string? preferredProvider = null);
}
public sealed record CryptoSignerResolution(ICryptoSigner Signer, string ProviderName);
public sealed record CryptoHasherResolution(ICryptoHasher Hasher, string ProviderName);
/// <summary>
/// Content hasher for computing cryptographic digests.
/// </summary>
public interface ICryptoHasher
{
/// <summary>
/// Algorithm identifier (e.g., SHA-256, GOST-R-34.11-2012-256).
/// </summary>
string AlgorithmId { get; }
/// <summary>
/// Computes the hash of the given data.
/// </summary>
byte[] ComputeHash(ReadOnlySpan<byte> data);
/// <summary>
/// Computes the hash and returns it as a lowercase hex string.
/// </summary>
string ComputeHashHex(ReadOnlySpan<byte> data);
}
Reference in New Issue View Git Blame Copy Permalink