Files

Docs CI / lint-and-preview (push) Has been cancelled

Details

Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

2025-11-08 20:53:45 +02:00

3.4 KiB

Raw Blame History

RootPack_RU Packaging Guide

This guide describes the reproducible process for assembling the sovereign cryptography bundle that backs RootPack_RU deployments.

1. What the bundle contains

Directory	Purpose
`artifacts/`	Published binaries for `StellaOps.Cryptography.Plugin.CryptoPro` and `StellaOps.Cryptography.Plugin.Pkcs11Gost` (targeting `net10.0`).
`config/rootpack_ru.crypto.yaml`	Opinionated configuration template that enables the `ru-offline` crypto profile and defines CryptoPro + PKCS#11 keys.
`docs/`	Validation runbook, audit report, and this packaging guide.
`trust/`	Russian trust-anchor PEM files copied from `certificates/russian_trusted_*`.
`README.txt`	High-level summary plus operator checklist.

2. Build the bundle

# from repository root
scripts/crypto/package-rootpack-ru.sh
# optionally specify destination
scripts/crypto/package-rootpack-ru.sh /tmp/rootpack_ru_$(date -u +%Y%m%dT%H%M%SZ)

The script performs the following steps:

dotnet publish for the CryptoPro + PKCS#11 plug-ins (Release configuration).
Copies the relevant documentation (docs/security/rootpack_ru_validation.md, docs/security/crypto-routing-audit-2025-11-07.md, and this guide).
Includes the example configuration found at etc/rootpack/ru/crypto.profile.yaml.
Adds the Russian trust anchors from certificates/russian_trusted_*.
Emits README.txt and optionally creates a *.tar.gz archive (set PACKAGE_TAR=0 to skip the tarball).

3. Attach deterministic test evidence

After running scripts/crypto/package-rootpack-ru.sh, execute the deterministic harness to capture logs:

scripts/crypto/run-rootpack-ru-tests.sh
# or specify ROOTPACK_LOG_DIR=/tmp/rootpack_ru_tests scripts/crypto/run-rootpack-ru-tests.sh

Copy the resulting logs/rootpack_ru_<timestamp>/ directory into the bundle before distributing it (or store it alongside the tarball in your evidence store).

Each harness run produces a README.tests file plus matching .log/.trx pairs for every project. Move the entire directory under an evidence folder inside the bundle (for example evidence/validation/<timestamp>/) so operators can quickly locate the README, raw logs, and provider JSON snapshots when assembling compliance paperwork:

dest="${1:-out/rootpack_ru}"
ts="$(ls logs | grep rootpack_ru_ | sort | tail -n1)"
mkdir -p "${dest}/evidence/validation"
cp -a "logs/${ts}" "${dest}/evidence/validation/${ts}"

4. Hardware validation + audit metadata

Follow docs/security/rootpack_ru_validation.md to:

Validate CryptoPro CSP and PKCS#11 tokens.
Capture stellaops crypto providers --profile ru-offline --json output.
Archive JWKS snapshots and CryptoProviderMetrics samples.
Document hardware serials and operator initials in hardware_notes.md.

Store these artifacts under logs/rootpack_ru_<timestamp>/ (same directory as the test harness outputs) and reference them in release paperwork.

5. Deployment summary

Import the bundled trust anchors into the target installation (Authority + Scanner).
Apply config/rootpack_ru.crypto.yaml, update certificate thumbprints, slots, and container labels to match the operator tokens.
Restart the services so ICryptoProviderRegistry reloads the ru-offline profile.
Re-run the validation runbook to confirm JWKS, telemetry, and RootPack evidence are aligned with the shipping bundle.

3.4 KiB Raw Blame History