stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e69b57d467ffe665754fa93f5a0853e6e96bd526
git.stella-ops.org/docs/implplan/SPRINT_514_sovereign_crypto_enablement.md
master cef4cb2c5a Add support for ГОСТ Р 34.10 digital signatures 
- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
2025-11-09 21:59:57 +02:00

8.8 KiB
Raw Blame History

Sprint 514 - Ops & Offline · 190.K) Sovereign Crypto Enablement

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

[Ops & Offline] 190.K) Sovereign Crypto Enablement

Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli

Summary: Deliver RootPack_RU-ready sovereign crypto providers (CryptoPro + PKCS#11), configuration knobs, deterministic tests, and repo-wide crypto routing audit.

Fork status: third_party/forks/AlexMAS.GostCryptography tracks upstream commit 31413f6 (2024-07-01) so we can patch/build the CryptoPro plug-in without pulling the vulnerable IT.GostCryptography binary.

Task ID State Task description Owners (Source)
SEC-CRYPTO-90-017 TODO Vendor third_party/forks/AlexMAS.GostCryptography into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the rest of the repo and publishes artifacts for downstream consumers. Security Guild (third_party/forks + src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-018 TODO Update developer/RootPack documentation to describe the new fork, sync steps, and licensing so operators know where the CryptoPro sources live and how to refresh them. Security & Docs Guilds (docs/security/rootpack_ru_*.md, docs/dev/crypto.md)
SEC-CRYPTO-90-019 TODO Patch the fork to drop vulnerable System.Security.Cryptography.{Pkcs,Xml} 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). Security Guild (third_party/forks/AlexMAS.GostCryptography)
SEC-CRYPTO-90-020 TODO Re-point StellaOps.Cryptography.Plugin.CryptoPro to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-021 TODO Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. Security & QA Guilds (scripts/crypto/**, docs/security/rootpack_ru_validation.md)
SEC-CRYPTO-90-001 DONE (2025-11-07) Produce the RootPack_RU implementation plan, provider strategy (CryptoPro + PKCS#11), and backlog split for sovereign crypto work. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-002 DONE (2025-11-07) Extend signature/catalog constants and configuration schema to recognize GOST12-256/512, regional crypto profiles, and provider preference ordering. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-003 DONE (2025-11-07) Implement StellaOps.Cryptography.Plugin.CryptoPro provider (sign/verify/JWK export) using CryptoPro CSP with deterministic logging/tests. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-004 DONE (2025-11-07) Implement StellaOps.Cryptography.Plugin.Pkcs11Gost provider (Rutoken/JaCarta) via Pkcs11Interop with configurable slot/pin/module handling. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-005 DONE (2025-11-08) Add configuration-driven provider selection (crypto.regionalProfiles), CLI diagnostics, and telemetry. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-006 DONE (2025-11-08) Build deterministic Streebog/signature harnesses and RootPack audit metadata/runbooks. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-007 DONE (2025-11-08) Package RootPack_RU artifacts (plugins, trust anchors, configs) with deployment documentation. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-008 DONE (2025-11-08) Audit repository for direct crypto usage bypassing the new abstractions and file remediation tasks. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-009 DONE (2025-11-09) Replace the placeholder CryptoPro plug-in with a true CryptoPro CSP implementation (GostCryptography, certificate-store lookup, DER/raw normalization) so RootPack_RU exposes a qualified-signature path. Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-010 DONE (2025-11-09) Introduce StellaOpsCryptoOptions / configuration binding for registry profiles/keys and ship an AddStellaOpsCryptoRu(IConfiguration, …) helper so hosts can enable ru-offline via YAML without custom code. Security Guild (src/__Libraries/StellaOps.Cryptography + .DependencyInjection)
SEC-CRYPTO-90-011 DONE (2025-11-09) Build the sovereign crypto CLI (StellaOps.CryptoRu.Cli) to list keys, perform test-sign operations, and emit determinism/audit snapshots referenced in the RootPack docs. Security & Ops Guilds (src/Tools/StellaOps.CryptoRu.Cli)
SEC-CRYPTO-90-012 TODO Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into scripts/crypto/run-rootpack-ru-tests.sh, covering Streebog vectors and DER/raw signatures. Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests)
SEC-CRYPTO-90-013 TODO Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-014 TODO Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register the RU providers, bind StellaOps:Crypto profiles, and expose configuration toggles per the new options model. Security Guild + Service Guilds (multi-module)
SEC-CRYPTO-90-015 TODO Refresh RootPack/validation documentation once the CLI/config/tests exist (remove TODO callouts, document final workflows). Security Guild & Docs Guild (docs/security/rootpack_ru_*.md)
SEC-CRYPTO-90-016 DONE (2025-11-09) Quarantine CryptoPro dependencies by default until IT.GostCryptography is patched; add MSBuild flag StellaOpsEnableCryptoPro and follow-up plan to re-enable the plug-in once a safe package exists. Security Guild (src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro)
AUTH-CRYPTO-90-001 DOING (2025-11-08) Migrate Authority signing/key-loading paths (provider registry + crypto hash) so regional bundles can select sovereign providers per docs/security/crypto-routing-audit-2025-11-07.md. Authority Core & Security Guild (src/Authority/StellaOps.Authority)

CONCELIER-WEB-AOC-19-005 | DOING (2025-11-08) | Fix /advisories/{key}/chunks seeded fixtures so AdvisoryChunksEndpoint tests stop returning 404/not-found when raw documents are pre-populated; ensure Mongo migrations no longer emit “Unable to locate advisory_raw documents” during test boot. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) CONCELIER-WEB-AOC-19-006 | DOING (2025-11-08) | Align WebService auth defaults with the test tokens so the allowlisted tenant can create an advisory before forbidden tenants are rejected in AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) CONCELIER-WEB-AOC-19-007 | DOING (2025-11-08) | Update AOC verify logic/fixtures so guard failures produce the expected ERR_AOC_001 payload while keeping mapper/guard parity covered by tests. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) SCANNER-CRYPTO-90-001 | TODO | Route hashing/signing flows (ScanIdGenerator, ReportSigner, Sbomer BuildX plugin) through ICryptoProviderRegistry so sovereign deployments can select RU providers per the crypto routing audit. | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService) SCANNER-WORKER-CRYPTO-90-001 | TODO | Wire Scanner Worker and BuildX analyzers to the crypto provider registry/hash abstractions, ensuring replay/report parity for sovereign bundles. | Scanner Worker Guild, Security Guild (src/Scanner/StellaOps.Scanner.Worker) SCANNER-CRYPTO-90-002 | TODO | Enable PQ-friendly DSSE (Dilithium/Falcon) for fragment signing + _composition.json attestations via crypto provider options; ship configuration docs and fixture coverage. | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-CRYPTO-90-003 | TODO | Add regression tests that rerun deterministic composition with RU/PQ profiles and validate Merkle roots + DSSE chains (hooked into docs/replay/DETERMINISTIC_REPLAY.md). Dependencies: SCANNER-CRYPTO-90-002. | Scanner Worker Guild, QA Guild (src/Scanner/__Tests) | ATTESTOR-CRYPTO-90-001 | TODO | Migrate attestation bundle hashing/witness flows to the registry + hash abstractions, enabling CryptoPro/PKCS#11 deployments. | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor)