stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ef933db0d8d5a2a635513aaa032d7d7a328d8016
git.stella-ops.org/tests/reachability/PoE/Fixtures/guarded-path-dotnet.poe.golden.json
master ef933db0d8 feat(cli): Implement crypto plugin CLI architecture with regional compliance 
Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

 All crypto code compiles successfully
 Integration tests pass
 Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00

193 lines
7.3 KiB
JSON
Raw Blame History

{
"@type": "https://stellaops.dev/predicates/proof-of-exposure@v1",
"evidence": {
"graphHash": "blake3:f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
"sbomRef": "cas://scanner-artifacts/sbom.cdx.json"
},
"metadata": {
"analyzer": {
"name": "stellaops-scanner",
"toolchainDigest": "sha256:567890123456789012345678901234567890123456789012345678901234",
"version": "1.2.0"
},
"generatedAt": "2025-12-23T12:15:00.000Z",
"policy": {
"evaluatedAt": "2025-12-23T12:13:00.000Z",
"policyDigest": "sha256:890123456789012345678901234567890123456789012345678901234567",
"policyId": "prod-release-v42"
},
"reproSteps": [
"1. Build container image from Dockerfile (commit: ghi789)",
"2. Run scanner with config: etc/scanner.yaml (includeGuards=true)",
"3. Extract reachability graph with maxDepth=10",
"4. Resolve CVE-2024-56789 to vulnerable symbols with guard predicates"
]
},
"schema": "stellaops.dev/poe@v1",
"subject": {
"buildId": "gnu-build-id:9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f",
"componentRef": "pkg:nuget/VulnerableLib@2.3.1",
"imageDigest": "sha256:ghi789012345678901234567890123456789012345678901234567890123",
"vulnId": "CVE-2024-56789"
},
"subgraph": {
"edges": [
{
"confidence": 0.98,
"from": "sym:csharp:WebApi.Controllers.PaymentController.ProcessPayment",
"guards": [],
"to": "sym:csharp:WebApi.Services.PaymentService.Charge"
},
{
"confidence": 0.96,
"from": "sym:csharp:WebApi.Services.PaymentService.Charge",
"guards": [
"FeatureFlags.EnableLegacyPayment"
],
"to": "sym:csharp:WebApi.Legacy.LegacyPaymentAdapter.ProcessLegacy"
},
{
"confidence": 0.94,
"from": "sym:csharp:WebApi.Legacy.LegacyPaymentAdapter.ProcessLegacy",
"guards": [],
"to": "sym:csharp:VulnerableLib.Crypto.InsecureHasher.ComputeHash"
},
{
"confidence": 0.97,
"from": "sym:csharp:WebApi.Controllers.PaymentController.ProcessPayment",
"guards": [],
"to": "sym:csharp:WebApi.Services.PaymentService.Validate"
},
{
"confidence": 0.95,
"from": "sym:csharp:WebApi.Services.PaymentService.Validate",
"guards": [
"RuntimeInformation.IsOSPlatform(OSPlatform.Windows)"
],
"to": "sym:csharp:WebApi.Validation.WindowsValidator.CheckSignature"
},
{
"confidence": 0.93,
"from": "sym:csharp:WebApi.Validation.WindowsValidator.CheckSignature",
"guards": [],
"to": "sym:csharp:VulnerableLib.Crypto.InsecureHasher.ComputeHash"
},
{
"confidence": 0.92,
"from": "sym:csharp:WebApi.Controllers.AdminController.MigrateData",
"guards": [
"Environment.GetEnvironmentVariable(\"ENABLE_MIGRATION\") == \"true\""
],
"to": "sym:csharp:WebApi.Migration.DataMigrator.ExecuteMigration"
},
{
"confidence": 0.90,
"from": "sym:csharp:WebApi.Migration.DataMigrator.ExecuteMigration",
"guards": [],
"to": "sym:csharp:WebApi.Legacy.LegacyDataConverter.ConvertFormat"
},
{
"confidence": 0.88,
"from": "sym:csharp:WebApi.Legacy.LegacyDataConverter.ConvertFormat",
"guards": [],
"to": "sym:csharp:VulnerableLib.Crypto.InsecureHasher.ComputeHash"
},
{
"confidence": 0.87,
"from": "sym:csharp:WebApi.Services.PaymentService.Charge",
"guards": [],
"to": "sym:csharp:WebApi.Logging.AuditLogger.LogTransaction"
}
],
"entryRefs": [
"sym:csharp:WebApi.Controllers.PaymentController.ProcessPayment",
"sym:csharp:WebApi.Controllers.AdminController.MigrateData"
],
"nodes": [
{
"addr": "0x601000",
"file": "PaymentController.cs",
"id": "sym:csharp:WebApi.Controllers.PaymentController.ProcessPayment",
"line": 56,
"moduleHash": "sha256:601234567890123456789012345678901234567890123456789012345678",
"symbol": "WebApi.Controllers.PaymentController.ProcessPayment(PaymentRequest)"
},
{
"addr": "0x602000",
"file": "AdminController.cs",
"id": "sym:csharp:WebApi.Controllers.AdminController.MigrateData",
"line": 89,
"moduleHash": "sha256:601234567890123456789012345678901234567890123456789012345678",
"symbol": "WebApi.Controllers.AdminController.MigrateData()"
},
{
"addr": "0x603000",
"file": "PaymentService.cs",
"id": "sym:csharp:WebApi.Services.PaymentService.Charge",
"line": 123,
"moduleHash": "sha256:612345678901234567890123456789012345678901234567890123456789",
"symbol": "WebApi.Services.PaymentService.Charge(decimal, string)"
},
{
"addr": "0x603100",
"file": "PaymentService.cs",
"id": "sym:csharp:WebApi.Services.PaymentService.Validate",
"line": 167,
"moduleHash": "sha256:612345678901234567890123456789012345678901234567890123456789",
"symbol": "WebApi.Services.PaymentService.Validate(PaymentRequest)"
},
{
"addr": "0x604000",
"file": "LegacyPaymentAdapter.cs",
"id": "sym:csharp:WebApi.Legacy.LegacyPaymentAdapter.ProcessLegacy",
"line": 78,
"moduleHash": "sha256:623456789012345678901234567890123456789012345678901234567890",
"symbol": "WebApi.Legacy.LegacyPaymentAdapter.ProcessLegacy(LegacyPayment)"
},
{
"addr": "0x605000",
"file": "WindowsValidator.cs",
"id": "sym:csharp:WebApi.Validation.WindowsValidator.CheckSignature",
"line": 45,
"moduleHash": "sha256:634567890123456789012345678901234567890123456789012345678901",
"symbol": "WebApi.Validation.WindowsValidator.CheckSignature(byte[])"
},
{
"addr": "0x606000",
"file": "DataMigrator.cs",
"id": "sym:csharp:WebApi.Migration.DataMigrator.ExecuteMigration",
"line": 234,
"moduleHash": "sha256:645678901234567890123456789012345678901234567890123456789012",
"symbol": "WebApi.Migration.DataMigrator.ExecuteMigration(MigrationConfig)"
},
{
"addr": "0x607000",
"file": "LegacyDataConverter.cs",
"id": "sym:csharp:WebApi.Legacy.LegacyDataConverter.ConvertFormat",
"line": 156,
"moduleHash": "sha256:623456789012345678901234567890123456789012345678901234567890",
"symbol": "WebApi.Legacy.LegacyDataConverter.ConvertFormat(byte[])"
},
{
"addr": "0x608000",
"file": "InsecureHasher.cs",
"id": "sym:csharp:VulnerableLib.Crypto.InsecureHasher.ComputeHash",
"line": 67,
"moduleHash": "sha256:656789012345678901234567890123456789012345678901234567890123",
"symbol": "VulnerableLib.Crypto.InsecureHasher.ComputeHash(byte[])"
},
{
"addr": "0x609000",
"file": "AuditLogger.cs",
"id": "sym:csharp:WebApi.Logging.AuditLogger.LogTransaction",
"line": 91,
"moduleHash": "sha256:612345678901234567890123456789012345678901234567890123456789",
"symbol": "WebApi.Logging.AuditLogger.LogTransaction(string, decimal)"
}
],
"sinkRefs": [
"sym:csharp:VulnerableLib.Crypto.InsecureHasher.ComputeHash"
]
}
}
Reference in New Issue View Git Blame Copy Permalink