stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ef933db0d8d5a2a635513aaa032d7d7a328d8016
git.stella-ops.org/tests/reachability/PoE/Fixtures/stripped-binary-c.poe.golden.json
master ef933db0d8 feat(cli): Implement crypto plugin CLI architecture with regional compliance 
Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

 All crypto code compiles successfully
 Integration tests pass
 Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00

107 lines
3.2 KiB
JSON
Raw Blame History

{
"@type": "https://stellaops.dev/predicates/proof-of-exposure@v1",
"evidence": {
"graphHash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
"sbomRef": "cas://scanner-artifacts/sbom.cdx.json"
},
"metadata": {
"analyzer": {
"name": "stellaops-scanner",
"toolchainDigest": "sha256:678901234567890123456789012345678901234567890123456789012345",
"version": "1.2.0"
},
"generatedAt": "2025-12-23T13:00:00.000Z",
"policy": {
"evaluatedAt": "2025-12-23T12:58:00.000Z",
"policyDigest": "sha256:901234567890123456789012345678901234567890123456789012345678",
"policyId": "prod-release-v42"
},
"reproSteps": [
"1. Build container image from Dockerfile (commit: jkl012)",
"2. Run scanner with config: etc/scanner.yaml",
"3. Extract reachability graph with maxDepth=10 (stripped binary)",
"4. Resolve CVE-2024-99999 to vulnerable code addresses via binary diffing"
]
},
"schema": "stellaops.dev/poe@v1",
"subject": {
"buildId": "gnu-build-id:c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9",
"componentRef": "pkg:generic/libcrypto.so.1.1@1.1.1k",
"imageDigest": "sha256:jkl012345678901234567890123456789012345678901234567890123456",
"vulnId": "CVE-2024-99999"
},
"subgraph": {
"edges": [
{
"confidence": 0.94,
"from": "code_id:0x401530",
"to": "code_id:0x402140"
},
{
"confidence": 0.91,
"from": "code_id:0x402140",
"to": "code_id:0x403880"
},
{
"confidence": 0.89,
"from": "code_id:0x403880",
"to": "code_id:0x405220"
},
{
"confidence": 0.87,
"from": "code_id:0x405220",
"to": "code_id:0x407b40"
},
{
"confidence": 0.85,
"from": "code_id:0x407b40",
"to": "code_id:0x409c60"
}
],
"entryRefs": [
"code_id:0x401530"
],
"nodes": [
{
"addr": "0x401530",
"id": "code_id:0x401530",
"moduleHash": "sha256:701234567890123456789012345678901234567890123456789012345678",
"symbol": "<stripped>"
},
{
"addr": "0x402140",
"id": "code_id:0x402140",
"moduleHash": "sha256:701234567890123456789012345678901234567890123456789012345678",
"symbol": "<stripped>"
},
{
"addr": "0x403880",
"id": "code_id:0x403880",
"moduleHash": "sha256:701234567890123456789012345678901234567890123456789012345678",
"symbol": "<stripped>"
},
{
"addr": "0x405220",
"id": "code_id:0x405220",
"moduleHash": "sha256:712345678901234567890123456789012345678901234567890123456789",
"symbol": "<stripped>"
},
{
"addr": "0x407b40",
"id": "code_id:0x407b40",
"moduleHash": "sha256:712345678901234567890123456789012345678901234567890123456789",
"symbol": "<stripped>"
},
{
"addr": "0x409c60",
"id": "code_id:0x409c60",
"moduleHash": "sha256:723456789012345678901234567890123456789012345678901234567890",
"symbol": "<stripped>"
}
],
"sinkRefs": [
"code_id:0x409c60"
]
}
}
Reference in New Issue View Git Blame Copy Permalink