OpenShift Pipelines / SRVKP-7361

Cryptographic Operations Inventory on Pipelines


      Story (Required)

      As a developer, I want to conduct an inventory of cryptographic operations across all Tekton projects, so that we can assess and prepare for potential quantum computing vulnerabilities.

      Background (Required)

      The Tekton ecosystem comprises multiple projects with critical CI/CD infrastructure. Recent advancements in quantum computing pose significant risks to traditional cryptographic methods. This analysis is crucial to:

      • Understand existing cryptographic vulnerabilities
      • Prepare for potential quantum computing attacks
      • Proactively protect software supply chain security
      • Ensure long-term resilience of Tekton projects

      Out of scope

      • Immediate implementation of quantum-resistant algorithms
      • Comprehensive code refactoring
      • Replacing all existing cryptographic implementations
      • Performing actual exploits or penetration testing

      Approach (Required)

      • Examine and report the use of the following packages where present (imports, functions used, features and context of implementation)
        • golang.org/x/crypto
        • github.com/sigstore/*
        • github.com/ProtonMail/go-crypto
        • github.com/spiffe/go-spiffe/v2
      • Examine the use of signature algorithms (key lengths, hashing algorithms used, signature generation and verification methods, certificate chain validation processes)
        • RSA
        • ECDSA
        • EdDSA
        • PGP signatures
        • X.509 certificate signatures
      • Examine and report the use of key management systems (KMS connection methods, key rotation mechanisms, encryption key storage, key lifecycle management, integration points with cryptographic operations)
      • Examine and report SSL/TLS API calls (transport layer security implementations, API endpoint encryption, certificate management, secure connection establishment)
        • Trace SSL/TLS configuration methods
        • Identify cipher suite selections
        • Examine certificate validation processes
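As an added example of how the first two approach steps could be scripted (this is not code from the issue or from any Tekton repository), the Go program below parses one source file with go/parser and reports every use of a watched import: the story's package list plus the standard-library crypto tree. The watch-list prefixes, the constructed sample source and the "importpath selector" output format are assumptions; running it over every .go file in a repository gives the imports, functions and features the report asks for.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Watch list from the story plus the stdlib crypto tree behind RSA/ECDSA/EdDSA/X.509/TLS (assumed).
var watchPrefixes = []string{"golang.org/x/crypto", "github.com/sigstore/",
	"github.com/ProtonMail/go-crypto", "github.com/spiffe/go-spiffe/v2", "crypto"}

// InventoryFile parses one Go source file and returns "importpath selector" for every
// use of a watched import (call, type or constant); it needs no type-checking or build.
func InventoryFile(filename, src string) (uses []string, err error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, 0)
	if err != nil {
		return nil, err
	}
	aliases := map[string]string{} // local identifier -> watched import path
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:] // heuristic; an explicit alias wins
		if imp.Name != nil {
			name = imp.Name.Name
		}
		for _, prefix := range watchPrefixes {
			if strings.HasPrefix(path, prefix) {
				aliases[name] = path
			}
		}
	}
	ast.Inspect(f, func(n ast.Node) bool { // selectors cover calls, types and constants alike
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && aliases[id.Name] != "" {
				uses = append(uses, aliases[id.Name]+" "+id.Name+"."+sel.Sel.Name)
			}
		}
		return true
	})
	return uses, nil
}

// Constructed sample input, not taken from any Tekton repository.
const sampleSource = `package signer; import ("crypto/ecdsa"; "crypto/tls"; "fmt"; ssh "golang.org/x/crypto/ssh")
func sign(key *ecdsa.PrivateKey, cfg *tls.Config) { cfg.MinVersion = tls.VersionTLS12; s, _ := ssh.NewSignerFromKey(key); fmt.Println(s) }`

func main() { fmt.Println(InventoryFile("signer.go", sampleSource)) }
```

The survey is syntactic only: a local variable that shadows a package name would be counted as a use, which is acceptable for a first inventory but should be checked by hand in the consolidated report.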

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      • Create a consolidated report documenting cryptographic operations for each project
      • Catalog all cryptographic libraries and dependencies across projects
      • Identify and list all current signature algorithms in use

      INVEST Checklist

      • Dependencies identified
      • Blockers noted and expected delivery timelines set
      • Design is implementable
      • Acceptance criteria agreed upon
      • Story estimated

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation has been delivered and is running cleanly in the continuous integration/staging/canary environment
      • Continuous delivery pipeline(s) are able to proceed with the new code included
      • Customer-facing documentation, API docs, etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              jkhelil abdeljawed khelil