partly or unimplemented features - now implemented
44
docs/features/unchecked/attestor/crypto-sovereign-design.md
Normal file
@@ -0,0 +1,44 @@
|
||||
# Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)
|
||||
|
||||
## Module
|
||||
Attestor
|
||||
|
||||
## Status
|
||||
IMPLEMENTED
|
||||
|
||||
## Description
|
||||
SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. Full eIDAS/GOST/PQC implementations appear to be partially supported through the profile system but not all crypto backends are fully implemented.
|
||||
|
||||
## What's Implemented
|
||||
- **Signing Key Profile**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs` -- key profile supporting multiple algorithm families and sovereign configurations.
|
||||
- **ProofChain Signer**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signing with algorithm-agnostic interface.
|
||||
- **IProofChainKeyStore**: `Signing/IProofChainKeyStore.cs` -- key store interface supporting multiple key types.
|
||||
- **DSSE Signing**: `Signing/DsseEnvelope.cs`, `DsseSignature.cs`, `DssePreAuthenticationEncoding.cs` -- DSSE envelope signing.
|
||||
- **Attestor Signing Key Registry**: `StellaOps.Attestor.Infrastructure/Signing/AttestorSigningKeyRegistry.cs` -- registry for multiple signing key profiles.
|
||||
- **DSSE SPDX3 Signer**: `__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs` -- SPDX3-specific signing.
|
||||
- **DSSE Signing Provider**: `Spdx3/IDsseSigningProvider.cs` -- provider interface for crypto operations.
|
||||
|
||||
## Additional Implementation Found (Cryptography Plugins)
|
||||
The following crypto plugins exist under `src/Cryptography/` with a plugin architecture (`CryptoPluginBase.cs`, `MultiProfileSigner.cs`, `SignatureProfile.cs`):
|
||||
- **GOST**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- GOST R 34.10-2012 support
|
||||
- **eIDAS**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- includes ETSI conformance test vectors
|
||||
- **SM2/SM3**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/` -- SM2/SM3 support
|
||||
- **FIPS**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/` -- FIPS 140 compliance plugin
|
||||
- **HSM**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/` -- HSM integration plugin
|
||||
- **Tests**: `src/Cryptography/__Tests/` and `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`
|
||||
|
||||
## What's Missing
|
||||
- **Post-Quantum Cryptography (PQC)**: No CRYSTALS-Dilithium, SPHINCS+, or other PQC algorithm support. The profile system can model PQC keys but no backend implements them. This is the only major crypto profile gap.
|
||||
- **eIDAS qualified signature validation**: Plugin exists but validation that timestamps meet eIDAS Article 42 qualified timestamp requirements may not be complete.
|
||||
- **Crypto provider integration with Attestor SigningKeyProfile**: The Cryptography plugin system and the Attestor `SigningKeyProfile` are not fully bridged -- Attestor signing uses its own key profiles rather than the Cryptography plugin registry.
|
||||
- **Algorithm negotiation**: No cross-sovereign algorithm negotiation for interoperability between different crypto profiles.
|
||||
|
||||
## Implementation Plan
|
||||
- Implement PQC plugin (CRYSTALS-Dilithium, SPHINCS+) following the existing CryptoPluginBase pattern
|
||||
- Bridge Cryptography plugin registry with Attestor SigningKeyProfile for unified key management
|
||||
- Add eIDAS Article 42 qualified timestamp validation
|
||||
- Add algorithm negotiation for cross-sovereign interoperability
|
||||
- Verify ETSI conformance test vectors pass end-to-end for eIDAS plugin
|
||||
|
||||
## Related Documentation
|
||||
- Source: See feature catalog
|
||||
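Review bot: The `## Status` value `IMPLEMENTED` contradicts the body of this file. The Description says "not all crypto backends are fully implemented", the title lists PQC while `## What's Missing` says no backend implements it, and the same section says Attestor signing uses its own key profiles rather than the Cryptography plugin registry. Suggest either changing the status to reflect partial implementation or narrowing the title and Description to the profiles the Attestor signer can actually reach, so a reader does not take the status line as meaning the GOST, eIDAS, SM and FIPS plugins are usable from Attestor signing. The hedged wording ("appear to be partially supported", "may not be complete") should be replaced with a verified statement or a tracked item, and `Source: See feature catalog` under `## Related Documentation` should point to a concrete path.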