stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

Browse Source
This commit is contained in:
master
2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/security/crypto-profile-configuration.md
View File

@@ -57,14 +57,43 @@ How to pick regional crypto profiles, choose between free/paid providers, and en
- OpenSSL GOST remote signer (OSS baseline) in `docs/security/openssl-gost-remote.md`.
## Simulation guidance
- Default simulator: `ops/crypto/sim-crypto-service` + provider `sim.crypto.remote` (see `docs/security/crypto-simulation-services.md`).
- Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests.
- Quick simulation steps:
1) `docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service`
2) `docker run --rm -p 8080:8080 sim-crypto`
3) Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080`
4) Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile.
5) Optional smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release` with `SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq` and optional `SIM_MESSAGE`/`SIM_ALGORITHMS`.
Use simulation paths when licensed hardware or certified modules are unavailable. They keep the registry/profile contracts stable while waiting for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens.
### Unified simulator (sim-crypto-service)
- **Location:** `ops/crypto/sim-crypto-service/`
- **Provider ID:** `sim.crypto.remote`
- **Algorithms covered:**
- GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` (deterministic HMAC-SHA256)
- SM: `SM2`, `sm.sim`, `sm2.sim` (deterministic HMAC-SHA256)
- PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` (deterministic HMAC-SHA256)
- FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` (ECDSA P-256 with static key)
- The `SimRemoteProviderOptions.Algorithms` default list includes the IDs above; extend if you add new aliases.
### Quick simulation steps
1. Build and run:
```bash
docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
docker run --rm -p 8080:8080 sim-crypto
```
2. Configure environment:
- Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to registry ordering.
- Point the client: `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080` or bind `StellaOps:Crypto:Sim:BaseAddress`.
- Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile.
3. Quick check (curl):
```bash
curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}'
```
4. Smoke harnesses (no VSTest):
- **PowerShell:** `ops/crypto/run-sim-smoke.ps1` (args: `-BaseUrl http://localhost:5000 -SimProfile sm|ru-free|ru-paid|eidas|fips|kcmvp|pq`)
- **Headless:** `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release` with `SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq` and optional `SIM_MESSAGE`/`SIM_ALGORITHMS=SM2,pq.sim,ES256`.
Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests.
## Evidence expectations
- JWKS export from Authority/Signer for the active profile.