Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle. - Added PqSoftProviderOptions and PqSoftKeyOptions for configuration. - Created unit tests for Dilithium3 and Falcon512 signing and verification. - Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists. - Added KcmvpHashOnlyProvider for KCMVP baseline compliance. - Updated project files and dependencies for new libraries and testing frameworks.
2025-12-07 15:04:19 +02:00
parent 862bb6ed80
commit 98e6b76584
119 changed files with 11436 additions and 1732 deletions
--- a/etc/rootpack/eu/crypto.profile.yaml
+++ b/etc/rootpack/eu/crypto.profile.yaml
@@ -0,0 +1,21 @@
+StellaOps:
+  Crypto:
+    Registry:
+      ActiveProfile: eu-eidas-soft
+      PreferredProviders:
+        - eu.eidas.soft
+        - pq.soft
+        - default
+      Profiles:
+        eu-eidas-soft:
+          PreferredProviders:
+            - eu.eidas.soft
+            - pq.soft
+            - default
+    Diagnostics:
+      Providers:
+        Enabled: true
+        Metrics:
+          LogLevel: Information
+    Notes:
+      Certification: "software-only; QSCD not enforced. Set EIDAS_SOFT_ALLOWED=1 to enable profile."
--- a/etc/rootpack/kr/crypto.profile.yaml
+++ b/etc/rootpack/kr/crypto.profile.yaml
@@ -0,0 +1,19 @@
+StellaOps:
+  Crypto:
+    Registry:
+      ActiveProfile: kr-kcmvp-hash
+      PreferredProviders:
+        - kr.kcmvp.hash
+        - default
+      Profiles:
+        kr-kcmvp-hash:
+          PreferredProviders:
+            - kr.kcmvp.hash
+            - default
+    Diagnostics:
+      Providers:
+        Enabled: true
+        Metrics:
+          LogLevel: Information
+    Notes:
+      Certification: "hash-only baseline (SHA-256). Set KCMVP_HASH_ALLOWED=1 to enable."
--- a/etc/rootpack/ru/crypto.profile.yaml
+++ b/etc/rootpack/ru/crypto.profile.yaml
@@ -1,13 +1,21 @@
 StellaOps:
  Crypto:
    Registry:
-      ActiveProfile: ru-offline
+      ActiveProfile: ru-linux-soft
      PreferredProviders:
-        - default
+        - ru.openssl.gost
+        - ru.winecsp.http
+        - ru.pkcs11
      Profiles:
-        ru-offline:
+        ru-linux-soft:
+          PreferredProviders:
+            - ru.openssl.gost
+            - ru.winecsp.http
+            - ru.pkcs11
+        ru-csp:
          PreferredProviders:
            - ru.cryptopro.csp
+            - ru.winecsp.http
            - ru.openssl.gost
            - ru.pkcs11
    CryptoPro:
@@ -28,6 +36,13 @@ StellaOps:
          Pin: "${PKCS11_PIN}"
          PrivateKeyLabel: rootpack-signing
          CertificateThumbprint: "<thumbprint>"
+    WineCsp:
+      ServiceUrl: http://localhost:5099
+      Keys:
+        - KeyId: ru-wine-default
+          Algorithm: GOST12-256
+          RemoteKeyId: ru-csp-default
+          Description: Wine CSP sidecar (CryptoPro via Wine)
    OpenSsl:
      Keys:
        - KeyId: ru-openssl-default
--- a/etc/rootpack/us-fips/crypto.profile.yaml
+++ b/etc/rootpack/us-fips/crypto.profile.yaml
@@ -0,0 +1,21 @@
+StellaOps:
+  Crypto:
+    Registry:
+      ActiveProfile: us-fips-soft
+      PreferredProviders:
+        - fips.ecdsa.soft
+        - pq.soft
+        - default
+      Profiles:
+        us-fips-soft:
+          PreferredProviders:
+            - fips.ecdsa.soft
+            - pq.soft
+            - default
+    Diagnostics:
+      Providers:
+        Enabled: true
+        Metrics:
+          LogLevel: Information
+    Notes:
+      Certification: "non-certified software baseline; enable FIPS_SOFT_ALLOWED=1 to activate"