stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-11 08:20:04 +02:00
parent 49922dff5a
commit b8b493913a
82 changed files with 14053 additions and 1705 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/security/crypto-profile-configuration.md
View File

@@ -12,11 +12,11 @@ How to pick regional crypto profiles, choose between free/paid providers, and en
2) Set `StellaOps:Crypto:Registry:ActiveProfile` to the region (see table below) and order the `PreferredProviders`.
3) Decide on provider type:
- Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines.
- Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available.
- Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available. See `docs/legal/crypto-compliance-review.md` for licensing/export notes.
- Simulation: enable `STELLAOPS_CRYPTO_ENABLE_SIM=1` and point `STELLAOPS_CRYPTO_SIM_URL` to `sim-crypto-service`.
4) Apply any provider-specific env (e.g., `CRYPTOPRO_ACCEPT_EULA=1`, `SM_SOFT_ALLOWED=1`, `PQ_SOFT_ALLOWED=1`, PKCS#11 PINs).
5) Capture evidence: JWKS export + `CryptoProviderMetrics` + fixed-message sign/verify logs.
6) If you only need a smoke check without full tests, run `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` against a running simulator.
6) If you only need a smoke check without full tests, run `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` against a running simulator (see `SIM_PROFILE`/`SIM_ALGORITHMS` below).
## Choosing a region
| Region | Compliance profile | Registry profile / providers | Free vs paid | Simulation |
@@ -58,12 +58,13 @@ How to pick regional crypto profiles, choose between free/paid providers, and en
## Simulation guidance
- Default simulator: `ops/crypto/sim-crypto-service` + provider `sim.crypto.remote` (see `docs/security/crypto-simulation-services.md`).
- Use the simulator to close sprints until certified evidence is available; keep non-certified labels in RootPack manifests.
- Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests.
- Quick simulation steps:
1) `docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service`
2) `docker run --rm -p 8080:8080 sim-crypto`
3) Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080`
4) Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile.
5) Optional smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release` with `SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq` and optional `SIM_MESSAGE`/`SIM_ALGORITHMS`.
## Evidence expectations
- JWKS export from Authority/Signer for the active profile.