stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
etc/appsettings.crypto.china.yaml Normal file
View File

@@ -0,0 +1,105 @@
# StellaOps Cryptography Configuration - China Profile (SM)
# This configuration enforces SM2/SM3/SM4 (ShangMi) cryptographic standards
# for People's Republic of China deployments requiring OSCCA compliance.
StellaOps:
Crypto:
Plugins:
# Path to the plugin manifest JSON file
ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"
# Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible)
# Production deployments should use "explicit" for security
DiscoveryMode: "explicit"
# List of enabled plugins with optional priority and configuration overrides
Enabled:
# SM software provider (primary)
- Id: "sm.soft"
Priority: 100
Options: {}
# SM remote HSM provider (for hardware-backed operations)
- Id: "sm.remote"
Priority: 90
Options:
baseAddress: "http://sm-hsm.internal:8900"
timeout: 30000
retryCount: 3
# CRITICAL: Disable ALL non-SM providers
Disabled:
- "default" # Standard .NET crypto (SHA-256, ECDSA)
- "libsodium" # Ed25519, XChaCha20-Poly1305
- "openssl.gost" # Russian GOST
- "pkcs11.gost"
- "cryptopro.gost"
- "wine.csp"
- "eidas.*" # European eIDAS
- "fips.*" # FIPS 140-3
- "pq.*" # Post-quantum
- "sim.*" # Simulation providers
# Fail application startup if SM provider cannot be loaded
FailOnMissingPlugin: true
# Require at least one SM provider
RequireAtLeastOne: true
Compliance:
# Compliance profile: SM (ShangMi - Commercial Cipher)
ProfileId: "sm"
# CRITICAL: Enable strict validation
# This will REJECT any signature/hash algorithm that is not SM-compliant
StrictValidation: true
# Enforce jurisdiction filtering
EnforceJurisdiction: true
# Only allow Chinese jurisdiction plugins
AllowedJurisdictions:
- "china"
# Canonical algorithms (SM2 signature, SM3 hash, SM4 encryption)
HashAlgorithm: "SM3"
SignatureAlgorithm: "SM2"
SymmetricAlgorithm: "SM4"
# Enable warnings for any non-SM algorithm attempts
WarnOnWeakAlgorithms: true
# SM Algorithm Overview (GM/T standards):
# - SM2: Public key cryptography (similar to ECDSA, uses 256-bit curve)
# Standard: GM/T 0003-2012
# - SM3: Cryptographic hash function (256-bit output, similar to SHA-256)
# Standard: GM/T 0004-2012
# - SM4: Block cipher (128-bit key, 128-bit block, similar to AES)
# Standard: GM/T 0002-2012
# - SM9: Identity-based cryptography
# Standard: GM/T 0044-2016
# OSCCA (Office of State Commercial Cryptography Administration) Compliance:
# - All cryptographic operations MUST use SM algorithms
# - Hardware Security Modules (HSMs) MUST be OSCCA-certified
# - Certificates MUST comply with GM/T 0015 (Certificate Profile)
# Optional: SM remote HSM configuration
# Crypto:
# SmRemote:
# # Base URL of SM-compliant HSM service
# BaseAddress: "https://sm-hsm.example.com:8900"
# # API authentication token
# ApiKey: "${SM_HSM_API_KEY}"
# # Connection timeout (ms)
# Timeout: 30000
# # Enable TLS client certificate authentication
# ClientCertificatePath: "/etc/stellaops/certs/sm-client.pfx"
# ClientCertificatePassword: "${SM_CLIENT_CERT_PASSWORD}"
# Optional: Override default provider preferences
# Crypto:
# Registry:
# PreferredProviders:
# - "sm.soft"
# - "sm.remote"

86
etc/appsettings.crypto.eu.yaml Normal file
View File

@@ -0,0 +1,86 @@
# StellaOps Cryptography Configuration - EU Profile (eIDAS)
# This configuration aligns with eIDAS (electronic IDentification, Authentication and trust Services)
# regulation (EU) No 910/2014 for European Union deployments.
StellaOps:
Crypto:
Plugins:
# Path to the plugin manifest JSON file
ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"
# Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible)
# Production deployments should use "explicit" for security
DiscoveryMode: "explicit"
# List of enabled plugins with optional priority and configuration overrides
Enabled:
# eIDAS software provider (QSCD not enforced)
- Id: "eidas.soft"
Priority: 100
Options: {}
# Default provider for standard ECDSA/RSA
- Id: "default"
Priority: 90
Options: {}
# Libsodium for Ed25519 (permitted under eIDAS)
- Id: "libsodium"
Priority: 80
Options: {}
# FIPS provider for enhanced security
- Id: "fips.soft"
Priority: 85
Options: {}
# Disable non-eIDAS compliant providers
Disabled:
- "sm.*" # Chinese SM algorithms
- "openssl.gost" # Russian GOST
- "pkcs11.gost"
- "cryptopro.gost"
- "wine.csp"
- "pq.*" # Post-quantum (not yet eIDAS-qualified)
# Fail application startup if a configured plugin cannot be loaded
FailOnMissingPlugin: true
# Require at least one crypto provider to be successfully loaded
RequireAtLeastOne: true
Compliance:
# eIDAS compliance profile
ProfileId: "eidas"
# Enable strict validation (reject algorithms not approved by eIDAS)
StrictValidation: true
# Enforce jurisdiction filtering (only EU-compliant plugins)
EnforceJurisdiction: true
# Allowed jurisdictions
AllowedJurisdictions:
- "eu"
- "world"
# Canonical algorithm preferences (ETSI TS 119 312)
HashAlgorithm: "SHA-256"
SignatureAlgorithm: "ES256"
# Enable algorithm downgrade warnings
WarnOnWeakAlgorithms: true
# eIDAS certificate requirements (for reference):
# - Certificates must comply with ETSI EN 319 412-1 and 319 412-2
# - Minimum key lengths: RSA 2048-bit, ECDSA P-256
# - Qualified certificates require QSCD (e.g., smart card, HSM)
# - Advanced Electronic Signatures (AdES): XAdES, PAdES, CAdES formats
# Optional: Override default provider preferences
# Crypto:
# Registry:
# PreferredProviders:
# - "eidas.soft"
# - "default"
# - "libsodium"

69
etc/appsettings.crypto.international.yaml Normal file
View File

@@ -0,0 +1,69 @@
# StellaOps Cryptography Configuration - International Profile
# This configuration enables all standard cryptographic algorithms without regional restrictions.
# Use this profile for international deployments or development/testing environments.
StellaOps:
Crypto:
Plugins:
# Path to the plugin manifest JSON file
ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"
# Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible)
# Production deployments should use "explicit" for security
DiscoveryMode: "explicit"
# List of enabled plugins with optional priority and configuration overrides
Enabled:
- Id: "default"
Priority: 100
Options: {}
- Id: "libsodium"
Priority: 90
Options: {}
- Id: "bouncycastle.ed25519"
Priority: 85
Options: {}
# Post-quantum cryptography (experimental)
- Id: "pq.soft"
Priority: 60
Options: {}
# Explicitly disabled plugins
Disabled: []
# Fail application startup if a configured plugin cannot be loaded
FailOnMissingPlugin: true
# Require at least one crypto provider to be successfully loaded
RequireAtLeastOne: true
Compliance:
# Compliance profile identifier
ProfileId: "world"
# Enable strict validation (reject algorithms not compliant with profile)
StrictValidation: false
# Enforce jurisdiction filtering (only load plugins for specified jurisdictions)
EnforceJurisdiction: false
# Allowed jurisdictions (empty = all allowed)
AllowedJurisdictions: []
# Canonical algorithm preferences by purpose
HashAlgorithm: "SHA-256"
SignatureAlgorithm: "ES256"
# Enable algorithm downgrade warnings
WarnOnWeakAlgorithms: true
# Optional: Override default provider preferences
# Crypto:
# Registry:
# PreferredProviders:
# - "default"
# - "libsodium"
# - "bouncycastle.ed25519"

129
etc/appsettings.crypto.russia.yaml Normal file
View File

@@ -0,0 +1,129 @@
# StellaOps Cryptography Configuration - Russia (GOST) Profile
# This configuration enforces GOST R 34.10-2012 and GOST R 34.11-2012 (Streebog) compliance
# for Russian Federation deployments requiring FSB certification.
#
# IMPORTANT: This profile DISABLES all non-GOST algorithms for strict compliance.
# Only GOST-approved cryptographic providers are enabled.
StellaOps:
Crypto:
Plugins:
# Path to the plugin manifest JSON file
ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"
# Discovery mode: "explicit" for strict control
DiscoveryMode: "explicit"
# Enabled GOST providers (in priority order)
Enabled:
# Primary: OpenSSL GOST engine (recommended for Linux)
- Id: "openssl.gost"
Priority: 100
Options:
enginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
# Alternate paths for different architectures:
# ARM64: "/usr/lib/aarch64-linux-gnu/engines-3/gost.so"
# Secondary: PKCS#11 provider for hardware security modules (Rutoken, JaCarta, etc.)
- Id: "pkcs11.gost"
Priority: 95
Options:
libraryPath: "/usr/lib/x86_64-linux-gnu/pkcs11/librtpkcs11ecp.so"
# Alternative paths:
# - "/usr/lib/librtpkcs11ecp.so" (older installations)
# - "/usr/lib/pkcs11/libccpkcs11.so" (CryptoPro PKCS#11)
# PIN can be provided via environment variable: STELLAOPS_PKCS11_PIN
pin: "${PKCS11_PIN}" # Use environment variable
slotId: 0
# Tertiary: Wine CSP provider (for running Windows CryptoPro CSP on Linux)
- Id: "wine.csp"
Priority: 90
Options:
winePrefix: "/opt/stellaops/wine"
cspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
# Fallback: CryptoPro native provider (Windows only)
# This will only load on Windows platforms due to platform filtering
- Id: "cryptopro.gost"
Priority: 110
Options: {}
# CRITICAL: Disable ALL non-GOST providers
Disabled:
- "default" # Standard .NET crypto (SHA-256, ECDSA)
- "libsodium" # Ed25519, XChaCha20-Poly1305
- "bouncycastle.*" # BouncyCastle providers
- "sm.*" # Chinese SM2/SM3/SM4
- "eidas.*" # European eIDAS
- "fips.*" # FIPS 140-3
- "pq.*" # Post-quantum
- "sim.*" # Simulation providers
# Fail immediately if GOST provider cannot be loaded
FailOnMissingPlugin: true
# Require at least one GOST provider
RequireAtLeastOne: true
Compliance:
# Compliance profile: GOST R (Russia)
ProfileId: "gost"
# CRITICAL: Enable strict validation
# This will REJECT any signature/hash algorithm that is not GOST-compliant
StrictValidation: true
# Enforce jurisdiction filtering
EnforceJurisdiction: true
# Only allow Russian jurisdiction plugins
AllowedJurisdictions:
- "russia"
# Canonical algorithms (GOST R 34.10-2012 / GOST R 34.11-2012)
HashAlgorithm: "GOST-R-34.11-2012-256"
SignatureAlgorithm: "GOST-R-34.10-2012-256"
# Enable warnings for any non-GOST algorithm attempts
WarnOnWeakAlgorithms: true
# OpenSSL GOST engine configuration
# Crypto:
# OpenSsl:
# # Path to GOST engine shared library
# EnginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
# # Enable engine auto-loading
# AutoLoadEngine: true
# PKCS#11 configuration
# Crypto:
# Pkcs11:
# # PKCS#11 library path
# LibraryPath: "/usr/lib/librtpkcs11ecp.so"
# # Token PIN (prefer environment variable for security)
# Pin: "${PKCS11_PIN}"
# # Slot ID (usually 0 for single-token systems)
# SlotId: 0
# # Enable token login
# RequireLogin: true
# Wine CSP configuration (for Linux deployments requiring Windows CryptoPro CSP)
# Crypto:
# WineCsp:
# # Wine prefix directory
# WinePrefix: "/opt/stellaops/wine"
# # Wine executable path
# WineExecutable: "/opt/wine-stable/bin/wine64"
# # CryptoPro CSP name
# CspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
# CryptoPro configuration (Windows only)
# Crypto:
# CryptoPro:
# # Container name
# ContainerName: "stellaops-gost-signing"
# # Use machine key store
# UseMachineKeyStore: true
# # Provider type
# ProviderType: 80 # PROV_GOST_2012_256

286
etc/crypto-plugins-manifest.json Normal file
View File

@@ -0,0 +1,286 @@
{
"$schema": "https://schema.stella-ops.org/crypto-plugins-manifest/v1.json",
"version": "1.0",
"plugins": [
{
"id": "default",
"name": "DefaultCryptoProvider",
"assembly": "StellaOps.Cryptography.dll",
"type": "StellaOps.Cryptography.DefaultCryptoProvider",
"capabilities": [
"signing:ES256",
"signing:ES384",
"signing:ES512",
"signing:RS256",
"signing:RS384",
"signing:RS512",
"signing:PS256",
"signing:PS384",
"signing:PS512",
"hashing:SHA256",
"hashing:SHA384",
"hashing:SHA512",
"password:PBKDF2",
"password:Argon2id"
],
"jurisdiction": "world",
"compliance": ["NIST", "FIPS-140-3-candidate"],
"platforms": ["linux", "windows", "osx"],
"priority": 50
},
{
"id": "libsodium",
"name": "LibsodiumCryptoProvider",
"assembly": "StellaOps.Cryptography.dll",
"type": "StellaOps.Cryptography.LibsodiumCryptoProvider",
"capabilities": [
"signing:Ed25519",
"hashing:Blake2b",
"symmetric:XSalsa20-Poly1305",
"password:Argon2id"
],
"jurisdiction": "world",
"compliance": ["NIST"],
"platforms": ["linux", "windows", "osx"],
"priority": 60,
"conditionalCompilation": "STELLAOPS_CRYPTO_SODIUM"
},
{
"id": "openssl.gost",
"name": "OpenSslGostProvider",
"assembly": "StellaOps.Cryptography.Plugin.OpenSslGost.dll",
"type": "StellaOps.Cryptography.Plugin.OpenSslGost.OpenSslGostProvider",
"capabilities": [
"signing:GOST-R-34.10-2012-256",
"signing:GOST-R-34.10-2012-512",
"hashing:GOST-R-34.11-2012-256",
"hashing:GOST-R-34.11-2012-512"
],
"jurisdiction": "russia",
"compliance": ["GOST", "FSB"],
"platforms": ["linux", "osx"],
"priority": 100,
"options": {
"enginePath": "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
}
},
{
"id": "cryptopro.gost",
"name": "CryptoProGostCryptoProvider",
"assembly": "StellaOps.Cryptography.Plugin.CryptoPro.dll",
"type": "StellaOps.Cryptography.Plugin.CryptoPro.CryptoProGostCryptoProvider",
"capabilities": [
"signing:GOST-R-34.10-2001",
"signing:GOST-R-34.10-2012-256",
"signing:GOST-R-34.10-2012-512",
"hashing:GOST-R-34.11-94",
"hashing:GOST-R-34.11-2012-256",
"hashing:GOST-R-34.11-2012-512"
],
"jurisdiction": "russia",
"compliance": ["GOST", "FSB", "ГосСОПКА"],
"platforms": ["windows"],
"priority": 110,
"conditionalCompilation": "STELLAOPS_CRYPTO_PRO"
},
{
"id": "pkcs11.gost",
"name": "Pkcs11GostCryptoProvider",
"assembly": "StellaOps.Cryptography.Plugin.Pkcs11Gost.dll",
"type": "StellaOps.Cryptography.Plugin.Pkcs11Gost.Pkcs11GostCryptoProvider",
"capabilities": [
"signing:GOST-R-34.10-2012-256",
"signing:GOST-R-34.10-2012-512",
"hashing:GOST-R-34.11-2012-256",
"hashing:GOST-R-34.11-2012-512"
],
"jurisdiction": "russia",
"compliance": ["GOST", "FSB", "PKCS#11"],
"platforms": ["linux", "windows"],
"priority": 105,
"options": {
"libraryPath": "/usr/lib/x86_64-linux-gnu/pkcs11/librtpkcs11ecp.so"
}
},
{
"id": "wine.csp",
"name": "WineCspProvider",
"assembly": "StellaOps.Cryptography.Plugin.WineCsp.dll",
"type": "StellaOps.Cryptography.Plugin.WineCsp.WineCspProvider",
"capabilities": [
"signing:GOST-R-34.10-2012-256",
"signing:GOST-R-34.10-2012-512",
"hashing:GOST-R-34.11-2012-256",
"hashing:GOST-R-34.11-2012-512"
],
"jurisdiction": "russia",
"compliance": ["GOST"],
"platforms": ["linux"],
"priority": 95,
"options": {
"winePrefix": "/opt/stellaops/wine"
}
},
{
"id": "sm.soft",
"name": "SmSoftCryptoProvider",
"assembly": "StellaOps.Cryptography.Plugin.SmSoft.dll",
"type": "StellaOps.Cryptography.Plugin.SmSoft.SmSoftCryptoProvider",
"capabilities": [
"signing:SM2",
"hashing:SM3",
"symmetric:SM4"
],
"jurisdiction": "china",
"compliance": ["GM/T", "OSCCA"],
"platforms": ["linux", "windows", "osx"],
"priority": 100
},
{
"id": "sm.remote",
"name": "SmRemoteHttpProvider",
"assembly": "StellaOps.Cryptography.Plugin.SmRemote.dll",
"type": "StellaOps.Cryptography.Plugin.SmRemote.SmRemoteHttpProvider",
"capabilities": [
"signing:SM2",
"hashing:SM3"
],
"jurisdiction": "china",
"compliance": ["GM/T", "OSCCA"],
"platforms": ["linux", "windows", "osx"],
"priority": 90,
"options": {
"baseAddress": "http://localhost:8900"
}
},
{
"id": "pq.soft",
"name": "PqSoftCryptoProvider",
"assembly": "StellaOps.Cryptography.Plugin.PqSoft.dll",
"type": "StellaOps.Cryptography.Plugin.PqSoft.PqSoftCryptoProvider",
"capabilities": [
"signing:ML-DSA-44",
"signing:ML-DSA-65",
"signing:ML-DSA-87",
"signing:SLH-DSA-SHA2-128s",
"signing:SLH-DSA-SHA2-128f",
"signing:SLH-DSA-SHAKE-128s",
"signing:SLH-DSA-SHAKE-128f",
"hashing:SHA3-256",
"hashing:SHA3-512",
"hashing:SHAKE256"
],
"jurisdiction": "world",
"compliance": ["NIST-PQC", "FIPS-203", "FIPS-205"],
"platforms": ["linux", "windows", "osx"],
"priority": 70
},
{
"id": "fips.soft",
"name": "FipsSoftCryptoProvider",
"assembly": "StellaOps.Cryptography.dll",
"type": "StellaOps.Cryptography.FipsSoftCryptoProvider",
"capabilities": [
"signing:ES256",
"signing:ES384",
"signing:ES512",
"signing:RS256",
"signing:RS384",
"signing:RS512",
"hashing:SHA256",
"hashing:SHA384",
"hashing:SHA512"
],
"jurisdiction": "world",
"compliance": ["FIPS-140-3"],
"platforms": ["linux", "windows"],
"priority": 80
},
{
"id": "eidas.soft",
"name": "EidasSoftCryptoProvider",
"assembly": "StellaOps.Cryptography.dll",
"type": "StellaOps.Cryptography.EidasSoftCryptoProvider",
"capabilities": [
"signing:ES256",
"signing:ES384",
"signing:ES512",
"signing:RS256",
"signing:RS384",
"signing:RS512",
"hashing:SHA256",
"hashing:SHA384",
"hashing:SHA512"
],
"jurisdiction": "eu",
"compliance": ["eIDAS", "ETSI-TS-119-312"],
"platforms": ["linux", "windows", "osx"],
"priority": 85
},
{
"id": "kcmvp.hash",
"name": "KcmvpHashOnlyProvider",
"assembly": "StellaOps.Cryptography.dll",
"type": "StellaOps.Cryptography.KcmvpHashOnlyProvider",
"capabilities": [
"hashing:SHA256",
"hashing:SHA384",
"hashing:SHA512"
],
"jurisdiction": "korea",
"compliance": ["KCMVP"],
"platforms": ["linux", "windows"],
"priority": 75
},
{
"id": "offline-verification",
"name": "OfflineVerificationCryptoProvider",
"assembly": "StellaOps.Cryptography.Plugin.OfflineVerification.dll",
"type": "StellaOps.Cryptography.Plugin.OfflineVerification.OfflineVerificationCryptoProvider",
"capabilities": [
"signing:ES256",
"signing:ES384",
"signing:ES512",
"signing:RS256",
"signing:RS384",
"signing:RS512",
"signing:PS256",
"signing:PS384",
"signing:PS512",
"hashing:SHA-256",
"hashing:SHA-384",
"hashing:SHA-512",
"verification:ES256",
"verification:ES384",
"verification:ES512",
"verification:RS256",
"verification:RS384",
"verification:RS512"
],
"jurisdiction": "world",
"compliance": ["NIST", "offline-airgap"],
"platforms": ["linux", "windows", "osx"],
"priority": 45,
"enabledByDefault": true
},
{
"id": "sim.crypto.remote",
"name": "SimRemoteProvider",
"assembly": "StellaOps.Cryptography.Plugin.SimRemote.dll",
"type": "StellaOps.Cryptography.Plugin.SimRemote.SimRemoteProvider",
"capabilities": [
"signing:*",
"hashing:*",
"verification:*"
],
"jurisdiction": "world",
"compliance": ["test-only"],
"platforms": ["linux", "windows", "osx"],
"priority": 10,
"options": {
"baseAddress": "http://localhost:8901"
},
"enabledByDefault": false
}
]
}