save checkpoint

docs/features/checked/attestor/crypto-sovereign-design.md

@@ -0,0 +1,54 @@
+# Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. Full eIDAS/GOST/PQC implementations appear to be partially supported through the profile system but not all crypto backends are fully implemented.
+
+## What's Implemented
+- **Signing Key Profile**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs` -- key profile supporting multiple algorithm families and sovereign configurations.
+- **ProofChain Signer**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signing with algorithm-agnostic interface.
+- **IProofChainKeyStore**: `Signing/IProofChainKeyStore.cs` -- key store interface supporting multiple key types.
+- **DSSE Signing**: `Signing/DsseEnvelope.cs`, `DsseSignature.cs`, `DssePreAuthenticationEncoding.cs` -- DSSE envelope signing.
+- **Attestor Signing Key Registry**: `StellaOps.Attestor.Infrastructure/Signing/AttestorSigningKeyRegistry.cs` -- registry for multiple signing key profiles.
+- **DSSE SPDX3 Signer**: `__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs` -- SPDX3-specific signing.
+- **DSSE Signing Provider**: `Spdx3/IDsseSigningProvider.cs` -- provider interface for crypto operations.
+
+## Additional Implementation Found (Cryptography Plugins)
+The following crypto plugins exist under `src/Cryptography/` with a plugin architecture (`CryptoPluginBase.cs`, `MultiProfileSigner.cs`, `SignatureProfile.cs`):
+- **GOST**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- GOST R 34.10-2012 support
+- **eIDAS**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- includes ETSI conformance test vectors
+- **SM2/SM3**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/` -- SM2/SM3 support
+- **FIPS**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/` -- FIPS 140 compliance plugin
+- **HSM**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/` -- HSM integration plugin
+- **Tests**: `src/Cryptography/__Tests/` and `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`
+
+## What's Missing
+- **Post-Quantum Cryptography (PQC)**: No CRYSTALS-Dilithium, SPHINCS+, or other PQC algorithm support. The profile system can model PQC keys but no backend implements them. This is the only major crypto profile gap.
+- **eIDAS qualified signature validation**: Plugin exists but validation that timestamps meet eIDAS Article 42 qualified timestamp requirements may not be complete.
+- **Crypto provider integration with Attestor SigningKeyProfile**: The Cryptography plugin system and the Attestor `SigningKeyProfile` are not fully bridged -- Attestor signing uses its own key profiles rather than the Cryptography plugin registry.
+- **Algorithm negotiation**: No cross-sovereign algorithm negotiation for interoperability between different crypto profiles.
+
+## Implementation Plan
+- Implement PQC plugin (CRYSTALS-Dilithium, SPHINCS+) following the existing CryptoPluginBase pattern
+- Bridge Cryptography plugin registry with Attestor SigningKeyProfile for unified key management
+- Add eIDAS Article 42 qualified timestamp validation
+- Add algorithm negotiation for cross-sovereign interoperability
+- Verify ETSI conformance test vectors pass end-to-end for eIDAS plugin
+
+## Related Documentation
+- Source: See feature catalog
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |