# Sim Crypto Service · 2025-12-11

Minimal HTTP service to simulate sovereign crypto providers when licensed hardware or certified modules are unavailable.

## Endpoints

- `POST /sign` — body: `{"message":"","algorithm":""}`; returns `{"signature_b64":"...","algorithm":""}`.
- `POST /verify` — body: `{"message":"","algorithm":"","signature_b64":"..."}`; returns `{"ok":true/false,"algorithm":""}`.
- `GET /keys` — returns public key info for simulated providers.

## Supported simulated provider IDs

- GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` — deterministic HMAC-SHA256.
- SM: `SM2`, `sm.sim`, `sm2.sim` — deterministic HMAC-SHA256.
- PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` — deterministic HMAC-SHA256.
- FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` — ECDSA P-256 with a static key.

## Build & run

```bash
dotnet run -c Release --project ops/crypto/sim-crypto-service/SimCryptoService.csproj
# or
docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
docker run --rm -p 8080:8080 sim-crypto
```

## Wiring

- Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to the registry preference order.
- Point the provider at the service: `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080` (or bind `StellaOps:Crypto:Sim:BaseAddress` in config).
- `SimRemoteProviderOptions.Algorithms` already includes the IDs above; extend if you need extra aliases.

## Notes

- Replaces the legacy SM-only simulator; use this unified service for SM, PQ, GOST, and FIPS/eIDAS/KCMVP placeholders.
- Deterministic HMAC for SM/PQ/GOST; static ECDSA key for the rest. Not for production use.
- No licensed binaries are shipped; everything is BCL-only.
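
An added sketch (not the project's code) of what "deterministic HMAC-SHA256" implies for the SM/PQ/GOST IDs above: a local model of `/sign` and `/verify`, plus a check that flags such signatures if they turn up in stored artifacts. The key, the UTF-8 message encoding, the raw-MAC base64 output and all function names are assumptions; the README does not specify them.

```python
import base64
import hashlib
import hmac

# Algorithm IDs the README lists as backed by deterministic HMAC-SHA256.
HMAC_SIM_IDS = {
    "GOST12-256", "GOST12-512", "ru.magma.sim", "ru.kuznyechik.sim",
    "SM2", "sm.sim", "sm2.sim",
    "DILITHIUM3", "FALCON512", "pq.sim",
}

# Constructed key for this sketch; the service's key material is not in the README.
DEMO_KEY = b"constructed-demo-key"


def sim_sign(message: str, algorithm: str, key: bytes = DEMO_KEY) -> str:
    """Model of POST /sign (assumed: UTF-8 message, raw MAC, base64 output)."""
    if algorithm not in HMAC_SIM_IDS:
        raise ValueError(f"not an HMAC-simulated algorithm: {algorithm}")
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sim_verify(message: str, algorithm: str, signature_b64: str,
               key: bytes = DEMO_KEY) -> bool:
    """Model of POST /verify: recompute the MAC, compare in constant time.

    Verification needs the same secret as signing, so there is no
    public-key property here regardless of the algorithm label.
    """
    expected = sim_sign(message, algorithm, key)
    return hmac.compare_digest(expected, signature_b64)


def looks_simulated(algorithm: str, signature_b64: str) -> bool:
    """Flag an HMAC-simulated label carrying a value the size of one SHA-256 digest."""
    try:
        raw = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return algorithm in HMAC_SIM_IDS and len(raw) == hashlib.sha256().digest_size
```

Running `looks_simulated` over the signature fields of stored artifacts gives a quick check that simulator output has not ended up where real GOST, SM2 or post-quantum signatures are expected.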