# Crypto Compliance Review · License & Export Analysis **Status:** DRAFT **Date:** 2025-12-07 **Owners:** Security Guild, Legal **Unblocks:** RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06 ## Overview This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically: 1. **GostCryptography Fork** (`third_party/forks/AlexMAS.GostCryptography`) 2. **CryptoPro Plugin** (`StellaOps.Cryptography.Plugin.CryptoPro`) 3. **Regional Crypto Providers** (GOST, SM2/SM3, eIDAS) ## 1. GostCryptography Fork ### 1.1 License | Attribute | Value | |-----------|-------| | Upstream | https://github.com/AlexMAS/GostCryptography | | License | MIT | | StellaOps Usage | Source-vendored in `third_party/forks/` | | Compatibility | MIT is compatible with AGPL-3.0-or-later | ### 1.2 Attribution Requirements The MIT license requires attribution in distributed software: ``` Copyright (c) 2014-2024 AlexMAS See third_party/forks/AlexMAS.GostCryptography/LICENSE ``` **Required Actions:** - [x] Keep `LICENSE` file in fork directory - [ ] Add attribution to `NOTICE.md` in repository root - [ ] Include attribution in RootPack_RU bundle documentation ### 1.3 Distribution Guidance | Distribution Channel | Allowed | Notes | |---------------------|---------|-------| | StellaOps Source | Yes | Fork stays vendored | | RootPack_RU Bundle | Yes | Source + binaries allowed | | Public NuGet | **No** | Do not publish as standalone package | | Container Images | Yes | With source attribution | ## 2. CryptoPro CSP Plugin ### 2.1 License | Attribute | Value | |-----------|-------| | Vendor | CryptoPro LLC (crypto-pro.ru) | | Product | CryptoPro CSP 5.0 | | License Type | Commercial (per-deployment) | | Cost | Varies by tier (~$50-200 USD per instance) | ### 2.2 Distribution Model CryptoPro CSP is **not redistributable** by StellaOps. The distribution model is: ``` ┌─────────────────────────────────────────────────────────────────┐ │ Distribution Model │ ├─────────────────────────────────────────────────────────────────┤ │ │ │ StellaOps ships: │ │ ├── Plugin source code (AGPL-3.0-or-later) │ │ ├── Interface bindings to CryptoPro CSP │ │ └── Documentation for customer-provided CSP installation │ │ │ │ Customer provides: │ │ ├── CryptoPro CSP license │ │ ├── CSP binaries installed on target system │ │ └── PKCS#11 module path configuration │ │ │ └─────────────────────────────────────────────────────────────────┘ ``` ### 2.3 Configuration for Customer-Provided CSP ```yaml # etc/authority.yaml - Customer configures CSP path crypto: pkcs11: library_path: /opt/cprocsp/lib/amd64/libcapi20.so # Customer-provided slot_id: 0 pin_env: AUTHORITY_HSM_PIN ``` ### 2.4 Documentation Requirements - [ ] Document that CSP is "customer-provided" in installation guide - [ ] Add EULA notice that CSP licensing is customer responsibility - [ ] Include CSP version compatibility matrix (CSP 4.0/5.0) ## 3. Export Control Analysis ### 3.1 Applicable Regulations | Regulation | Jurisdiction | Relevance | |------------|--------------|-----------| | EAR (Export Administration Regulations) | USA | Crypto export controls | | Wassenaar Arrangement | 42 countries | Dual-use goods | | EU Dual-Use Regulation | EU | Crypto controls | | Russian Export Controls | Russia | GOST algorithm distribution | ### 3.2 Algorithm Classification | Algorithm | Classification | Notes | |-----------|---------------|-------| | ECDSA P-256/P-384 | Mass-market exempt | Widely available | | RSA 2048+ | Mass-market exempt | Widely available | | EdDSA (Ed25519) | Mass-market exempt | Widely available | | GOST R 34.10-2012 | Regional use | See Section 3.3 | | SM2/SM3 | Regional use | Chinese national standard | ### 3.3 GOST Algorithm Guidance GOST algorithms (GOST R 34.10-2012, GOST R 34.11-2012) are: - **Not export-controlled** from Russia when used in commercial software - **May be restricted** for import into certain jurisdictions - **Recommended** for use only in RootPack_RU deployments targeting Russian customers **Guidance:** 1. Default StellaOps distribution does NOT include GOST algorithms enabled 2. RootPack_RU is a separate distribution with GOST opt-in 3. Document that customers are responsible for compliance with local crypto regulations ### 3.4 Distribution Matrix | Component | Global | RootPack_RU | RootPack_CN | Notes | |-----------|--------|-------------|-------------|-------| | Core StellaOps | Yes | Yes | Yes | ECDSA/RSA/EdDSA | | GostCryptography Fork | Source only | Source + Binary | No | MIT license | | CryptoPro Plugin | Interface only | Interface + docs | No | Customer-provided CSP | | SM2/SM3 Plugin | No | No | Interface + docs | Customer-provided HSM | ## 4. EULA and Notice Requirements ### 4.1 NOTICE.md Addition Add to repository `NOTICE.md`: ```markdown ## Third-Party Cryptographic Components ### GostCryptography (MIT License) Copyright (c) 2014-2024 AlexMAS https://github.com/AlexMAS/GostCryptography This software includes a forked version of the GostCryptography library for GOST algorithm support. The fork is located at: third_party/forks/AlexMAS.GostCryptography/ ### CryptoPro CSP Integration The CryptoPro CSP plugin provides integration with CryptoPro CSP software. CryptoPro CSP is commercial software and must be licensed separately by the end user. StellaOps does not distribute CryptoPro CSP binaries. ``` ### 4.2 Installation Guide Addition Add to installation documentation: ```markdown ## Regional Crypto Support (Optional) ### Russian Federation (RootPack_RU) StellaOps supports GOST R 34.10-2012 signing through integration with CryptoPro CSP. This integration requires: 1. A valid CryptoPro CSP license (obtained separately from crypto-pro.ru) 2. CryptoPro CSP 4.0 or 5.0 installed on the target system 3. Configuration of the PKCS#11 module path **Note:** CryptoPro CSP is commercial software. StellaOps provides only the integration plugin; the CSP runtime must be licensed and installed by the customer. ``` ## 5. CI/Testing Implications ### 5.1 Test Environment Requirements | Environment | CSP Required | Legal Status | |-------------|--------------|--------------| | Development (Linux) | No | OpenSSL GOST engine fallback | | CI (Linux) | No | Mock/skip CSP tests | | CI (Windows opt-in) | Yes | Customer/StellaOps license | | Production | Customer | Customer license | ### 5.2 CI Guard Implementation Tests are guarded by environment variable: ```csharp [Fact] [SkipUnless("STELLAOPS_CRYPTO_PRO_ENABLED", "1")] public async Task CryptoProSigner_SignsWithGost() { // Test only runs when CSP is available and licensed } ``` ### 5.3 Wine Loader Experiment (RU-CRYPTO-VAL-05) **Status:** BLOCKED pending legal review Running CryptoPro CSP DLLs under Wine for cross-platform testing: | Consideration | Assessment | |---------------|------------| | Technical Feasibility | Uncertain - CSP uses Windows APIs | | Legal Permissibility | Requires CryptoPro EULA review | | Recommendation | Defer to Windows-only testing | **Decision:** Do not pursue Wine loader approach until/unless CryptoPro explicitly permits this use case in their EULA. ## 6. Action Items ### Immediate (unblocks RU-CRYPTO-VAL-06) - [x] Document fork licensing (MIT) ← This document - [x] Document CryptoPro distribution model ← This document - [ ] Add attribution to NOTICE.md - [ ] Update installation guide with CSP requirements ### Short-term - [ ] Review CryptoPro EULA for Wine usage (if needed) - [ ] Create regional distribution manifests for RootPack_RU - [ ] Add compliance checkboxes to RootPack_RU installation ### For Legal Sign-off - [ ] Confirm MIT + AGPL-3.0 compatibility statement - [ ] Confirm customer-provided model for CSP is acceptable - [ ] Review export control applicability for GOST distribution ## 7. Sign-off Log | Role | Name | Date | Notes | |------|------|------|-------| | Security Guild | | | | | Legal | | | | | Product | | | | --- *Document Version: 1.0.0* *Last Updated: 2025-12-07*