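# StellaOps Cryptography Configuration - EU Profile (eIDAS)
# This configuration aligns with eIDAS (electronic IDentification, Authentication and trust Services)
# regulation (EU) No 910/2014 for European Union deployments.
#
# NOTE(review): the source was collapsed onto two physical lines, so the
# nesting of the Timestamping / TrustList / Overrides sections has been
# reconstructed from key order — confirm against the consuming schema.
---
StellaOps:
  Crypto:
    Plugins:
      # Path to the plugin manifest JSON file
      ManifestPath: "/app/etc/crypto-plugins-manifest.json"

      # Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible)
      # Production deployments should use "explicit" for security
      DiscoveryMode: "explicit"

      # List of enabled plugins with optional priority and configuration overrides
      Enabled:
        # Offline Verification Provider - temporary fallback until eIDAS plugin available
        # Uses NIST-approved algorithms (ECDSA P-256/384/521, RSA, SHA-2)
        # TODO: Replace with eidas.soft plugin when available
        - Id: "offline-verification"
          Priority: 100
          Options: {}

      # Disable non-eIDAS compliant providers
      # While StrictValidation / EnforceJurisdiction below are false, this
      # deny-list is the only mechanism keeping non-eIDAS providers out.
      Disabled:
        - "sm.*"  # Chinese SM algorithms
        - "openssl.gost"  # Russian GOST
        - "pkcs11.gost"
        - "cryptopro.gost"
        - "wine.csp"
        - "pq.*"  # Post-quantum (not yet eIDAS-qualified)

      # Fail application startup if a configured plugin cannot be loaded
      FailOnMissingPlugin: true

      # Require at least one crypto provider to be successfully loaded
      RequireAtLeastOne: true

    Compliance:
      # eIDAS compliance profile
      ProfileId: "eidas"

      # Enable strict validation (reject algorithms not approved by eIDAS)
      # TODO: Re-enable when eIDAS plugin is available
      # NOTE(review): with this false, the profile does not reject non-approved
      # algorithms; treat deployments using this file as not yet eIDAS-enforcing.
      StrictValidation: false

      # Enforce jurisdiction filtering (only EU-compliant plugins)
      # TODO: Re-enable when eIDAS plugin is available
      EnforceJurisdiction: false

      # Allowed jurisdictions
      # "world" widens the allow-list beyond the EU; it only takes effect once
      # EnforceJurisdiction is true, so revisit it at the same time.
      AllowedJurisdictions:
        - "eu"
        - "world"

      # Canonical algorithm preferences (ETSI TS 119 312)
      HashAlgorithm: "SHA-256"
      SignatureAlgorithm: "ES256"

      # Enable algorithm downgrade warnings
      WarnOnWeakAlgorithms: true

    # eIDAS Qualified Timestamping Configuration (QTS-001, QTS-004)
    Timestamping:
      # Default timestamp mode
      DefaultMode: "Standard"  # Standard | Qualified | QualifiedLtv

      # Qualified TSA Providers (EU Trust List validated)
      # Provider-level HashAlgorithm is spelled "SHA256" here, while the
      # Compliance section uses "SHA-256"; confirm both spellings are accepted
      # by the consumer before relying on the per-provider override.
      Providers:
        - Name: "d-trust-qts"
          Url: "https://qts.d-trust.net/tsp"
          Qualified: true
          TrustListRef: "eu-lotl"
          SignatureFormat: "CadesT"
          HashAlgorithm: "SHA256"
        - Name: "a-trust-qts"
          Url: "https://tsp.a-trust.at/tsp/tsp"
          Qualified: true
          TrustListRef: "eu-lotl"
          SignatureFormat: "CadesT"
        - Name: "infocert-qts"
          Url: "https://timestamp.infocert.it/tsa"
          Qualified: true
          TrustListRef: "eu-lotl"
        # Non-qualified fallback (for non-EU deployments)
        # NOTE(review): plain-HTTP endpoint and Qualified: false — tokens from
        # this provider cannot satisfy the Qualified/QualifiedLtv overrides
        # below; confirm the client verifies the returned token's signature
        # independently of the transport.
        - Name: "digicert"
          Url: "http://timestamp.digicert.com"
          Qualified: false

      # EU Trust List Configuration
      TrustList:
        # Online URL for EU List of Trusted Lists (LOTL)
        LotlUrl: "https://ec.europa.eu/tools/lotl/eu-lotl.xml"

        # Offline path for air-gapped environments (QTS-004 requirement)
        OfflinePath: "/app/data/trustlists/eu-lotl.xml"

        # Cache TTL in hours (refresh interval)
        CacheTtlHours: 24

        # Verify signature on trust list updates
        VerifySignature: true

        # Fallback to offline if online fetch fails
        # A failed online refresh silently continues on the offline copy; make
        # sure the fallback is logged/alerted so a stale list does not go unnoticed.
        FallbackToOffline: true

      # Policy Overrides - require qualified timestamps per environment/tag
      Overrides:
        - Match:
            Environments:
              - "production"
              - "staging"
          Mode: "Qualified"
          TsaProvider: "d-trust-qts"
          SignatureFormat: "CadesT"
        - Match:
            Tags:
              - "regulated"
              - "eidas-required"
              - "financial"
          Mode: "QualifiedLtv"
          TsaProvider: "d-trust-qts"
          SignatureFormat: "CadesLT"

# eIDAS certificate requirements (for reference):
# - Certificates must comply with ETSI EN 319 412-1 and 319 412-2
# - Minimum key lengths: RSA 2048-bit, ECDSA P-256
# - Qualified certificates require QSCD (e.g., smart card, HSM)
# - Advanced Electronic Signatures (AdES): XAdES, PAdES, CAdES formats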