# Crypto Compliance Review · License & Export Analysis

**Status:** IN REVIEW (legal sign-off pending)  
**Date:** 2025-12-07  
**Owners:** Security Guild, Legal  
**Unblocks:** RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06

## Overview

This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically:

1. **GostCryptography Fork** (`third_party/forks/AlexMAS.GostCryptography`)
2. **CryptoPro Plugin** (`StellaOps.Cryptography.Plugin.CryptoPro`)
3. **Regional Crypto Providers** (GOST, SM2/SM3, eIDAS)

## 1. GostCryptography Fork

### 1.1 License

| Attribute | Value |
|-----------|-------|
| Upstream | https://github.com/AlexMAS/GostCryptography |
| License | MIT |
| StellaOps Usage | Source-vendored in `third_party/forks/` |
| Compatibility | MIT is compatible with AGPL-3.0-or-later |

### 1.2 Attribution Requirements

The MIT license requires attribution in distributed software:

```
Copyright (c) 2014-2024 AlexMAS
See third_party/forks/AlexMAS.GostCryptography/LICENSE
```

**Required Actions:**

- [x] Keep `LICENSE` file in fork directory
- [ ] Add attribution to `NOTICE.md` in repository root
- [ ] Include attribution in RootPack_RU bundle documentation

### 1.3 Distribution Guidance

| Distribution Channel | Allowed | Notes |
|---------------------|---------|-------|
| StellaOps Source | Yes | Fork stays vendored |
| RootPack_RU Bundle | Yes | Source + binaries allowed |
| Public NuGet | **No** | Do not publish as standalone package |
| Container Images | Yes | With source attribution |

## 2. CryptoPro CSP Plugin

### 2.1 License

| Attribute | Value |
|-----------|-------|
| Vendor | CryptoPro LLC (crypto-pro.ru) |
| Product | CryptoPro CSP 5.0 |
| License Type | Commercial (per-deployment) |
| Cost | Varies by tier (~$50-200 USD per instance) |

### 2.2 Distribution Model

CryptoPro CSP is **not redistributable** by StellaOps.
The distribution model is:

```
┌─────────────────────────────────────────────────────────────────┐
│                       Distribution Model                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ StellaOps ships:                                                │
│ ├── Plugin source code (AGPL-3.0-or-later)                      │
│ ├── Interface bindings to CryptoPro CSP                         │
│ └── Documentation for customer-provided CSP installation        │
│                                                                 │
│ Customer provides:                                              │
│ ├── CryptoPro CSP license                                       │
│ ├── CSP binaries installed on target system                     │
│ └── PKCS#11 module path configuration                           │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

### 2.3 Configuration for Customer-Provided CSP

```yaml
# etc/authority.yaml - Customer configures CSP path
crypto:
  pkcs11:
    library_path: /opt/cprocsp/lib/amd64/libcapi20.so  # Customer-provided
    slot_id: 0
    pin_env: AUTHORITY_HSM_PIN
```

### 2.4 Documentation Requirements

- [x] Document that CSP is "customer-provided" in installation guide
- [x] Add EULA notice that CSP licensing is customer responsibility
- [x] Include CSP version compatibility matrix (CSP 4.0/5.0)
- [x] Provide license acceptance/test procedure for Linux CSP service and Windows runners

### 2.5 License Acceptance & Validation (customer-provided CSP)

**Linux (native CSP, headless)**

1. Place vendor `.tgz`/`.deb` bundles under `/opt/cryptopro/downloads` (mounted read-only into `/opt/cryptopro/downloads`).
2. Set `CRYPTOPRO_ACCEPT_EULA=1` only if you hold a valid license and agree to the vendor terms.
3. Install CSP packages with `ops/cryptopro/install-linux-csp.sh` (offline by default; respects arch filtering).
4. Build the HTTP wrapper with the same EULA flag:

   ```bash
   docker build -t cryptopro-linux-csp \
     --build-arg CRYPTOPRO_ACCEPT_EULA=1 \
     -f ops/cryptopro/linux-csp-service/Dockerfile .
   docker run --rm -p 18080:8080 cryptopro-linux-csp
   ```

5. Validate the license/keyset with the wrapper endpoints (fail closed if unlicensed):
   - `GET /health` (binary present)
   - `GET /license` (mirrors `csptest -keyset -info`; surfaces license/keyset errors)
   - `POST /keyset/init` (optional: creates an empty keyset to silence container warnings)

**Windows (native CSP)**

1. Install licensed CryptoPro CSP on the runner/host.
2. Accept the EULA during installation; ensure the license is activated per vendor tooling (`csptest -license -view`).
3. Set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and configure `StellaOps:Crypto:CryptoPro:Keys` with the certificate handle/thumbprint.
4. Run the guarded tests: `./scripts/crypto/run-cryptopro-tests.ps1` (skips when the env flag or CSP is missing).

   **No Windows HTTP wrapper/Wine path is shipped; only native CSP on Windows, and the Linux CSP service uses customer-provided `.deb` binaries.**

5. Capture the test output + `csptest -keyset -info` in sprint evidence for RU-CRYPTO-VAL-04/06 closure.

**EULA reminder:** StellaOps never distributes CSP binaries or license keys; operators must provide and accept the vendor EULA explicitly via the flags above. If licensing review is deferred, note explicitly in sprint records that licensing remains customer responsibility.
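The following is an added example, not StellaOps code, showing how the fail-closed flow of section 2.5 and the opt-in semantics of the section 5.2 CI guard fit together in one pre-flight check. It is written in Python for illustration; the function and type names (`csp_preflight`, `Verdict`, `http_fetch`) are hypothetical. The environment variables, the `etc/authority.yaml` keys, the `/health` and `/license` endpoints and the `18080` port mapping come from this document; the JSON body returned by `/license` is an assumption and is marked as such in the code. The `fetch` and `path_exists` callables are injected so the decision logic can be exercised without a CSP present.

```python
"""Fail-closed pre-flight for a customer-provided CryptoPro CSP (added example, not StellaOps code)."""
import json
import os
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Tuple

# A fetch returns (HTTP status, decoded JSON body or None); status 0 means "could not connect".
Fetch = Callable[[str], Tuple[int, Any]]


@dataclass(frozen=True)
class Verdict:
    outcome: str  # "skip" (CryptoPro tests not opted in), "ok" (validated), or "fail" (fail closed)
    reason: str


def csp_preflight(env: Mapping[str, str], config: Mapping[str, Any],
                  fetch: Fetch, path_exists: Callable[[str], bool]) -> Verdict:
    """Decide whether the CryptoPro signing path may be used; anything unverified is a 'fail'."""
    # CI guard semantics: without the opt-in flag the CryptoPro tests are skipped, never failed.
    if env.get("STELLAOPS_CRYPTO_PRO_ENABLED") != "1":
        return Verdict("skip", "STELLAOPS_CRYPTO_PRO_ENABLED != 1; CryptoPro tests skipped")
    # EULA acceptance must be explicit; StellaOps never accepts it on the operator's behalf.
    if env.get("CRYPTOPRO_ACCEPT_EULA") != "1":
        return Verdict("fail", "CRYPTOPRO_ACCEPT_EULA != 1; operator has not accepted the vendor EULA")
    # Customer-provided PKCS#11 module, as configured under crypto.pkcs11 in etc/authority.yaml.
    pkcs11 = config.get("crypto", {}).get("pkcs11", {})
    library = pkcs11.get("library_path", "")
    if not library or not path_exists(library):
        return Verdict("fail", f"PKCS#11 library not found at {library!r} (customer must install CSP)")
    pin_env = pkcs11.get("pin_env", "")
    if not pin_env or not env.get(pin_env):
        return Verdict("fail", f"HSM PIN variable {pin_env!r} is unset")
    # Wrapper checks: /health proves the binary is present, /license proves a usable license/keyset.
    status, _ = fetch("/health")
    if status != 200:
        return Verdict("fail", f"/health returned {status}; CSP binary not present")
    status, body = fetch("/license")
    # ASSUMED response shape: {"status": "ok"} on success, {"status": "error", "detail": "..."} otherwise.
    if status != 200 or not isinstance(body, dict) or body.get("status") != "ok":
        detail = body.get("detail", "no detail") if isinstance(body, dict) else "unparseable body"
        return Verdict("fail", f"/license rejected keyset ({status}): {detail}")
    return Verdict("ok", "CSP present, EULA accepted, license/keyset validated")


def http_fetch(base_url: str) -> Fetch:
    """Build a fetch callable for the wrapper (the docker run above maps it to port 18080)."""
    def fetch(path: str) -> Tuple[int, Any]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as exc:
            return exc.code, None
        except (urllib.error.URLError, ValueError):
            return 0, None
    return fetch


# Constructed config mirroring the etc/authority.yaml excerpt in section 2.3.
EXAMPLE_CONFIG = {"crypto": {"pkcs11": {
    "library_path": "/opt/cprocsp/lib/amd64/libcapi20.so",
    "slot_id": 0,
    "pin_env": "AUTHORITY_HSM_PIN",
}}}

if __name__ == "__main__":
    verdict = csp_preflight(os.environ, EXAMPLE_CONFIG,
                            http_fetch("http://127.0.0.1:18080"), os.path.exists)
    print(f"{verdict.outcome}: {verdict.reason}")
    # Only "fail" is a non-zero exit; "skip" exits cleanly so CI can gate on the flag alone.
    sys.exit(1 if verdict.outcome == "fail" else 0)
```

Run on a host without the opt-in flag the script reports `skip` and exits 0, which is the CI (Linux) row of section 5.1; with the flag set but no CSP, EULA flag or wrapper it exits 1, which is the production fail-closed behaviour. The checks are ordered cheapest first so a missing EULA acceptance is reported before any network call is made.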
## 3. Export Control Analysis

### 3.1 Applicable Regulations

| Regulation | Jurisdiction | Relevance |
|------------|--------------|-----------|
| EAR (Export Administration Regulations) | USA | Crypto export controls |
| Wassenaar Arrangement | 42 countries | Dual-use goods |
| EU Dual-Use Regulation | EU | Crypto controls |
| Russian Export Controls | Russia | GOST algorithm distribution |

### 3.2 Algorithm Classification

| Algorithm | Classification | Notes |
|-----------|---------------|-------|
| ECDSA P-256/P-384 | Mass-market exempt | Widely available |
| RSA 2048+ | Mass-market exempt | Widely available |
| EdDSA (Ed25519) | Mass-market exempt | Widely available |
| GOST R 34.10-2012 | Regional use | See Section 3.3 |
| SM2/SM3 | Regional use | Chinese national standard |

### 3.3 GOST Algorithm Guidance

GOST algorithms (GOST R 34.10-2012, GOST R 34.11-2012) are:

- **Not export-controlled** from Russia when used in commercial software
- **May be restricted** for import into certain jurisdictions
- **Recommended** for use only in RootPack_RU deployments targeting Russian customers

**Guidance:**

1. The default StellaOps distribution does NOT include GOST algorithms enabled
2. RootPack_RU is a separate distribution with GOST opt-in
3. Document that customers are responsible for compliance with local crypto regulations

### 3.4 Distribution Matrix

| Component | Global | RootPack_RU | RootPack_CN | Notes |
|-----------|--------|-------------|-------------|-------|
| Core StellaOps | Yes | Yes | Yes | ECDSA/RSA/EdDSA |
| GostCryptography Fork | Source only | Source + Binary | No | MIT license |
| CryptoPro Plugin | Interface only | Interface + docs | No | Customer-provided CSP |
| SM2/SM3 Plugin | No | No | Interface + docs | Customer-provided HSM |

## 4. EULA and Notice Requirements

### 4.1 NOTICE.md Addition

Add to the repository `NOTICE.md`:

```markdown
## Third-Party Cryptographic Components

### GostCryptography (MIT License)

Copyright (c) 2014-2024 AlexMAS
https://github.com/AlexMAS/GostCryptography

This software includes a forked version of the GostCryptography library
for GOST algorithm support. The fork is located at:
third_party/forks/AlexMAS.GostCryptography/

### CryptoPro CSP Integration

The CryptoPro CSP plugin provides integration with CryptoPro CSP software.
CryptoPro CSP is commercial software and must be licensed separately by
the end user. StellaOps does not distribute CryptoPro CSP binaries.
```

### 4.2 Installation Guide Addition

Add to the installation documentation:

```markdown
## Regional Crypto Support (Optional)

### Russian Federation (RootPack_RU)

StellaOps supports GOST R 34.10-2012 signing through integration with
CryptoPro CSP. This integration requires:

1. A valid CryptoPro CSP license (obtained separately from crypto-pro.ru)
2. CryptoPro CSP 4.0 or 5.0 installed on the target system
3. Configuration of the PKCS#11 module path

**Note:** CryptoPro CSP is commercial software. StellaOps provides only
the integration plugin; the CSP runtime must be licensed and installed
by the customer.
```

## 5. CI/Testing Implications

### 5.1 Test Environment Requirements

| Environment | CSP Required | Legal Status |
|-------------|--------------|--------------|
| Development (Linux) | No | OpenSSL GOST engine fallback |
| CI (Linux) | No | Mock/skip CSP tests |
| CI (Windows opt-in) | Yes | Customer/StellaOps license |
| Production | Customer | Customer license |

### 5.2 CI Guard Implementation

Tests are guarded by an environment variable:

```csharp
[Fact]
[SkipUnless("STELLAOPS_CRYPTO_PRO_ENABLED", "1")]
public async Task CryptoProSigner_SignsWithGost()
{
    // Test only runs when CSP is available and licensed
}
```

### 5.3 Wine Loader Experiment (RU-CRYPTO-VAL-05)

**Status:** BLOCKED pending legal review

Running CryptoPro CSP DLLs under Wine for cross-platform testing:

| Consideration | Assessment |
|---------------|------------|
| Technical Feasibility | Uncertain - CSP uses Windows APIs |
| Legal Permissibility | Requires CryptoPro EULA review |
| Recommendation | Defer to Windows-only testing |

**Decision:** Do not pursue the Wine loader approach until/unless CryptoPro explicitly permits this use case in their EULA.

## 6. Action Items

### Immediate (unblocks RU-CRYPTO-VAL-06)

- [x] Document fork licensing (MIT) ← This document
- [x] Document CryptoPro distribution model ← This document
- [x] Add attribution to NOTICE.md
- [x] Update installation guide with CSP requirements and license acceptance steps
- [x] Document CSP license validation flow (Linux wrapper + Windows runner)

### Short-term

- [ ] Review CryptoPro EULA for Wine usage (if needed)
- [ ] Create regional distribution manifests for RootPack_RU
- [ ] Add compliance checkboxes to RootPack_RU installation

### For Legal Sign-off

- [ ] Confirm MIT + AGPL-3.0 compatibility statement
- [ ] Confirm customer-provided model for CSP is acceptable
- [ ] Review export control applicability for GOST distribution

## 7. Sign-off Log

| Role | Name | Date | Notes |
|------|------|------|-------|
| Security Guild | | | |
| Legal | | | |
| Product | | | |

---

*Document Version: 1.0.0*  
*Last Updated: 2025-12-07*