# Crypto Simulation Services · 2025-12-11 Use these simulation paths when licensed hardware or certified modules are unavailable. They let us keep the registry/profile contracts stable while we wait for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens. ## Unified simulator (sim-crypto-service) - Location: `ops/crypto/sim-crypto-service/` - Provider ID: `sim.crypto.remote` - Algorithms covered: - GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` (deterministic HMAC-SHA256) - SM: `SM2`, `sm.sim`, `sm2.sim` (deterministic HMAC-SHA256) - PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` (deterministic HMAC-SHA256) - FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` (ECDSA P-256 with static key) - Run: ```bash docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service docker run --rm -p 8080:8080 sim-crypto curl -s -X POST http://localhost:8080/sign -d '{"message":"hello","algorithm":"SM2"}' ``` - Wire: - Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to registry ordering. - Point the client: `STELLAOPS_CRYPTO_SIM_URL=http://:8080` or bind `StellaOps:Crypto:Sim:BaseAddress`. - The `SimRemoteProviderOptions.Algorithms` default list already includes the IDs above; extend if you add new aliases. - Quick check: ```bash curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}' ``` - Scripted smoke (no VSTest): `scripts/crypto/run-sim-smoke.ps1` (args: `-BaseUrl http://localhost:5000 -SimProfile sm|ru-free|ru-paid|eidas|fips|kcmvp|pq`). - Headless smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` (env: `STELLAOPS_CRYPTO_SIM_URL`, optional `SIM_ALGORITHMS=SM2,pq.sim,ES256`). ## Regional notes - **RU (GOST)**: OSS remote signer available at `docs/security/openssl-gost-remote.md`. Licensed CryptoPro path is Linux-only via `ops/cryptopro/linux-csp-service` (customer debs, `CRYPTOPRO_ACCEPT_EULA=1`); use the simulator above when licensing is unavailable. - **CN (SM)**: Hardware/PKCS#11 bring-up in `docs/security/sm-hardware-simulation.md`. Legacy SM-only simulator is retired; use `sim-crypto-service` for SM2 tests. - **FIPS / eIDAS / KCMVP**: Hardware/QSCD runbook in `docs/security/fips-eidas-kcmvp-validation.md`. Until certified modules arrive, rely on the simulator above and keep profiles labeled “non-certified.” - **PQ**: Built-in `pq.soft` remains the baseline; the simulator is available for integration tests that expect a remote signer. ## Config snippet (example) ```json { "StellaOps": { "Crypto": { "Registry": { "ActiveProfile": "sm", "PreferredProviders": [ "sim.crypto.remote", "cn.sm.soft" ] }, "Sim": { "BaseAddress": "http://localhost:8080" } } } } ``` ## Evidence to capture - JWKS export showing `sim.crypto.remote` keys. - `CryptoProviderMetrics` with the simulated provider ID. - Sample signatures/hashes from fixed message `stellaops-sim-vector`. ## Status - Simulation coverage exists for all regions; real licensing/hardware remains customer-supplied. Use this doc to unblock sprint closures until certified evidence arrives.