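---
# StellaOps Cryptography Configuration - Russia (GOST) Profile
# This configuration enforces GOST R 34.10-2012 and GOST R 34.11-2012 (Streebog) compliance
# for Russian Federation deployments requiring FSB certification.
#
# IMPORTANT: This profile DISABLES all non-GOST algorithms for strict compliance.
# Only GOST-approved cryptographic providers are enabled.
#
# Layout: StellaOps.Crypto.Plugins selects which providers may load (explicit
# discovery, allow-list + deny-list), StellaOps.Crypto.Compliance pins the
# profile and the canonical algorithms that validation accepts.

StellaOps:
  Crypto:
    Plugins:
      # Path to the plugin manifest JSON file
      ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"

      # Discovery mode: "explicit" for strict control — only the providers
      # listed under Enabled below are considered, nothing is auto-discovered.
      DiscoveryMode: "explicit"

      # Enabled GOST providers (in priority order).
      # Priority values in this list read as "higher wins"
      # (Primary 100 > Secondary 95 > Tertiary 90) — confirm against the loader.
      Enabled:
        # Primary: OpenSSL GOST engine (recommended for Linux)
        - Id: "openssl.gost"
          Priority: 100
          Options:
            # GOST engine shared library. It is loaded into the service
            # process; keep the file root-owned and not writable by the
            # service account so the provider cannot be swapped out.
            enginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
            # Alternate paths for different architectures:
            # ARM64: "/usr/lib/aarch64-linux-gnu/engines-3/gost.so"

        # Secondary: PKCS#11 provider for hardware security modules (Rutoken, JaCarta, etc.)
        - Id: "pkcs11.gost"
          Priority: 95
          Options:
            # PKCS#11 module shared library (same ownership/permission
            # guidance as enginePath above).
            libraryPath: "/usr/lib/x86_64-linux-gnu/pkcs11/librtpkcs11ecp.so"
            # Alternative paths:
            # - "/usr/lib/librtpkcs11ecp.so" (older installations)
            # - "/usr/lib/pkcs11/libccpkcs11.so" (CryptoPro PKCS#11)
            # PIN can be provided via environment variable: STELLAOPS_PKCS11_PIN
            # NOTE(review): the variable named above (STELLAOPS_PKCS11_PIN) and
            # the placeholder below (PKCS11_PIN) differ — confirm which one the
            # configuration loader expands. If "${...}" is not expanded by the
            # loader, the literal placeholder text would presumably be used as
            # the PIN. Never replace the placeholder with a literal PIN in a
            # file committed to version control.
            pin: "${PKCS11_PIN}"  # Use environment variable
            # Slot ID (usually 0 for single-token systems)
            slotId: 0

        # Tertiary: Wine CSP provider (for running Windows CryptoPro CSP on Linux)
        - Id: "wine.csp"
          Priority: 90
          Options:
            winePrefix: "/opt/stellaops/wine"
            cspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"

        # Fallback: CryptoPro native provider (Windows only)
        # This will only load on Windows platforms due to platform filtering
        # NOTE(review): Priority 110 is the highest value in this list although
        # the entry is labelled "Fallback". If higher values win, this provider
        # takes precedence over all others on Windows hosts — confirm intended.
        - Id: "cryptopro.gost"
          Priority: 110
          Options: {}

      # CRITICAL: Disable ALL non-GOST providers
      # Entries ending in ".*" are patterns; they are quoted so the trailing
      # "*" is not parsed as a YAML alias.
      Disabled:
        - "default"  # Standard .NET crypto (SHA-256, ECDSA)
        - "libsodium"  # Ed25519, XChaCha20-Poly1305
        - "bouncycastle.*"  # BouncyCastle providers
        - "sm.*"  # Chinese SM2/SM3/SM4
        - "eidas.*"  # European eIDAS
        - "fips.*"  # FIPS 140-3
        - "pq.*"  # Post-quantum
        - "sim.*"  # Simulation providers

      # Fail immediately if GOST provider cannot be loaded
      # (fail-closed: a host without a GOST provider must not start with a
      # silently weaker configuration)
      FailOnMissingPlugin: true

      # Require at least one GOST provider
      RequireAtLeastOne: true

    Compliance:
      # Compliance profile: GOST R (Russia)
      ProfileId: "gost"

      # CRITICAL: Enable strict validation
      # This will REJECT any signature/hash algorithm that is not GOST-compliant
      StrictValidation: true

      # Enforce jurisdiction filtering
      EnforceJurisdiction: true

      # Only allow Russian jurisdiction plugins
      AllowedJurisdictions:
        - "russia"

      # Canonical algorithms (GOST R 34.10-2012 / GOST R 34.11-2012)
      HashAlgorithm: "GOST-R-34.11-2012-256"
      SignatureAlgorithm: "GOST-R-34.10-2012-256"

      # Enable warnings for any non-GOST algorithm attempts
      # (with StrictValidation above, such attempts are also rejected, so
      # the warning is the audit trail, not the control)
      WarnOnWeakAlgorithms: true

# The sections below are reference snippets for per-provider settings and are
# intentionally commented out. Note they are written under a top-level
# "Crypto:" key rather than "StellaOps.Crypto" — adjust the nesting to match
# the loader before enabling any of them.

# OpenSSL GOST engine configuration
# Crypto:
#   OpenSsl:
#     # Path to GOST engine shared library
#     EnginePath: "/usr/lib/x86_64-linux-gnu/engines-3/gost.so"
#     # Enable engine auto-loading
#     AutoLoadEngine: true

# PKCS#11 configuration
# Crypto:
#   Pkcs11:
#     # PKCS#11 library path
#     LibraryPath: "/usr/lib/librtpkcs11ecp.so"
#     # Token PIN (prefer environment variable for security)
#     Pin: "${PKCS11_PIN}"
#     # Slot ID (usually 0 for single-token systems)
#     SlotId: 0
#     # Enable token login
#     RequireLogin: true

# Wine CSP configuration (for Linux deployments requiring Windows CryptoPro CSP)
# Crypto:
#   WineCsp:
#     # Wine prefix directory
#     WinePrefix: "/opt/stellaops/wine"
#     # Wine executable path
#     WineExecutable: "/opt/wine-stable/bin/wine64"
#     # CryptoPro CSP name
#     CspName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"

# CryptoPro configuration (Windows only)
# Crypto:
#   CryptoPro:
#     # Container name
#     ContainerName: "stellaops-gost-signing"
#     # Use machine key store
#     UseMachineKeyStore: true
#     # Provider type
#     ProviderType: 80  # PROV_GOST_2012_256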