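# =============================================================================
# STELLA OPS - SM REMOTE OVERLAY (China)
# =============================================================================
# SM Remote service overlay for compliance-china.yml.
# Provides SM2/SM3/SM4 (ShangMi) cryptographic operations via software provider
# or integration with OSCCA-certified hardware security modules.
#
# Usage (MUST be combined with stella-ops AND compliance-china):
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-china.yml \
#     -f docker-compose.sm-remote.yml up -d
#
# For development/testing without SM hardware, use crypto-sim.yml instead:
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-china.yml \
#     -f docker-compose.crypto-sim.yml up -d
#
# SM Algorithms Provided:
#   - SM2: Public key cryptography (ECDSA-like, 256-bit curve) - GM/T 0003-2012
#   - SM3: Cryptographic hash function (256-bit output) - GM/T 0004-2012
#   - SM4: Block cipher (128-bit key/block, AES-like) - GM/T 0002-2012
#   - SM9: Identity-based cryptography - GM/T 0044-2016
#
# Providers:
#   - cn.sm.soft: Software-only implementation using BouncyCastle
#   - cn.sm.remote.http: Remote HSM integration via HTTP API
#
# OSCCA Compliance:
#   - All cryptographic operations use SM algorithms exclusively
#   - Hardware Security Modules should be OSCCA-certified
#   - Certificates comply with GM/T 0015 (Certificate Profile)
#
# Operational notes for this overlay:
#   - SM_SOFT_ALLOWED is read from the host environment in ONE place (see
#     x-sm-remote-env below) so that the sm-remote service and every consumer
#     service agree on whether the software-only provider is permitted.
#   - The HSM API key and client-certificate password are injected as plain
#     environment variables; anything that can read the container's config
#     (e.g. the Docker API / `docker inspect`) can read them. Prefer a
#     Compose `secrets:` entry or an untracked env file over exporting them
#     in a shell profile.
#   - Consumer services reach sm-remote over plain `http://` on the internal
#     `stellaops` network; the port is additionally published on the host
#     (see `ports:` on sm-remote), so restrict host-level access accordingly.
# =============================================================================

# Labels applied to the sm-remote service itself (aliased via *sm-remote-labels).
x-sm-remote-labels: &sm-remote-labels
  com.stellaops.component: "sm-remote"
  com.stellaops.crypto.provider: "sm"
  com.stellaops.crypto.profile: "china"
  com.stellaops.crypto.jurisdiction: "china"

# Environment merged (<<: *sm-remote-env) into authority, signer, attestor,
# scanner-web, scanner-worker and excititor so they route SM operations to
# the sm-remote service.
x-sm-remote-env: &sm-remote-env
  STELLAOPS_CRYPTO_PROVIDERS: "cn.sm.soft,cn.sm.remote.http"
  # Plain HTTP inside the compose network; no TLS between consumers and sm-remote.
  STELLAOPS_CRYPTO_SM_REMOTE_URL: "http://sm-remote:56080"
  STELLAOPS_CRYPTO_SM_ENABLED: "true"
  # Same host variable and default as the sm-remote service's own
  # SM_SOFT_ALLOWED, so an operator setting SM_SOFT_ALLOWED=0 disables the
  # software-only provider everywhere instead of only on sm-remote.
  SM_SOFT_ALLOWED: "${SM_SOFT_ALLOWED:-1}"

networks:
  stellaops:
    external: true
    name: stellaops

services:
  # ---------------------------------------------------------------------------
  # SM Remote Service - ShangMi cryptography provider
  # ---------------------------------------------------------------------------
  sm-remote:
    build:
      context: ../..
      dockerfile: devops/services/sm-remote/Dockerfile
    image: registry.stella-ops.org/stellaops/sm-remote:2025.10.0
    container_name: stellaops-sm-remote
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: "http://0.0.0.0:56080"
      ASPNETCORE_ENVIRONMENT: "Production"
      # Enable software-only SM2 provider (for testing/development).
      # Defaults to enabled; set SM_SOFT_ALLOWED=0 on the host to require
      # the remote HSM path.
      SM_SOFT_ALLOWED: "${SM_SOFT_ALLOWED:-1}"
      # Optional: Remote HSM configuration (for production with OSCCA-certified HSM)
      SM_REMOTE_HSM_URL: "${SM_REMOTE_HSM_URL:-}"
      # Secret: visible in the container's environment/config; see header notes.
      SM_REMOTE_HSM_API_KEY: "${SM_REMOTE_HSM_API_KEY:-}"
      # Milliseconds (default 30000 = 30 s).
      SM_REMOTE_HSM_TIMEOUT: "${SM_REMOTE_HSM_TIMEOUT:-30000}"
      # Optional: Client certificate authentication for HSM
      SM_REMOTE_CLIENT_CERT_PATH: "${SM_REMOTE_CLIENT_CERT_PATH:-}"
      # Secret: visible in the container's environment/config; see header notes.
      SM_REMOTE_CLIENT_CERT_PASSWORD: "${SM_REMOTE_CLIENT_CERT_PASSWORD:-}"
    volumes:
      # Service configuration, mounted read-only.
      - ../../etc/sm-remote:/app/etc/sm-remote:ro
      # Optional: Mount SM key containers (writable named volume, see `volumes:` at the bottom).
      - sm-remote-keys:/var/lib/stellaops/sm-keys
    ports:
      # Published on the host (all interfaces by default); override the host
      # port with SM_REMOTE_PORT.
      - "${SM_REMOTE_PORT:-56080}:56080"
    networks:
      - stellaops
    healthcheck:
      # Relies on curl being present in the image — TODO confirm against the Dockerfile.
      test: ["CMD", "curl", "-f", "http://localhost:56080/status"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    labels: *sm-remote-labels

  # ---------------------------------------------------------------------------
  # Override services to use SM Remote
  # ---------------------------------------------------------------------------

  # Authority - Use SM Remote for SM2 signatures
  authority:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

  # Signer - Use SM Remote for SM2 signatures
  signer:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

  # Attestor - Use SM Remote for SM2 signatures
  attestor:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

  # Scanner Web - Use SM Remote for verification
  scanner-web:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

  # Scanner Worker - Use SM Remote for verification
  scanner-worker:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

  # Excititor - Use SM Remote for VEX signing
  excititor:
    environment:
      <<: *sm-remote-env
    depends_on:
      - sm-remote
    labels:
      com.stellaops.crypto.provider: "sm"

volumes:
  sm-remote-keys:
    name: stellaops-sm-remote-keys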