git.stella-ops.org/docs/legal/crypto-compliance-review.md

Crypto Compliance Review · License & Export Analysis

Status: IN REVIEW (legal sign-off pending) Date: 2025-12-07 Owners: Security Guild, Legal Unblocks: RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06

Overview

This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically:

1. GostCryptography Fork (third_party/forks/AlexMAS.GostCryptography)
2. CryptoPro Plugin (StellaOps.Cryptography.Plugin.CryptoPro)
3. Regional Crypto Providers (GOST, SM2/SM3, eIDAS)

1. GostCryptography Fork

1.1 License

Attribute	Value
Upstream	https://github.com/AlexMAS/GostCryptography
License	MIT
StellaOps Usage	Source-vendored in third_party/forks/
Compatibility	MIT is compatible with AGPL-3.0-or-later

1.2 Attribution Requirements

The MIT license requires attribution in distributed software:

Copyright (c) 2014-2024 AlexMAS
See third_party/forks/AlexMAS.GostCryptography/LICENSE

Required Actions:

• Keep LICENSE file in fork directory
• Add attribution to NOTICE.md in repository root
• Include attribution in RootPack_RU bundle documentation

1.3 Distribution Guidance

Distribution Channel	Allowed	Notes
StellaOps Source	Yes	Fork stays vendored
RootPack_RU Bundle	Yes	Source + binaries allowed
Public NuGet	No	Do not publish as standalone package
Container Images	Yes	With source attribution

2. CryptoPro CSP Plugin

2.1 License

Attribute	Value
Vendor	CryptoPro LLC (crypto-pro.ru)
Product	CryptoPro CSP 5.0
License Type	Commercial (per-deployment)
Cost	Varies by tier (~$50-200 USD per instance)

2.2 Distribution Model

CryptoPro CSP is not redistributable by StellaOps. The distribution model is:

┌─────────────────────────────────────────────────────────────────┐
│                        Distribution Model                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  StellaOps ships:                                               │
│  ├── Plugin source code (AGPL-3.0-or-later)                     │
│  ├── Interface bindings to CryptoPro CSP                        │
│  └── Documentation for customer-provided CSP installation       │
│                                                                  │
│  Customer provides:                                              │
│  ├── CryptoPro CSP license                                      │
│  ├── CSP binaries installed on target system                    │
│  └── PKCS#11 module path configuration                          │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

2.3 Configuration for Customer-Provided CSP

# etc/authority.yaml - Customer configures CSP path
crypto:
  pkcs11:
    library_path: /opt/cprocsp/lib/amd64/libcapi20.so  # Customer-provided
    slot_id: 0
    pin_env: AUTHORITY_HSM_PIN

2.4 Documentation Requirements

• Document that CSP is "customer-provided" in installation guide
• Add EULA notice that CSP licensing is customer responsibility
• Include CSP version compatibility matrix (CSP 4.0/5.0)
• Provide license acceptance/test procedure for Linux CSP service and Windows runners

2.5 License Acceptance & Validation (customer-provided CSP)

Linux (native CSP, headless)

1. Place vendor .tgz/.deb bundles under <repo>/opt/cryptopro/downloads (mounted read-only into /opt/cryptopro/downloads).
2. Set CRYPTOPRO_ACCEPT_EULA=1 only if you hold a valid license and agree to the vendor terms.
3. Install CSP packages with ops/cryptopro/install-linux-csp.sh (offline by default; respects arch filtering).
4. Build the HTTP wrapper with the same EULA flag:

   docker build -t cryptopro-linux-csp \
     --build-arg CRYPTOPRO_ACCEPT_EULA=1 \
     -f ops/cryptopro/linux-csp-service/Dockerfile .
   docker run --rm -p 18080:8080 cryptopro-linux-csp
   

5. Validate license/keyset with the wrapper endpoints (fail closed if unlicensed):
   • GET /health (binary present)
   • GET /license (mirrors csptest -keyset -info; surfaces license/keyset errors)
   • POST /keyset/init (optional: creates empty keyset to silence container warnings)

Windows (native CSP)

1. Install licensed CryptoPro CSP on the runner/host.
2. Accept the EULA during installation; ensure the license is activated per vendor tooling (csptest -license -view).
3. Set STELLAOPS_CRYPTO_PRO_ENABLED=1 and configure StellaOps:Crypto:CryptoPro:Keys with certificate handle/thumbprint.
4. Run the guarded tests: ./scripts/crypto/run-cryptopro-tests.ps1 (skips when the env flag or CSP is missing). No Windows HTTP wrapper/Wine path is shipped; only native CSP on Windows, and the Linux CSP service uses customer-provided .deb binaries.
5. Capture test output + csptest -keyset -info in sprint evidence for RU-CRYPTO-VAL-04/06 closure.

EULA reminder: StellaOps never distributes CSP binaries or license keys; operators must provide and accept the vendor EULA explicitly via the flags above. If licensing review is deferred, note explicitly in sprint records that licensing remains customer responsibility.

3. Export Control Analysis

3.1 Applicable Regulations

Regulation	Jurisdiction	Relevance
EAR (Export Administration Regulations)	USA	Crypto export controls
Wassenaar Arrangement	42 countries	Dual-use goods
EU Dual-Use Regulation	EU	Crypto controls
Russian Export Controls	Russia	GOST algorithm distribution

3.2 Algorithm Classification

Algorithm	Classification	Notes
ECDSA P-256/P-384	Mass-market exempt	Widely available
RSA 2048+	Mass-market exempt	Widely available
EdDSA (Ed25519)	Mass-market exempt	Widely available
GOST R 34.10-2012	Regional use	See Section 3.3
SM2/SM3	Regional use	Chinese national standard

3.3 GOST Algorithm Guidance

GOST algorithms (GOST R 34.10-2012, GOST R 34.11-2012) are:

• Not export-controlled from Russia when used in commercial software
• May be restricted for import into certain jurisdictions
• Recommended for use only in RootPack_RU deployments targeting Russian customers

Guidance:

1. Default StellaOps distribution does NOT include GOST algorithms enabled
2. RootPack_RU is a separate distribution with GOST opt-in
3. Document that customers are responsible for compliance with local crypto regulations

3.4 Distribution Matrix

Component	Global	RootPack_RU	RootPack_CN	Notes
Core StellaOps	Yes	Yes	Yes	ECDSA/RSA/EdDSA
GostCryptography Fork	Source only	Source + Binary	No	MIT license
CryptoPro Plugin	Interface only	Interface + docs	No	Customer-provided CSP
SM2/SM3 Plugin	No	No	Interface + docs	Customer-provided HSM

4. EULA and Notice Requirements

4.1 NOTICE.md Addition

Add to repository NOTICE.md:

## Third-Party Cryptographic Components

### GostCryptography (MIT License)
Copyright (c) 2014-2024 AlexMAS
https://github.com/AlexMAS/GostCryptography

This software includes a forked version of the GostCryptography library
for GOST algorithm support. The fork is located at:
third_party/forks/AlexMAS.GostCryptography/

### CryptoPro CSP Integration
The CryptoPro CSP plugin provides integration with CryptoPro CSP software.
CryptoPro CSP is commercial software and must be licensed separately by
the end user. StellaOps does not distribute CryptoPro CSP binaries.

4.2 Installation Guide Addition

Add to installation documentation:

## Regional Crypto Support (Optional)

### Russian Federation (RootPack_RU)

StellaOps supports GOST R 34.10-2012 signing through integration with
CryptoPro CSP. This integration requires:

1. A valid CryptoPro CSP license (obtained separately from crypto-pro.ru)
2. CryptoPro CSP 4.0 or 5.0 installed on the target system
3. Configuration of the PKCS#11 module path

**Note:** CryptoPro CSP is commercial software. StellaOps provides only
the integration plugin; the CSP runtime must be licensed and installed
by the customer.

5. CI/Testing Implications

5.1 Test Environment Requirements

Environment	CSP Required	Legal Status
Development (Linux)	No	OpenSSL GOST engine fallback
CI (Linux)	No	Mock/skip CSP tests
CI (Windows opt-in)	Yes	Customer/StellaOps license
Production	Customer	Customer license

5.2 CI Guard Implementation

Tests are guarded by environment variable:

[Fact]
[SkipUnless("STELLAOPS_CRYPTO_PRO_ENABLED", "1")]
public async Task CryptoProSigner_SignsWithGost()
{
    // Test only runs when CSP is available and licensed
}

5.3 Wine Loader Experiment (RU-CRYPTO-VAL-05)

Status: BLOCKED pending legal review

Running CryptoPro CSP DLLs under Wine for cross-platform testing:

Consideration	Assessment
Technical Feasibility	Uncertain - CSP uses Windows APIs
Legal Permissibility	Requires CryptoPro EULA review
Recommendation	Defer to Windows-only testing

Decision: Do not pursue Wine loader approach until/unless CryptoPro explicitly permits this use case in their EULA.

6. Action Items

Immediate (unblocks RU-CRYPTO-VAL-06)

• Document fork licensing (MIT) ← This document
• Document CryptoPro distribution model ← This document
• Add attribution to NOTICE.md
• Update installation guide with CSP requirements and license acceptance steps
• Document CSP license validation flow (Linux wrapper + Windows runner)

Short-term

• Review CryptoPro EULA for Wine usage (if needed)
• Create regional distribution manifests for RootPack_RU
• Add compliance checkboxes to RootPack_RU installation

For Legal Sign-off

• Confirm MIT + AGPL-3.0 compatibility statement
• Confirm customer-provided model for CSP is acceptable
• Review export control applicability for GOST distribution

7. Sign-off Log

Role	Name	Date	Notes
Security Guild
Legal
Product

---

Document Version: 1.0.0 Last Updated: 2025-12-07