---
# StellaOps Cryptography Configuration - EU Profile (eIDAS)
# Aligns with eIDAS (electronic IDentification, Authentication and trust
# Services), Regulation (EU) No 910/2014, for European Union deployments.
#
# NOTE(review): indentation was reconstructed from a whitespace-stripped copy;
# the nesting of Compliance and Timestamping under Crypto is the most likely
# reading — confirm against the loader's options schema.
StellaOps:
  Crypto:
    Plugins:
      # JSON manifest describing the available crypto plugins.
      ManifestPath: "/app/etc/crypto-plugins-manifest.json"
      # "explicit" loads only the plugins listed under Enabled;
      # "auto" loads every compatible plugin. Production should stay "explicit"
      # so an unexpected provider cannot be picked up from the manifest.
      DiscoveryMode: "explicit"
      # Enabled plugins, each with an optional priority and option overrides.
      Enabled:
        # Offline Verification Provider: temporary fallback until the eIDAS
        # plugin ships. Uses NIST-approved algorithms
        # (ECDSA P-256/384/521, RSA, SHA-2).
        # TODO: Replace with the eidas.soft plugin when available.
        - Id: "offline-verification"
          Priority: 100
          Options: {}
      # Providers that are not eIDAS-compliant and must never be loaded.
      # Glob-style entries ("sm.*", "pq.*") match a whole family.
      Disabled:
        - "sm.*"  # Chinese SM algorithms
        - "openssl.gost"  # Russian GOST
        - "pkcs11.gost"
        - "cryptopro.gost"
        - "wine.csp"
        - "pq.*"  # Post-quantum (not yet eIDAS-qualified)
      # Abort startup when a configured plugin cannot be loaded, rather than
      # silently running with a reduced provider set.
      FailOnMissingPlugin: true
      # Abort startup unless at least one crypto provider loaded successfully.
      RequireAtLeastOne: true

    Compliance:
      # eIDAS compliance profile identifier.
      ProfileId: "eidas"
      # Strict validation rejects algorithms not approved by eIDAS.
      # Currently disabled: with this value the profile only warns (see
      # WarnOnWeakAlgorithms) and does not reject non-approved algorithms.
      # TODO: Re-enable when the eIDAS plugin is available.
      StrictValidation: false
      # Jurisdiction filtering restricts loading to EU-compliant plugins.
      # Currently disabled; the Disabled list above is the only exclusion
      # mechanism in effect until this is turned back on.
      # TODO: Re-enable when the eIDAS plugin is available.
      EnforceJurisdiction: false
      # Jurisdictions permitted once EnforceJurisdiction is enabled.
      # NOTE(review): "world" looks like a catch-all entry that would admit any
      # provider — confirm it is intended for the EU profile.
      AllowedJurisdictions:
        - "eu"
        - "world"
      # Canonical algorithm preferences (ETSI TS 119 312).
      HashAlgorithm: "SHA-256"
      SignatureAlgorithm: "ES256"
      # Emit a warning when a weaker algorithm than the preference is selected.
      WarnOnWeakAlgorithms: true

    # eIDAS Qualified Timestamping (QTS-001, QTS-004).
    Timestamping:
      # Mode used when no override matches: Standard | Qualified | QualifiedLtv
      DefaultMode: "Standard"
      # Qualified TSA providers, validated against the EU trust list.
      Providers:
        - Name: "d-trust-qts"
          Url: "https://qts.d-trust.net/tsp"
          Qualified: true
          TrustListRef: "eu-lotl"
          SignatureFormat: "CadesT"
          HashAlgorithm: "SHA256"
        - Name: "a-trust-qts"
          Url: "https://tsp.a-trust.at/tsp/tsp"
          Qualified: true
          TrustListRef: "eu-lotl"
          SignatureFormat: "CadesT"
        - Name: "infocert-qts"
          Url: "https://timestamp.infocert.it/tsa"
          Qualified: true
          TrustListRef: "eu-lotl"
        # Non-qualified fallback for non-EU deployments.
        # NOTE(review): plain-HTTP endpoint — integrity rests on the signed
        # timestamp token and its certificate chain, not on transport security;
        # confirm responses are verified against the provider's chain.
        - Name: "digicert"
          Url: "http://timestamp.digicert.com"
          Qualified: false
      # EU Trust List settings.
      TrustList:
        # Online location of the EU List of Trusted Lists (LOTL).
        LotlUrl: "https://ec.europa.eu/tools/lotl/eu-lotl.xml"
        # Local copy for air-gapped environments (QTS-004 requirement).
        OfflinePath: "/app/data/trustlists/eu-lotl.xml"
        # Refresh interval for the cached list, in hours.
        CacheTtlHours: 24
        # Reject trust-list updates whose signature does not verify.
        VerifySignature: true
        # Use OfflinePath when the online fetch fails.
        FallbackToOffline: true
      # Policy overrides: force qualified timestamps per environment or tag.
      Overrides:
        - Match:
            Environments:
              - "production"
              - "staging"
          Mode: "Qualified"
          TsaProvider: "d-trust-qts"
          SignatureFormat: "CadesT"
        - Match:
            Tags:
              - "regulated"
              - "eidas-required"
              - "financial"
          Mode: "QualifiedLtv"
          TsaProvider: "d-trust-qts"
          SignatureFormat: "CadesLT"

# eIDAS certificate requirements (for reference):
# - Certificates must comply with ETSI EN 319 412-1 and 319 412-2
# - Minimum key lengths: RSA 2048-bit, ECDSA P-256
# - Qualified certificates require a QSCD (e.g. smart card, HSM)
# - Advanced Electronic Signatures (AdES): XAdES, PAdES, CAdES formats