git.stella-ops.org/docs/features/checked/cryptography/additional-crypto-profiles.md

# Additional Crypto Profiles (GOST, SM2, eIDAS, PQC)

## Status
VERIFIED (PQC unimplemented)

## Description
The advisory explicitly deferred GOST R 34.10-2012, SM2, eIDAS, and post-quantum crypto profiles to future work. Note: the broader repo does have crypto modules under src/Cryptography and src/SmRemote, but those are part of separate efforts.

## Why Marked as Dropped (Correction)
**FINDING: These crypto profiles ARE implemented as plugins.** The following plugin projects exist under `src/Cryptography/`:
- `StellaOps.Cryptography.Plugin.Gost` -- GOST R 34.10-2012 support via `GostPlugin.cs`
- `StellaOps.Cryptography.Plugin.Eidas` -- eIDAS support via `EidasPlugin.cs`, includes ETSI conformance test vectors
- `StellaOps.Cryptography.Plugin.Sm` -- SM2/SM3 support
- `StellaOps.Cryptography.Plugin.Fips` -- FIPS 140 compliance plugin
- `StellaOps.Cryptography.Plugin.Hsm` -- HSM integration plugin

Additional infrastructure: `StellaOps.Cryptography.Plugin` base class (`CryptoPluginBase.cs`), `MultiProfileSigner.cs`, `SignatureProfile.cs`, ECDSA and EdDSA profile libraries. PQC (post-quantum) is the only profile that does not appear to have a dedicated plugin yet.

## Implementation Details
- Plugin architecture: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs`
- GOST: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs`
- eIDAS: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs`
- SM2: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/`
- FIPS: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/`
- HSM: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/`
- Tests: `src/Cryptography/__Tests/`, plus tests in `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`

## E2E Test Plan
- [x] Verify each crypto plugin can sign and verify payloads
- [x] Validate ETSI conformance test vectors pass for eIDAS plugin
- [x] Test multi-profile signing via MultiProfileSigner
- [x] Confirm plugin discovery and loading via CryptoPluginBase

## Source
- Feature matrix scan

## Notes
- Module: Cryptography
- Modules referenced: `src/Cryptography/`, `src/SmRemote/`
- **Status should be reclassified from NOT_FOUND to IMPLEMENTED (PARTIALLY) -- only PQC remains unimplemented**

## Verification
Run ID: run-001
Date: 2026-02-10
Method: Tier 1 code review + Tier 2d test verification

Build: PASS (0 errors, 0 warnings)
Tests: PASS (101/101 cryptography tests pass)

All plugins implemented (GOST, SM2, eIDAS, FIPS, HSM) with real cryptographic operations using BouncyCastle, .NET crypto, Pkcs11Interop. PQC enum values exist but no dedicated plugin. Status note: "PARTIALLY" remains accurate since PQC is not implemented.

Verdict: PASS

## Recheck (Run-002)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-002/tier2-integration-check.json`
- **Outcome**: Additional profile plugin coverage remains stable; PQC plugin caveat unchanged.

## Recheck (Run-003)
- **Verified**: 2026-02-10
- **Method**: Tier 2 follow-up deterministic integration replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-003/tier2-integration-check.json`
- **Outcome**: Profile coverage remains stable; PQC caveat remains unchanged.


## Recheck (Run-004)
- **Verified**: 2026-02-10
- **Method**: Tier 2 deterministic integration replay + full cryptography suite replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-004/tier2-integration-check.json`
- **Outcome**: Checked cryptography behavior remains stable; PQC caveat remains unchanged.

## Recheck (Run-005)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-005/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in follow-up replay.

## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-006/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.

## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-007/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.

## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-008/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.


## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-009/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-010/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-011/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic cryptography suite replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-012/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.

## Recheck (Run-013)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
- **Tests**: PASS (101/101; Cryptography suite 101/101.)
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-013/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay; PQC caveat remains unchanged.

## Recheck (Run-016)
- **Verified**: 2026-02-11
- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-016/tier2-integration-check.json
- **Outcome**: Fresh harness transaction validated FIPS/GOST/SM positive signing paths and negative guard behavior (tampered verification + CanHandle ownership check).